Testimony from Twitter whistleblower Peiter “Mudge” Zatco on Tuesday before the Senate Judiciary Committee “paints a very disturbing picture” of a company that sacrificed the safety of its users in favor of the almighty dollar. Ranking Member Senator Chuck Grassley expressed his dismay over allegations of the employment of “at least one Chinese agent” and other foreign assets in the company. He and Senator Dick Durbin wrote a letter to Twitter CEO, Parag Argawal on Sept. 12, questioning the company about its alleged “inadequate” protection of user data and national security.

On Tuesday, Grassley bolstered his case, citing DOJ indictments in 2019 of two Twitter employees who “used their positions to access private user data and then gave it to Saudi Arabia.” They accessed private data on “more than 6,000 users” who were of interest to Saudi Arabia, violating a 2011 consent decree with the FTC to protect private user information. Twitter outsources “a great deal of information” to foreign sources. Grassley warned the FTC lacks the resources to properly oversee Twitter’s compliance with the consent decree, and Zatco agreed.

Twitter Employees Indicted/https://www.justice.gov/opa/pr/two-former-twitter-employees-and-saudi-national-charged-acting-illegal-agents-saudi-arabia

Pieter “Mudge” Zatco’s Testimony

Zatco was on Twitter’s executive team from November 2020 to January 2022. He filed a complaint on Jul. 6, as evidenced by a cover letter from his attorneys requesting legal protections from retaliation. Zatco’s 84-page redacted disclosure was obtained by the Washinton Post in July. He was responsible for information security, privacy, engineering, physical security, information technology, and Twitter global support. He came forward because of grave concerns over its antiquated security standards. He repeatedly tried to warn its management and board and believes the company continues to mislead users, shareholders, and lawmakers. He said the company is at least “10 years behind its peers” in the realm of cyber security.

“Two basic issues” are at the core of Zatco’s worries. One, Twitter does not have a handle on “where data lives or where it comes from.” The company has no way to track who is looking at or using the data on its system. As a result, user data is insecure. Secondly, as a result of the lack of security, “about 4000 Twitter engineers” have “too much access to too much data into too many systems. You can think of it this way,” he added, “It doesn’t matter who has the keys if you don’t have any locks on the doors. It is not far-fetched to say that an employee inside the company could take over all the accounts of all of the senators in this room.”

The lack of security controls at the company can cause real-world problems for users and our national security. Once Twitter has access to key data points like phone numbers, addresses, emails, types of devices used, and geolocation data, there’s no limit to what they can potentially do with the information. It can cause “real harm to users and to national security,” said Zatco. The exchange with Senator Durbin of Illinois is illustrative of his unease with Twitter’s refusal to prioritize the security of its platform.

When Zatco first joined the company, he “discovered that thousands of users had access to the advertisers’ information including their bank accounts & routing numbers, and when I first joined, people could change that information.” He also gave current examples of how easy it is to identify users, their social and business networks, all of the Twitter accounts “they have tried to hide,” their other social media accounts, and their exact location at any given point in time.

While Twitter is banned for users in China, the platform has continued to allow advertising on the platform by companies located in China because of the lucrative income stream provided by such advertising. Zatco explained that when users click on Chinese ads, they will “presumably be redirected to a website controlled by the Chinese government.” The Chinese government then has access to “vast amounts of data” and the geolocations of “pro-democracy” citizens. In China, that can result in persecution or worse.

When Zatco brought his concerns about Chinese ads on Twitter to the executive in charge of sales, he said the response centered on profit, not on what was best for users. He was told the ads “would not stop.” Thus this “internal conundrum” became more about how Zatco and other concerned employees should “thread the needle” between revenues from the ads and how “to make employees comfortable with the fact Twitter was doing this.”

Zatco also explained that Twitter was a reactive, not a proactive, environment. Consistently, the company failed to think through problems or put strategies into place that would protect users and national security. Most of the time, Twitter employees had no idea what kind of information was being provided to the Chinese government—or any other entity for that matter. Twitter has no “testing, development, or staging environment,” said Zatco. It is all done live, in real-time.

“It is an oddity and an exception to the norm. Most companies will have a place where you test your software, where you build it, where you make sure it’s working the way you want it to. When you become an engineer, which is—half of the company are engineers, you are by default given some access to this live production environment. You were doing your testing, you were doing your work on live systems and live data irrespective of where you are in the world as an engineer. So if you were a foreign agent and you’re hired, if you’re an engineer, you’ve got access to all of the data that we talked about. Twitter doesn’t know what or where 80% of their data is. But also recall that [some of these Twitter engineers are] foreign agents [who] can have multiple goals. Sometimes it’s not just the engineers with technical access that they want. But it might be information about the plans of Twitter, what plans Twitter has to potentially censor information in the government or concede to a government request, or what plans they have for expansion in a particular environment. And it is very difficult to detect the agents and where they are in the system.”

Zatco’s July Disclosure

Elon Musk retracted his offer to buy Twitter in part because he contends upwards of 5% of the “users” on the Twitter platform are bots. Twitter filed a lawsuit in response. Zatco’s disclosure alleges that a May tweet from Agrawal about the bots was a lie. Agrawal stated the company is “incentivized to detect and remove as much spam” as they can. Zatco submitted pages of testimony allegedly proving Agrawal and Twitter were lying about the bots and many other issues in his public statements. He states that “deliberate ignorance was the norm at Twitter amongst the executive leadership team.” Zatco even promoted his program called #Protect Initiative to the Board of Directors in 2021. He designated elements of the initiative to track and eliminate bots. It appears the program was started and led to a “damning report on platform integrity” in “May or June of 2021.” The disclosure shows some of those findings on pages 17 and 18. It is unclear whether the program continued after he left in early 2022.

The disclosure also mentions the July 2020 hacking of Twitter by teenagers, further confirming Zatco’s claims of lax security measures by the company. The hackers took over the accounts of prominent political and business figures—Joe Biden, Barack Obama, Jeff Bezos, and Bill Gates, to name just a few. It was at the time “the largest hack of a social media platform in U.S. history.” The teens got the passwords from employees by pretending to be Twitter IT support employees. They were given credentials and able to use them to achieve “God-mode,” allowing them to “imposter tweet from any account they chose.”

On Tuesday, Twitter’s shareholders voted to approve Musk’s takeover of Twitter for $54.20 per share. A Court of Chancery in Delaware will rule on the fate of Musk’s offer in an October trial. During Tuesday’s hearing, Musk posted his usual terse tweet, this time with a box of popcorn emoji.