
‘Real Harm to Real People.’ Twitter Whistleblower ‘Mudge’ Testifies Over Security Failures


In his first public appearance since he made a series of explosive accusations against Twitter in a whistleblower complaint last month, Peiter “Mudge” Zatko, the company’s former security chief, on Tuesday told lawmakers that the social media platform was endangering both users and national security by prioritizing growth over fixing “egregious” security lapses.

“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards,” Zatko, a well-known hacker with three decades of experience in cybersecurity, told the Senate Judiciary Committee. “It doesn’t matter who has keys if you don’t have any locks on the doors…the company’s cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.”

His somber appearance in a formal gray suit and a goatee was a far cry from the flowing long hair Zatko sported when he first appeared before the Senate 24 years ago. But he issued a similar warning this time around as he did then, when he alarmed lawmakers by claiming that he and his fellow hackers could take down the Internet in 30 minutes. “It’s not far-fetched to say that an employee inside the company could take over the accounts of all of the Senators in this room,” he said.

Zatko characterized Twitter’s deficiencies as a dire global and national security threat. “When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us.”

In 84 pages of disclosures submitted to U.S. regulatory agencies in July, Zatko, who invoked federal whistleblower protections, accused the $32 billion company’s top executives of violating the Federal Trade Commission Act and Securities and Exchange Commission regulations by misleading its users, board members and investors about critical security failures. These gaps left the platform open to security breaches, infiltration by foreign governments and exploitation by a range of bad actors, Zatko said.

“I think they would like to wave a magic wand and have all of these things fixed,” he told lawmakers on Tuesday. “But they’re unwilling to bite the bullet…and say ‘hey, we’re going to have to devote some time and money to get these basic things in place.'”


“Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities,” said Sen. Richard Durbin, the chairman of the Senate Judiciary Committee. “Imagine if it’s a malicious hacker or a hostile foreign government breaking into the President’s Twitter account, sending out false information, claiming there was a terrorist attack on one of our citizens? We could see widespread panic.”

Here are the key takeaways from Zatko’s testimony on Tuesday.

Independent security consultant and Twitter whistleblower Peiter “Mudge” Zatko testifies before the U.S. Senate Judiciary Committee on Capitol Hill in Washington, D.C., on September 13, 2022. Brendan Smialowski—AFP/Getty Images

“One crisis at a time”: Zatko described internal chaos at Twitter

Zatko described a company unwilling to commit the resources to patch up even basic vulnerabilities, and internal frustration at what he described as failures in leadership. “The engineers and the employees want this change,” he said about proposed fixes for the security and privacy issues plaguing the platform. “[But] it’s a culture where they’re only able to focus on one crisis at a time. And that crisis isn’t completed, it’s simply replaced by another crisis.”

Zatko’s claims landed in the middle of a heated legal dispute over Twitter’s agreement to sell the company to Elon Musk, making their credibility a multibillion-dollar issue. Last month, a judge ruled that Musk could amend his lawsuit against the company to include the allegations made by Zatko, who has been subpoenaed by Musk’s legal team.

After Zatko’s whistleblower complaint went public, it was revealed that two months earlier, the company had agreed to pay him more than $7 million in a settlement related to lost compensation. This included a non-disclosure agreement prohibiting him from disparaging the company, according to the Wall Street Journal.

Musk seemed to signal he was watching the hearings on Tuesday, tweeting the popcorn emoji. Less than an hour after the hearings ended, Twitter shareholders voted to approve Musk’s original deal. “There’s been a pile-on to Twitter, between Musk’s actions and now Mudge’s accusations, that have very much eroded the value of the stock,” says Natasha Lamb, managing partner at Arjuna Capital, which holds Twitter shares. “Investors view Musk’s purchase as potentially the only way out so that they can recoup value.”

Twitter and Musk are set to go to trial over the dispute on October 17.


Claims about Twitter’s links with foreign governments

Zatko talked at length about one of the most alarming sections of his disclosure: that Twitter had allowed an agent of the Indian government to be hired in its newly created Indian office, giving that agent access to internal information. For the last few years, Twitter has been locked in a stand-off with the Indian government over the latter’s desire to censor posts in the country. Zatko says he believes the agent’s goal inside the company was to “understand Twitter’s negotiations with the court and the ministry.”

The whistleblower said Tuesday that once he learned about the agent, he set up a small team “just to track that person,” but it was “extremely difficult” to follow the agent’s actions or to contain their activities, due to the inadequacy of Twitter’s internal tools.

Zatko went on to accuse higher-ups of turning a blind eye to the situation, saying that when he told one executive about the alleged agent, he was told: “Since we already have one, what does it matter if we have more? Let’s keep growing the office.”

During his time at Twitter, Zatko also claims that some employees at the company expressed concerns that the Chinese government could collect data on the platform’s users, and described internal tensions with executives who wanted to maximize Chinese advertising revenue.

“The executive in charge of sales very shortly after I joined said, ‘This is a big internal conundrum, because we’re making too much money from these sales, we’re not going to stop,’” he said.

Zatko also revealed more information that his disclosures had hinted at. While in the redacted version of his whistleblower complaint that was made public he said he had warned Twitter that “one or more” of its employees were “working on behalf of another particular foreign intelligence agency,” he gave more details on Tuesday. The week before he was fired by the company, Zatko said, he learned that an agent of China’s Ministry of State Security was on the payroll at Twitter.

Twitter’s role in geopolitical crises

Zatko called the company’s lack of content moderators in other languages “stunning.” He insinuated that this deficiency contributed to the genocide of Muslim Rohingya in Myanmar, in which hate speech and propaganda against the minority group were fomented on social media platforms like Facebook and Twitter. “When something was happening in Myanmar, you can’t wait until after it happens and then go, ‘Where are the Burmese speakers?’ Twitter has to understand that 80% of their users are outside the U.S. You can’t create a healthy environment or serve the public conversation if all you can do is say, ‘Google Translate is doing the right job for me,’” he said.

Lawmakers also pointed out that Twitter’s prioritization of its growth over security and privacy measures had serious consequences for users living under authoritarian regimes.

“Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government,” Durbin said. “This is a matter of life and death as we know for these dissidents.”

How the FTC has been “outgunned” by Big Tech

One of the reasons that Twitter was able to remain a “decade behind” its competitors on security, Zatko says, was a lack of pressure imposed on the company by regulators. In particular, the whistleblower said that the FTC was “absolutely outgunned” in the face of Big Tech; that the agency “left companies grading their own homework” and allowed them to hire their own auditors, which he said amounted to a conflict of interest.

“Clearly what we’re doing right now is not working,” Sen. Richard Blumenthal said.

Zatko told lawmakers that Twitter feared other foreign regulators far more than the FTC. In particular, he said that France’s data privacy watchdog Commission Nationale de l’Informatique et des Libertés (CNIL) “terrified” the company, because they asked technical and quantitative questions and wielded the ability to levy large recurring fines, as opposed to one-time FTC penalties that Twitter “priced in” to their business model.

Senators from both parties called for stepping up regulation

Zatko’s appearance, however temporarily, spurred a spirit of bipartisanship in Congress on Tuesday. Sen. Lindsey Graham pledged to partner with Sen. Elizabeth Warren, with whom he has “different perspectives on almost everything,” to create new legislation to regulate Big Tech. He said he hoped to create “a system more like Europe: a regulatory environment with teeth.”

“If Elizabeth Warren and Lindsey Graham can come together around that concept, I think we’re off to the races,” Graham said.

Many other senators on both sides of the aisle called for increased regulation and raised the idea of creating a new agency. Sens. Amy Klobuchar and Marsha Blackburn both called for a national privacy standard to protect users online. And Sen. Chris Coons used his time to advocate for the bipartisan bill he announced in December, the Platform Accountability and Transparency Act, which would require social media companies to undergo independent audits and publish much more data about how they operate.


Write to Vera Bergengruen at vera.bergengruen@time.com