Twitter's whistleblower testifies before Senate committee

By Clare Duffy, Brian Fung and Aditi Sangal, CNN

Updated 2233 GMT (0633 HKT) September 13, 2022
3:09 p.m. ET, September 13, 2022

Twitter responds to whistleblower's testimony

From CNN's Clare Duffy

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Twitter on Tuesday afternoon responded to Zatko's testimony by reiterating a statement it made after his disclosure was initially made public.

"Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies," a Twitter spokesperson said in a statement to CNN.

The spokesperson added that the company's hiring process is independent of foreign influence, and that access to internal company data is managed through measures such as background checks, access controls and monitoring systems.

The company declined to respond directly to a list of specific allegations by Zatko, including about the company's purported inability to detect whether foreign agents are on its payroll and claims that the FBI has warned Twitter it may have had at least one Chinese agent in the company.

2:14 p.m. ET, September 13, 2022

Sen. Hawley: Zatko's testimony is "really significant"

By CNN's Brian Fung

Senator Josh Hawley questions Peiter Zatko as he testifies during a Senate Judiciary Committee hearing in Washington, on September 13. (Sarah Silbiger for CNN)

Zatko's hearing showed the extent to which Twitter may be vulnerable to foreign exploitation, making his testimony "really significant," Sen. Josh Hawley told CNN on Tuesday.

Some of Zatko's most concerning allegations, Hawley said, were that Twitter's now-CEO, Parag Agrawal, had proposed making concessions to Russia's government, and that Twitter may be providing Chinese entities with information that could be used to unmask people within China who may be illegally accessing Twitter.

There is also no reason to believe Twitter has meaningfully addressed a US government tip about a Chinese intelligence agent on Twitter's payroll, another of Zatko's explosive allegations, Hawley said.

"Nothing [Zatko] said today allays concerns on that score," Hawley told CNN.

1:37 p.m. ET, September 13, 2022

Whistleblower's attorney corrects the record on one detail from testimony

From CNN's Brian Fung

In his testimony Tuesday, Peiter Zatko misspoke when he told Sen. Jon Ossoff that Twitter had accidentally leaked the personal information of 50 million employees, according to Whistleblower Aid, the organization providing Zatko with legal representation.

"The 50 million number was a misstatement, and Mudge will issue a correction to the committee," said John Tye, Zatko's attorney and founder of Whistleblower Aid. The correct number, he added, is reflected in Zatko's original disclosure to the US government.

That filing claims that 20,000, not 50 million, current and former Twitter employees have been affected by data leaks involving the company.

During Tuesday's hearing, Zatko had claimed that an internal incident report showed 50 million employees being affected by such breaches, and that he was confused by the figure because Twitter does not have 50 million employees, but does hold extensive records on current and former employees that it does not delete.

Twitter has previously said it has about 7,000 current employees.

1:23 p.m. ET, September 13, 2022

Twitter shareholders vote in favor of Elon Musk's $44 billion takeover deal

From CNN's Rishi Iyengar

Twitter shareholders on Tuesday voted in favor of Musk's $44 billion takeover deal, a value of $54.20 per share. The company's stock opened Tuesday at just under $41 per share, nearly 25% below the deal price. 

The vote came days after Musk's third letter to Twitter seeking to terminate their deal, with this one pegged to a purported $7.75 million severance payment the company made to its former head of security, Peiter Zatko, who later blew the whistle about its alleged security and privacy vulnerabilities.

The outcome of the vote was announced shortly after Zatko concluded testifying on Capitol Hill.

12:49 p.m. ET, September 13, 2022

Here's what the Twitter whistleblower told lawmakers during Tuesday's hearing

From CNN's Clare Duffy

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

In a wide-ranging hearing that lasted more than two hours, Twitter whistleblower Peiter Zatko told lawmakers about a range of concerns he has about the company.

Here are some of the highlights:

  • Zatko alleged that Twitter is extremely vulnerable to being penetrated and exploited by agents of foreign governments. At one point in his tenure, Zatko said he raised concerns with an executive that he was confident a foreign operative was on the payroll at a foreign office. The response from the executive, according to Zatko, was: “Well, since we already have one, what is the problem if we have more? Let's keep growing the office.”
  • Zatko said that Twitter was not afraid of the US Federal Trade Commission as much as it feared actions by foreign regulators, such as France’s data protection authority, CNIL. The reason, he said, is that Twitter expected US regulators to impose only one-time fines or penalties in response to any legal violations by the company. Those fines were "priced in" to its business, he said.
  • Zatko detailed some of the personal information Twitter collects on users, including phone numbers and emails, IP addresses and the locations from which users access the platform.
  • Zatko alleged that Twitter does not fully understand all of the user data it collects, why it is collected and where it is stored.
  • Zatko alleged that it would be possible for a Twitter employee to take over and tweet from the accounts of Senators. "It's not far fetched to say a Twitter employee could take over the accounts of all of the senators in this room," he said, though he never saw such a thing happen in his time at the company.

Twitter did not immediately respond to requests for comment from CNN about many of Zatko's allegations.

12:27 p.m. ET, September 13, 2022

Whistleblower: Twitter employees had the ability to tweet from lawmakers' accounts

From CNN's Clare Duffy

Peiter Zatko testified that due to its poor security posture, it was possible for Twitter engineers to tweet from other users’ accounts, including those of lawmakers -- though he never saw an employee do so.

“I have seen numerous situations where Twitter engineers had to patch a problem and I said, ‘what was the problem?’ and they said, ‘oh, engineers could tweet as anybody, the data was exposed in this part,’” Zatko said. “It was always reactionary in finding these wounds left and right and putting bandaids on them because the systemic underlying problems were not addressed."

He added: “A Twitter engineer, understanding how the running systems and the data flows were operating could then access and inject, or put forward, information as … any of the senators sitting here today.” 

Zatko said he never saw such a thing happening during his time at the company but added “I am concerned” that it may have happened previously. 

2:25 p.m. ET, September 13, 2022

Sen. Graham asks Zatko if he would buy Twitter

From CNN's Clare Duffy

Senator Lindsey Graham questions Peiter Zatko during a Senate Judiciary Committee hearing in Washington, on September 13. (Kevin Dietsch/Getty Images)

Sen. Lindsey Graham hinted at Elon Musk's bid to buy — and then get out of buying — Twitter when he asked whistleblower Peiter Zatko whether he would buy the company, given what he knows.

"Would you buy Twitter, given what you know, if you had the money?" Graham asked.

Zatko laughed and then responded, "I guess that depended on the price."

2:07 p.m. ET, September 13, 2022

Twitter users need to look at information they get from the platform "differently" and ask questions, whistleblower says

From CNN's Aditi Sangal

Peiter Zatko testifies before the Senate Judiciary Committee on data security at Twitter, in Washington, on September 13. (Kevin Dietsch/Getty Images)

Sen. Lindsey Graham asked former Twitter security chief Peiter “Mudge” Zatko if he would recommend that Twitter users continue to use the social media platform given the information he has offered in his whistleblower disclosures and his testimony Tuesday.

"I think Twitter is a hugely valuable service," Zatko said. "I think people should look at the information they’re getting off of it differently, and I think people should put pressure on Twitter and ask questions from the public as well as from the government and the regulators."

Graham offered, "You're not asking to shut them down, you're asking them to get better?"

“Absolutely, sir,” Zatko replied.

11:44 a.m. ET, September 13, 2022

Twitter whistleblower explains why governments would try to put their agents in the company's ranks

From CNN's Aditi Sangal

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Peiter “Mudge” Zatko alleged in his whistleblower disclosures and in his testimony on Tuesday that Twitter may have foreign spies currently on its payroll. He said there may be a number of reasons why governments would try to place agents in the company's ranks.

Among the reasons, he said, it would serve "not just to identify people of interest or track groups of interest, but also to maybe look at whether Twitter has identified your agents or your information operations [and] what other governments has Twitter possibly identified."

"Remember, outside of the ability to access large amounts of data on the engineering side you would want to know what Twitter’s plan is as far whether they will cede to your demands for control of information within their environments or not in order to change different types of political pressures, such as strongarming," he said.