A former security chief at Twitter, who released a whistleblower report on the company, told lawmakers on Tuesday that the platform has serious security and privacy flaws that the leadership has refused to fix.
Peiter “Mudge” Zatko, a cybersecurity expert who served as a Twitter executive from November 2020 until his resignation in January 2022, testified before the Senate Judiciary Committee about the whistleblower complaint he filed with Congress, the Department of Justice, the Federal Trade Commission and the Securities and Exchange Commission.
“[I] am here today because I believe that Twitter’s insecure handling of its users’ data and its inability or unwillingness to truthfully present issues to its board of directors and regulators have created a real risk for tens of millions of Americans, the American democratic process and national security,” Zatko said in his opening statement.
“In addition, I believe that Twitter’s willingness to intentionally mislead regulators violates Twitter’s legal obligations and cannot be ethically tolerated.”
The cybersecurity expert said he found that Twitter cannot protect its data because the company doesn’t know “what data it has, where it lives and where it comes from”. Employees – especially engineers, who make up half of the full-time workforce – have too much access to data. This means that every employee has access to a lot of sensitive information about a Twitter user, including their geolocation and data needed to access their device directly.
“It doesn’t matter who has the keys if you don’t have locks on the doors,” he said.
Twitter founder Jack Dorsey recruited Zatko to the company after the platform was infamously hacked by teenagers who took over several high-profile accounts as part of an effort to scam Twitter users out of Bitcoin. After joining, Zatko said he discovered that Twitter had a decade of overdue security vulnerabilities and, as a result, repeatedly disclosed the flaws “to the highest levels of” the company. When his warnings were ignored, he took the revelations to government agencies and regulators.
“Twitter leadership misleads the public, lawmakers, regulators and even its own board of directors,” Zatko said, adding that leaders ignored the company’s engineers because “their executive incentives led them to prioritize profit over safety.”
The cybersecurity expert’s testimony was similar to that of Facebook whistleblower Frances Haugen, who spoke to lawmakers last year about concerns about the platform favoring profit over security. While Haugen has supported her claims with internal documents, Zatko has not yet provided documentary support.
Twitter called the former security chief’s allegations “a false story” that is “riddled with inconsistencies and inaccuracies and lacks important context”. Sen. Chuck Grassley (R-Iowa), the ranking committee member, said on Tuesday that Twitter CEO Parag Agrawal declined to testify at the hearing, citing pending legal proceedings with Tesla billionaire Elon Musk.
Twitter sued Musk after he tried to pull out of his $44 billion deal to acquire the platform. Grassley said the Senate hearing is “more important than Twitter’s civil lawsuits in Delaware.”