Twitter received a shellacking on Capitol Hill on Tuesday after its ex-security chief Peiter Zatko told a room full of senators that the company is essentially an insecure hot mess infiltrated by more than one foreign government spy.
Convened by the Senate Judiciary Committee, the hearing covered a range of serious allegations against Twitter made by Zatko, who in July sent a 200-page whistleblower complaint to federal agencies and lawmakers. The former employee, who was fired in January, lambasted the Twitter on numerous fronts, claiming that the social media network had longstanding and basic cybersecurity failures that made it vulnerable to exploitation; that executives prioritized profits over security; that Twitter doesn’t know “what data [it] has, where it lives, or where it came from”; and that employees have access to too much user data and too many systems.
Although Twitter CEO Parag Agrawal was invited to attend the hearing to offer the company’s point of view, Republican Sen. Chuck Grassley of Iowa said that Agrawal had declined to attend because it would “jeopardize” the company’s legal fight against Tesla CEO Elon Musk. Musk is trying to get out of his $44 billion deal to acquire Twitter. His legal team has subpoenaed Zatko, who says he will comply.
The refusal didn’t go over well with Grassley—a self-proclaimed lover of Twitter—who criticized Agrawal’s decision.
“Many of the allegations directly implicate Mr. Agrawal, and he should be here to address them,” Grassley said. “So let me be very clear: The business of this committee and protecting Americans from foreign influence is more important than Twitter’s civil litigation in Delaware. If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.”
After Zatko’s testimony, a Twitter spokesperson told Gizmodo in an emailed statement that the whistleblower’s allegations didn’t make sense.
“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the spokesperson said. Twitter claimed that foreign influence does not play a role in its hiring. In addition, the company explained that it had measures in place to monitor access to its data: background checks, access controls, and monitoring and detection systems, according to the company.
Alexis Ronickher, an attorney for Zatko, did issue a statement after the hearing, calling it a “watershed moment.”
“Mr. Zatko is hopeful that the Committee’s work today has helped educate the public about just how dire the security and privacy situation is at Twitter and how impacted we all are by these failures,” Ronickher said.
The same day, The New Yorker published an exposé detailing efforts by multiple research companies to dig up dirt on Zatko—info on his “personality professionally and socially,” “strengths and weaknesses,” “motives for his whistle-blower complaint and any similar past complaints,” and “need for attention”—by offering his former colleagues as much as a thousand dollars an hour on the phone. Whom the companies represented was unclear.
The three-hour hearing included many astounding revelations, so here is a breakdown of the standout moments.
In his opening statement, Zatko cited novelist Upton Sinclair, famous for his 1906 novel The Jungle, who once said: “It is difficult to get a man to understand something, when his salary depends on his not understanding it.”
This can be seen among the executive team at Twitter, Zatko said, explaining that the company doesn’t know what data it has, where it is, or where it came from. Consequently, according to the whistleblower, they can’t protect it.
In addition, when it comes to deleting user data, Zatko commented later on in the hearing that Twitter can’t delete data because it doesn’t know where it is.
Republican Sen. Chuck Grassley said that the FBI had informed Twitter that there was at least one Chinese foreign agent in the company. Zatko previously alleged India had managed to place at least two foreign agents in Twitter.
Zatko was also asked why Twitter did not have a system in place to limit the access spies from countries like India, Nigeria, and China possibly have at Twitter, which they could use to identify and punish dissidents. He replied that executives cared little.
“I think they would like to, but they’re simply unwilling to put the effort in at the cost of other efforts, such as driving revenue,” the whistleblower explained. “I’m reminded of one conversation with an executive when I said, ‘I am confident that we have a foreign agent,’ and their response was, ‘Well, since we already have one, what does it matter if we have more? Let’s keep growing the office.’”
At this point in our digital lifetimes, it’s clear that online companies have way more information on us than we’d like to think they do. According to Zatko, Twitter has the following information on the average Twitter user:
- Phone number
- Latest IP address they’ve connected from
- Other IP addresses users have connected from
- Current email address and how long users have been using the email with the account
- Prior emails for the account associated with the IP address
- An inference of where users live
- Whether they’re connected to Twitter right now
- Whether users are still connected even if they’re not actively using the information on Twitter
- Type of device users are connected with
- Type of browser
- Brand of the device and possibly specific device model
- What language individuals are using connect to Twitter
Tech’s wackiest CEO has been searching high and low for a way to get out of buying Twitter and is currently battling it out in the courts. Although Musk did not explicitly say he was watching Zatko’s testimony to Congress, he did tweet out a popcorn emoji around the same time the hearing started.
In addition, Musk tweeted out a story from the New Yorker’s Ronan Farrow, published the same day of the hearing, detailing how many of the whistleblower’s former colleagues had been approached and offered money for information on him by numerous companies on behalf of their clients.
“Anyone know who the secret clients are? Let’s out them on Twitter rn haha,” Musk tweeted. In a subsequent tweet, he underlined that Zatko’s colleagues wanted to defend his credibility.
Focusing on the platform itself, Republican Sen. Lindsey Graham of South Carolina asked Zatko whether he would recommend that people continue to use Twitter or “take a time out.” The Twitter whistleblower explained that he felt the social media platform was a “hugely valuable service” that he didn’t want to see shut down. He wanted it to get better.
Here’s where things got a little weird. Out of nowhere, Graham suddenly asks Zatko whether he would buy Twitter, given what he knows about the company. Considering we’ve been talking about topics like privacy, security, data access, and foreign agents, that question seemed a bit off. Could Graham be trying to buddy up to Musk?
Zatko seemed taken aback and appeared to laugh nervously.
“I guess that depends on the price,” the ex-employee said.
It seems that all platforms tell us that access to our banking information is sacred and super protected. According to Zatko, not so at Twitter. The whistleblower explained that when he first joined Twitter, “thousands of users [workers] had access to the advertiser’s information, including their bank accounts and routing numbers.”
“When I first joined, people could change that information,” Zatko pointed out. “And you can understand why changing the banking account information of a company such as Apple or Nike might be problematic.”