Twitter whistleblower: Security failures cause ‘real harm to real people’ – The Washington Post

On Sept. 13, Peiter Zatko testified before a Senate committee that Twitter executives misled the public about the failed state of its data security practices. (Video: The Washington Post)

A Twitter whistleblower on Tuesday testified before Congress that the company’s failure to secure sensitive data causes “real harm to real people,” prompting senators to grapple with Washington’s inability to effectively regulate major social networks.


Peiter “Mudge” Zatko’s Senate testimony — which expanded on an 84-page complaint shared with regulators and The Washington Post this summer — said that Twitter executives misled the public, regulators and the company’s own board about its systemically broken defenses against hackers.

He described an executive team that was financially incentivized to ignore root problems, such as employees having too much access to data. Because the company wasn’t properly tracking data access, he claimed, it was impossible for the company to respond to critical national security risks — including access gained by potential foreign agents on its payroll.


Zatko, the company’s former security lead and a renowned hacker, grounded his at-times highly technical disclosures in examples of risk that lawmakers could relate to, suggesting that such unfettered internal access could let Twitter engineers send unauthorized tweets from lawmakers’ own accounts.

“It doesn’t matter who has keys if you don’t have any locks on the doors,” he said. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”

Twitter has said security and privacy are priorities at the company. “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” said Rebecca Hahn, a Twitter spokeswoman. Twitter declined to say which of Zatko’s claims were inaccurate.

The federal government has struggled for years with the growing influence of major tech companies, with lawmakers from both parties promising to pass regulations to protect Americans’ data, improve competition in the industry and keep children safe online. Yet no such bills have become law, despite dozens of hearings grilling some of the most powerful tech executives in the world, as well as former employees such as Zatko who have gone public with alleged wrongdoing.

On Tuesday, lawmakers not only railed against Twitter, but also raised concerns about how their own inaction has prevented regulators such as the Federal Trade Commission from protecting Americans from alleged company abuses. They asked Zatko pointed questions about the ways smaller countries, such as France, have been able to pursue more aggressive oversight of data-privacy abuses.

“I believe this should be a watershed moment,” said Zatko attorney Alexis Ronickher, adding that she was heartened by the commitment from the senators to change regulation and enforcement.


In appearing before Congress to discuss his disclosures, Zatko joins a cohort of other tech whistleblowers who have turned to lawmakers to address allegedly improper activity in the tech industry. Zatko, who reported directly to former Twitter chief executive Jack Dorsey, was in a more senior position than Facebook whistleblower Frances Haugen or Cambridge Analytica whistleblower Christopher Wylie — raising the personal and professional stakes of his disclosure. Yet it remains to be seen whether Zatko’s allegations will spur action in a narrowly divided and often paralyzed Congress, in which intense industry lobbying, partisan division and competing priorities have thwarted previous efforts to rein in Silicon Valley.

Meanwhile, Twitter shareholders voted Tuesday to approve Elon Musk’s $44 billion acquisition offer, setting the world’s richest man on a collision course with the social media company as the two head to court in October. The approval — to accept Musk’s offer of $54.20 per share, far higher than the current share price of roughly $42 — was widely expected. Twitter has forged ahead with the deal, despite Musk’s attempts to back out because of what he says are problems with the company’s business.

Zatko’s testimony could also factor into Twitter’s ongoing litigation with Musk, who has already incorporated some of the arguments from the whistleblower’s complaint in court.

Zatko is also expected to meet with federal regulators, including the FTC, which could bring fines totaling hundreds of millions of dollars against Twitter for violating a previous consent order with the agency. Zatko has alleged that Twitter did not follow through on the commitments it made to the Federal Trade Commission to create a data-security program.

Ronickher declined to say whether Zatko was meeting with the agency while he was in D.C.


Zatko on Tuesday expanded on allegations in his redacted complaint regarding Twitter’s employment of suspected foreign government operatives, who may have had access to sensitive data because of the company’s lack of internal controls. He said agents for the Indian government and the Chinese government were on the company’s payroll.

A week before his January firing, Zatko testified, the FBI had warned security staff that a Chinese agent for the Ministry of State Security was employed at the company. Twitter ads paid for by the Chinese government also could have elicited information, including locations of users who click on them, he said.


Zatko’s testimony is already becoming a headache for Twitter and its chief executive, Parag Agrawal. Multiple senators slammed Agrawal for declining to testify before the Senate Judiciary Committee because of the company’s ongoing litigation with Musk.

Sen. Charles E. Grassley (R-Iowa), the committee’s top Republican, said that if Zatko’s allegations are true, Agrawal should be forced to step down as chief executive.

The disclosures Tuesday appeared to prompt some bipartisan soul-searching among lawmakers, many of whom spoke of a combined failure to bring enforcement against tech companies. Sen. Lindsey O. Graham (R-S.C.) said that he was working across party lines with Sen. Elizabeth Warren (D-Mass.) to create a regulatory system that would imitate one in Europe, where lawmakers have taken aggressive action to penalize American tech companies.

Graham and Warren are on opposite ends of the political spectrum, and Graham’s proposal signals how dramatically some Republicans’ positions on tech regulation have evolved in recent years. The party has historically favored a less stringent regulatory environment for businesses. A congressional aide, who spoke on the condition of anonymity to discuss ongoing negotiations, confirmed Warren was working with Graham, but a final agreement was “not imminent.”

Graham suggested a new regulator would address privacy, content moderation and foreign interference, and that it would provide an appeals process for users when companies remove their content.

“Your testimony today has legitimized what most of us feel is a process out of control, that the regulatory environment is insufficient to the task,” Graham said. “It’s time to up our game in this country.”


Multiple senators appeared interested in how other countries have approached regulating tech companies such as Twitter. Sen. Mazie Hirono (D-Hawaii) asked if French regulators had better standards to hold Twitter accountable. Zatko responded that France’s data regulator is “more feared” because “they dig in technically and go toward more quantitative results that are less easy for organizations to sort of wordsmith around.”

Sen. Richard Blumenthal (D-Conn.) floated the idea of creating a tech enforcement agency that would specifically address data security and national security threats posed by tech companies.

“I think the mounting evidence shows that the current regulatory structure is failing,” Blumenthal told The Post.

Zatko emphasized throughout the hearing that any regulations need to be enforced with independent audits and metrics, to ensure that well-resourced companies are unable to game the system.

He also called on lawmakers to consider legislation that would expand whistleblower protections to other government agencies, so that more employees would be able to disclose critical information to the government. Zatko and Haugen, the Facebook whistleblower, filed their complaints with the Securities and Exchange Commission, which has a dedicated program that offers rewards and protections for such complaints.

The FTC, the industry’s main tech regulator, does not have such a program, and the SEC does not protect whistleblowers at privately owned companies.

Early in the hearing, Zatko spoke about the personal and professional toll submitting his complaint had taken on him and his family. He said that he did not make his disclosures “out of spite or to harm Twitter.”

“What you did today will not be in vain,” Graham said.
