Twitter’s former security chief told the United States Congress that the social media platform is plagued by weak cyber defenses that leave it vulnerable to exploitation by “teenagers, thieves and spies” and endanger the privacy of its users.
“I’m here today because Twitter’s management is misleading the public, lawmakers, regulators, and even its own board of directors,” Peiter “Mudge” Zatko, a respected cybersecurity expert, told the Senate Judiciary Committee on Tuesday.
“They don’t know what data they have, where it is and where it comes from and so, unsurprisingly, they can’t protect it,” Zatko added. “It doesn’t matter who has the keys if there are no locks.”
His message echoed one brought to Congress against another social media giant last year, but unlike that Facebook whistleblower, Frances Haugen, Zatko did not bring a treasure trove of internal documents to back up his claims.
His testimony comes as U.S. lawmakers try to crack down on disinformation campaigns that risk skewing elections and public health campaigns.
Zatko was the influential platform’s chief security officer until he was sacked earlier this year.
The 51-year-old first rose to prominence in the 1990s as a pioneer of the ethical hacking movement and went on to hold senior positions in an elite Department of Defense research unit and at Google. He joined Twitter in late 2020 at the request of then-CEO Jack Dorsey.
He filed a whistleblower complaint in July with Congress, the US Department of Justice, the Federal Trade Commission (FTC) and the Securities and Exchange Commission.
Among its most serious charges is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had stricter measures in place to protect the security and privacy of its users.
US Senator Dick Durbin, a Democrat from Illinois who heads the Judiciary Committee, said Zatko had detailed flaws “that could pose a direct threat to the hundreds of millions of Twitter users as well as to American democracy.”
“Twitter is an extremely powerful platform and cannot afford gaping vulnerabilities,” he said.
Unbeknownst to Twitter users, there’s a lot more personal information being leaked than they — or sometimes even Twitter itself — realize, Zatko said. He said the “basic system failures” reported by the company’s engineers had not been resolved.
The FTC has been “a bit over its head,” and far behind its European counterparts, in monitoring the type of privacy breaches that have occurred on Twitter, Zatko also said.
Many of Zatko’s claims are unsubstantiated and appear to have little documentary evidence.
Twitter called Zatko’s description of the events a “false narrative… riddled with inconsistencies and inaccuracies” and lacking significant context.
Zatko also accused the company of deception in its handling of automated “spam bots” or fake accounts.
This allegation is at the heart of billionaire tycoon Elon Musk’s bid to pull out of his $44 billion deal to buy Twitter. Musk and Twitter are locked in a bitter legal battle, with Twitter suing Musk to force him into the deal.
The Delaware judge handling the case ruled last week that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial, which is scheduled to begin Oct. 17.
Sen. Charles Grassley, the committee’s ranking Republican, said Tuesday that Twitter CEO Parag Agrawal refused to testify at the hearing, citing ongoing legal proceedings with Musk.
But the hearing is “bigger than Twitter’s civil litigation in Delaware,” Grassley said. Twitter declined to comment on Grassley’s remarks.
In his complaint, Zatko accused Agrawal and other senior executives and board members of numerous violations, including “false and misleading statements to users and the FTC regarding the security, privacy, and integrity of the Twitter platform”.
Twitter said Zatko was fired for “ineffective leadership and poor performance,” and that his allegations appeared designed to harm the company.
India and China connections
Among Zatko’s claims that caught the attention of US lawmakers on Tuesday was that Twitter knowingly allowed the Indian government to place its agents on the company’s payroll, where they had access to highly sensitive user data.
Twitter’s lack of ability to log how employees accessed user accounts made it difficult for the company to detect when employees were abusing their access, Zatko said.
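As an added illustration of the logging gap described above (example code written for this page, not Twitter’s own tooling): the minimum a platform needs in order to detect insider abuse is a per-event record of which employee touched which user account, for what action, and under which support ticket, plus a review pass over those records. The log format, employee names, accounts, risk tiers and thresholds below are all constructed.

```python
# Added example, not code from the article or from Twitter: a minimal audit
# trail for employee access to user accounts plus a detection pass over it.
# Every log line, employee name, account name and threshold here is constructed.
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Assumed risk tiers: actions that expose private content or bulk data.
HIGH_RISK_ACTIONS = frozenset({"read_dm", "export_profile"})


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    employee: str
    target: str            # user account that was accessed
    action: str
    ticket: Optional[str]  # support ticket that justifies the access, if any


def parse_event(line: str) -> AccessEvent:
    """Parse one line of the constructed format: ts|employee|target|action|ticket."""
    ts, employee, target, action, ticket = line.strip().split("|")
    return AccessEvent(datetime.fromisoformat(ts), employee, target, action, ticket or None)


def detect(events: Iterable[AccessEvent], max_accounts_per_hour: int = 20) -> Dict[str, List[str]]:
    """Return {employee: [reasons]} for access patterns that merit human review.

    Three checks: access with no documented ticket, high-risk actions, and more
    distinct accounts touched within any 60-minute window than the threshold.
    """
    by_employee: Dict[str, List[AccessEvent]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_employee[ev.employee].append(ev)

    findings: Dict[str, List[str]] = defaultdict(list)
    for emp, evs in by_employee.items():
        for ev in evs:
            if ev.ticket is None:
                findings[emp].append(f"no ticket: {ev.action} on {ev.target} at {ev.ts.isoformat()}")
            if ev.action in HIGH_RISK_ACTIONS:
                findings[emp].append(f"high-risk action: {ev.action} on {ev.target}")
        # Sliding one-hour window over this employee's time-sorted events.
        window: List[AccessEvent] = []
        for ev in evs:
            window.append(ev)
            while ev.ts - window[0].ts > timedelta(hours=1):
                window.pop(0)
            distinct = {w.target for w in window}
            if len(distinct) > max_accounts_per_hour:
                findings[emp].append(
                    f"volume: {len(distinct)} distinct accounts in the hour ending {ev.ts.isoformat()}")
                break  # one volume finding per employee is enough for triage
    return dict(findings)


def audit_findings(lines: Iterable[str], max_accounts_per_hour: int = 20) -> Dict[str, List[str]]:
    """Parse raw log lines and run the detection pass."""
    return detect((parse_event(line) for line in lines), max_accounts_per_hour)


# Constructed sample log: a normal support lookup, an unjustified DM read,
# and one employee enumerating 25 accounts in 50 minutes under a single ticket.
SAMPLE_LOG = [
    "2022-09-13T10:00:00|alice|@user123|view_profile|T-1001",
    "2022-09-13T10:05:00|alice|@user123|reset_password|T-1001",
    "2022-09-13T11:20:00|bob|@journalist|read_dm|",
    "2022-09-13T11:21:00|bob|@journalist|export_profile|",
] + [
    f"2022-09-13T14:{minute:02d}:00|carol|@acct{minute:03d}|view_profile|T-2002"
    for minute in range(0, 50, 2)
]

if __name__ == "__main__":
    for emp, reasons in audit_findings(SAMPLE_LOG).items():
        print(emp)
        for reason in reasons:
            print("  -", reason)
```

Each record ties an access to a named employee and a ticket, which is exactly the linkage the testimony says was missing; the detection pass is deliberately simple (no ticket, sensitive action, unusual volume) so that it can be tuned per team without a model in the loop.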
India has not commented on this assertion.
The whistleblower had also noted that the US Federal Bureau of Investigation had informed Twitter of at least one Chinese agent at the company, Sen. Grassley said in his opening statement.
Zatko said on Tuesday that in the week before he was fired, he learned that an agent with China’s Ministry of State Security, or MSS, an agency comparable to the United States’ Central Intelligence Agency, was on Twitter’s payroll.
It was not immediately clear whether the alleged Chinese agent was still working at the company.