Twitter's whistleblower testifies before Senate committee

By Clare Duffy, Brian Fung and Aditi Sangal, CNN

Updated 6:33 PM ET, Tue September 13, 2022
11:12 a.m. ET, September 13, 2022

Whistleblower: Here's what information Twitter collects on its users

From CNN's Clare Duffy

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Peiter Zatko detailed the kinds of information that Twitter collects on its users. According to Zatko, the list includes:

  • A user's phone number
  • The latest IP address a user has connected from, as well as past IP addresses
  • A user's current email, how long they've been using it and prior emails they've used
  • Where the company thinks a user lives
  • The location the company thinks a user is currently accessing Twitter from
  • What type of device a user is accessing Twitter from
  • The web browser a user is connected from
  • The language used by the user

Zatko claimed that all of the company's engineers — through their access to its internal production systems — could potentially access all of that user data.

"If they wanted to root around in the data and find it, they could, and some have," he said.

12:16 p.m. ET, September 13, 2022

What's stopping Twitter from deleting old user data?

From CNN's Brian Fung

One of Zatko's chief allegations against Twitter is that it does not reliably delete the data of users who cancel their accounts.

Expanding on that claim, Zatko told lawmakers Tuesday that the company's chief privacy officer had come to him admitting that Twitter has deliberately misled regulators who asked about Twitter's deletion practices.

"I was told straight out by the chief privacy officer that the [Federal Trade Commission] had come and asked, 'Does Twitter delete users' information?'" Zatko said. "He said, 'I need you to know this because other regulators are asking us, and this ruse is not going to hold up.'"

Twitter has allegedly told regulators that it deactivates user accounts but has been elusive about whether it fully deletes the data. In response to questions from CNN, Twitter has previously said it has workflows in place to "begin a deletion process" but has not said whether it typically completes that process.

Asked by Sen. Mazie Hirono whether Twitter has the capability to delete user data appropriately, Zatko said it would be possible if Twitter had better control of its data, but that it does not, which he called a "fundamental root problem" for the company.

"They need to know what data they have, where it is, why they got it and who it is attached to," Zatko said. "At that point, they would be able to delete."

11:25 a.m. ET, September 13, 2022

Twitter seemed "unwilling to put the effort" into rooting out foreign agents from its ranks, whistleblower says

From CNN's Clare Duffy and Aditi Sangal

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Peiter “Mudge” Zatko told lawmakers that when he raised concerns about a foreign agent on the company's payroll in a foreign office, the company seemed "unwilling to put the effort in" to root out that individual.

The response from an executive, according to Zatko, was: “Well, since we already have one, what is the problem if we have more? Let's keep growing the office.”

Zatko said that a lack of internal tracking of employees' actions within Twitter increased the risk of foreign agents operating inside the company and exploiting its data. He claimed that it was typically only when an outside agency alerted Twitter to a foreign operative inside the company that it would become aware of that person.

"It was extremely difficult to track the people, there was a lack of logging and ability to see what they were doing and what information was being accessed… let alone to set steps for remediation," he said.

He added that "there were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing" because of the lack of logging of how its internal systems were being used.

"This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure and the engineering," he said.

10:48 a.m. ET, September 13, 2022

Whistleblower: FTC is at a disadvantage compared to powerful tech companies

From CNN's Brian Fung

Peiter Zatko testifies before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Even as lawmakers criticized Twitter for its alleged missteps, they also reserved some ire for the federal agencies charged with keeping Twitter accountable. Durbin and Grassley both highlighted what they viewed as a lack of enforcement. 

"I’m concerned that for almost ten years the Federal Trade Commission didn’t know or didn’t take strongly enough action to ensure Twitter complied with the consent decree,” Grassley said. "This is a consent decree that was intended to protect Twitter users' personal information.”

As part of his testimony, Zatko said federal agencies like the FTC are under-resourced and at a disadvantage compared to powerful tech platforms. 

Zatko also said that Twitter was not afraid of the FTC as much as it was afraid of foreign regulators, such as France’s data protection authority, CNIL.

That’s because where Twitter expected US regulators to impose only one-time fines or penalties in response to any legal violations by the company, Twitter feared the prospect of foreign regulators imposing ongoing penalties or restrictions on its business going forward.

"One-time fines are priced in," he explained.

10:35 a.m. ET, September 13, 2022

Whistleblower: Twitter doesn't fully understand the data it collects

From CNN's Clare Duffy

Peiter "Mudge" Zatko testifies before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Brendan Smialowski/AFP/Getty Images)

Zatko said that when he arrived at Twitter, he began asking: "Why do they keep having so many security incidents? The same amount year after year … What is fundamentally, under-the-hood broken? Where is the systemic failure?"

One part of the problem, he said, is that Twitter doesn't fully understand all the data it collects from users or why it collects that data.

He cited an internal study conducted by engineers which allegedly found that for only about 20% of the data it collects does the company know "why they got it, how it was supposed to be used, when it was supposed to be deleted." With the remainder of the data, the company often did not know what the data was or why it was being collected, Zatko said. Samples of that unknown data in the study included personally identifying information such as phone numbers and addresses, he claimed.

Zatko also said that bad actors with access to Twitter's system could potentially access and exploit that data because the company doesn't properly understand, and therefore protect, the data it collects.

10:38 a.m. ET, September 13, 2022

Zatko: "I did not make my whistleblower disclosures out of spite or to harm Twitter"

From CNN's Aditi Sangal

Peiter Zatko is sworn in to testify before the Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Sarah Silbiger for CNN)

Former Twitter employee and whistleblower Peiter “Mudge” Zatko said that the platform's potential risk to national security and its users led him to decide it was "necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower."

"I did not make my whistleblower disclosures out of spite or to harm Twitter; far from that. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter's users and the public are protected," he told lawmakers on Tuesday.

10:54 a.m. ET, September 13, 2022

Sen. Grassley: Twitter CEO should step down if whistleblower's allegations are accurate

From CNN's Brian Fung

Senator Chuck Grassley speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13. (Eric Lee/Bloomberg/Getty Images)

Twitter CEO Parag Agrawal should step down if Zatko’s allegations are proven, according to Sen. Chuck Grassley, the Judiciary Committee’s top Republican. 

"I don’t see how Mr. Agrawal can maintain his position at Twitter” if Zatko’s claims turn out to be accurate, Grassley said. He also blasted the executive over a decision not to testify alongside Zatko despite a committee invitation to appear. 

According to Grassley, Twitter declined to make Agrawal available amid its concerns that his testimony could jeopardize the company’s ongoing litigation with billionaire Elon Musk. 

Twitter did not immediately respond to a request for comment.

10:55 a.m. ET, September 13, 2022

Durbin: Twitter security is "a matter of life and death" for dissidents

From CNN's Aditi Sangal

Senator Dick Durbin speaks during a hearing with Twitter whistleblower Peiter Zatko in Washington, on Tuesday, Sept. 13. (Eric Lee/Bloomberg/Getty Images)

Sen. Dick Durbin, the chair of the committee, pointed in his opening statement to the importance of security on Twitter for those who use the platform to criticize governments. Durbin specifically noted Saudi Arabia as an example:

"Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government. This is a matter of life and death as we know for these dissidents as the butchering of Jamal Khashoggi made clear."

Durbin was referring to a former Twitter manager who was accused of spying for Saudi Arabia and convicted last month on six criminal counts, including acting as an agent for the country and trying to disguise a payment from an official tied to Saudi's royal family. Prosecutors said he used his insider knowledge to access Twitter accounts and dig up personal information about Saudi dissidents.

"Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities," Durbin added.

10:49 a.m. ET, September 13, 2022

Whistleblower: Twitter "was over a decade behind" industry security standards when I joined

From CNN's Clare Duffy

Independent Security Consultant and Twitter Whistleblower Peiter "Mudge" Zatko sits to testify before the US Senate Judiciary Committee on Capitol Hill in Washington, on September 13. (Brendan Smialowski/AFP/Getty Images)

As he began his testimony Tuesday, Peiter “Mudge” Zatko laid out why he decided to become a whistleblower.  

When he joined the company, he said he discovered "this enormously influential company was over a decade behind" industry security standards ... "causing real harm to real people."

Zatko said he raised concerns about security vulnerabilities brought to him by Twitter's own engineers to the company's executives, but executives failed to act. He quoted writer Upton Sinclair, saying, "It is difficult to get someone to understand something when his salary depends on him not understanding something." This, he said, was the mentality of Twitter executives when he raised concerns.

"It's not far fetched to say a Twitter employee could take over the accounts of all of the senators in this room," he said.

"My genuine hope," he continued, "is that my disclosures help Twitter finally address its security failures and encourage the company to listen to its engineers and employees who have long reported the same issues I have disclosed.”