This morning Jazz wrote about a letter the Senate Judiciary Committee sent to the CEO of Twitter asking a bunch of probing questions about the company’s security. This afternoon the committee received testimony from Peiter “Mudge” Zatko, the former employee turned whistleblower about what he saw during his time at the company.
One of the highlights came when Sen. Grassley asked Zatko about suspicions that a Chinese spy had infiltrated the company. Zatko said he learned about it just a week before he was fired. He said the company’s physical security team had been notified that at least one Chinese spy was on the payroll. Zatko said that given the state of Twitter’s security, that warning didn’t surprise him. He suggested that any foreign government that wasn’t putting agents in Twitter wasn’t really doing its job.
But even once the company knew about the problem, nothing much happened. “It was extremely difficult to track the people,” Zatko said. He continued, “There was a lack of logging and an ability to see what they were doing, what information was being accessed or to contain or to contain their activities.”
“They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own,” he added.
Asked by Sen. Mike Lee why Twitter lacked a logging system to see what employees were doing with their access, Zatko replied that the company was more concerned about “driving revenue.” He then relayed a conversation he’d had with an unidentified executive at Twitter. “I’m reminded of one conversation with an executive when I said ‘I am confident that we have a foreign agent’ and their response was ‘Well, since we already have one what does it matter if we have more? Let’s keep growing the office.’”
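What the “logging and an ability to see what they were doing” that Zatko describes would look like in practice, as an added example that is not from the article or from Twitter: a short Python review over a constructed employee access-audit log (hypothetical JSON format and field names) that flags reads of identity-revealing fields done without a support ticket and any action taken on a user’s behalf.

```python
import json
from collections import defaultdict

# Constructed sample of an internal access-audit log (hypothetical format, not
# Twitter's): each line records one employee action against one user account.
SAMPLE_LOG = """\
{"ts":"2022-09-13T10:01:00Z","employee":"e1001","action":"read_profile","account":"u501","fields":["email","phone"],"ticket":"SUP-4410"}
{"ts":"2022-09-13T10:02:10Z","employee":"e1001","action":"read_profile","account":"u502","fields":["email"],"ticket":"SUP-4411"}
{"ts":"2022-09-13T10:05:00Z","employee":"e2002","action":"read_profile","account":"u601","fields":["phone","last_ip","location"],"ticket":null}
{"ts":"2022-09-13T10:05:20Z","employee":"e2002","action":"read_profile","account":"u602","fields":["phone","last_ip","location"],"ticket":null}
{"ts":"2022-09-13T10:05:40Z","employee":"e2002","action":"read_profile","account":"u603","fields":["last_ip","location"],"ticket":null}
{"ts":"2022-09-13T10:06:00Z","employee":"e2002","action":"read_profile","account":"u604","fields":["email","last_ip"],"ticket":null}
{"ts":"2022-09-13T10:30:00Z","employee":"e3003","action":"post_tweet_as","account":"u700","fields":[],"ticket":null}
"""

# Fields that can unmask a pseudonymous user (the kinds of data the testimony lists).
IDENTIFYING = {"email", "phone", "last_ip", "location"}
# Actions that act *as* the user rather than merely reading about them.
IMPERSONATING = {"post_tweet_as", "reset_password"}


def parse_log(text):
    """Parse one JSON object per line, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def review_access(events, max_unticketed_accounts=3):
    """Return a list of (finding, employee, detail) tuples.

    Two signals: an impersonating action with no ticket, and an employee who
    reads identifying fields of >= max_unticketed_accounts distinct accounts
    without any ticket to justify the access.
    """
    unticketed = defaultdict(set)  # employee -> accounts read without a ticket
    findings = []
    for ev in events:
        has_ticket = bool(ev.get("ticket"))
        if ev["action"] in IMPERSONATING and not has_ticket:
            findings.append(("impersonation_without_ticket", ev["employee"], ev["account"]))
        if ev["action"] == "read_profile" and not has_ticket and IDENTIFYING & set(ev["fields"]):
            unticketed[ev["employee"]].add(ev["account"])
    for emp, accounts in sorted(unticketed.items()):
        if len(accounts) >= max_unticketed_accounts:
            findings.append(("bulk_pii_read_without_ticket", emp, len(accounts)))
    return findings


if __name__ == "__main__":
    for finding in review_access(parse_log(SAMPLE_LOG)):
        print(finding)
```

The ticketed reads by e1001 produce no finding; the point is that without this kind of record there is nothing to review at all, which is the gap the testimony describes.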
The reason China, or another authoritarian regime, might be eager to have a spy inside Twitter is easy to surmise. Twitter allows people to post statements critical of the Chinese government under pseudonyms that protect them from repercussions. But a spy inside the company would be able to peek behind the curtain and gather all kinds of information on people, including Chinese nationals living abroad, who might be using the service against China’s interests. And as we already know, China is not above pursuing and harassing its critics even right here in the US.
That’s just a tiny portion of Zatko’s testimony. CNN did a roundup of some of the other highlights.
- Zatko said that Twitter was not afraid of the US Federal Trade Commission as much as it feared actions by foreign regulators, such as France’s data protection authority, CNIL. The reason, he said, is that Twitter expected US regulators to impose only one-time fines or penalties in response to any legal violations by the company. Those fines were “priced in” to its business, he said.
- Zatko detailed some of the personal information Twitter collects on users, including phone numbers and emails, IP addresses and the locations from which users access the platform.
- Zatko alleged that Twitter does not fully understand all of the user data it collects, why it is collected and where it is stored.
- Zatko alleged that it would be possible for a Twitter employee to take over and tweet from the accounts of Senators. “It’s not far-fetched to say a Twitter employee could take over the accounts of all of the senators in this room,” he said, though he never saw such a thing happen in his time at the company.
You can see his full opening statement here.
Update: Elon Musk didn’t exactly say anything about today’s testimony but he did tweet this one emoji (he also changed his username).
— Naughtius Maximus (@elonmusk) September 13, 2022