Twitter’s former head of security, Peiter “Mudge” Zatko, will appear before lawmakers in Washington on Tuesday. He is expected to give damning evidence about data and information security failures at the social media platform, after outlining a number of concerns in a whistleblower complaint last month.
The former hacker, widely respected in his field as an information security specialist, joined Twitter on November 16, 2020 and was fired on January 19, 2022. His complaint, which alleges incompetence and fraud at Twitter, says he found “extreme, egregious deficiencies by Twitter in every area of its mandate,” including lax controls over employee access to user data and interference by foreign governments.
The Senate Judiciary Committee hearing is not directly for the benefit of Elon Musk, who is trying to back out of a $44bn (£38bn) deal to buy Twitter and has been given permission to add Zatko’s revelations to his reasons for walking away. Musk’s lawyers deposed Zatko on September 9. But the more immediate impact of Zatko’s actions is likely to come at a trial in Delaware beginning on October 17, where Twitter is trying to force Musk to buy the company on the terms he agreed to in April.
Here are some questions that Zatko may face on Tuesday.
What is the extent of Twitter’s information security problems?
This is a broad question that lawmakers are likely to break down into several parts, given the amount of detail in the allegations contained in Zatko’s complaint.
He is likely to be questioned about several allegations, including that Twitter misused users’ email addresses and phone numbers, that more than 50% of its 500,000 data center servers are running software that is outdated or has other known security problems, and that employees were found to be installing spyware on their work computers at the request of outside organizations.
How important is foreign state interference on Twitter?
Zatko’s complaint says he was aware of “numerous episodes” of Twitter being infiltrated by foreign intelligence agencies or complicit in threats to democracies. Among the examples given: the Indian government forced Twitter to hire government agents who had access to user data, and executives allowed the platform to become dependent on revenue from Chinese “entities” who could then gain access to information about users in China who had bypassed a block on the service. The complaint adds that Twitter received “specific information from a US government source that one or more specific employees of the company were working on behalf of another specific foreign intelligence agency.”
Lawmakers will want to know whether the platform’s product, which plays a highly influential role in politics and media in many countries, could be manipulated as a result.
How important is the Twitter bot problem?
In a section of the complaint titled “bot lies against Elon Musk,” Zatko questions Twitter’s approach to bots, essentially arguing that the company doesn’t have a handle on the problem. Lawmakers are expected to ask Zatko what the true scale of the problem is and how it should be addressed.
Musk cited the proliferation of bot accounts on Twitter — accounts that are not operated by humans and are designed to disrupt and manipulate the user experience — as a key reason for walking away from the deal.
In his complaint, Zatko says Parag Agrawal, Twitter’s chief executive, lied when he tweeted that Twitter executives were “motivated to detect and remove as much spam as we can.”
Tesla’s CEO claims Twitter intentionally misrepresented the number of bots on the platform. The company has repeatedly said that bots account for less than 5% of its monetizable daily active users (mDAU – accounts that can see ads and are therefore commercially valuable to the company).
Zatko says there are many millions of active accounts that are not counted as mDAUs but are still part of the average user’s experience on the platform, degrading its quality. This doesn’t quite square with Musk’s argument, which is that Twitter deliberately understates the number of bots among its mDAUs: on Zatko’s account, Twitter excludes these accounts from its mDAU total but never fully removes them either.
However, Zatko’s documents claim that management had no appetite to measure bot accounts properly because they were concerned that “if the exact measurements were ever made public, it would damage the company’s image and reputation.” That could at least be material to a shareholder lawsuit, and, overall, Zatko argues forcefully that Twitter can’t deal with bots because it uses “outdated” software and “inadequate” monitoring teams.
How reliable are you as a witness?
Twitter has responded to Zatko’s allegations, saying he was fired by Agrawal for “ineffective leadership and poor performance.” Referring to his claims, the company added: “What we have seen so far is a false narrative about Twitter and our privacy and data security practices that is filled with inconsistencies and inaccuracies and lacks important context. The claims and the opportunistic timing of Mr. Zatko appear to be designed to attract attention and cause damage to Twitter, its customers and shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
However, Zatko has a considerable pedigree, having made his name as an ethical hacker who helped organizations identify flaws in their systems before going on to work in senior positions at Google, the payments firm Stripe and the US Department of Defense. That long history and a reputation for professional rigor led then-Twitter CEO Jack Dorsey to hire him.
Is there a problem with the top executives at Twitter?
Zatko’s complaint is harsh about management standards at the company. Zatko’s allegations against Agrawal include that the chief executive directed him in December 2021 to provide information security documents to the risk committee of Twitter’s board of directors that Agrawal knew were “false and misleading.” The complaint says Twitter’s security problems had “developed under Agrawal’s watch.” It also raises concerns about the standard of leadership in general, describing Dorsey, who resigned last year, as “extremely disengaged” and noting that he spoke a total of 50 words to Zatko in phone conversations over a 12-month period.
Has Twitter misled investors?
Zatko’s complaint states: “For years, in numerous public statements and SEC filings, Twitter has made material misrepresentations and omissions and engaged in actions and practices that act as fraud on its users and shareholders, regarding security, privacy and integrity.” Twitter disputes this. As for the complaint’s impact on Musk’s acquisition, Brian Quinn, a professor at Boston College Law School, says, “Twitter will likely respond that while they didn’t disclose that a disgruntled employee had filed security complaints against them, they found that data security and privacy issues were risks to the business.”