Twitter executives put profits ahead of security, leaving the door open to infiltration by foreign agents and hackers, the company's former head of security told Congress on Tuesday.
"Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors," Peiter Zatko testified during a Senate Judiciary Committee hearing. "The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people."
Zatko, who's also known by his hacker name, Mudge, was hired to lead security at Twitter in 2020, after teenaged hackers took over high-profile verified accounts. He was fired in January of this year. In an 84-page federal whistleblower complaint made public last month, he accused the company of practicing lax security, neglecting user privacy, violating a 2011 settlement with the Federal Trade Commission, and knowingly employing foreign government agents who had access to internal systems and data.
His allegations have raised alarm bells in Washington, given Twitter's role as a place where government leaders, dissidents and businesses go to get their message out.
Zatko's disclosures have also thrown a new twist into Twitter's legal battle with Tesla CEO Elon Musk, who is trying to back out of a $44 billion deal to buy the company. The billionaire has seized on Zatko's claims as further justification for walking away from the purchase without penalty.
In Tuesday's hearing, which ran for more than two hours, Zatko painted a portrait of a company plagued by widespread security issues and unable to control the data it collects. Calm and measured, he stuck closely to his expertise, unpacking technical details of Twitter's systems with real-world examples of how information held by the company could be misused.
"It's not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room," he warned.
After the hearing, Twitter pushed back against Zatko's claims. "Today's hearing only confirms that Mr. Zatko's allegations are riddled with inconsistencies and inaccuracies," a company spokesperson said in a statement.
Here are five takeaways from the hearing:
Twitter was warned it hired a Chinese spy
Zatko alleged the company is highly vulnerable to abuse by foreign intelligence agents — but is unable or unwilling to root them out.
A week before his firing in January, he testified, the FBI told Twitter's security team that at least one agent from China's Ministry of State Security was on the company's payroll. Zatko said while he found that disturbing, given "the state of the environment at Twitter," he was not surprised.
"If you are not placing foreign agents inside Twitter — because it's very difficult to detect them [and] it is very valuable to a foreign agent to be inside there — as a foreign intelligence company, you're most likely not doing your job," he said.
Zatko also alleged that the Indian government had placed an agent inside Twitter. He testified that Twitter struggled to identify potential infiltration by foreign agents and typically was only able to do so when notified by outside agencies. The company was "unwilling to put the effort in" to hunt down bad actors within its ranks, he said.
"I'm reminded of one conversation with an executive when I said, 'I am confident that we have a foreign agent,'" Zatko recalled. "Their response was, 'Well, since we already have one, what does it matter if we have more?'"
Twitter says its hiring process is independent of foreign influence.
Zatko pins Twitter's failures on leaders, starting with CEO Parag Agrawal
Zatko placed the blame for Twitter's vulnerabilities squarely on a leadership team that he described as reactive, incompetent, and motivated by profit over safety.
"I saw that Twitter was a company that was managed by risk and by crises, instead of one that manages risk and crises. It would react to problems too late," Zatko told the senators.
Executives, he alleged, ignored warnings from him and other employees over Twitter's security flaws because they "lacked the competency to understand the scope of the problem."
Zatko described a company culture that avoided negativity and alleged executives presented selectively favorable information to the board.
"There was an internal culture of only reporting good results up," he said.
He accused leadership of prioritizing business over security, quoting writer Upton Sinclair: "It is difficult to get someone to understand something when his salary depends on him not understanding something."
Republican Sen. Charles Grassley of Iowa, the committee's ranking member, slammed Twitter CEO Parag Agrawal for turning down an invitation to testify alongside Zatko on Tuesday. He said Agrawal had declined due to Twitter's court battle with Musk.
"The business of this committee and protecting Americans from foreign influence is more important than Twitter's civil litigation in Delaware," Grassley said. "If these allegations are true, I don't see how Mr. Agrawal can maintain his position at Twitter."
Twitter can't control the data it collects, Zatko alleges
When Zatko joined Twitter, he said, he was struck that the company kept having recurring security lapses — "the same amount, year after year."
The root cause, he told senators, is that Twitter doesn't understand how much data it collects, why it collects it, and how it's supposed to be used.
That includes users' phone numbers, IP addresses, emails, the devices they use, their locations and other identifying information. What's more, he said, around half the employees at Twitter have access to that data.
"It doesn't matter who has keys if you don't have any locks on the doors," he said. "The concern there is anybody with access inside Twitter...could go rooting through and find this information and use it for their own purposes."
Zatko said that also raised red flags that Twitter may not be complying with its 2011 agreement with the FTC over misuse of email addresses that it told users it was collecting for security reasons, but then used for marketing. (In May, the FTC fined Twitter $150 million for violating that agreement.)
"How come we keep making these same mistakes?" Zatko said. "What is it that we are telling the FTC as Twitter that is incorrect?"
Democratic Sen. Dick Durbin of Illinois, the committee chairman, compared Twitter to a bank, saying users expect the company to protect the information they use when they sign up for accounts. "Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities," he said.
Twitter says it controls employees' access to data through a variety of measures, including background checks, detection systems and other controls.
Lawmakers call out regulators, too
Twitter's management wasn't the only target at the hearing. Senators called out failures by government to effectively respond to the risks raised by tech companies.
"I'm concerned that for almost 10 years, the Federal Trade Commission didn't know or didn't take strong enough action to ensure Twitter complied" with the 2011 settlement, Grassley said.
Zatko characterized the regulator as outmatched by Silicon Valley's deep pockets. "Honestly, I think the FTC is a little over their head, compared to the size of the big tech companies," he said. "They're left letting companies grade their own homework."
Sen. Richard Blumenthal, D-Conn., called for the creation of a new federal agency to protect user privacy and security. "To effectively address this problem, we need not only to insist on restructuring the company, but also likely restructuring, reforming and energizing our regulatory apparatus," he said.
Democratic Sen. Amy Klobuchar of Minnesota said Congress needs to face its own shortcomings. Despite bipartisan concern over the impact of tech companies, "we have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies, when it comes to the protection of kids," she said.
Off Capitol Hill, Twitter-Musk drama plays out
Shortly after the hearing wrapped, Twitter shareholders voted to approve Elon Musk's deal to buy the company — a formality that had to happen despite the fact that the two sides are headed to court in Delaware next month.
Musk is trying to call off the purchase, claiming Twitter misled him and other shareholders about how it counts the number of fake or spam accounts on the platform.
He's seized on Zatko's allegations to bolster his claims, and has added them to his legal arguments in Delaware Chancery Court.
During the hearing, Republican Sen. Lindsey Graham of South Carolina asked Zatko if he would buy Twitter, given what he knows.
"I guess that depends on the price," Zatko said.
On Tuesday, Musk hinted he was watching Zatko's testimony. In the first hour of the hearing, the billionaire tweeted a popcorn emoji.