Peiter Zatko, known as Mudge in the computer hacking community, testifies on cyber security at Twitter before the Senate Judiciary Committee on Capitol Hill in Washington, D.C., U.S., September 13, 2022. Photo by Sarah Silbiger for CNN
Twitter whistleblower says company is a decade behind industry security standards
03:07 - Source: CNN

Editor’s Note: Kara Alaimo, an associate professor in the Lawrence Herbert School of Communication at Hofstra University, writes about issues affecting women and social media. She was spokeswoman for international affairs in the Treasury Department during the Obama administration. The opinions expressed in this commentary are her own. Read more opinion articles on CNN.

CNN  — 

On Tuesday, Twitter’s former head of security, Peiter “Mudge” Zatko, testified before the Senate Judiciary Committee, painting a picture of a reckless company that doesn’t make basic efforts to prevent the massive collateral damage that could befall users and the country when people use the social media site.

Kara  Alaimo

It’s now up to the senators who heard his shocking testimony to take action to regulate Twitter and other social networks.

Zatko testified that, according to an informal study by Twitter engineers, when the company has collected data about users it has only known “why they got it, how it was supposed to be used, (and) when it was supposed to be deleted” about 20% of the time. So even if it wanted to delete data that falls in the other 80%, the company might not know how to find it. What’s more, Zatko says this data – which includes a lot of sensitive personal information like where the company thinks users live – could potentially be accessed by all of the company’s engineers. Zatko also said that, unlike many other companies, Twitter doesn’t have a separate testing platform for applications it builds, so engineers do their testing on actual user data – a situation he described as an “oddity.”

And, Zatko added, Twitter did not have a proper system to log which employees access or attempt to access user data, leaving the company unable to identify potential misuse.

So, it’s not surprising that serious security breaches are happening within the company. The former head of security of the social media company testified that he “saw with high confidence” a foreign agent placed by the Indian government within the company to monitor Twitter’s negotiations with the government.

In his disclosure, he also stated that the FBI told Twitter that it suspected an employee was a foreign asset for the Chinese government. (In August, a former manager at Twitter was convicted of spying for Saudi Arabia.)

But Zatko said the company doesn’t make serious efforts to root out spies and that when he discussed a possible foreign agent with one company executive, the person responded, “Well, since we already have one, what is the problem if we have more?”

In fact, Zatko said that Twitter’s security protocols are so lax and the personal information it has about users is so valuable that any foreign intelligence agency that doesn’t get their spies hired as Twitter engineers is “most likely not doing (their) job.”

Twitter vociferously disputes Zatko’s allegations. It has accused him of painting a “false narrative” and said he was fired for “ineffective leadership and poor performance” in January, after serving in the position since November 2020. A Twitter spokesperson told CNN that his testimony “only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies.”

But Zatko’s testimony suggests the company isn’t even making rudimentary efforts to protect user data. This should be terrifying for users. Imagine, for example, the possibility of a Twitter employee realizing from an IP address that a user was tweeting from an abortion clinic in a state where abortion is illegal and using that information to blackmail the user. Or think of the possibility of a staffer posting unauthorized tweets from a user’s account.

“It’s not far fetched to say a Twitter employee could take over the accounts of all of the senators in this room,” Zatko testified.

This possibility should have every American scared, whether or not they use the platform. As we saw with last year’s attack on the Capitol, a single tweet from a high profile account could promote mass violence in this country – or potentially sway the outcome of a race on election day.

What’s more, foreign governments could use user data to track the activities and movements of American spies and government officials, gaining valuable intelligence that could put our country’s security at risk.

Based on Zatko’s testimony, it’s astonishing that Twitter hasn’t mounted a bigger security effort in the face of these kinds of grave risks. And what his testimony tells us is that we simply can’t trust the people who run Twitter not to be careless in the future. We must look to the government to put regulations in place so that no social network has carte blanche to decide what data to collect about users and how to use and store it.

Get our free weekly newsletter

  • Sign up for CNN Opinion’s new newsletter.
  • Join us on Twitter and Facebook

    After hearing Zatko’s testimony, senators should be racing to introduce a bill to limit the data social networks store, as well as the amount of time they can keep it and who they can share it with. Senators should also require that companies limit employee access to user data, track who accesses user data to identify misuse and set up rigorous internal systems to root out spies and other nefarious uses of user data.

    Zatko’s testimony suggests that Twitter has let its users and the country down, failing to implement basic security precautions. Now, the ball is in the court of the senators who heard his disturbing testimony. If they fail to act, they will be just as responsible as Twitter for choosing not to take action to protect the security of Twitter users and the nation.