Hackers, spies and security gaps: US Senate criticizes Twitter

San Francisco. US politicians from both political camps have criticized Twitter for its careless handling of user data and announced stricter monitoring of the company.

The occasion was a hearing with former Twitter security chief Peiter Zatko on Tuesday. He accused the platform of employing agents from foreign secret services, of not adequately protecting user data and of violating fundamental security precautions.

In a letter, the US Senate Judiciary Committee has now requested further details from Twitter CEO Parag Agrawal. Senator Chuck Grassley, the senior Republican on the committee, called on Agrawal to step down as CEO.

Meanwhile, at a special shareholder meeting, Twitter’s shareholders voted to go ahead with selling the platform to billionaire Elon Musk. Musk had initially signed a purchase agreement for around 44 billion dollars and deliberately waived the customary due diligence.

In July, he accused Twitter of providing false information and tried several times to terminate the purchase agreement. With Tuesday’s vote, Twitter shareholders rejected Musk’s third attempt to back out of the deal. A court hearing in Delaware is scheduled to begin on October 17 to decide how the purchase will proceed.

Before the Judiciary Committee, Zatko, who also goes by the name Mudge, described a case in which a senior Twitter manager was threatened by a user. It took a technician only about ten minutes to gather a great deal of information about that user. “We had his real name, his home address, his exact whereabouts and his phone number,” Zatko said. He used the example to show that Twitter holds significantly more information about its users than they consciously share.

Ex-security chief: Twitter is a “ticking time bomb for security vulnerabilities”

Zatko warned that Twitter was unable to adequately protect this information. Around half of all Twitter employees have access to such sensitive user data, he said, and there is hardly any record of which employees access which data. As a result, Twitter is effectively unable to detect abuse by its own employees. He tried to change this practice during his time at Twitter but failed, Zatko said.

In addition, Zatko said, Twitter worked directly or indirectly with foreign intelligence services. In the case of India, Twitter knowingly hired several members of the security services as employees. In the case of China, Twitter created the technical means for Chinese intelligence services to spy on critics of the Chinese government.

In the case of Saudi Arabia, a few weeks ago a US court found a former Twitter manager guilty of spying on dissidents on Twitter for Crown Prince Mohammed bin Salman. Senator Chuck Grassley said Twitter had been warned by the FBI that the company had at least one Chinese spy on its staff. Zatko told the panel that the spy was an agent of China’s Ministry of State Security.

Zatko said he urged his superiors to take more action against foreign spies inside the company. However, one executive replied: “Since we already have one (spy), what’s the problem if we have more? Let’s keep the office growing,” Zatko quoted the Twitter manager as saying.

Zatko’s latest allegations go beyond those he made in a whistleblower complaint filed with the US Securities and Exchange Commission. Zatko was fired from Twitter in January. The company has called his allegations false.

Ex-security chief: France’s data protection authority tougher than US supervisors

Contrary to the legal requirements in several countries and in the European Union, Twitter does not delete user data but only deactivates it, Zatko said. Twitter has already been the target of investigations in the United States, and its handling of data could result in fines. Nevertheless, Twitter’s management was little concerned about the actions of the US authorities. Twitter did, however, have great respect for France’s data protection authority CNIL.

US supervisors impose one-off penalties. “They’re already priced in,” said Zatko. France’s data protection authority, on the other hand, engages with the technical details of the platform and can keep imposing fines for as long as a violation remains unremedied. That, he said, is why Twitter has more respect for the French supervisors than for those in the United States.

Zatko is well respected among cybersecurity professionals and has worked for both Google and the US government. However, he has also been criticized for his depiction of the situation at Twitter. Former Twitter developer Ian Brown publicly accused him of having set the wrong priorities in dealing with security vulnerabilities. In addition, Zatko has so far provided hardly any evidence for his allegations.

Allegations could overshadow court case over Twitter purchase

Zatko’s revelations could provoke reactions not only from US politicians and regulators. They will also feature in the court hearings over the purchase agreement with Elon Musk. Musk tweeted a popcorn-bag emoji during Zatko’s hearing.

So far, Wall Street has assumed that Musk will clearly lose the case, said analyst Daniel Ives of wealth manager Wedbush. That could change with Zatko’s revelations. “Zatko is like Pandora’s box for Twitter,” Ives wrote.

Zatko is represented by Whistleblower Aid, the same group that represented Facebook whistleblower Frances Haugen. John Tye, founder of Whistleblower Aid and Zatko’s attorney, told CNN that Zatko had not been in contact with Musk and that Zatko started the whistleblower process before there was any evidence of Musk’s involvement in Twitter.
