Twitter whistleblower testifies at Congress about security flaws

Twitter’s former security chief told a Congressional committee on Tuesday that the platform’s weak cyber defenses left it vulnerable to “teenagers, thieves and spies,” putting users’ privacy at risk.

“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Peiter “Mudge” Zatko told the Senate Judiciary Committee.

“They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko, 51, said. “It doesn’t matter who has keys if there are no locks.”

Zatko said the company’s leaders routinely ignored red flags because “their executive incentives led them to prioritize profit over security.”

Peiter “Mudge” Zatko, former head of security at Twitter, is sworn-in as he testifies before the Senate Judiciary Committee on data security at Twitter, on Capitol Hill, September 13, 2022 in Washington, DC. (Kevin Dietsch/)

Zatko was fired by the company earlier this year and filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission, alleging, among other things, that the company violated a 2011 FTC settlement by not actually implementing required security and privacy measures for users.

“Twitter is an immensely powerful platform and can’t afford gaping vulnerabilities,” Sen. Dick Durbin (D-Ill.), the head of the Judiciary Committee, said.

Zatko also alleged that users, and sometimes Twitter itself, do not realize how much personal information the platform collects and exposes. As a result, he said, Twitter could not tell which employees were abusing their access to users’ personal data, and he alleged that the company had hired foreign intelligence workers.

He said the FTC was “a little over its head” and had fallen far behind agencies in Europe that police similar privacy violations.


The testimony resembled that of Facebook whistleblower Frances Haugen, although Haugen backed her claims with internal documents. Zatko’s claims are uncorroborated and have been described by Twitter as “a false narrative ... riddled with inconsistencies and inaccuracies.”

Zatko’s testimony could also affect Elon Musk’s dispute with the company over the $44 billion acquisition he agreed to in April and is now attempting to back out of.

Zatko said the company knowingly allowed fake “spam bots” to run rampant on the site, the issue at the center of Musk’s complaint against the company. Twitter is attempting to legally force Musk to complete the purchase.

The trial, which is set to begin Oct. 17, will likely now include evidence from Zatko’s testimony.

Twitter CEO Parag Agrawal declined to testify because of that upcoming trial, Sen. Charles Grassley (R-Iowa) said. He added that the hearing was “more important than Twitter’s civil litigation in Delaware.”

The company declined to comment on Grassley’s statement, according to the Associated Press.

With News Wire Services