Twitter whistleblower to Congress: Your data is also at risk

When he joined the company in late 2020, he said, it was “more than a decade behind industry safety standards”. He said yes when Sen. John Kennedy (R-La.) asked if it’s true that “all the engineers and half the employees at Twitter” have access to people’s accounts. Zatko added that he’s seen posts on underground forums offering to sell “access to accounts, delete accounts, unblock accounts,” though he doesn’t know if they’re genuine.

“It doesn’t matter who has the keys if you don’t have locks on the doors,” he said, referring to what he described as Twitter’s lack of strict controls over employee access to user data.

The charges are disturbing, Senate Judiciary Committee Chairman Dick Durbin (D-Ill.) said.

“The bottom line is this: Twitter is an extremely powerful platform that cannot afford gaping security vulnerabilities,” Durbin said in his opening statement.

Twitter denied Zatko’s claims, saying they are “riddled with inconsistencies and inaccuracies.” But the company’s security practices have been under scrutiny since July 2020, when a massive cyberattack allowed hackers to send fake tweets promoting a bitcoin scam from the accounts of famous users such as former President Barack Obama, then-presidential candidate Joe Biden and rapper Kanye West.

Jack Dorsey, then CEO of Twitter, hired Zatko months after the incident, beginning a brief tenure that ended when the company fired Zatko earlier this year.

Committee Ranking Member Chuck Grassley (R-Iowa) had some barbs for current CEO Parag Agrawal, who had declined an invitation to testify alongside Zatko. Agrawal cited possible complications for the company’s ongoing lawsuit against Elon Musk, committee leaders said Monday.

“Put simply, the whistleblower disclosures paint a disturbing picture of a company that is solely focused on profit at all costs, including at the expense of the safety and security of its users,” Grassley said in his opening statement. He added: “If these allegations are true, I don’t see how Mr. Agrawal can maintain his position on Twitter.”

Twitter declined to comment on the committee’s outreach to Agrawal.

Tuesday’s hearing marks an intensification of congressional pressure on tech companies to take more responsibility for security breaches. The issue is particularly pressing as the midterm elections approach and social media platforms are once again put to the test to combat the kind of misinformation that spread widely during the 2020 presidential race.

But lawmakers’ concerns about Twitter and other social media platforms go far beyond Zatko’s alleged security flaws, said Durbin, who noted a strong partisan divide that has arisen in congressional tech debates.

“I, for one, think Twitter should do a lot more to combat the proliferation of hate speech and conspiracy theories,” Durbin said. “Republicans, on the other hand, claim that Twitter censors their conservative speakers. I urge my colleagues to put aside some of these partisan differences to try to find the common ground we would need to establish safety standards that would be raised today by our whistleblower.”

Committee member Amy Klobuchar (D-Minn.) focused on misinformation on Twitter, saying that false claims being circulated on the social network “resulted in an attack on a member of my family.” She said she spoke to Dorsey about the incident, “and nothing ever changed.”

“Those are the kinds of things that happen to people in this building because of the misinformation that’s rampant on social media,” she said.

Zatko’s complaints were also admitted as evidence in Twitter’s legal battle with Musk, the former suitor who repudiated his earlier deal to buy the company for $44 billion. Twitter shareholders are widely expected to vote in favor of the sale to Musk on Tuesday, even as Musk tries to walk away from the deal.

Zatko alleged in a whistleblower complaint first reported by The Washington Post and CNN that Twitter executives lied about cyber vulnerabilities and data security. These included accusations that Twitter does not always delete data from deactivated accounts and that it has failed to clean the platform of automated bot accounts known to spread propaganda and harm the experience of users on the site.

Among his most alarming accusations was that the Indian government pressured Twitter to hire at least one of the country’s government agents.

India’s example points to a greater danger of foreign governments or spy agencies finding ways to plant employees on the social media platform, given Twitter’s lack of internal safeguards, Zatko said on Tuesday.

If such an entity were to “place someone on Twitter, as we know, it would be very difficult for Twitter to find them,” he said in response to a question from Sen. Tom Cotton (R-Ark.). “They would probably be able to stay there for a long time and get a significant amount of information to provide, if they target people or information about Twitter decisions and discussions and the direction of the company.”

Zatko also testified that Twitter had committed multiple violations of a 2011 privacy and security consent decree with the Federal Trade Commission. He added that big tech companies fear the FTC and other U.S. regulators much less than regulatory agencies in Europe, which have the legal power to impose stiff and repeated fines for privacy violations.

“The FTC is a bit over their heads,” he said. “They let companies mark their own assignments.”

The hearing took place a day before current and former Twitter officials are scheduled to appear before the Senate Homeland Security and Governmental Affairs Committee in a separate hearing on “the homeland security impact of social media.” Twitter’s consumer product manager Jay Sullivan will appear alongside product managers from Meta, YouTube and TikTok.

Tuesday’s hearing also came after Twitter’s data center in Sacramento crashed due to extreme heat last week, putting the social media platform in a ‘non-redundant state’, according to an internal memo reported by CNN. The shortage of redundant or additional backup data centers was another concern raised by Zatko in the whistleblower complaint.

Agrawal fired Zatko in January, after which Zatko filed whistleblower papers in July with the Judiciary Committee and several other committees, as well as with the Department of Justice, the Federal Trade Commission and the Securities and Exchange Commission.

Twitter said it fired Zatko due to “ineffective leadership and poor performance.” The company then paid him $7 million as part of a settlement in June that included a nondisclosure agreement, The Wall Street Journal reported last week.

Zatko’s complaint also raised concerns that Twitter executives don’t receive incentives to “detect” or accurately report spambots. This overlaps with accusations from Musk, who claimed that Twitter underestimated its spam bot problem as a reason to drop its offer to buy the company.

Zatko is highly respected within the hacker, security research and U.S. intelligence communities, having previously worked at the Department of Defense and at other tech companies before Twitter, said John Tye, his attorney at the non-profit legal group Whistleblower Aid.

“He wants to see this platform and other platforms be all they can be to play a positive role in the public conversation in this country and other countries around the world and have a positive influence on people, elections and human rights,” Tye said in an interview.

Maggie Miller contributed to this report.