Twitter’s whistleblower testifies before Senate committee

Twitter on Tuesday afternoon responded to Zatko’s testimony by reiterating a statement it made after his disclosure was initially made public.

The spokesperson added that the company’s hiring process is independent of foreign influence, and that access to internal company data is managed through measures such as background checks, access controls and monitoring systems.

The company declined to respond directly to a list of specific allegations by Zatko, including about the company’s purported inability to detect whether foreign agents are on its payroll and claims that the FBI has warned Twitter it may have had at least one Chinese agent in the company.

Zatko’s hearing showed the extent to which Twitter may be vulnerable to foreign exploitation, making his testimony “really significant,” Sen. Josh Hawley told CNN on Tuesday.

Some of Zatko’s most concerning allegations, Hawley said, were that Twitter’s now-CEO, Parag Agrawal, had proposed making concessions to Russia’s government and that Twitter may be providing Chinese entities with information that could be used to unmask people within China who may be illegally accessing Twitter, Hawley said.

There is also no reason to believe Twitter has meaningfully addressed a US government tip about a Chinese intelligence agent on Twitter’s payroll, another of Zatko’s explosive allegations, Hawley said.

“Nothing [Zatko] said today allays concerns on that score,” Hawley told CNN.

In his testimony Tuesday, Peiter Zatko misspoke when he told Sen. Jon Ossoff that Twitter had accidentally leaked the personal information of 50 million employees, according to Whistleblower Aid, the organization providing Zatko with legal representation.

“The 50 million number was a misstatement, and Mudge will issue a correction to the committee,” said John Tye, Zatko’s attorney and founder of Whistleblower Aid. The correct number, he added, is reflected in Zatko’s original disclosure to the US government.

That filing claims that 20,000, not 50 million, current and former Twitter employees have been affected by data leaks involving the company.

During Tuesday’s hearing, Zatko had claimed that an internal incident report showed 50 million employees being affected by such breaches, and that Zatko was confused by the figure because Twitter does not have 50 million employees, but does hold extensive records on current and former employees that it does not delete.

Twitter has previously said it has about 7,000 current employees.

Twitter shareholders on Tuesday voted in favor of Musk’s $44 billion takeover deal, a value of $54.20 per share. The company’s stock opened Tuesday at just under $41 per share, nearly 25% below the deal price. 

The vote came days after Musk’s third letter to Twitter seeking to terminate their deal, with this one pegged to a purported $7.75 million severance payment the company made to its former head of security, Peiter Zatko, who later blew the whistle about its alleged security and privacy vulnerabilities.

The outcome of the vote was announced shortly after Zatko concluded testifying on Capitol Hill.

In a wide-ranging hearing that lasted more than two hours, Twitter whistleblower Peiter Zatko told lawmakers about a range of concerns he has about the company.

Here are some of the highlights:

Twitter did not immediately respond to requests for comment from CNN about many of Zatko’s allegations.

Peiter Zatko testified that due to its poor security posture, it was possible for Twitter engineers to tweet from other users’ accounts, including those of lawmakers – though he never saw an employee do so.

“I have seen numerous situations where Twitter engineers had to patch a problem and I said, ‘what was the problem?’ and they said, ‘oh, engineers could tweet as anybody, the data was exposed in this part,’” Zatko said. “It was always reactionary in finding these wounds left and right and putting bandaids on them because the systemic underlying problems were not addressed.”

He added: “A Twitter engineer, understanding how the running systems and the data flows were operating could then access and inject, or put forward, information as … any of the senators sitting here today.” 

Zatko said he never saw such a thing happening during his time at the company but added “I am concerned” that it may have happened previously. 

Sen. Lindsay Graham hinted at Elon Musk’s bid to buy — and then get out of buying — Twitter when he asked whistleblower Peiter Zatko whether he would buy the company, given what he knows.

Zatko laughed and then responded, “I guess that depended on the price.”

Sen. Lindsey Graham asked former Twitter security chief Peiter “Mudge” Zatko if he would recommend that Twitter users continue to use the social media platform given the information he has offered in his whistleblower disclosures and his testimony Tuesday.

“I think Twitter is a hugely valuable service,” Zatko said. “I think people should look at the information they’re getting off of it differently, and I think people should put pressure on Twitter and ask questions from the public as well as from the government and the regulators.”

Graham offered, “You’re not asking to shut them down, you’re asking them to get better?”

“Absolutely, sir,” Zatko replied.

Peiter “Mudge” Zatko alleged in his whistleblower disclosures and in his testimony on Tuesday that Twitter may have foreign spies currently on its payroll. He said there may be a number of reasons why governments would try to place agents in the company’s ranks.

Among the reasons, he said, it would serve “not just to identify people of interest or track groups of interest, but also to maybe look at whether Twitter has identified your agents or your information operations [and] what other governments has Twitter possibly identified.”

“Remember, outside of the ability to access large amounts of data on the engineering side you would want to know what Twitter’s plan is as far whether they will cede to your demands for control of information within their environments or not in order to change different types of political pressures, such as strongarming,” he said.

Elon Musk tweeted a popcorn emoji on Tuesday morning as Twitter whistleblower Peiter “Mudge” Zatko testified before Congress, suggesting the billionaire may be keeping an eye on what comes out of the hearing.

Musk on Friday sent a third letter to Twitter seeking to terminate his agreement to buy the company for $44 billion. The latest letter was pegged to a purported $7.75 million payment Twitter made to Zatko, its former head of security.

On Monday, Twitter called the billionaire’s move “invalid and wrongful.”

Neither Twitter nor Zatko’s lawyers commented on the purported $7.75 million severance payment cited in Musk’s letter.

Twitter shareholders are set to vote on whether to approve Musk’s acquisition on Tuesday.

Peiter Zatko detailed the kinds of information that Twitter collects on its users. According to Zatko, the list includes:

Zatko claimed that all of the company’s engineers — through their access to its internal production systems — could potentially access all of that user data.

“If they wanted to root around in the data and find it, they could, and some have,” he said.

One of Zatko’s chief allegations against Twitter is that it does not reliably delete the data of users who cancel their accounts.

Expanding on that claim, Zatko told lawmakers Tuesday that the company’s chief privacy officer had come to him admitting that Twitter has deliberately misled regulators who asked about Twitter’s deletion practices.

“I was told straight out by the chief privacy officer that the [Federal Trade Commission] had come and asked, ‘Does Twitter delete users’ information?’,” Zatko said. “He said, ‘I need you to know this because other regulators are asking us, and this ruse is not going to hold up.’”

Twitter has allegedly told regulators that it deactivates user accounts but has been elusive about whether it fully deletes the data. In response to questions from CNN, Twitter has previously said it has workflows in place to “begin a deletion process” but has not said whether it typically completes that process.

Asked by Sen. Mazie Hirono whether Twitter has the capability to delete user data appropriately, Zatko said it would be possible if Twitter had better control of its data, but that it does not, in a “fundamental root problem” for the company.

“They need to know what data they have, where it is, why they got it and who it is attached to,” Zatko said. “At that point, they would be able to delete.”

Peiter “Mudge” Zatko told lawmakers that when he raised concerns about a foreign agent on the company’s payroll in a foreign office, the company seemed “unwilling to put the effort in” to root out that individual.

The response from an executive, according to Zatko, was: “Well, since we already have one, what is the problem if we have more? Let’s keep growing the office.”

Zatko said that a lack of internal tracking of employees’ actions within Twitter increased the risk of foreign agents operating inside the company and exploiting its data. He claimed that it was typically only when an outside agency alerted Twitter to a foreign operative inside the company that it would become aware of that person.

He added that “there were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing” because of the lack of logging of how its internal systems were being used.

“This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure and the engineering,” he said.

Even as lawmakers criticized Twitter for its alleged missteps, they also reserved some ire for the federal agencies charged with keeping Twitter accountable. Durbin and Grassley both highlighted what they viewed as a lack of enforcement. 

“I’m concerned that for almost ten years the Federal Trade Commission didn’t know or didn’t take strongly enough action to ensure Twitter complied with the consent decree,” Grassley said. “This is a consent decree that was intended to protect twitter users’ personal information.”

As part of his testimony, Zatko said federal agencies like the FTC are under-resourced and at a disadvantage compared to powerful tech platforms. 

Zatko also said that Twitter was not afraid of the FTC as much as it was afraid of foreign regulators, such as France’s data protection authority, CNIL.

That’s because where Twitter expected US regulators to impose only one-time fines or penalties in response to any legal violations by the company, Twitter feared the prospect of foreign regulators imposing ongoing penalties or restrictions on its business going forward.

“One-time fines are priced in,” he explained.

Zatko said that when he arrived at Twitter, he began asking: “Why do they keep having so many security incidents? The same amount year after year … What is fundamentally, under-the-hood broken? Where is the systemic failure?”

One part of the problem, he said, is that Twitter doesn’t fully understand all the data it collects from users or why it collects that data.

He cited an internal study conducted by engineers which allegedly found that for only about 20% of the data it collects does the company know “why they got it, how it was supposed to be used, when it was supposed to be deleted.” With the remainder of the data, the company often did not know what the data was or why it was being collected, Zatko said. Samples of that unknown data in the study included personally identifying information such as phone numbers and addresses, he claimed.

Zatko also said that bad actors with access to Twitter’s system could potentially access and exploit that data because the company doesn’t properly understand, and therefore protect, the data it collects.

Former Twitter employee and whistleblower Peiter “Mudge” Zatko said that the platform’s potential risk to national security and its users led him to decide it was “necessary to take on the personal and professional risk to myself and to my family of becoming a whislteblower.”

“I did not make my whistleblower disclosures out of spite or to harm Twitter; far from that. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter’s users and the public are protected,” he told lawmakers on Tuesday.

Twitter CEO Parag Agrawal should step down if Zatko’s allegations are proven, according to Sen. Chuck Grassley, the Judiciary Committee’s top Republican. 

“I don’t see how Mr. Agrawal can maintain his position at Twitter” if Zatko’s claims turn out to be accurate, Grassley said. He also blasted the executive over a decision not to testify alongside Zatko despite a committee invitation to appear. 

According to Grassley, Twitter declined to make Agrawal available amid its concerns that his testimony could jeopardize the company’s ongoing litigation with billionaire Elon Musk. 

Twitter did not immediately respond to a request for comment.

Sen. Dick Durbin, the chair of the committee, pointed in his opening statement to the importance of security on Twitter for those who use the platform to criticize governments. Durbin specifically noted Saudi Arabia as an example:

“Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government. This is a matter of life and death as we know for these dissidents as the butchering of Jamal Kashoggi made clear.”

Durbin was referring to a former Twitter manager who was accused of spying for Saudi Arabia and convicted last month on six criminal counts, including acting as an agent for the country and trying to disguise a payment from an official tied to Saudi’s royal family. Prosecutors said he used his insider knowledge to access Twitter accounts and dig up personal information about Saudi dissidents.

“Twitter is immensely powerful platform that cannot afford gaping security vulnerabilities,” Durbin added.

As he began his testimony Tuesday, Peiter “Mudge” Zatko laid out why he decided to become a whistleblower.  

When he joined the company, he said he discovered “this enormously influential company was over a decade behind” industry security standards … “causing real harm to real people.”

Zatko said he raised concerns about security vulnerabilities brought to him by Twitter’s own engineers to the company’s executives, but executives failed to act. He quoted writer Upton Sinclair, saying, “It is difficult to get someone to understand something when his salary depends on him not understanding something.” This, he said, was the mentality of Twitter executives when he raised concerns.

“It’s not far fetched to say a Twitter employee could take over the accounts of all of the senators in this room,” he said.

“My genuine hope,” he continued, “is that my disclosures help Twitter finally address its security failures and encourage the company to listen to its engineers and employees who have long reported the same issues I have disclosed.” 

The FBI has warned Twitter it may have at least one Chinese agent on its payroll, according to Sen. Chuck Grassley, summarizing previously undisclosed details of an allegation by Twitter whistleblower Peiter “Mudge” Zatko against his former employer. 

A previously reported version of Zatko’s whistleblower disclosure — submitted to authorities in July and first reported by CNN and The Washington Post in August — indicated that the US government had provided Twitter with specific information that at least one of its employees, perhaps more, may be working for a foreign intelligence agency. 

But that version of the disclosure did not identify which country the suspected agent may have been affiliated with.

“Because of [Zatko’s] disclosures, we’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies,” Grassley said in his opening remarks during a whistleblower hearing involving Zatko on Tuesday. “For example, his disclosures indicate that India was able to place at least two suspected foreign assets within Twitter. His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company.”

Twitter has not publicly responded to Zatko’s allegations of foreign intelligence compromise, though it has accused Zatko more generally of spreading a “false narrative” about the company. 

The company did not immediately respond to a request for comment on Grassley’s remarks.

The hearing featuring Twitter whistleblower Peiter “Mudge” Zatko has kicked off.

Zatko appeared before lawmakers Tuesday in a dark gray windowpane suit and light blue tie. He walked in holding a wooden cane — which has flames on it — and he sat before the committee at a low table in the center of the massive Hart Senate office hearing room, which had been changed from its initial location to accommodate a larger audience.

It’s his first public appearance since his bombshell allegations against Twitter were reported last month by CNN and The Washington Post. He previously alleged Twitter has undisclosed security and privacy vulnerabilities.

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower’s testimony.

With his decision to go public with his concerns, Peiter “Mudge” Zatko could find himself at the center of renewed regulatory scrutiny of Twitter, as happened when Frances Haugen blew the whistle on Facebook.

Before joining Twitter, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet.

Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to then-CEO Jack Dorsey, according to the disclosure.

Some who’ve worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he’s done for much of his career working with the public and private sector. The decision to blow the whistle, they say, is in keeping with that approach.

His career has shown that “there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have,” said Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s. 

Read the full story.

In his disclosure, Zatko levels a barrage of devastating allegations that US lawmakers say are extremely concerning.

Zatko claims Twitter is full of critical security flaws; may not be deleting the data of users who leave the platform as it is required to do; has misled the public about its spam account problem; may currently have foreign intelligence agents on the payroll; and that it hasn’t lived up to years of legal obligations stemming from an earlier privacy settlement with the Federal Trade Commission, which could lead to further liability.

Twitter has criticized Zatko and broadly defended itself against the allegations, saying the disclosure paints a “false narrative” of the company.

Read our full report on the takeaways.

In response to Zatko’s whistleblower disclosure, Twitter has said that security and privacy are both longtime priorities for the company.

The company says Zatko was fired in January for “ineffective leadership and poor performance,” and that his disclosure paints a “false narrative” of the company and is “riddled with inconsistencies and inaccuracies and lacks important context.” (Zatko contends his firing came after he raised concerns internally about security vulnerabilities and misrepresentations by executives to the company’s board.)

In an internal meeting shortly after Zakto’s disclosure was first reported, Twitter executives defended the company and themselves to employees.

The company did not respond to a request for comment ahead of Tuesday’s hearing.

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower’s testimony.

In a letter addressed to CEO Parag Agrawal, leading members of the Senate Judiciary Committee questioned Twitter about the steps the company takes to secure personal data on its platform; how it protects against insider threats and foreign intelligence operatives; and allegations it’s intentionally misled regulators about Twitter’s privacy protections for users, claims that could lead to billions of dollars in fines for Twitter if they are proven. 

The committee also invited Agrawal to testify alongside the whistleblower, Peiter “Mudge” Zatko, according to a copy of the letter obtained by CNN. But a committee aide told CNN on Monday evening that the official witness list for Tuesday’s hearing remains unchanged and that Zatko continues to be the sole witness, an indication that Twitter has declined the invitation. 

Twitter didn’t immediately respond to a request for comment.

On the same day that Peiter Zatko will be on Capitol Hill to testify about his experience at Twitter, the company’s shareholders will convene virtually to vote on whether to approve the $44 billion acquisition by Elon Musk.

The shareholder vote is one of the final steps needed to close the deal, which Musk is now fighting to get out of in court.

Twitter’s board has unanimously recommended that shareholders vote in favor of the deal.

Read more here.

Peiter Zatko’s whistleblower disclosure makes a number of allegations that could raise questions about the company’s ability to handle election-related threats ahead of the US midterms.

His disclosure accuses the company of having a reactive approach to misinformation and platform manipulation; a disconnect between product and safety teams; content moderation shortcomings; and a lack of controls to prevent foreign interference.

Members of the US House Committee on Homeland Security last month sent Twitter CEO Parag Agrawal a letter demanding that he address Zatko’s allegations and explain Twitter’s readiness for the 2022 midterms.

“Twitter plays a unique role in our information and political ecosystems. Security flaws that put users’ sensitive personal data within easy reach of a hacker looking to take control of a high-profile account or a foreign dictator looking for information on dissidents are nothing short of a threat to national security,” Rep. Bennie Thompson and Rep. Yvette Clark, chairs of the Committee on Homeland Security and the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation, respectively, said in the letter.

For its part, Twitter earlier this month said it had activated its policies for safeguarding its platform ahead of the upcoming US midterm elections, plans that include labeling and reducing the spread of misinformation. The company also pushes reliable information to users, including localized election information; labels candidates for US House, US Senate and governor; trains state and local election officials about how to use the platform; and says it enforces its rules at scale, such as those prohibiting harassment, spam and manipulated media.

A company spokesperson said Twitter has “a cross-functional team around the globe that’s focused on curbing the spread of misinformation and fostering an environment conducive to healthy, meaningful conversation on Twitter.”

Read the full story.

Zatko could disclose more today than what’s been disclosed so far in his official filings. Under questioning from lawmakers, Zatko could be asked to reveal new details of meetings he may have had, or other recollections from his time as Twitter’s head of security, that may serve as further evidence of his claims.

To the extent Zatko may be under legal restrictions preventing him from discussing his time at Twitter, those limitations wouldn’t apply to whistleblower testimony to lawmakers and the rest of the US government, according to Whistleblower Aid, the organization providing Zatko’s legal representation.

That’s part of why Tuesday’s hearing carries such high stakes: It may be one of the few venues where the public may see Zatko speaking freely.

Lawmakers won’t be the only ones interested in what Peiter Zatko has to say during Tuesday’s hearing. Zatko’s testimony — and any resulting action taken by lawmakers and regulators — could also have implications for the legal battle over Elon Musk’s effort to walk away from the $44 billion deal he struck to buy the company.

Zatko alleges that Twitter has misled Musk and the public about the number of bots on its platform — an issue that Musk has made central to his effort to exit the deal. The other allegations in his disclosure, such as his claim that Twitter violated a 2011 FTC consent decree over its handling of private user data, also introduce new wild cards to the legal battle.

Musk on Friday filed updated his counterclaims against Twitter, after the judge overseeing the case said he could amend his argument based on Zatko’s disclosure. Also on Friday, Musk sent a third letter seeking to terminate the Twitter deal, citing a purported $7.75 million severance payment the company made to Zatko in June, prior to his disclosure. Twitter hit back in a Monday response calling Musk’s letter “invalid and wrongful.”

Zatko’s lawyers have previously said he has no connection to Musk and his disclosure was not motivated by the fight over the deal.

Twitter and Musk are set to go to trial over the dispute in October.