Twitter’s former security chief told Congress Tuesday there was “at least one agent” from China’s intelligence service on Twitter’s payroll and that the company knowingly allowed India to add agents to the company roster as well, potentially giving those nations access to sensitive data about users.
These were some of the troubling revelations from Peiter “Mudge” Zatko, a respected cybersecurity expert and Twitter whistleblower who appeared before the Senate Judiciary Committee to lay out his allegations against the company.
Zatko told lawmakers that the social media platform is plagued by weak cyber defenses that make it vulnerable to exploitation by “ teenagers, thieves and spies” and put the privacy of its users at risk.
“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko said as he began his sworn testimony.
“They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.”
“Twitter leadership ignored its engineers,” he said, in part because “their executive incentives led them to prioritize profit over security.”
In a statement, Twitter said its hiring process is “independent of any foreign influence” and access to data is managed through a host of measures, including background checks, access controls, and monitoring and detection systems and processes.
One issue that didn’t come up in the hearing was the question of whether Twitter is accurately counting its active users, an important metric for its advertisers. Tesla CEO Elon Musk, who is trying to get out of a $44 billion deal to buy Twitter, has argued without evidence that many of Twitter’s roughly 238 million daily users are fake or malicious accounts, aka “spam bots.”
Even so, “that doesn’t mean that Musk won’t use Zatko’s allegation that Twitter was disinterested in removing bots to try to bolster his argument for walking away from the deal,” said Insider Intelligence analyst Jasmine Enberg.
The Delaware judge overseeing the case ruled last week that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial, which is set to start Oct. 17. During the hearing, Musk tweeted a popcorn emoji, often used to suggest that one is sitting back in anticipation of unfolding drama.
Separately on Tuesday, Twitter’s shareholders voted overwhelmingly to approve the deal, according to multiple media reports. Shareholders have been voting remotely on the issue for weeks. The vote was largely a formality, particularly given Musk’s efforts to nullify the deal, although it does clear a legal hurdle to closing the sale.
Zatko’s message echoed one brought to Congress against another social media giant last year. But unlike that Facebook whistleblower, Frances Haugen, Zatko hasn’t brought troves of internal documents to back up his claims.
Zatko was the head of security for the influential platform until he was fired early this year. He filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
Sen. Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said Zatko has detailed flaws “that may pose a direct threat to Twitter’s hundreds of millions of users as well as to American democracy.”
“Twitter is an immensely powerful platform and can’t afford gaping vulnerabilities,” he said.
Unknown to Twitter users, there’s far more of their personal information disclosed than they — or sometimes even Twitter itself — realize, Zatko testified. He said Twitter did not address “basic systemic failures” brought forward by company engineers.
The FTC has been “a little over its head”, and far behind European counterparts, in policing the sort of privacy violations that have occurred at Twitter, Zatko said.
Zatko’s allegation that Twitter was more concerned about foreign regulators than the FTC, Enberg said, “could be a wakeup call for U.S. lawmakers,” who have been unable to pass meaningful regulation on social media companies.
Sen. Lindsey Graham, a Republican from South Carolina, said one positive result that could come out of Zatko’s findings would be bipartisan legislation to set up a tighter system of regulation of tech platforms.
“We need to up our game in this country,” he said.
Many of Zatko’s claims are uncorroborated and appear to have little documentary support. Twitter has called Zatko’s description of events “a false narrative ... riddled with inconsistencies and inaccuracies” and lacking important context.
Still, Zatko came off as a convincing whistleblower who has “a lot of credibility in this space,” said Ari Lightman, professor of digital media and marketing at Carnegie Mellon University. But he said many of the problems he raised can likely be found at many other digital technology platforms
“They avoid security protocols in a sense of innovating and running really fast,” Lightman said. “We gave digital platforms so much autonomy at the beginning to grow and develop. Now we’re at a point where we’re, ‘Wait a minute ... This has gotten out of hand.’
Among the assertions from Zatko that drew lawmaker attention was Twitter’s apparent negligence in dealing with governments that sought to get spies a job inside the company. Twitter’s inability to log how employees accessed user accounts made it hard for the company to detect when employees were abusing their access, Zatko said.
Zatko said he spoke with “high confidence” about a foreign agent that the government of India placed at Twitter to “understand the negotiations” between India’s ruling party and Twitter about new social media restrictions and how well those negotiations were going.
Zatko also revealed Tuesday that he was told about a week before his firing that “at least one agent” from the Chinese intelligence service MSS, or the Ministry of State Security, was “on the payroll” at Twitter.
He said he was similarly “surprised and shocked” by an exchange with current Twitter CEO Parag Agrawal about Russia — in which Twitter’s current CEO, who was chief technology officer at the time, asked if it would be possible to “punt” content moderation and surveillance to the Russian government, since Twitter doesn’t really “have the ability and tools to do things correctly.”
“And since they have elections, doesn’t that make them a democracy?” Zatko recalled Agrawal saying.
Sen. Charles Grassley, the committee’s ranking Republican, said Tuesday that Agrawal declined to testify at the hearing, citing the ongoing legal proceedings with Musk. But the hearing is “more important than Twitter’s civil litigation in Delaware,” Grassley said. Twitter declined to comment on Grassley’s remarks.
In his complaint, Zatko accused Agrawal as well as other senior executives and board members of numerous violations, including making “false and misleading statements to users and the FTC about the Twitter platform’s security, privacy and integrity.”
Zatko, 51, first gained prominence in the 1990s as a pioneer in the ethical hacking movement and later worked in senior positions at an elite Defense Department research unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.