Having already submitted explosive whistleblowing revelations about Twitter’s security, privacy and spam failings to the Securities and Exchange Commission (SEC), former Twitter executive Peiter ‘Mudge’ Zatko (pictured) spoke to a committee of US Senators last week. These are seven of the most important points Zatko made during the two-hour hearing.
1. European Regulators are Scarier than US Regulators
Duh. The observation that the US has a lax regime for protecting personal data will come as no surprise to regular Commsrisk readers. It is still worth repeating Zatko’s insights into management attitudes to the Federal Trade Commission (FTC), the US consumer protection agency, and to regulators they deal with in other countries.
I think, honestly, the FTC is over its head. Compared to the size of the Big Tech companies and the challenge they have against them, they are left letting companies grade their own homework.
Some of the foreign regulators were much more feared than the FTC. For instance, the French CNIL… the French version of the FTC, terrified Twitter in comparison to the FTC. And when I looked at why, there was more of the fear that it wouldn’t be a one-time fine. One-time fines are priced in; one-time fines didn’t bother Twitter at all…
When asked why foreign privacy regulators outperform those in the USA, Zatko observed:
Some are simply much more aggressive and do not accept answers at face value, put very strict time constraints on requiring answers, require data to back up the answers, and threaten to preclude monetizing entire markets…
2. US Regulators Rely on Conversational Auditing
Although Zatko did not use the phrase, an audit professional would recognize the term ‘conversational auditing’ as being a flawed approach to eliciting information which relies on asking questions that are verbally answered by the auditee without the auditor taking any separate steps to verify the truth of the answers given. When asked how Zatko would improve the work done by US regulators, he reiterated an earlier observation and expanded upon it.
There were a lot of evaluations and examinations that were interview questions. So, essentially, the organization was allowed to grade their own homework. “Did you make things better?” “Yes, we did.” “Okay, check.” There wasn’t a lot of ground truth, there wasn’t a lot of quantified measurements, and a fair amount of the interviews came from companies, auditors, that Twitter themselves were able to hire.
3. Twitter Knows More Than You May Imagine
When asked if users appreciated how much data is being collected about them, Zatko responded with an example.
We had a user on Twitter that was harassing some members of the executive team and some members of the board… The CTO came to me and said: “Mudge, is this a real viable threat? Do I need to be worried? Who is this person?” And it took me maybe 30 minutes to reach out to an employee and say “what do we know about this person?” And then it only took that person maybe 10 minutes to get back to me and said: “Okay, here’s who they are, this is the address where they live, this is where they are physically at this moment, they’re on their phone, we know their phone number, we also know all of the other accounts they’ve tried to set up on the system and hide, and we know who they are on the other social media platforms as well.”
4. Twitter Is Banned in China, but the Chinese Government May Use Twitter to Spy on Activists Elsewhere
When asked about adverts from entities close to the Chinese government, Zatko observed:
The executive in charge of sales, very shortly after I joined, said “Mudge, this is a big internal conundrum, because we’re making too much money from these sales; we’re not going to stop. We need something that will make the employees more comfortable with the fact that we’re doing this”… which made me a bit uncomfortable. They didn’t know what people they were putting at risk or what information they were even giving to the government, which made me concerned that they hadn’t thought through the problem in the first place.
A further question asked Zatko if China had placed an intelligence agent inside Twitter.
This was made aware to me maybe a week before I was… summarily dismissed. I was told because the corporate security, physical security team had been contacted and was told there was at least one agent of the MSS, which is one of China’s intelligence services, on the payroll inside Twitter.
5. Spies Can Work Unhindered at Twitter Because the Company Does Not Maintain Logs Needed to Identify Inappropriate Access of Systems
Senator Diane Feinstein asked about Saudi Arabian infiltration of Twitter and infiltration by governments more generally. Zatko responded:
When we did know of a person inside, acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people. There was a lack of logging and an ability to see what they were doing, what information was being accessed, or to contain their activities… [Twitter] simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.
6. Twitter Cannot Delete Your User Data
When pressed by Senator Mike Lee as to whether Twitter intentionally retains personal data it should not, Zatko expressed the problem succinctly.
[Twitter] is unable because they do not know where it is, so they are unable to comply.
Lee asked follow-up questions to understand why Twitter made such poor technology decisions, leaving them unable to delete personal data. Zatko clarified:
If you knew where everything was in your database, you could go delete it. If you chose to make that a priority, to make sure that new data coming in was correctly registered, and to go back and figure out what data you have, and where it is, you could absolutely go delete it. But that hasn’t been prioritized over other projects, such as increasing revenue or users.
7. Twitter’s CEO Refused to Speak to the Committee Because It Could ‘Jeopardize’ the Attempt to Force Elon Musk to Acquire the Company
Senator Charles Grassley observed:
…Twitter’s CEO has refused to appear today. He rejected this committee’s invitation to appear by claiming that it would jeapordize Twitter’s ongoing litigations with Mr. Musk…
The current Twitter CEO, Parag Agrawal, was formerly the company’s CTO. Agrawal fired Zatko soon after his promotion to CEO. He refused to talk to the same Senators as Zatko but is not afraid to talk publicly. Agrawal has previously denounced Zatko as a disgruntled failure. He also tweeted several times to dispute Musk’s assertion that bots represent a greater share of Twitter’s user base than the company is willing to admit. It speaks volumes that an engineer who is now the boss of a free speech platform is unwilling to answer questions from the government about the integrity of his company’s systems without the support of a coterie of lawyers.