Twitter's whistleblower testifies before Senate committee

By Clare Duffy, Brian Fung and Aditi Sangal, CNN

Updated 6:33 PM ET, Tue September 13, 2022
16 Posts
Sort byDropdown arrow
10:48 a.m. ET, September 13, 2022

Whistleblower: FTC is at a disadvantage compared to powerful tech companies

From CNN's Brian Fung

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13.
Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Even as lawmakers criticized Twitter for its alleged missteps, they also reserved some ire for the federal agencies charged with keeping Twitter accountable. Durbin and Grassley both highlighted what they viewed as a lack of enforcement. 

"I’m concerned that for almost ten years the Federal Trade Commission didn’t know or didn’t take strongly enough action to ensure Twitter complied with the consent decree,” Grassley said. "This is a consent decree that was intended to protect twitter users' personal information.”

As part of his testimony, Zatko said federal agencies like the FTC are under-resourced and at a disadvantage compared to powerful tech platforms. 

Zatko also said that Twitter was not afraid of the FTC as much as it was afraid of foreign regulators, such as France’s data protection authority, CNIL.

That’s because where Twitter expected US regulators to impose only one-time fines or penalties in response to any legal violations by the company, Twitter feared the prospect of foreign regulators imposing ongoing penalties or restrictions on its business going forward.

"One-time fines are priced in," he explained.

10:35 a.m. ET, September 13, 2022

Whistleblower: Twitter doesn't fully understand the data it collects

From CNN's Clare Duffy

Peiter "Mudge" Zatko testifies before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13.
Peiter "Mudge" Zatko testifies before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Brendan Smialowski/AFP/Getty Images)

Zatko said that when he arrived at Twitter, he began asking: "Why do they keep having so many security incidents? The same amount year after year … What is fundamentally, under-the-hood broken? Where is the systemic failure?"

One part of the problem, he said, is that Twitter doesn't fully understand all the data it collects from users or why it collects that data.

He cited an internal study conducted by engineers which allegedly found that for only about 20% of the data it collects does the company know "why they got it, how it was supposed to be used, when it was supposed to be deleted." With the remainder of the data, the company often did not know what the data was or why it was being collected, Zatko said. Samples of that unknown data in the study included personally identifying information such as phone numbers and addresses, he claimed.

Zatko also said that bad actors with access to Twitter's system could potentially access and exploit that data because the company doesn't properly understand, and therefore protect, the data it collects.

10:38 a.m. ET, September 13, 2022

Zatko: "I did not make my whistleblower disclosures out of spite or to harm Twitter"

From CNN's Aditi Sangal

Peiter Zatko, is sworn in to testify before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13.
Peiter Zatko, is sworn in to testify before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Former Twitter employee and whistleblower Peiter “Mudge” Zatko said that the platform's potential risk to national security and its users led him to decide it was "necessary to take on the personal and professional risk to myself and to my family of becoming a whislteblower."

"I did not make my whistleblower disclosures out of spite or to harm Twitter; far from that. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter's users and the public are protected," he told lawmakers on Tuesday.
10:54 a.m. ET, September 13, 2022

Sen. Grassley: Twitter CEO should step down if whistleblower's allegations are accurate

From CNN's Brian Fung

Senator Chuck Grassley speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13.
Senator Chuck Grassley speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13. (Eric Lee/Bloomberg/Getty Images)

Twitter CEO Parag Agrawal should step down if Zatko’s allegations are proven, according to Sen. Chuck Grassley, the Judiciary Committee’s top Republican. 

"I don’t see how Mr. Agrawal can maintain his position at Twitter” if Zatko’s claims turn out to be accurate, Grassley said. He also blasted the executive over a decision not to testify alongside Zatko despite a committee invitation to appear. 

According to Grassley, Twitter declined to make Agrawal available amid its concerns that his testimony could jeopardize the company’s ongoing litigation with billionaire Elon Musk. 

Twitter did not immediately respond to a request for comment.

10:55 a.m. ET, September 13, 2022

Durbin: Twitter security is "a matter of life and death" for dissidents

From CNN's Aditi Sangal

Senator Dick Durbin speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13.
Senator Dick Durbin speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13. (Eric Lee/Bloomberg/Getty Images)

Sen. Dick Durbin, the chair of the committee, pointed in his opening statement to the importance of security on Twitter for those who use the platform to criticize governments. Durbin specifically noted Saudi Arabia as an example:

"Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government. This is a matter of life and death as we know for these dissidents as the butchering of Jamal Kashoggi made clear."

Durbin was referring to a former Twitter manager who was accused of spying for Saudi Arabia and convicted last month on six criminal counts, including acting as an agent for the country and trying to disguise a payment from an official tied to Saudi's royal family. Prosecutors said he used his insider knowledge to access Twitter accounts and dig up personal information about Saudi dissidents.

"Twitter is immensely powerful platform that cannot afford gaping security vulnerabilities," Durbin added.

10:49 a.m. ET, September 13, 2022

Whistleblower: Twitter "was over a decade behind" industry security standards when I joined

From CNN's Clare Duffy

Independent Security Consultant and Twitter Whistleblower Peiter "Mudge" Zatko sits to testify before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13.
Independent Security Consultant and Twitter Whistleblower Peiter "Mudge" Zatko sits to testify before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Brendan Smialowski/AFP/Getty Images)

As he began his testimony Tuesday, Peiter “Mudge” Zatko laid out why he decided to become a whistleblower.  

When he joined the company, he said he discovered "this enormously influential company was over a decade behind" industry security standards ... "causing real harm to real people."

Zatko said he raised concerns about security vulnerabilities brought to him by Twitter's own engineers to the company's executives, but executives failed to act. He quoted writer Upton Sinclair, saying, "It is difficult to get someone to understand something when his salary depends on him not understanding something." This, he said, was the mentality of Twitter executives when he raised concerns.

"It's not far fetched to say a Twitter employee could take over the accounts of all of the senators in this room," he said.

"My genuine hope," he continued, "is that my disclosures help Twitter finally address its security failures and encourage the company to listen to its engineers and employees who have long reported the same issues I have disclosed.” 

10:06 a.m. ET, September 13, 2022

FBI warned Twitter it may have Chinese agent on payroll, Sen. Grassley says

From CNN's Brian Fung

The FBI has warned Twitter it may have at least one Chinese agent on its payroll, according to Sen. Chuck Grassley, summarizing previously undisclosed details of an allegation by Twitter whistleblower Peiter “Mudge” Zatko against his former employer. 

A previously reported version of Zatko’s whistleblower disclosure — submitted to authorities in July and first reported by CNN and The Washington Post in August — indicated that the US government had provided Twitter with specific information that at least one of its employees, perhaps more, may be working for a foreign intelligence agency. 

But that version of the disclosure did not identify which country the suspected agent may have been affiliated with.

"Because of [Zatko’s] disclosures, we’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies,” Grassley said in his opening remarks during a whistleblower hearing involving Zatko on Tuesday. "For example, his disclosures indicate that India was able to place at least two suspected foreign assets within Twitter. His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company.”

Twitter has not publicly responded to Zatko’s allegations of foreign intelligence compromise, though it has accused Zatko more generally of spreading a “false narrative” about the company. 

The company did not immediately respond to a request for comment on Grassley's remarks.

10:00 a.m. ET, September 13, 2022

NOW: The Twitter whistleblower hearing kicks off

Peiter Zatko arrives at the Senate building for the Data Security at Risk hearing in Washington on Tuesday, September 13.
Peiter Zatko arrives at the Senate building for the Data Security at Risk hearing in Washington on Tuesday, September 13. (Sarah Silbiger for CNN)

The hearing featuring Twitter whistleblower Peiter “Mudge” Zatko has kicked off.

Zatko appeared before lawmakers Tuesday in a dark gray windowpane suit and light blue tie. He walked in holding a wooden cane — which has flames on it — and he sat before the committee at a low table in the center of the massive Hart Senate office hearing room, which had been changed from its initial location to accommodate a larger audience.

It's his first public appearance since his bombshell allegations against Twitter were reported last month by CNN and The Washington Post. He previously alleged Twitter has undisclosed security and privacy vulnerabilities.

US lawmakers sent Twitter more than a dozen questions about its security practices Monday, on the eve of the whistleblower's testimony.

9:11 a.m. ET, September 13, 2022

Who is Peiter "Mudge" Zatko?

From CNN's Sean Lyngaas

Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait in Washington, D.C., on August 22, 2022.
Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait in Washington, D.C., on August 22, 2022. (Sarah Silbiger for CNN)

With his decision to go public with his concerns, Peiter "Mudge" Zatko could find himself at the center of renewed regulatory scrutiny of Twitter, as happened when Frances Haugen blew the whistle on Facebook.

Before joining Twitter, Zatko, now 51, led an influential cybersecurity grantmaking program at the Pentagon, worked at a Google division for developing cutting-edge technology, helped build the cybersecurity team at fintech firm Stripe, and advised US lawmakers and officials on how to plug security holes in the internet.

Twitter hired Zatko in November 2020 to beef up cybersecurity and privacy at the company in the wake of a high-profile hack, allegedly spearheaded by a Florida teenager, in July 2020 that compromised the Twitter accounts of some of the most famous people on the planet, including then-presidential candidate Joe Biden. The senior executive role meant Zatko reported directly to then-CEO Jack Dorsey, according to the disclosure.

Some who've worked alongside Zatko over the last three decades paint a picture of him as a principled technologist with a knack for making the complex accessible and an earnest desire to fix problems, as he's done for much of his career working with the public and private sector. The decision to blow the whistle, they say, is in keeping with that approach.

His career has shown that "there was more to hacking than just one-upping each other, that there was actually a social good and impact that you could have," said Dug Song, chief strategy officer at Cisco Security, who has known Zatko since the 1990s. 

Read the full story.