US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of a company whistleblower’s testimony before Congress in which he is expected to outline damning allegations of security and privacy vulnerabilities at the embattled social media company.
In a letter addressed to CEO Parag Agrawal, leading members of the Senate Judiciary Committee questioned Twitter about the steps the company takes to secure personal data on its platform; how it protects against insider threats and foreign intelligence operatives; and allegations it’s intentionally misled regulators about Twitter’s privacy protections for users, claims that could lead to billions of dollars in fines for Twitter if they are proven.
The committee also invited Agrawal to testify alongside the whistleblower, Peiter “Mudge” Zatko, according to a copy of the letter obtained by CNN. But a committee aide told CNN on Monday evening that the official witness list for Tuesday’s hearing remains unchanged and that Zatko continues to be the sole witness, an indication that Twitter has declined the invitation.
Twitter (TWTR) declined to comment.
The letter requests responses from Twitter by Sept. 26.
“If accurate, Mr. Zatko’s allegations demonstrate an unacceptable disregard for data security that threatens national security and the privacy of Twitter’s users,” wrote Sens. Dick Durbin and Chuck Grassley, the panel’s top Democrat and Republican, in the letter.
Zatko, who was Twitter’s head of security from November 2020 until his firing in January, filed a whistleblower disclosure to multiple US government agencies and lawmakers in July. The disclosure was first reported by CNN and The Washington Post in August. It alleges that Twitter lacks many basic internal security measures and grants roughly half of its employees, including all its engineers, privileged access to the company’s live, active service, including actual user data. It claims the company does not reliably delete the data of users who cancel their accounts, and that the company may even now have foreign spies on its payroll despite a US government tip to that effect.
Twitter has pushed back on Zatko’s allegations, accusing him of painting a “false narrative” of the company. It has said that while members of its product and engineering teams have the type of access Zatko describes, only those with a specific business justification are permitted to access the live Twitter product. It has also said that Twitter has internal processes to deactivate and to begin deleting the data of users who cancel their accounts, but the company has not said whether it typically completes that process. And the company has not publicly addressed Zatko’s allegations about possible foreign intelligence compromise.
The whistleblower disclosure, along with Tuesday’s congressional hearing, sets the stage for deeper probes of Twitter’s business operations just as it is poised to go to trial in an effort to force billionaire Elon Musk to follow through with a $44 billion acquisition he agreed to earlier this year. Musk has alleged, among other things, that Twitter’s failure to disclose the vulnerabilities outlined in Zatko’s whistleblower report is a breach of the acquisition contract Musk and Twitter both signed.
Twitter has disputed that claim and has insisted that it is Musk who has breached the contract. The two sides are set to face off at trial in October.