Whistleblower: Twitter employees had the ability to tweet from lawmakers' accounts

Twitter's whistleblower testifies before Senate committee

By Clare Duffy, Brian Fung and Aditi Sangal, CNN

Updated 2233 GMT (0633 HKT) September 13, 2022
12:27 p.m. ET, September 13, 2022

Whistleblower: Twitter employees had the ability to tweet from lawmakers' accounts

From CNN's Clare Duffy

Peiter Zatko testified that, because of Twitter's poor security posture, it was possible for Twitter engineers to tweet from other users' accounts, including those of lawmakers, though he said he never saw an employee do so.

“I have seen numerous situations where Twitter engineers had to patch a problem and I said, ‘what was the problem?’ and they said, ‘oh, engineers could tweet as anybody, the data was exposed in this part,’” Zatko said. “It was always reactionary in finding these wounds left and right and putting bandaids on them because the systemic underlying problems were not addressed."

He added: “A Twitter engineer, understanding how the running systems and the data flows were operating could then access and inject, or put forward, information as … any of the senators sitting here today.” 

Zatko said he never saw such a thing happening during his time at the company but added “I am concerned” that it may have happened previously. 
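An added illustration of the design flaw Zatko describes (example code written for this page, not Twitter's code and not a description of its systems): a write path whose author id is a plain parameter trusted from the caller, beside a version where the acting identity comes from the authenticated session, posting as another account requires an explicit, scoped, expiring grant, and both allowed and refused attempts are audited. The timeline store, the `Session` object, the `DELEGATIONS` table and the user ids are assumptions constructed for the example.

```python
"""Added example, not Twitter code: the authorization flaw behind
"engineers could tweet as anybody", shown as a write path that trusts a
caller-supplied author id, beside one hardened shape.

The store, session object and delegation table are constructed for this
example and are not a description of Twitter's internal systems."""
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Timeline:
    posts: list = field(default_factory=list)   # what gets published
    audit: list = field(default_factory=list)   # who acted as whom, and whether it was allowed


# --- Vulnerable shape ---------------------------------------------------
# The author is just a parameter. Anyone who can reach this function
# (an engineer with production access, a debug tool, an internal RPC)
# can publish as any account, and nothing records who actually did it.
def post_as_vulnerable(tl: Timeline, author_id: str, text: str) -> bool:
    tl.posts.append({"author": author_id, "text": text})
    return True


# --- Hardened shape -----------------------------------------------------
@dataclass(frozen=True)
class Session:
    principal_id: str   # the identity that actually authenticated


class AuthorizationError(Exception):
    pass


# Explicit, scoped, expiring grants: (account, actor) -> (scope, expires_at).
# Constructed: account u2 has allowed u3 to tweet on its behalf for one hour.
DELEGATIONS = {("u2", "u3"): ("tweet", time.time() + 3600)}


def post_as_hardened(tl: Timeline, session: Session, author_id: str,
                     text: str, now: Optional[float] = None) -> bool:
    """The acting principal comes from the session, never from the caller.
    Posting as another account requires an unexpired 'tweet' grant from
    that account, and both allowed and denied attempts are audited."""
    now = time.time() if now is None else now
    actor = session.principal_id
    if author_id != actor:
        grant = DELEGATIONS.get((author_id, actor))
        if grant is None or grant[0] != "tweet" or grant[1] < now:
            tl.audit.append({"t": now, "actor": actor, "as": author_id, "allowed": False})
            raise AuthorizationError(f"{actor} may not post as {author_id}")
    tl.posts.append({"author": author_id, "text": text})
    tl.audit.append({"t": now, "actor": actor, "as": author_id, "allowed": True})
    return True


def demo() -> Tuple[Timeline, bool]:
    """Run both shapes with a constructed engineer session (principal u3)."""
    tl = Timeline()
    eng = Session("u3")
    post_as_vulnerable(tl, "u1", "anyone can write this as u1")  # succeeds, unaudited
    post_as_hardened(tl, eng, "u3", "own post")                  # allowed
    post_as_hardened(tl, eng, "u2", "delegated post")            # allowed via grant
    try:
        post_as_hardened(tl, eng, "u1", "forged post")           # no grant: refused
        forged = True
    except AuthorizationError:
        forged = False
    return tl, forged


if __name__ == "__main__":
    timeline, forged = demo()
    print(f"posts={len(timeline.posts)} forged={forged}")
    for entry in timeline.audit:
        print(entry)
```

The point of the hardened shape is not the grant table itself but that the acting identity is never a caller-controlled field, and that every act-as attempt, successful or not, leaves an audit record that a detection team could review.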

2:25 p.m. ET, September 13, 2022

Sen. Graham asks Zatko if he would buy Twitter

From CNN's Clare Duffy

Senator Lindsey Graham questions Peiter Zatko during a Senate Judiciary Committee hearing in Washington, on September 13. (Kevin Dietsch/Getty Images)

Sen. Lindsey Graham hinted at Elon Musk's bid to buy — and then get out of buying — Twitter when he asked whistleblower Peiter Zatko whether he would buy the company, given what he knows.

"Would you buy Twitter, given what you know, if you had the money?" Graham asked.

Zatko laughed and then responded, "I guess that depended on the price."

2:07 p.m. ET, September 13, 2022

Twitter users need to look at information they get from the platform "differently" and ask questions, whistleblower says

From CNN's Aditi Sangal

Peiter Zatko testifies before the Senate Judiciary Committee on data security at Twitter, in Washington, on September 13. (Kevin Dietsch/Getty Images)

Sen. Lindsey Graham asked former Twitter security chief Peiter “Mudge” Zatko if he would recommend that Twitter users continue to use the social media platform given the information he has offered in his whistleblower disclosures and his testimony Tuesday.

"I think Twitter is a hugely valuable service," Zatko said. "I think people should look at the information they’re getting off of it differently, and I think people should put pressure on Twitter and ask questions from the public as well as from the government and the regulators."

Graham offered, "You're not asking to shut them down, you're asking them to get better?"

“Absolutely, sir,” Zatko replied.

11:44 a.m. ET, September 13, 2022

Twitter whistleblower explains why governments would try to put their agents in the company's ranks

From CNN's Aditi Sangal

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Peiter “Mudge” Zatko alleged in his whistleblower disclosures and in his testimony on Tuesday that Twitter may have foreign spies currently on its payroll. He said there may be a number of reasons why governments would try to place agents in the company's ranks.

Among the reasons, he said, it would serve "not just to identify people of interest or track groups of interest, but also to maybe look at whether Twitter has identified your agents or your information operations [and] what other governments has Twitter possibly identified."

"Remember, outside of the ability to access large amounts of data on the engineering side, you would want to know what Twitter’s plan is as far [as] whether they will cede to your demands for control of information within their environments or not in order to change different types of political pressures, such as strongarming," he said.

11:17 a.m. ET, September 13, 2022

Elon Musk appears to be entertained by hearing

From CNN's Adrienne Vogt

Elon Musk tweeted a popcorn emoji on Tuesday morning as Twitter whistleblower Peiter “Mudge” Zatko testified before Congress, suggesting the billionaire may be keeping an eye on what comes out of the hearing.

Musk on Friday sent a third letter to Twitter seeking to terminate his agreement to buy the company for $44 billion. The latest letter was pegged to a purported $7.75 million payment Twitter made to Zatko, its former head of security.

On Monday, Twitter called the billionaire’s move “invalid and wrongful.”

Neither Twitter nor Zatko’s lawyers commented on the purported $7.75 million severance payment cited in Musk’s letter.

Twitter shareholders are set to vote on whether to approve Musk’s acquisition on Tuesday.

11:12 a.m. ET, September 13, 2022

Whistleblower: Here's what information Twitter collects on its users

From CNN's Clare Duffy

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Peiter Zatko detailed the kinds of information that Twitter collects on its users. According to Zatko, the list includes:

  • A user's phone number
  • The latest IP address a user has connected from, as well as past IP addresses
  • A user's current email, how long they've been using it and prior emails they've used
  • Where the company thinks a user lives
  • The location the company thinks a user is currently accessing Twitter from
  • What type of device a user is accessing Twitter from
  • The web browser a user is connected from
  • The language used by the user

Zatko claimed that all of the company's engineers — through their access to its internal production systems — could potentially access all of that user data.

"If they wanted to root around in the data and find it, they could, and some have," he said.

12:16 p.m. ET, September 13, 2022

What's stopping Twitter from deleting old user data?

From CNN's Brian Fung

One of Zatko's chief allegations against Twitter is that it does not reliably delete the data of users who cancel their accounts.

Expanding on that claim, Zatko told lawmakers Tuesday that the company's chief privacy officer had come to him admitting that Twitter has deliberately misled regulators who asked about Twitter's deletion practices.

"I was told straight out by the chief privacy officer that the [Federal Trade Commission] had come and asked, 'Does Twitter delete users' information?'," Zatko said. "He said, 'I need you to know this because other regulators are asking us, and this ruse is not going to hold up.'"

Twitter has allegedly told regulators that it deactivates user accounts but has been elusive about whether it fully deletes the data. In response to questions from CNN, Twitter has previously said it has workflows in place to "begin a deletion process" but has not said whether it typically completes that process.

Asked by Sen. Mazie Hirono whether Twitter has the capability to delete user data appropriately, Zatko said it would be possible if Twitter had better control of its data, but that it does not, in a "fundamental root problem" for the company.

"They need to know what data they have, where it is, why they got it and who it is attached to," Zatko said. "At that point, they would be able to delete."
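Zatko's four questions (what data, where it is, why it was collected, and whom it is attached to) map directly onto a data inventory. The following is an added example written for this page, not Twitter's code; its stores, purposes, records and the `coverage_gap` helper are constructed assumptions. It shows deletion driven by the inventory, verification against the same inventory, and the gap that remains for any store nobody registered.

```python
"""Added example, not Twitter code: a minimal data inventory recording what
data exists, where it lives, why it was collected and which user it belongs
to, so that account deletion can be executed and then verified. The stores,
records and purposes are constructed for this example."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Store:
    name: str                            # where the data is
    purpose: str                         # why it was collected
    subject_key: Callable[[dict], str]   # who it is attached to
    records: List[dict]


class DataInventory:
    def __init__(self) -> None:
        self.stores: Dict[str, Store] = {}

    def register(self, name: str, purpose: str,
                 subject_key: Callable[[dict], str], records: List[dict]) -> None:
        self.stores[name] = Store(name, purpose, subject_key, records)

    def locate(self, user_id: str) -> Dict[str, List[dict]]:
        """Every record attached to user_id, per registered store."""
        return {name: [r for r in s.records if s.subject_key(r) == user_id]
                for name, s in self.stores.items()}

    def delete_subject(self, user_id: str) -> Dict[str, int]:
        """Delete user_id's records from every registered store; returns counts removed."""
        removed = {}
        for name, s in self.stores.items():
            before = len(s.records)
            s.records[:] = [r for r in s.records if s.subject_key(r) != user_id]
            removed[name] = before - len(s.records)
        return removed

    def verify_deleted(self, user_id: str) -> Dict[str, int]:
        """Stores that still hold records for user_id (empty dict means clean)."""
        return {name: len(rs) for name, rs in self.locate(user_id).items() if rs}

    def coverage_gap(self, known_stores: List[str]) -> List[str]:
        """Stores the operator knows exist but never registered: deletion
        cannot reach them and verification cannot see them."""
        return sorted(set(known_stores) - set(self.stores))


def build_demo() -> DataInventory:
    """Constructed stores holding the kinds of fields the testimony lists."""
    inv = DataInventory()
    inv.register("accounts", "operate the service", lambda r: r["id"],
                 [{"id": "u1", "email": "u1@example.test"},
                  {"id": "u2", "email": "u2@example.test"}])
    inv.register("login_ips", "abuse detection", lambda r: r["user"],
                 [{"user": "u1", "ip": "203.0.113.7"},
                  {"user": "u1", "ip": "203.0.113.9"},
                  {"user": "u2", "ip": "198.51.100.4"}])
    inv.register("ads_profile", "advertising", lambda r: r["uid"],
                 [{"uid": "u1", "inferred_city": "Springfield"}])
    return inv


def delete_account(inv: DataInventory, user_id: str) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Deactivation that actually completes: delete everywhere the inventory
    knows about, then verify nothing is left there."""
    removed = inv.delete_subject(user_id)
    residual = inv.verify_deleted(user_id)
    return removed, residual


if __name__ == "__main__":
    inventory = build_demo()
    print("before:", {k: len(v) for k, v in inventory.locate("u1").items()})
    print("removed, residual:", delete_account(inventory, "u1"))
    # A store that exists but was never registered is invisible to both steps.
    print("unreachable:", inventory.coverage_gap(
        ["accounts", "login_ips", "ads_profile", "analytics_export"]))
```

`verify_deleted` can only certify the stores that were registered; `coverage_gap` makes the remaining blind spot explicit, which is the "fundamental root problem" the testimony describes: without the inventory, a deletion workflow can begin but nobody can say whether it completed.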

11:25 a.m. ET, September 13, 2022

Twitter seemed "unwilling to put the effort" into rooting out foreign agents from its ranks, whistleblower says

From CNN's Clare Duffy and Aditi Sangal

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Peiter “Mudge” Zatko told lawmakers that when he raised concerns about a foreign agent on the company's payroll in a foreign office, the company seemed "unwilling to put the effort in" to root out that individual.

The response from an executive, according to Zatko, was: “Well, since we already have one, what is the problem if we have more? Let's keep growing the office.”

Zatko said that a lack of internal tracking of employees' actions within Twitter increased the risk of foreign agents operating inside the company and exploiting its data. He claimed that it was typically only when an outside agency alerted Twitter to a foreign operative inside the company that it would become aware of that person.

"It was extremely difficult to track the people, there was a lack of logging and ability to see what they were doing and what information was being accessed… let alone to set steps for remediation," he said.

He added that "there were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing" because of the lack of logging of how its internal systems were being used.

"This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure and the engineering," he said.
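As an added example (not Twitter's code; the log format, field names, thresholds and sample lines are all constructed here), this is the kind of check that the missing logging would have made possible: a small detector that groups denied attempts to internal tools per user per ISO week and raises an alert when one principal fails too often or sweeps too many distinct targets. Unparseable lines are counted rather than silently dropped, so a gap in the logging pipeline shows up in the same report.

```python
"""Added example, not Twitter code: counting failed attempts to reach
internal tools from an access log and alerting when they pile up per
user per week. Log format, field names, thresholds and the sample lines
are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed line shape: ISO-8601 UTC timestamp followed by key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) tool=(?P<tool>\S+) "
    r"action=(?P<action>\S+) target=(?P<target>\S+) result=(?P<result>\S+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return a dict of fields, or None if the line is not in the expected shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def iso_week(ts: datetime) -> str:
    year, week, _ = ts.isocalendar()
    return f"{year}-W{week:02d}"


def failed_access_report(lines: List[str], per_user_threshold: int = 5,
                         distinct_target_threshold: int = 3) -> dict:
    """Group DENIED results by (ISO week, user). Alert when one user either
    exceeds the per-week count or touches more distinct targets than allowed
    (a sweep across accounts). Unparseable lines are counted, not dropped
    silently, so a broken log pipeline is itself visible in the report."""
    denied: Dict[tuple, List[str]] = defaultdict(list)
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["result"] == "DENIED":
            denied[(iso_week(rec["ts"]), rec["user"])].append(rec["target"])

    alerts = []
    for (week, user), targets in sorted(denied.items()):
        distinct = sorted(set(targets))
        reasons = []
        if len(targets) > per_user_threshold:
            reasons.append(f"{len(targets)} denied attempts in {week}")
        if len(distinct) > distinct_target_threshold:
            reasons.append(f"{len(distinct)} distinct targets")
        if reasons:
            alerts.append({"week": week, "user": user, "denied": len(targets),
                           "targets": distinct, "reasons": reasons})
    return {"alerts": alerts, "unparsed": unparsed,
            "total_denied": sum(len(t) for t in denied.values())}


# Constructed sample: one engineer sweeping accounts across a week, one user
# with a single denial, and one malformed line.
SAMPLE_LOG = [
    "2022-09-05T10:01:00Z src=10.1.2.3 user=eng_bob tool=userlookup action=read target=acct:1001 result=DENIED",
    "2022-09-05T10:01:07Z src=10.1.2.3 user=eng_bob tool=userlookup action=read target=acct:1002 result=DENIED",
    "2022-09-06T09:12:44Z src=10.1.2.3 user=eng_bob tool=userlookup action=read target=acct:1003 result=DENIED",
    "2022-09-06T09:13:01Z src=10.1.2.3 user=eng_bob tool=dmreader action=read target=acct:1003 result=DENIED",
    "2022-09-07T14:00:00Z src=10.1.2.3 user=eng_bob tool=dmreader action=read target=acct:1004 result=DENIED",
    "2022-09-08T08:30:00Z src=10.1.2.3 user=eng_bob tool=dmreader action=read target=acct:1004 result=DENIED",
    "2022-09-08T08:31:10Z src=10.1.2.3 user=eng_bob tool=dmreader action=read target=acct:1005 result=DENIED",
    "2022-09-08T11:00:00Z src=10.1.2.9 user=eng_carol tool=userlookup action=read target=acct:2001 result=OK",
    "2022-09-08T11:00:05Z src=10.1.2.9 user=eng_carol tool=userlookup action=read target=acct:2002 result=DENIED",
    "this line is not in the expected format",
]


if __name__ == "__main__":
    report = failed_access_report(SAMPLE_LOG)
    print(f"denied={report['total_denied']} unparsed={report['unparsed']}")
    for alert in report["alerts"]:
        print(alert)
```

The weekly bucket matches the unit Zatko used ("thousands of failed attempts ... per week"); in practice the same grouping would run continuously against a stream rather than a list, and the thresholds would be tuned per tool, but the structure is the same: a denial that is never logged cannot be counted, and a count nobody reviews is not a detection.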

10:48 a.m. ET, September 13, 2022

Whistleblower: FTC is at a disadvantage compared to powerful tech companies

From CNN's Brian Fung

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Even as lawmakers criticized Twitter for its alleged missteps, they also reserved some ire for the federal agencies charged with holding Twitter accountable. Sens. Dick Durbin and Chuck Grassley both highlighted what they viewed as a lack of enforcement.

"I’m concerned that for almost ten years the Federal Trade Commission didn’t know or didn’t take strongly enough action to ensure Twitter complied with the consent decree,” Grassley said. "This is a consent decree that was intended to protect Twitter users' personal information.”

As part of his testimony, Zatko said federal agencies like the FTC are under-resourced and at a disadvantage compared to powerful tech platforms. 

Zatko also said that Twitter was not afraid of the FTC as much as it was afraid of foreign regulators, such as France’s data protection authority, CNIL.

That’s because where Twitter expected US regulators to impose only one-time fines or penalties in response to any legal violations by the company, Twitter feared the prospect of foreign regulators imposing ongoing penalties or restrictions on its business going forward.

"One-time fines are priced in," he explained.