When he joined the company in late 2020, Zatko said, it was “over a decade behind industry security standards.” He said yes when Sen. John Kennedy (R-La.) asked if it’s true that “all the engineers and half the employees at Twitter” have access to people’s accounts. Zatko added that he has seen posts on secret forums offering to sell “access to accounts, to delete accounts, to unlock accounts,” though he didn’t know if they were true.
“It doesn’t matter who has the keys if you don’t have any locks on the doors,” he said, referring to what he described as Twitter’s lack of strict controls on employee access to user data.
The accusations are disturbing, Judiciary Committee Chairman Dick Durbin (D-Ill.) said.
“The bottom line is this: Twitter is an incredibly powerful platform that cannot afford security vulnerabilities,” Durbin said in his opening statement.
Twitter has denied Zatko’s claims, saying they are “riddled with inconsistencies and inaccuracies.” But the company’s security practices have been under scrutiny since July 2020, when a massive cyberattack allowed hackers to send fake tweets promoting a Bitcoin scam from the accounts of famous users such as former president Barack Obama, then-presidential candidate Joe Biden and rapper Kanye West.
Then-Twitter CEO Jack Dorsey hired Zatko months after the incident, beginning a brief tenure that ended when the company fired Zatko earlier this year.
Ranking member of the committee Chuck Grassley (R-Iowa) had some words for current CEO Parag Agrawal, who had declined an invitation to testify alongside Zatko. Agrawal cited potential complications for the company’s ongoing lawsuit against Elon Musk, committee leaders said Monday.
“Simply put, the whistleblower disclosures paint a disturbing picture of a company that is solely focused on profits at any cost, including at the expense of the safety and security of its users,” Grassley said in his opening remarks. He added: “If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.”
Twitter declined to comment on the committee’s outreach to Agrawal.
Tuesday’s hearing marks a step in Congress’ pressure on tech companies to take more responsibility for security flaws. The issue is especially pressing as the midterm elections approach and social media platforms are once again being put to the test to combat the kind of misinformation that spread widely during the 2020 presidential race.
But lawmakers’ concerns about Twitter and other social media platforms extend beyond the security flaws Zatko alleges, said Durbin, who noted a sharp partisan divide that has emerged in congressional technology debates.
“I believe Twitter needs to do a lot more to combat the spread of hate speech and conspiracy theories,” Durbin said. “Republicans, on the other hand, claim that Twitter censors their conservative speakers. I urge my colleagues to put aside some of these partisan differences in an effort to find the common ground we would need to establish safety standards that would be raised today by our whistleblower.”
Committee member Amy Klobuchar (D-Minn.) took aim at misinformation on Twitter, saying false claims broadcast on the social network “resulted in an attack on a member of my family.” She said she told Dorsey about the incident, “and nothing changed.”
“These are the kinds of things that happen to people in this building because of the misinformation that is rampant on social media,” she said.
Zatko’s complaints have also been admitted as evidence in Twitter’s legal battle with Musk, the would-be buyer who reneged on his earlier deal to acquire the company for $44 billion. Twitter shareholders are widely expected to vote in favor of the sale to Musk on Tuesday, even as Musk is trying to get out of the deal.
Zatko alleged in a whistleblower complaint first reported by The Washington Post and CNN that Twitter executives lied about cyber vulnerabilities and data security. These include allegations that Twitter does not always delete data from deactivated accounts and that it has failed to clean up the platform of automated bot accounts known to spread propaganda and harm users’ experience on the site.
Among his most alarming allegations was that the Indian government had pressured Twitter to hire at least one of its agents.
India’s example points to a greater risk of foreign governments or spy agencies finding ways to implant employees on the social media platform, given Twitter’s lack of internal safeguards, Zatko testified Tuesday.
If such an entity were to “put someone on Twitter, as we know has happened, it would be very difficult for Twitter to find them,” he said in response to a question from Sen. Tom Cotton (R-Ark.). “They’re probably going to be able to stay there for a long period of time and gain a significant amount of information to provide if they’re targeting people or information about Twitter’s decisions and discussions and the direction of the company.”
Zatko also testified that Twitter committed multiple violations of a 2011 privacy and security consent decree with the Federal Trade Commission. He added that big tech companies have far less to fear from the FTC and other U.S. regulators than from regulatory agencies in Europe, which have the legal authority to impose stiff and repeated fines for privacy violations.
“The FTC is a little over their heads,” he said. “They’re left to let companies do their homework.”
The hearing came a day before current and former Twitter officials are expected to appear before the Senate Homeland Security and Governmental Affairs Committee as part of a special hearing on “social media’s impact on national security.” Twitter’s head of consumer products, Jay Sullivan, will appear alongside chief product officers from Meta, YouTube and TikTok.
Tuesday’s session also came after Twitter’s Sacramento data center crashed due to extreme heat last week, putting the social media platform in a “non-redundant state,” according to an internal memo reported by CNN. The lack of redundant or additional backup data centers was another concern Zatko raised in the whistleblower complaint.
Agrawal fired Zatko in January, after which Zatko submitted whistleblower documents in July to the Judiciary Committee — along with several other committees — as well as the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission.
Twitter said it fired Zatko because of “ineffective leadership and poor performance.” The company later paid him $7 million as part of a settlement in June that included a nondisclosure agreement, The Wall Street Journal reported last week.
Zatko’s complaint also raised concerns that Twitter executives are not incentivized to “detect” or accurately report spam bots. That aligns with accusations from Musk, who used claims that Twitter is underreporting the spam bot problem as a reason to drop his bid to buy the company.
Zatko is well-respected in the hacker, security researcher and U.S. intelligence communities, having previously worked at the Defense Department and at other tech companies before Twitter, said John Tye, his attorney at the nonprofit legal group Whistleblower Aid.
“He wants to see this platform and other platforms be all they can be to play a positive role in public conversations in this country and in other countries around the world and to play a positive influence on elections and human rights,” Tye said in an interview.
Maggie Miller contributed to this report.