Lawmakers on the Senate Judiciary Committee are expected to question Zatko about his claims that Twitter has undisclosed security and privacy vulnerabilities that could threaten users, investors and even U.S. national security.
What Zatko says in Tuesday’s hearing could lay the groundwork for further investigations by Congress, federal regulators and law enforcement officials. His testimony could also further complicate the legal battle over billionaire Elon Musk’s deal to acquire Twitter, and comes the same day Twitter shareholders are due to vote on the deal.
In a whistleblower disclosure sent to multiple lawmakers and government agencies in July, Zatko accused Twitter of failing to protect users’ personal information and of exposing the most sensitive parts of its operation to too many people, potentially including foreign spies. Zatko – who was Twitter’s chief security officer from November 2020 until his firing in January – also alleged that company executives, including CEO Parag Agrawal, deliberately misled regulators and the company’s own board of directors about its shortcomings.
Twitter slammed Zatko and broadly defended itself against the allegations, saying the disclosure paints a “false narrative” of the company. A company spokesperson said Zatko was fired for “ineffective leadership and poor performance.” Zatko himself argued in his disclosure that he was fired in retaliation for raising concerns about security vulnerabilities and alleged misrepresentations by Twitter executives to its board.
“Mr. Zatko’s allegations of widespread security breaches and interference by foreign state actors on Twitter raise serious concerns,” Sens. Dick Durbin and Chuck Grassley, the chairman and top Republican on the Senate Judiciary Committee, said in a statement last month announcing the hearing.
Lawmakers are likely to focus on Twitter’s alleged missteps in protecting user data, as well as Zatko’s claims that the company is vulnerable to exploitation by foreign governments and could even now have foreign spies on its payroll. Zatko also alleged that Twitter violated its 2011 consent order with the Federal Trade Commission, a claim that, if true, could result in billions of dollars in fines for the company. Senior Twitter executives could also be held liable if it is proven that they were knowingly responsible for any violations.
Musk, who is currently fighting Twitter in court to back out of a $44 billion acquisition deal, is also likely to be watching Zatko’s testimony closely. Musk’s legal team sent a third letter to Twitter on Friday demanding that the deal be terminated, saying an alleged $7.75 million payment made to Zatko in June, before his whistleblower disclosure, violated the company’s obligations under the acquisition contract. The letter claimed the payment was revealed in a filing made by Twitter earlier this month. Twitter responded Monday by calling Musk’s letter “invalid and wrongful” and saying the payment did not violate the agreement.
According to Whistleblower Aid, the organization providing legal representation for Zatko, any legal obligations to which Zatko might be subject do not prevent him from making disclosures to lawmakers and law enforcement.
Whistleblower Aid also represented Frances Haugen, the former Facebook employee who blew the whistle on the social media giant last year. Her revelations prompted numerous congressional hearings, proposed bills, and changes by the company.
A whistleblower with experience on Capitol Hill
Zatko is no stranger to Capitol Hill. In 1998, Zatko appeared before the Senate Committee on Governmental Affairs as part of a panel of ethical hackers who urgently told Congress that the technology used to access the Internet was insecure. “If you’re looking for computer security, the internet is not the place to be,” Zatko warned at the time.
Among Zatko’s most explosive claims is that roughly half of Twitter’s employees, including all of its engineers, have extensive access to the company’s active, live product, including real user data. That is unlike other big tech companies, he says, where coding and testing take place in special environments separate from the services consumers use. Zatko also alleges that Twitter fails to reliably delete data from users who cancel their accounts, in some cases because Twitter lost track of the information. The alleged failures represent violations of Twitter’s 2011 FTC consent order, Zatko claimed.
Twitter said members of its engineering and product teams are allowed access to Twitter’s platform if they have a specific business justification for doing so, but members of other departments – such as finance, legal, marketing, sales, human resources and support – can’t. Twitter also said it created internal workflows to ensure users know that when they cancel their accounts, the company will deactivate the accounts and initiate a deletion process. But Twitter declined to say whether it generally completes this process.
The disclosure — which includes a copy of a third-party consulting firm’s 2021 report on Twitter’s efforts to combat misinformation — accuses the company of having misaligned priorities between product and security teams and a reactive approach to misinformation and manipulation of the platform. For its part, Twitter says it has “a cross-functional team around the world focused on combating the spread of misinformation and fostering an environment conducive to healthy and meaningful conversation.”
The Musk factor
Zatko’s testimony – and any action lawmakers and regulators take as a result – could also have implications for the legal battle over Musk’s efforts to walk away from the deal he struck to buy the company.
Zatko alleges that Twitter misled Musk and the public about the number of bots on its platform — an issue that has become central to Musk’s efforts to get out of the deal. The other allegations in his disclosure also introduce new wildcards into the fight.
Last week, a Delaware judge ruled that Musk could add to his allegations in the case based on the whistleblower’s disclosure. Zatko was due to be deposed by Musk’s team on Friday.
Twitter pushed back on Musk’s letter, saying it is “based solely on statements made by a third party which, as Twitter has previously stated, are riddled with inconsistencies and inaccuracies and lack significant context.” The company reiterated its intention to close the deal at the agreed price and terms.
Musk and Twitter are set to go on trial for the deal in October, after the judge denied Musk’s request to delay proceedings following Zatko’s disclosure.