A former security chief at Twitter, who released a whistleblower report about the company, told lawmakers on Tuesday that the platform has serious security and privacy failures that leadership has refused to fix.
Peiter “Mudge” Zatko, a cybersecurity expert who served as a Twitter executive from November 2020 until he was fired in January 2022, testified before the Senate Judiciary Committee about the whistleblower complaint he filed with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission.
“[I] am here today because I believe that Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process and America’s national security,” Zatko said in his opening statement.
“Further, I believe that Twitter’s willingness to purposely mislead regulatory agencies violates Twitter’s legal obligations and cannot be ethically condoned.”
The cybersecurity expert said that he found that Twitter cannot protect its data because the company does not know “what data it has, where it lives and where it came from.” Employees – particularly engineers, who make up half the full-time workforce – have too much access to data. This means any employee can reach a large amount of sensitive information about a Twitter user, including their geolocation and data that could be used to directly access their device.
“It doesn’t matter who has the keys if you don’t have any locks on the doors,” he said.
Twitter founder Jack Dorsey recruited Zatko to the company after the platform was infamously hacked by teenagers who took over several high-profile accounts as part of an effort to scam Twitter users out of Bitcoin. After joining, Zatko said he discovered that Twitter had a decade of overdue security issues and repeatedly disclosed the failures “to the highest levels of” the company. When his warnings were ignored, he submitted the disclosures to government agencies and regulators.
“Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko said, adding that leaders ignored the company’s engineers because “their executive incentives led them to prioritize profits over security.”
The cybersecurity expert’s testimony was similar to that of Facebook whistleblower Frances Haugen, who told lawmakers last year that the platform chose profit over safety. While Haugen backed up her claims with internal documents, Zatko has not yet provided documentary support.
Twitter has called the former executive’s allegations “a false narrative” that is “riddled with inconsistencies and inaccuracies and lacks important context.” Sen. Chuck Grassley (R-Iowa), the committee’s ranking member, said Tuesday that Twitter CEO Parag Agrawal declined to testify at the hearing, citing ongoing legal proceedings with Tesla billionaire Elon Musk.
Twitter sued Musk after he attempted to back out of his $44 billion deal to acquire the platform, claiming the company had underreported fake accounts – an accusation Zatko has also made against Twitter. Grassley said the Senate hearing is “more important than Twitter’s civil litigation in Delaware.”