Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022, in Washington, DC. Kevin Dietsch/Getty Images
In a congressional hearing, new details emerged on how thousands of Twitter employees can allegedly access users’ information.
Twitter has serious issues, according to new testimony from the company’s former security chief, Peiter “Mudge” Zatko, who emerged as a whistleblower in August. Its central issue: The sensitive personal information of its 400 million users is at risk, he says.
During a bipartisan hearing before the US Senate Judiciary Committee on Tuesday, Zatko shared new details about his earlier allegation that some 50 percent of Twitter’s over 7,000 employees could potentially access any user’s personal information, including their address, phone numbers, and even their current physical location. Although Twitter has policies against employees improperly accessing data, Zatko’s claim is that there isn’t enough technically stopping them from doing so. If true, that presents a serious security concern to Twitter’s over 400 million users — including high-profile world leaders, journalists, and activists.
“I’m here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own board of directors,” said Zatko, who headed Twitter’s security department from November 2020 to January 2022. “The company’s cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.”
Zatko expanded on several other damning allegations about Twitter’s security flaws in his testimony, which comes weeks after the whistleblower complaint he filed with the SEC was made public.
Twitter did not respond to a request for comment following the hearing, but the company has previously described Zatko as a disgruntled former employee who is promoting a “false narrative that is riddled with inconsistencies and inaccuracies” about the company after being fired for “ineffective leadership and poor performance.” In June, the company agreed to pay roughly $7 million in a settlement with Zatko, days prior to him making whistleblower disclosures.
According to Zatko, Twitter’s weak technical infrastructure exposes its users’ personal information. In many tech companies, engineers work in a test environment, where there is no real user data and where engineers are free to experiment with new features and changes. But at Twitter, Zatko said, the company allows all of its engineers to access its “production environment,” or the actual product, giving them access to real user data.
“This is an oddity; this is an exception to the norm. Most companies will have a place where you test your software,” said Zatko, whose concern is that anybody with access to Twitter’s production environment — which he estimates is half the company — “could go rooting through” to find people’s personal information and “use it for their own purposes.”
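The point Zatko is making is about environment separation: a test environment holds synthetic data that any engineer may use, while real user records in production should be reachable only through a gated path that leaves a trail. The following Python sketch is an added illustration of that control, not code from the hearing, from Zatko, or from Twitter; the engineer names, ticket ids, record contents and the 30-minute grant window are all constructed for the example.

```python
"""
Environment-scoped access to user records: test data is open, production
data needs a short-lived, ticket-backed grant, and every decision is
logged so a detection rule can read it back. All data is constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed sample databases with the same schema in two environments.
# The test environment holds synthetic records; production holds real ones.
TEST_DB = {"u1": {"handle": "alice_test", "phone": "+1-555-0100", "city": "Nowhere"}}
PROD_DB = {"u1": {"handle": "alice", "phone": "+1-555-0199", "city": "Springfield"},
           "u2": {"handle": "bob", "phone": "+1-555-0198", "city": "Shelbyville"}}


@dataclass
class Grant:
    engineer: str
    ticket: str          # incident or support ticket that justifies the access
    expires: datetime    # grants are time-boxed, not standing privileges
    scope: frozenset     # the specific user ids the grant covers


@dataclass
class AccessBroker:
    grants: list = field(default_factory=list)
    audit: list = field(default_factory=list)   # append-only decision log

    def issue_grant(self, engineer, ticket, user_ids, minutes=30, now=None):
        now = now or datetime.now(timezone.utc)
        g = Grant(engineer, ticket, now + timedelta(minutes=minutes), frozenset(user_ids))
        self.grants.append(g)
        self.audit.append(("grant", engineer, ticket, sorted(user_ids), now))
        return g

    def lookup(self, engineer, env, user_id, now=None):
        """Return a record; production reads require a live, in-scope grant."""
        now = now or datetime.now(timezone.utc)
        if env == "test":
            # Synthetic data: free to use, but still logged for completeness.
            self.audit.append(("read", engineer, env, user_id, "allow", now))
            return TEST_DB.get(user_id)
        ok = any(g.engineer == engineer and user_id in g.scope and g.expires > now
                 for g in self.grants)
        self.audit.append(("read", engineer, env, user_id, "allow" if ok else "deny", now))
        if not ok:
            raise PermissionError(f"{engineer}: no active grant for {user_id} in {env}")
        return PROD_DB.get(user_id)


def excessive_readers(audit, threshold):
    """Flag engineers whose allowed production reads touch more distinct
    users than `threshold`; a simple volume rule over the audit log."""
    seen = {}
    for ev in audit:
        if ev[0] == "read" and ev[2] == "prod" and ev[4] == "allow":
            seen.setdefault(ev[1], set()).add(ev[3])
    return sorted(eng for eng, users in seen.items() if len(users) > threshold)


def run_demo():
    """Walk through the cases a reviewer would want to see and return them."""
    broker = AccessBroker()
    t0 = datetime(2022, 9, 13, 12, 0, tzinfo=timezone.utc)   # constructed clock
    out = {}

    def attempt(engineer, user_id, now):
        try:
            broker.lookup(engineer, "prod", user_id, now=now)
            return "allowed"
        except PermissionError:
            return "denied"

    out["test_read"] = broker.lookup("eve", "test", "u1", now=t0)["handle"]
    out["ungranted"] = attempt("eve", "u1", t0)            # no grant yet
    broker.issue_grant("eve", "INC-1234", ["u1"], now=t0)  # constructed ticket id
    out["granted"] = broker.lookup("eve", "prod", "u1", now=t0)["handle"]
    out["out_of_scope"] = attempt("eve", "u2", t0)         # grant covers u1 only
    out["expired"] = attempt("eve", "u1", t0 + timedelta(minutes=31))

    # A second engineer with a wider grant reads two records; the volume
    # rule with threshold=1 surfaces that, while eve's single read does not.
    broker.issue_grant("dan", "INC-1235", ["u1", "u2"], now=t0)
    broker.lookup("dan", "prod", "u1", now=t0)
    broker.lookup("dan", "prod", "u2", now=t0)
    out["flagged"] = excessive_readers(broker.audit, threshold=1)
    return out


if __name__ == "__main__":
    print(run_demo())
```

The design choice worth noting is that the production path never consults a static role: every read is tied to a ticket, a record set and an expiry, and the audit list is the same data the detection function consumes, so the control and the monitoring share one source of truth.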
The question of employee access to user data is just one example in Zatko’s portrait of a company that he says “run[s] from fire to fire” rather than address longstanding technical vulnerabilities that expose its users to risk.
“It’s a culture where they don’t prioritize. They’re only able to focus on one crisis at a time,” said Zatko. “And that crisis isn’t completed. It’s simply replaced with another crisis.”
Twitter’s most immediate crisis at the moment is the uncertainty about who will end up owning the company. In April, Elon Musk offered to buy Twitter for $44 billion, only to back out of his offer shortly after.
Musk has claimed that Twitter executives didn’t respond to his requests for information about spam bots and other issues with the platform, which he argues makes his offer to buy the company obsolete. Twitter is suing Musk in an attempt to force him to go through with the deal. Now, Zatko’s claims could be convenient fodder for Musk to get out of the Twitter deal, supporting his claim that the company didn’t disclose the full extent of its problems. Musk has subpoenaed Zatko as part of his legal defense against Twitter.
But regardless of Zatko’s motives or how Musk’s legal team could use his testimony to their advantage, if what the former employee is saying is true, it reveals a potentially serious breach of duty by Twitter to nearly half a billion users.
In Wednesday’s hearing, Zatko also shared more details about foreign agents who had allegedly infiltrated Twitter’s staff in order to potentially collect private information about users or gain insight into Twitter’s operations. Zatko shared that “at least” one foreign agent from China was suspected to be working at the company, which raises serious national security concerns. Twitter had previously come under fire for hiring two employees who allegedly spied on local dissidents on behalf of the Saudi Arabian government; one of those employees was convicted on spying charges in a US federal court in August. Zatko had also written in his complaint that Twitter was pressured to put an Indian foreign agent on its payroll to placate the government there.
Zatko said that at one point, when he alerted a senior executive about another suspected foreign agent working for the company, they replied, “Well, since we already have one, that’s better if we have more. Let’s keep growing the office.”
Senators on both sides of the aisle were widely supportive of Zatko, whom, like Facebook whistleblower Frances Haugen, they described as fulfilling a patriotic duty in revealing the truth about how influential tech corporations are run. Senators still showed their partisan divides in which issues they raised about Twitter, with some Democrats criticizing Twitter’s handling of misinformation and Republicans questioning whether the company censors conservative speech.
Still, overall, the hearing stayed relatively focused on the security issues at hand.
“Based on your disclosures, it seems to me that the Twitter CEO is more concerned with increasing influence and profits from foreign countries than with protecting user data from foreign spies or hackers,” said Sen. Mike Lee (R-UT) at Tuesday’s hearing.
Sen. Chuck Grassley (R-IA), who opened the hearing along with Sen. Dick Durbin (D-IL), shared his disappointment that Twitter CEO Parag Agrawal declined an invitation to speak at the hearing over concerns that it could jeopardize the company’s ongoing lawsuit with Elon Musk.
“If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter going forward,” said Sen. Grassley.
Sen. Amy Klobuchar (D-MN), who is trying to pass antitrust legislation targeting tech companies, said during Tuesday’s hearing that Congress has had dozens of hearings about Big Tech regulation in the past several years but still hasn’t passed a single bill on the matter. Klobuchar and other senators have also called for more funding for the Federal Trade Commission, to better enable it to enforce penalties against Twitter and other tech companies. But that hasn’t happened either.
Regardless of whether or not Congress takes further action, Twitter’s issues will continue to play out in the Twitter versus Elon Musk lawsuit trial, which is set to begin next month in the Delaware Court of Chancery.