The Democratic and Republican leaders of the US Senate Judiciary Committee blasted Twitter for alleged security failures in a letter last night on the eve of today’s hearing featuring testimony from whistleblower Peiter “Mudge” Zatko.
“We write regarding recent allegations that Twitter has turned a blind eye to foreign intelligence infiltration, does not adequately protect user data, and has provided misleading or inaccurate information about its security practices to government agencies,” Judiciary Committee Chair Richard Durbin (D-Ill.) and ranking member Charles Grassley (R-Iowa) wrote to Twitter CEO Parag Agrawal.
Zatko, who was Twitter’s head of security from November 2020 until being fired in January 2022, alleged in his complaint that he “uncovered extreme, egregious deficiencies by Twitter in every area of his mandate including… user privacy, digital and physical security, and platform integrity/content moderation.” Zatko also claimed Twitter is guilty of “lying about bots to Elon Musk,” though his complaint doesn’t seem to disprove Twitter’s public disclosure that less than 5 percent of its monetizable daily active users (mDAU) are spam or fake.
Durbin and Grassley’s letter focused on Twitter’s alleged security failures, including “data security practices [that] may enable foreign governments and intelligence agencies to access sensitive data identifying Twitter users.” The foreign intelligence agency issue “is not a theoretical concern,” the senators wrote. “Last month, a federal jury convicted a former Twitter employee of acting as an unregistered foreign agent for the Kingdom of Saudi Arabia. While employed by Twitter, the defendant accepted payments in exchange for accessing and conveying the private information of Twitter users to the Saudi Royal family and other Saudi officials.”
Zatko alleges “ticking bomb” of security flaws
The Judiciary Committee invited Twitter to have someone appear at today’s hearing, but the company apparently declined. Zatko’s opening statement at the hearing said, “Upon joining Twitter, I discovered that the company had 10 years of overdue critical security issues, and it was not making meaningful progress on them. This was a ticking bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed those security failures to the highest levels of the company. It was only after my reports went unheeded that I submitted my disclosures to government agencies and regulators.”
Durbin and Grassley’s letter asked Agrawal to answer a list of questions by September 26. “How, if at all, does Twitter secure its live production systems and/or user data from potential access by foreign government operatives?” they asked. “To what degree are Twitter’s security teams capable of determining whether foreign government operatives or other nefarious actors have attempted to access sensitive systems or user data?”
They further asked how Twitter “ensure[s] that employees located in foreign countries are protected from influence by foreign governments” and that “employees are not actively working on behalf of foreign governments.” Zatko’s complaint also “raises questions about Twitter’s capacity to adequately address misinformation and disinformation, particularly in non-English speaking countries,” they wrote.
At today’s hearing, Zatko testified that he was “told that there was at least one agent of the MSS, which is one of China’s intelligence services, on the payroll inside Twitter,” Vice reported.
Senators probe employee access to data
Durbin and Grassley’s letter described claims that Twitter doesn’t have sufficient control over how employees access sensitive data. Zatko’s “disclosure suggests that more than half of the company’s full-time employees have privileged access to Twitter’s production systems, enabling several thousand employees to access sensitive user data—while, at the same time, Twitter reportedly lacks sufficient capacity to reliably know who has accessed specific systems and data and what they did with it,” they wrote.
The senators asked Agrawal how many engineers and other Twitter employees have “access to live production systems and/or user data” and asked several other questions about employee access and security. “To what degree do engineers at Twitter use live production data and test new software directly on the company’s commercial service, as opposed to segregated test systems?… If new software is not tested in a segregated test system, using test data, please explain why Twitter does not follow this practice, which many of its peer companies do,” they wrote.
Senators asked Agrawal to respond to claims that when the Federal Trade Commission “asked Twitter whether it fully deleted the data of users who left the service, Twitter deliberately misled the FTC by stating those accounts were ‘deactivated,’ even when the data was not fully deleted.”
They also asked Agrawal to confirm or refute allegations that “over 50 percent of Twitter’s 500,000 data center servers [use] noncompliant kernels or operating systems,” that many of these servers are “unable to support encryption at rest,” that over 30 percent of employee devices have software and security updates disabled, and that Twitter has “no mobile device management” for employee phones.
We contacted Twitter about the letter and will update this article if we get a response.