The former Chief of Security at the social media company Twitter testified before the U.S. Senate Judiciary Committee on Tuesday, stating under oath that there are massive holes in Twitter's security.
Peiter “Mudge” Zatko stated Twitter does not have the ability to protect data from hackers and breaches, nor maintain an access log to know who is accessing the data. For example, he said, “an employee could take over the accounts of all the senators in this room.”
Zatko testified, “They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” adding, “It doesn’t matter who has keys if there are no locks.”
“Twitter leadership ignored its engineers,” Zatko said, in part because, “their executive incentives led them to prioritize profit over security.”
The hearing is leading to support for bipartisan privacy and tech bills, and federal regulatory targeting of tech giants that Zatko says have not prioritized user security as required. Senators called for Twitter management to be completely overhauled, and for U.S. regulatory agencies to step up their investigation and enforcement.
Zatko testified that, as the company's former Chief of Security, he thinks Twitter's deficiencies are a matter of national security. He claims Twitter is more than “a decade behind industry security standards.”
He further testified that Twitter has failed minimum necessary standards and basic security safeguards, saying Twitter employees have “too much access to too much data,” and that Twitter does not have systems to track or log who is accessing what data or when.
He also alleged that Twitter does not properly monitor its nearly 4,000 employees and that over 2,000 of them have been automatically granted open access to massive amounts of uncatalogued user information, including user name, geolocation, address, telephone number, and email. A Twitter engineer, Zatko said, could steal an identity or tweet as any user they chose, including elected officials.
Neither can Twitter protect the privacy of its own employees, according to Zatko, whose written statement said the personal data of over 20,000 of Twitter's employees, both current employees and the undeleted information on former employees, has been included in the company's several security breaches.
Zatko also claimed the governments of China and India had Twitter hire individuals who were government agents and give them access to what he described as “vast amounts of sensitive data.”
Twitter responded by saying, “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” and that its hiring practices are free from foreign influence. It further stated that it runs background checks and does have access controls, monitoring, and deception systems, though it did not refute Zatko's claim that thousands of employees, many of them Twitter engineers, are given unfettered access to massive amounts of user data.
The FTC issued a consent decree against Twitter in 2011, in response to earlier failures by Twitter to protect user privacy and data, but Zatko was critical of its lack of enforcement follow-through, which he said was akin to “letting companies grade their own homework.” Zatko testified that a company can “wordsmith around” the requirements, “hold up an isolated example,” and knowingly mislead regulators into “assum[ing] that example was the whole environment.”
By contrast, Zatko said Twitter executives were much more fearful about regulators in Europe, such as the CNIL, France's Data Protection Authority in charge of enforcing the GDPR, the EU's powerful General Data Protection Regulation.
The U.S. does not yet have a federal comprehensive privacy protection law nor a central federal enforcement agency, though the proposed American Data Privacy and Protection Act (ADPPA) is currently under consideration in Congress.
photo credit: Greg Nash
“Twitter's platform is plagued by weak cyber defenses that make it vulnerable to exploitation by ‘teenagers, thieves and spies’ that put at risk the privacy of its users and employees.”
Whistleblower Peiter “Mudge” Zatko, former Twitter Chief of Security