Twitter lacks the resources and motivation to search for and remove foreign intelligence threats within its operations even as it has received warnings of possible spies in its ranks, former head of security Peiter “Mudge” Zatko told lawmakers in his first public appearance since blowing the whistle on the company.
In his testimony before the Senate Judiciary Committee on Tuesday, Zatko recalled one instance during his tenure at Twitter (TWTR) when another executive allegedly dismissed concerns about a possible spying threat by suggesting the risk was not worth addressing.
Zatko claimed he raised concerns that another government’s agent was on the payroll in a foreign Twitter office. In response, he said, the company seemed “unwilling to put the effort in” to root out that individual. Zatko recalled a Twitter executive responding to his concern by saying, “Well, since we already have one, what is the problem if we have more? Let’s keep growing the office.”
A week before Zatko’s firing in January, Twitter also received a specific warning from the FBI that the company may have had one or more Chinese spies within its ranks, Zatko said. The explosive detail linking the US government warning to China had not been a part of Zatko’s publicly reported disclosure to the US government. It remains unclear whether Twitter acted on the tip, but Zatko told Sen. Chuck Grassley that he and others inside Twitter understood that the company was a target for foreign intelligence agencies. (The FBI declined to comment.)
The expanded allegations by Zatko underscore what he says are systemic problems that prevent Twitter from safeguarding user data and threaten to undermine US national security. His Tuesday testimony covered a wide range of alleged concerns about Twitter, including his claims that the company mishandled personal user data, violated its 2011 consent decree with the US Federal Trade Commission and granted Twitter employees excessive access to sensitive data.
In a whistleblower disclosure sent to multiple lawmakers and government agencies in July, Zatko accused Twitter of failing to safeguard users’ personal information and of exposing the most sensitive parts of its operation to too many employees, including potentially to foreign spies on its payroll. Zatko, who worked at Twitter from November 2020 until he was fired in January of this year, has had some closed-door conversations with lawmakers since going public with his whistleblower disclosure. But Tuesday’s hearing marked the first chance for lawmakers to publicly question him about the allegations in his disclosure, which was first reported by CNN and The Washington Post last month.
But many of Zatko’s comments, and many of the lawmakers’ questions, centered on Twitter’s purported inability to identify and shut down potential spying risks.
Twitter on Tuesday afternoon responded to Zatko’s testimony by reiterating a statement it made after his disclosure was initially made public. “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a Twitter spokesperson said in a statement to CNN. Twitter has previously criticized Zatko and said that his disclosure paints a “false narrative” of the company.
The spokesperson added that the company’s hiring process is independent of foreign influence, and that access to internal company data is managed through measures such as background checks and monitoring systems. The company declined to respond directly to a list of specific allegations from the hearing, including claims that the FBI has warned Twitter it may have had at least one Chinese agent on its payroll.
In a statement following the event, Zatko’s lawyer, Alexis Ronickher, called the hearing a “watershed moment.”
“Mr. Zatko is hopeful that the Committee’s work today has helped educate the public about just how dire the security and privacy situation is at Twitter and how impacted we all are by these failures,” Ronickher said. “He continues to believe that through this public disclosure process, real world harm for Twitter users may be avoided and our country’s national security better protected.”
Lawmakers on both sides of the aisle appeared to take seriously Zatko’s warnings about alleged foreign interference at the company. As Sen. Dick Durbin, the chair of the Senate Judiciary Committee, put it early in the hearing: “Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities.”
Threats of foreign interference
Even before Zatko went public as a whistleblower, Twitter had faced scrutiny for allowing a foreign agent to exploit the platform in ways that could threaten US national security and user safety. A former Twitter manager was convicted last month after being accused of spying for Saudi Arabia. Prosecutors said he used his insider knowledge to access Twitter accounts and dig up personal information about Saudi dissidents.
Zatko’s disclosure raised additional concerns about Twitter’s vulnerability to exploitation by foreign governments including Russia and China. Tuesday’s hearing provided a more detailed look at those allegations.
In his testimony, Zatko outlined numerous reasons why foreign governments would be interested in placing agents inside the company. Zatko alleges that all of the company’s engineers, representing about half of its approximately 7,000 employees, have access to its internal production environment and, by extension, significant user data.
Those expansive employee permissions — combined with Twitter’s practice of collecting phone numbers, email addresses, IP addresses, device locations, estimated home addresses, user languages and other personal information — could give foreign governments powerful intelligence capabilities, Zatko said.
Those capabilities could range from identifying political dissidents to conducting counterintelligence operations. It would serve, he said, “not just to identify people of interest or track groups of interest, but also to maybe look at whether Twitter has identified your agents or your information operations.”
Zatko told Grassley he had “high confidence” that at least one agent working on behalf of the Indian government was collecting information from inside the company to benefit the government’s negotiations with Twitter over its practices in the country.
Twitter has previously told CNN that the company’s engineering and product teams are authorized to access the company’s live platform only if they have a specific business justification for doing so, and that employees may only make changes to Twitter’s live product after the code meets certain record-keeping and review requirements.
Zatko said it was typically only when an outside agency, such as the FBI, alerted Twitter to a foreign operative inside the company that it would become aware of that person.
Zatko said the company also lacks detailed event logs that can identify which employees have accessed critical company resources at any given time, making it extremely difficult to trace insider threats.
Complicating matters further, Twitter often fails to understand what user data it collects and where it is stored, according to Zatko. He cited an internal study conducted by Twitter engineers, which allegedly found that for only about 20% of the data it collects does the company know “why they got it, how it was supposed to be used, when it was supposed to be deleted.” With the remainder of the data, the company often did not know what it was or why it was being collected, Zatko said. Samples of that unknown data in the study included personally identifying information such as phone numbers and addresses, he claimed.
Zatko added that bad actors with access to Twitter’s system could potentially exploit that data because the company doesn’t properly understand, and therefore protect, the data it collects.
“There were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing,” he testified, because of the lack of logging of how its internal systems were being used.
“This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure and the engineering,” he said.
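To make concrete what the testimony above says was missing, the following is an added example (not code from the article, from Zatko, or from Twitter) of the three questions an access audit log should be able to answer: which employees touched a critical resource and when, who is generating bursts of failed access attempts, and which successful accesses to production data carry no business justification. The log format, the resource names, the `prod-db/` prefix for critical resources, the `ticket=` field and the sample lines are all constructed assumptions for this illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample audit-log lines; the one-event-per-line format and the
# resource names are assumptions for this example, not Twitter's real logging.
# Fields: <timestamp> <principal> <resource> <ALLOW|DENY> ticket=<id or ->
SAMPLE_LOG = """\
2022-01-10T09:00:01Z alice prod-db/users ALLOW ticket=INC-100
2022-01-10T09:00:05Z bob prod-db/users DENY ticket=-
2022-01-10T09:00:20Z bob prod-db/users DENY ticket=-
2022-01-10T09:00:41Z bob prod-db/sessions DENY ticket=-
2022-01-10T09:01:02Z bob prod-db/users DENY ticket=-
2022-01-10T09:01:30Z carol wiki/oncall ALLOW ticket=-
2022-01-10T09:02:15Z bob prod-db/users DENY ticket=-
2022-01-10T09:02:50Z bob prod-db/users DENY ticket=-
2022-01-10T09:15:00Z carol prod-db/users DENY ticket=-
2022-01-10T09:40:00Z carol prod-db/users DENY ticket=-
2022-01-10T10:05:00Z dave prod-db/users ALLOW ticket=-
2022-01-10T10:06:00Z alice prod-db/users ALLOW ticket=INC-100
"""

# Assumed naming convention: anything under prod-db/ holds production user data.
CRITICAL_PREFIXES = ("prod-db/",)


def parse_line(line):
    """Parse one constructed log line into a dict with a tz-aware timestamp."""
    ts, principal, resource, outcome, ticket = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "principal": principal,
        "resource": resource,
        "outcome": outcome,
        # A missing ticket means no recorded business justification.
        "ticket": None if ticket == "ticket=-" else ticket[len("ticket="):],
    }


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def who_accessed(events, resource, since=None):
    """Which principals successfully accessed `resource` (optionally since a time)?
    This is the basic tracing question the article says could not be answered."""
    return sorted({
        e["principal"] for e in events
        if e["resource"] == resource and e["outcome"] == "ALLOW"
        and (since is None or e["ts"] >= since)
    })


def failed_access_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window count of DENY events per principal.
    Returns {principal: peak number of denials inside any `window`} for every
    principal whose peak reaches `threshold`, i.e. the 'failed attempts nobody
    was noticing'."""
    denials = defaultdict(list)
    for e in events:
        if e["outcome"] == "DENY":
            denials[e["principal"]].append(e["ts"])
    flagged = {}
    for principal, times in denials.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop denials older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            flagged[principal] = peak
    return flagged


def unjustified_critical_access(events, critical_prefixes=CRITICAL_PREFIXES):
    """Successful access to a critical resource with no ticket attached: a
    violation of the 'specific business justification' rule, as a list of
    (principal, resource, ISO timestamp) tuples."""
    return [
        (e["principal"], e["resource"], e["ts"].isoformat())
        for e in events
        if e["outcome"] == "ALLOW"
        and e["ticket"] is None
        and e["resource"].startswith(critical_prefixes)
    ]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("accessed prod-db/users:", who_accessed(evts, "prod-db/users"))
    print("failed-access bursts:", failed_access_bursts(evts))
    print("unjustified critical access:", unjustified_critical_access(evts))
```

On the constructed input, `bob` is flagged for six denials inside three minutes, `carol`'s two denials 25 minutes apart are not, and `dave`'s ticket-less read of `prod-db/users` is reported while `alice`'s ticketed reads are not. The sliding window matters: a simple per-day count would miss a short burst that stays under a daily threshold, and a real deployment would key on the source host or session as well as the principal, since an insider probing access may rotate accounts.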
The alleged lack of internal access controls and logging could also allow Twitter employees to access and tweet from other users’ accounts, including those of lawmakers, Zatko said.
“A Twitter engineer, understanding how the running systems and the data flows were operating, could then access and inject, or put forward, information as … any of the senators sitting here today,” he said.