Twitter's whistleblower testifies before Senate committee

By Clare Duffy, Brian Fung and Aditi Sangal, CNN

Updated 2233 GMT (0633 HKT) September 13, 2022
10:06 a.m. ET, September 13, 2022

FBI warned Twitter it may have Chinese agent on payroll, Sen. Grassley says

From CNN's Brian Fung

The FBI has warned Twitter it may have at least one Chinese agent on its payroll, according to Sen. Chuck Grassley, summarizing previously undisclosed details of an allegation by Twitter whistleblower Peiter “Mudge” Zatko against his former employer. 

A previously reported version of Zatko’s whistleblower disclosure — submitted to authorities in July and first reported by CNN and The Washington Post in August — indicated that the US government had provided Twitter with specific information that at least one of its employees, perhaps more, may be working for a foreign intelligence agency. 

But that version of the disclosure did not identify which country the suspected agent may have been affiliated with.

“Because of [Zatko’s] disclosures, we’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies,” Grassley said in his opening remarks during a whistleblower hearing involving Zatko on Tuesday. “For example, his disclosures indicate that India was able to place at least two suspected foreign assets within Twitter. His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company.”

Twitter has not publicly responded to Zatko’s allegations of foreign intelligence compromise, though it has accused Zatko more generally of spreading a “false narrative” about the company. 

The company did not immediately respond to a request for comment on Grassley's remarks.

10:00 a.m. ET, September 13, 2022

NOW: The Twitter whistleblower hearing kicks off

Peiter Zatko arrives at the Senate building for the Data Security at Risk hearing in Washington on Tuesday, September 13. (Sarah Silbiger for CNN)

The hearing featuring Twitter whistleblower Peiter “Mudge” Zatko has kicked off.

Zatko appeared before lawmakers Tuesday in a dark gray windowpane suit and light blue tie. He walked in holding a wooden cane — which has flames on it — and he sat before the committee at a low table in the center of the massive Hart Senate office hearing room, which had been changed from its initial location to accommodate a larger audience.

It's his first public appearance since his bombshell allegations against Twitter were reported last month by CNN and The Washington Post. He previously alleged Twitter has undisclosed security and privacy vulnerabilities.

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower's testimony.

9:11 a.m. ET, September 13, 2022

Who is Peiter "Mudge" Zatko?

From CNN's Sean Lyngaas

Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait in Washington, D.C., on August 22, 2022. (Sarah Silbiger for CNN)

With his decision to go public with his concerns, Peiter "Mudge" Zatko could find himself at the center of renewed regulatory scrutiny of Twitter, as happened when Frances Haugen blew the whistle on Facebook.

Before joining Twitter, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet.

Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to then-CEO Jack Dorsey, according to the disclosure.

Some who've worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he's done for much of his career working with the public and private sector. The decision to blow the whistle, they say, is in keeping with that approach.

His career has shown that "there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have," said Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s. 


9:13 a.m. ET, September 13, 2022

The big takeaways from the Twitter whistleblower

From CNN's Brian Fung

In his disclosure, Zatko levels a barrage of devastating allegations that US lawmakers say are extremely concerning.

Zatko claims Twitter is full of critical security flaws; may not be deleting the data of users who leave the platform as it is required to do; has misled the public about its spam account problem; may currently have foreign intelligence agents on the payroll; and that it hasn't lived up to years of legal obligations stemming from an earlier privacy settlement with the Federal Trade Commission, which could lead to further liability.

Twitter has criticized Zatko and broadly defended itself against the allegations, saying the disclosure paints a "false narrative" of the company.


9:13 a.m. ET, September 13, 2022

How Twitter has responded to Peiter Zatko's allegations

From CNN Business' Clare Duffy

Twitter headquarters in San Francisco, California, on Thursday, April 21, 2022. (David Paul Morris/Bloomberg/Getty Images)

In response to Zatko's whistleblower disclosure, Twitter has said that security and privacy are both longtime priorities for the company.

The company says Zatko was fired in January for "ineffective leadership and poor performance," and that his disclosure paints a "false narrative" of the company and is "riddled with inconsistencies and inaccuracies and lacks important context." (Zatko contends his firing came after he raised concerns internally about security vulnerabilities and misrepresentations by executives to the company's board.)

"Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders," a company spokesperson said in a statement to CNN last month.

In an internal meeting shortly after Zatko's disclosure was first reported, Twitter executives defended the company and themselves to employees.

The company did not respond to a request for comment ahead of Tuesday's hearing.

8:49 a.m. ET, September 13, 2022

US lawmakers question Twitter on security practices ahead of whistleblower testimony

From CNN's Brian Fung

CEO of Twitter Parag Agrawal attends the Sun Valley Conference in Sun Valley, Idaho, on July 07, 2022. (Kevin Dietsch/Getty Images)

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower's testimony.

In a letter addressed to CEO Parag Agrawal, leading members of the Senate Judiciary Committee questioned Twitter about the steps the company takes to secure personal data on its platform; how it protects against insider threats and foreign intelligence operatives; and allegations it's intentionally misled regulators about Twitter's privacy protections for users, claims that could lead to billions of dollars in fines for Twitter if they are proven. 

The committee also invited Agrawal to testify alongside the whistleblower, Peiter "Mudge" Zatko, according to a copy of the letter obtained by CNN. But a committee aide told CNN on Monday evening that the official witness list for Tuesday's hearing remains unchanged and that Zatko continues to be the sole witness, an indication that Twitter has declined the invitation. 

Twitter didn't immediately respond to a request for comment.

9:00 a.m. ET, September 13, 2022

Elsewhere on Tuesday... Twitter shareholders will vote on Musk deal

From CNN Business' Clare Duffy

The logo and trading symbol for Twitter is displayed on a screen on the floor of the New York Stock Exchange in New York, on July 11, 2022. (Brendan McDermid/Reuters)

On the same day that Peiter Zatko will be on Capitol Hill to testify about his experience at Twitter, the company's shareholders will convene virtually to vote on whether to approve the $44 billion acquisition by Elon Musk.

The shareholder vote is one of the final steps needed to close the deal, which Musk is now fighting to get out of in court.

Twitter's board has unanimously recommended that shareholders vote in favor of the deal.


9:12 a.m. ET, September 13, 2022

Whistleblower disclosure raised questions about Twitter's ability to handle election threats

From CNN Business' Clare Duffy

Rep. Bennie Thompson during a Select Committee to Investigate the January 6th Attack hearing in Washington, on July 12, 2022. (Shawn Thew-Pool/Getty Images)

Peiter Zatko's whistleblower disclosure makes a number of allegations that could raise questions about the company's ability to handle election-related threats ahead of the US midterms.

His disclosure accuses the company of having a reactive approach to misinformation and platform manipulation; a disconnect between product and safety teams; content moderation shortcomings; and a lack of controls to prevent foreign interference.

Members of the US House Committee on Homeland Security last month sent Twitter CEO Parag Agrawal a letter demanding that he address Zatko's allegations and explain Twitter's readiness for the 2022 midterms.

"Twitter plays a unique role in our information and political ecosystems. Security flaws that put users' sensitive personal data within easy reach of a hacker looking to take control of a high-profile account or a foreign dictator looking for information on dissidents are nothing short of a threat to national security," Rep. Bennie Thompson and Rep. Yvette Clarke, chairs of the Committee on Homeland Security and the Subcommittee on Cybersecurity, Infrastructure Protection, & Innovation, respectively, said in the letter.

For its part, Twitter earlier this month said it had activated its policies for safeguarding its platform ahead of the upcoming US midterm elections, plans that include labeling and reducing the spread of misinformation. The company also pushes reliable information to users, including localized election information; labels candidates for US House, US Senate and governor; trains state and local election officials about how to use the platform; and says it enforces its rules at scale, such as those prohibiting harassment, spam and manipulated media.

A company spokesperson said Twitter has "a cross-functional team around the globe that's focused on curbing the spread of misinformation and fostering an environment conducive to healthy, meaningful conversation on Twitter."


10:58 a.m. ET, September 13, 2022

Tuesday's hearing could lead to new revelations

From CNN's Brian Fung

Zatko could disclose more today than what's been disclosed so far in his official filings. Under questioning from lawmakers, Zatko could be asked to reveal new details of meetings he may have had, or other recollections from his time as Twitter's head of security, that may serve as further evidence of his claims.

To the extent Zatko may be under legal restrictions preventing him from discussing his time at Twitter, those limitations wouldn't apply to whistleblower testimony to lawmakers and the rest of the US government, according to Whistleblower Aid, the organization providing Zatko's legal representation.

That's part of why Tuesday's hearing carries such high stakes: It may be one of the few venues where the public may see Zatko speaking freely.