Transcript: Twitter Whistleblower Testimony to Senate Judiciary Committee
Justin Hendrix / Sep 13, 2022
Today the Senate Judiciary Committee, chaired by Senator Dick Durbin (D-IL), hosted a hearing with former Twitter security chief Peiter "Mudge" Zatko to explore his recent disclosures about the company's security practices and handling of content moderation decisions.
What follows is a flash transcript of the hearing, in which Zatko appeared under subpoena. For quotes, please check copy with the video posted here.
Senator Dick Durbin (D-IL):
This meeting of the Senate Judiciary Committee will come to order.
In 2006, the new social networking platform marked its debut when Jack Dorsey posted a message that he was quote, "just setting up my Twitter." At the time Dorsey's startup, which allowed users to share short messages with their followers, was a novelty. But in the coming years, it would become increasingly a source, an important source of news and social discourse. As it gathered millions of users around the world, Twitter now plays an outsized role in politics, culture, and even in democracy itself.
As Twitter has grown, so have the risks posed by bad actors looking to exploit its opportunities and the data it holds in July, 2022 teenagers hacked into the accounts of Twitter employees, gaining access to a number of high profile accounts, including now president Biden and former president Obama. Those two teenagers then sent a series of tweets from the accounts and scam Twitter users out of more than a hundred thousand dollars in Bitcoin in response, then CEO of Twitter Dorsey turned to a trusted name in the world of cyber security to lead an overhaul of Twitter's security practices.
And for more than a year, that's what this individual tried to do until he was terminated by Twitter and their new CEO this past January. Last month, this individual released a whistleblower disclosure detailing and number of alarming allegations about security practices. Without objection, his disclosure will be entered into the record. That whistleblower's name is Peter Zatko or as he's more commonly known, Mudge. Thank you for joining us.
You are here pursuant to a subpoena, not because you were opposed to appearing before the committee, but so the public can hear the details of your disclosure. You've alleged a number of security, flaws and weaknesses within Twitter flaws that may pose a direct threat to the safety and privacy of Twitter's hundreds of millions of users, as well as America's national security. The story actually began in 2011. When the FTC, the federal trade commission first concluded the Twitter was playing fast and loose with user data. They found that Twitter had quote deceived customers and put their privacy at risk by failing to safeguard their personal information. The company was ordered under the, by the FTC to quote, "protect the security, privacy, confidentiality, and integrity of user data." But you've claimed those changes have never been made. And more broadly, you allege that compared to other technology companies, Twitter security standards remain woefully deficient. You allege that thousands of employees within the company have extraordinary access to sensitive information of Twitter's users. And that there is little oversight over how that information is assessed. Some Twitter users tuning in this morning may be asking, well, what's the big deal? When you sign up for Twitter, you knowingly hand over your email, your phone number, other information. That's how it is with most social media companies. But you expect do we, not that these companies will take precautions to protect the personal information you give them.
It's like depositing money at the bank. When you hand your money to the teller, they take it behind the counter and put it in a vault. But at Twitter, according to our witness today, the door to that vault is wide open and that fault contains a lot more information about you than you can imagine. Twitter doesn't just have access to your tweets and mail address, email address. They also have access to all of the data necessary to directly access your device and even pinpoint your exact location. Say you're an American citizen. You're exercising your first amendment freedom at a political protest, or maybe you're a woman seeking reproductive healthcare. If you're a Twitter user, it may not just be you at the protest or in that healthcare facility, unbeknownst to you. Someone else may be right there with you in your pocket or purse. Of course, many of us are comfortable with some of the programs on our phones, having location data it's helpful.
But when that data isn't secure, we become vulnerable to bad actors, scam artists, stalkers, even foreign agents to give an example. Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data over to the Saudi government. This is a matter of life and death. As we know for these dissidents, as the butchering of Jamal Khashoggi made clear, there's also the matter of Twitter's reach. It was one of the largest microphones that local that world leaders ever had at their disposal. We've already seen what can happen when small time hackers break into Twitter accounts, belonging to government officials. But what if, what if next time it isn't two teenagers trying to pull a crypto scam. Imagine if it's a malicious hacker or a hostile foreign government breaking into president the President's Twitter account or sending out false information claiming there was a terrorist attack on one of citizens. We could see widespread panic.
The bottom line's this. Twitter is immensely powerful platform that cannot afford gaping security vulnerabilities. Today. We have a chance to engage in a good faith bipartisan discussion to ask what needs to be done. A final point, politicians on both sides of the aisle have criticized Twitter. I for one, believe that Twitter should be doing far more to combat the proliferation of hate speech and conspiracy theories. Republicans on the other hand claim that Twitter censors their conservative speakers. I urge my colleagues to set some of these partisan differences aside and try to find the common ground. We need to establish security standards that will be raised today by our whistleblower. With that, I turn to our ranking member, Senator Grassley.
Senator Chuck Grassley, (R-IA):
Thank you, Chairman Durbin.A very important issue that you have brought before this committee and I thank you for doing it. I, for one want people to know that I love using Twitter but we also know that big tech companies, such as Twitter collect vast amounts of data on Americans in the hands of foreign adversaries, this data is a goldmine of information that could be used against America's interest. Twitter has a responsibility to ensure that the data is protected and doesn't fall into the hands of foreign powers. Americans rightly expect that Twitter will protect that information. Thanks to a whistleblower that comes forward. We've learned that Twitter hasn't secured the data of tens of millions of Americans and countless other users that whistleblower is here today. So we welcome you much. He comes before the committee today, not only as a expert in the field of cyber security, but also as a whistleblower.
I think all of my colleagues know that I have great deal of admiration for whistle blowers. I've always said that whistle blowers are patriotic individuals who often sacrifice their own career as well as their livelihood to root out waste fraud and abuse. Thank you very much for being here because of mud's disclosures. We've learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies. For example, his disclosure indicates that India was able to place at least two suspect foreign assets within Twitter. His disclosures also note that the FBI notified Twitter of at least one Chinese agency in the agent in the country company, I should say based on allegations, Twitter also suffers from a lack of data security due to that failure. Thousands of Twitter employees can access user data, that data that they don't need access to in order to do their job yet they have access.
And if foreign assets work for Twitter, that means these foreign assets can also access the data to put a finer point on the allegations. Twitter has allegedly used data collects and the tools it has to geolocate individuals who made threats against board members in the hands of a foreign agent embedded at Twitter. A foreign adversary could use the same technology to track down pro-democracy dissidents within their country, but also spy on Americans. This has actually happened in the past. In 2019, two Twitter employees were indicted by the FBI. They used their position at Twitter to access private user data and then gave it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6,000 individuals in,of interest,to the Saudi government. Simply put the whistleblower disclosures, paint, a very disturbing picture of a company's that's,solely focused on profit at any expense, including at the expense of safety and security of its users.
Additionally, it's been alleged that Twitter knowingly violated a consent decree that it entered into with the federal trade commission, 2011, that consent decree required Twitter to address their excess control failures. However, instead of complying with the consent decree and fixing these very serious security matters, it alleged that Twitter executives, specifically CEO Agrawal, intentionally misled Twitter's board of directors. So I'm concerned that for almost 10 years, the Federal Trade Commission didn't know or didn't take strong enough action to ensure Twitter complied with the consent decree. This is a consent decree that was intended intended to protect Twitter users, personal information as Congress considers federal data privacy legislation. I think it's very important that we draw on these revelations about how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC's ability or lack thereof to successfully oversee these important issues.
Twitter also needs to answer questions about its content moderation. It was revealed to this committee that Twitter outsources, a great deal of consent moderation to foreign countries. They have close to 2000 employees in other countries who job is to, is to screen tweets by Americans. They also lack the appropriate amount of translators to ensure that tweets and other languages are complying with Twitter's own rules. Mudge had limited visibility to content moderation while at Twitter. So these are questions that need to be answered in fall by Twitter, because we can't expect mud to respond to them. Unfortunately, this committee will not be able to get answers about content moderation because Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear by claiming that it would jeopardize Twitter's ongoing litigations with Mr. Musk. Many of the allegations, directively implicate Mr. Agrawal, and he should be here to address them. So let me be very clear. The business of this committee and protecting Americans from foreign influence is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how Mr. Agrawal can maintain his position at Twitter going forward. Chairman Durbin, and I will continue to conduct a thorough and in depth investigation today, each hearing is a part of that process. Thank you.
Senator Dick Durbin (D-IL):
Thanks Senator Grassley. Mr. Zatkoyou will have six minutes for an opening statement and then each member will be given six minutes of questioning to follow up. We start with the customary oath, and I ask that you please stand for that purpose. Please raise your right hand. Okay.
Do you affirm the testimony you're about to give before this committee will be the truth, the whole truth and nothing but the truth of so help you God? Let the record reflect that the witness has answered in the affirmative. And now I appreciate your attendance here. And the floor is yours. I think your microphone may need,
Peiter Zatko:
Thank you very much, sir. Chairman Durbin, Ranking Member Grassley, members of the Committee. I appear before you today to answer questions about information I submitted and written disclosures about cybersecurity concerns I observed while working at Twitter. My name is Peter Zatko, but I'm more often referred to by my online handle as Mudge. For 30 years, my mission has been to make the world better by making it more secure. From November 2020 until January 2022, I was a member of Twitter's executive team. In my role, I was responsible for information security, privacy engineering, physical security, information technology, and Twitter global support I'm here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation causing real harm to real people.
And when an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own. This is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, and repeatedly sounded the alarm of the real risks associated with them. And these were problems brought to me by the engineers and employees of the company themselves, the executive team chose instead to mislead its board shareholders, lawmakers, and the public, instead of addressing them, this leads to two obvious questions. Why did they do that? And what were the problems and vulnerabilities identified? And that's what I'm here to talk about. So first, why did they do that? To put it bluntly, Twitter leadership ignored ex ignored its engineers because key parts of leadership lacked the competency to understand the scope of the problem. But more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter.
So what are the problems? I discovered two basic issues. First. They don't know what data they have, where it lives or where it came from. And so unsurprisingly, they can't protect it. And this leads to the second problem, which is the employees then have to have too much access to too much data. And to too many systems, you can think of it this way, which is it doesn't matter who has keys. If you don't have any locks on the doors and this kind of vulnerability is not in the abstract, it's not far fetched to say that employee inside the company could take over the accounts of all of the senators in this room given to the real harm, given the real harm to users and national security. I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistle blower.
I did not make my whistle blower disclosures out of spite or to harm Twitter. Far from that. I continue to believe in the mission of the company and root for its success, but that success can only happen if the privacy and security of Twitter's users and the public are protected and accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the greater public and myself that I would drive the changes needed at Twitter to protect the users, the platform and democracy. That's what I'm continuing to do here today. I stand by the statements I made in my lawful disclosures. And I am here to answer any questions you may have about them. Thank you.
Senator Dick Durbin (D-IL):
Thank you, Mr. Zatko, I'll start the questioning. And as I mentioned, each member will have six minutes to ask you questions. Those of us who are not expert, but rely on the internet every day for personal professional reasons, know that many times we are given disclosures, lengthy disclosures would scroll across the screen, which are hardly ever read my estimation and usually end up with a bottom box that said ''approve,' and that is as far as we go of warning about what we're getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned if they're opening or using a Twitter account as to what's going to happen with their data? For example, if I disclose my name in my address and my email address, I expect that that may be vulnerable. Somebody could, could use that in some future time. You hope not, but it could happen. But what I infer from your testimony and what we've read about your findings is there's a lot more information being collected by Twitter, beyond that basic information that is going to be used by them for different purposes. Is that a fact?
Peiter Zatko:
Yes. I, I entirely concur. I mean, when we sign up for an account, you know, I hope that the company is being responsible and not just saying that they are, you know, would, would like the data to be used correctly and safely, but that they're actually able to quantifiably internally, you know, guarantee that that is the case. As far as the type of data I believe Senator Grassley you know, referred to an incident. We had a user on Twitter that was harassing some members of the executive team and some members of the board. And as an example this person, the CTO came to me and said much you know, is this a real viable threat? Do I need to be worried? You know, who is this person? And it took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? And then it only took that person, maybe 10 minutes to get back to me and said, okay, here's who they are. This is the address where they live. This is where they are physically at this moment, they're on their phone. We know their phone number. We also know all of the other accounts that they've tried to set up on the system and hide, and we know who they are on the other social media platforms as well.
Senator Dick Durbin (D-IL):
So unbeknownst to a Twitter account user there's access to information far beyond which you think you've disclosed that can be found. Should there be a warning? You say at one point Twitter has about 20% of its vast trove of data registered and managed, meaning the company is incapable of securing the sensitive information it collects. Tell me- that is a pretty stark statement and suggests that a warning to users- is that literally anything that you disclose or use the account for is traceable and could be used for bad purpose?
Peiter Zatko:
Yes. in this case my concern was more that Twitter didn't even know what it was collecting. And this was one of the problems because I kept looking at why do they keep having so many security incidents, the same amount, you know, each year after year, why are the same percentages you know, from the same systemic problems, why aren't we closing on this? What is fundamentally under the hood broken, where is the systemic failure? And then it turned out from an internal study that the engineers did on their own because they weren't given you know, the, the cover and the time and the resources to do this as part of their job, that only about 20% of the information that they had, that they were collecting. Did they know why they got it? You know, why the person had given it to them, how it was supposed to be used, you know, when it was supposed to be deleted.
You know, so and that the remaining, I think it was 80%. I refer you to the disclosures for the specific numbers was, Hey, we know that our systems are using some of this other data, but we don't know what it is. And then a lot of the data they just recognized, we don't even know what these are petabytes huge amounts of data. And they did a sampling and that included personally identifying information, phone numbers, addresses. So for me, the concern there is anybody with access inside Twitter and half the company has access to the production environment that has, this could go rooting through and find this information and use it for their own purposes.
Senator Dick Durbin (D-IL):
So if 80% of the data that is being collected is in fact, registered are not registered and managed. And the one with the Twitter account person is vulnerable in that regard. I wouldn't exactly give a passing grade to Twitter when it comes to the security of information that they've gathered. Now, let me ask you on the other side of the ledger, would you grade as well, the government agencies that have some responsibility to make sure that the American consumer's privacy and security is protected, for example, the Federal Trade Commission, Securities and Exchange Commission and others.
Peiter Zatko:
So that was something that I was I, that came to mind as well. I said, we've had a 2011 consent decree. This is, this is over a decade. How have we been passing this? Especially since there were at least two more times where there were violations for the exact same problem, the misuse of email data that was collected for security purposes, but then turned around and used for marketing, which was a violation of the assumption of why you were providing them the data, how come we keep making these same mistakes. Hasn't, you know, what is, what is the FTC missing or, or what is it that we are telling the FTC as Twitter that is incorrect? And I think, I think honestly, I think the FTC is, is a little, you know, over their head they've, they've compared to the size of the big tech companies and the challenge they have against them. They're left letting companies grade their own homework. And I think that's one of the big challenges
Senator Dick Durbin (D-IL):
I'm running out of time. And I'll just say that I think that the area of great concern as well is the access of foreign governments and foreign agencies to the same data Americans signing up for Twitter have no idea that they are at least vulnerable to that possibility. And we know that the conviction of individuals in Saudi Arabia or for dealing with the Saudi government is proof positive of that possibility. Thank you very much. Senator Grassley.
Senator Chuck Grassley, (R-IA):
Yeah. I'm gonna take off where the Chairman just left off. The communist Chinese government bans Twitter, yet companies based in China, advertise on the platform. When a user clicks on such an advertisement they've presumably redirected to a website controlled by the Chinese government, which can collect vast amounts of data and track their location with respect to pro democracy, Chinese citizens is Twitter endangering their lives by allowing China to advertise on the platform.
Peiter Zatko:
I think, I think that's a very valid concern, sir. And that was a concern that was raised to me by the employees inside Twitter, who were disturbed that in a country where the service was not allowed to be used and provide the a voice to the public. But that money was being accepted from organizations that may or may not be associated with the Chinese government. And I believe there was a Reuters article just a day or so ago saying that they did identify that there were governments related to China advertising on the platform possibly in violation of Twitter's own policies. The executive in charge of sales very shortly after I joined said much, this is a big internal conundrum because we're making too much money from these sales. We're not going to stop. We need something that will make the employees more comfortable with the fact that we're doing this figure out how we essentially thread this needle or frame it which made me a bit uncomfortable. And they didn't know what people they were putting at risk or what information they were even giving to the government, which made me concerned that they hadn't thought through the problem in the first place that they were putting their users at risk for. And that was a very common problem where I saw that Twitter was a company that was managed by risk and by crises, instead of one that manages risk in crises, it was very reaction. It would react to problems too late.
Senator Chuck Grassley, (R-IA):
I think you just answered this question, but I want to ask it and see if, if you've said all you wanted to on the subject while at Twitter, you raised concerns with their policy, allowing Chinese advertisement. What was Twitter's response?
Peiter Zatko:
In, in a nutshell, it was we're already in bed. It would be problematic if we lost that revenue stream. So figure out a way to make people comfortable with it. Okay.
Senator Chuck Grassley, (R-IA):
According to your disclosure, thousands of Twitter employees have access to Twitter, use a data and internal systems that includes nearly 4,000 engineers, which is half of Twitter's workforce. However, you've stated that they don't need that kind of widespread access to perform their job duties based on Twitter's reported, lack of data security, what kind of access would foreign agents have and what kind of data would they be able to obtain in your answer? Please explain why this is a problem and how it could impact us national security.
Peiter Zatko:
Yes, sir. Let me break that down into two parts of an answer. So Twitter has engineers and non-engineers Twitter does not have, at least when I was there, which was up until January of 20, 22, does not have a testing environment or a development or staging environment. This is, this is an oddity. This is an exception to the norm. Most companies will have a place where you test your software, where you build it, where you make sure it's working the way you want it to think about somebody building an airplane and saying like, I'm gonna put it in a wind tunnel. I'm gonna build it in an environment. I'm not gonna put passengers on it, put it in the air and then figure out how to build it or tweak the engines. At that point. Twitter just has the production environment, the running systems, the live data, when you become an engineer, which is half of the company or engineers, you are by default, given some access to this live production environment, you are doing your testing.
You are doing your work on live systems and live data irrespective of where you are in the world as an engineer. So if you are a foreign agent and you are hired and you are an engineer, you've got access to all of that data that we talked about, the 80% that Twitter doesn't know what's in yet, yet the engineers studied and, and realized is personally identifying information, other sensitive information where there's a lack of access controls because they have too much data and they just didn't know where everything is. So they have to get everybody access and the systems can access the information, but also recall that foreign agents can have multiple goals. And sometimes it's not just the engineers or the technical access that they want, but it might be information about the plans of Twitter, what plans Twitter has to potentially censor information in a government or concede to a government's request or what plans they have for expansion in a particular environment. And in those cases, that's where I saw with high confidence, a foreign agent placed from India to understand the negotiations and how well they were going for or against India's party who was having difficulties with, with Twitter in India.
Senator Chuck Grassley, (R-IA):
In your disclosure, you mentioned that the FBI notified Twitter that one of their employees was suspected of being a Chinese foreign asset. Were you and others at Twitter at all surprised by that?
Peiter Zatko:
This was made aware to me maybe a week before I was surprised and, and summarily dismissed. I had been told because the corporate security physical security team had been contacted and told that there was at least one agent of the MSS, which is one of China's intelligence services on the payroll inside Twitter while it was disturbing to hear I, and many others had recognizing the state of the environment at Twitter. We're really thinking if you are not placing foreign agents inside Twitter- because it's very difficult to detect them, it is very valuable to a foreign agent to be inside there- as a foreign intelligence company. You're most likely not doing your job.
Senator Dick Durbin (D-IL):
Thank you. Thanks Senator Grassley, Senator Feinstein.
Senator Dianne Feinstein (D-CA):
Thanks, Mr. Chairman. On August 10th, 2022, a federal jury convicted a former Twitter employee of acting as an unregistered foreign agent for the kingdom of Saudi Arabia while employed by Twitter, the individual accepted payments in exchange for accessing and conveying the private information of Twitter users to Saudi officials. That individual is one of two former Twitter employees charged by the department of justice for their efforts to provide Saudi officials with the personal information of dissidents and activists critical of the Saudi regime, including sensitive data that could identify and locate these individual users. Now, the question as head of security, Mr Zatko, can you describe the types of efforts you've seen by foreign governments to infiltrate control exploit or surveil Twitter and its users and share what steps Twitter and regulators should have taken to protect against these attacks?
Peiter Zatko:
Yes ma'am thank you. One of the disturbing things that I saw based upon being 10 years behind where I, I would expect a modern tech company to be was a lack of an ability to internally look for and identify inappropriate access within their own systems. Other than the person who I believed with high confidence to be a foreign agent placed in a position from India and from it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed, that they would find the person what I did notice when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent it was extremely difficult to track the people. There was a lack of logging and an ability to see what they were doing, what information was being accessed or to contain their activities, let alone set steps for remediation and possible reconstitution of any damage. They simply lacked the, the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.
Senator Dianne Feinstein (D-CA):
Could you said it was difficult to track explain exactly what you mean about that, what you mean? And secondly, what could be done to correct that?
Peiter Zatko:
One of the most senior engineers in the company came to me not long after I was there and said much. You should know that this company doesn't really have centralized logging. We don't log the activities of the systems. I was surprised by this most tech companies most companies I know of, even not in tech, you know, have logs about what's happening on their systems. And this tells you who tried to log in, who was doing what, where, when it happened later on in my tenure I learned that there were thousands of failed attempts to access internal systems that were happening per week and nobody was noticing. And when we brought this up, people said, well, well, who is it? What is it? And I said, that's what we're trying to find out. Why wasn't this?
Why weren't we even being aware of this, this fundamental lack of logging inside Twitter is, you know, a remnant of being so far behind on their infrastructure and the engineering and the engineers, not being given the ability to put things in place to modernize. I can give an example, let's suppose you have five credit cards and you're receiving statements each month. But only two of those statements gives you detailed transactions. And you wanna see if there's fraud on your credit cards? Well, first off three of those credit cards, you're not gonna be able to look at the transactions. You just know the total bill and those remaining to you. Don't have time to go through the transactions and look for it. So you kind of wing it and say, I need all those credit cards to stay alive. So you just keep paying off the bills. That's kind of the analogy I have for the production environment and the logging situation at Twitter. So you can understand that, trying to understand what an adversary inside identified is doing, can be pretty challenging without logs.
Senator Dianne Feinstein (D-CA):
Have you thought about how one would design legislation, which would maintain some basic necessary rights and yet cover this area?
Peiter Zatko:
Well, I've been thinking a lot about the regulators because of course I was very curious as to you know, how was, was Twitter still operating like this since there was a 2011 consent decree that was aimed at addressing a fair amount of this? I noticed a few things. One, there were a lot of evaluations and examinations, which were interview questions. So essentially the organization was allowed to degrade their own homework. Did you make things better? Yes, we did. Okay. Check. There wasn't a lot of ground truth. There wasn't a lot of quantified measurements and a fair amount of the interviews came from companies auditors that Twitter themselves were able to hire. So I think that's a little bit of a maybe conflict of interest. I also noticed that of all of the regulators some of the foreign regulators were much more feared than the FTC, for instance, the French CNIL, the French version of the FTC, terrified Twitter in comparison to the FTC.
And when I looked at why it was because there was more of a fear that it wouldn't be a one time fine. One time fines are priced in one time, fines didn't bother Twitter at all. When they re I saw the recent amount of the fine, that was much less than we had been concerned about. And each time it was a one time fine in my discussions with the chief privacy officer, with the privacy engineer head, that was a and, and the executives, the thought was, okay, we'll pay that. And we can keep kicking the can down the road and hope, you know, maybe we'll get another one time fine wall street didn't seem to care because it wasn't a long term problem that was ongoing. What did make these companies afraid was if there was a risk of, Hey, you've mishandled the same type of data repeatedly, maybe we're not going to let you monetize that type of ...
Senator Dianne Feinstein (D-CA):
Sorry, who mishandled the data?
Peiter Zatko:
Oh, so if Twitter, for example, Twitter mishandled, email addresses repeatedly. And if a concern was, if the FTC were to come in and tell us that we're not allowed to monetize email addresses because of our continued inability to handle them correctly, well, then we might not be on fair footings with our competitors and that scared them and made them move. I believe something like that did happen to, to Facebook which has been used as a sort of cautionary tale inside organization. So I think the regulators have tools that do work, but they're not able to see which tools in their tool belt are the ones actually working. And they're using the ones the one time finds that the companies aren't really afraid
Senator Dick Durbin (D-IL):
Thank you, Senator Feinstein, Senator Lee.
Senator Mike Lee (R-UT):
Thank you very much, Mr. Chairman, Mr. Zatko thanks for being here. In your disclosures, you include information that Twitter's head of, of privacy engineering and the chief privacy officer reported the following to the board of directors toward the end of 2021. This is a quote. "Every New employee has access to data. They do not need to have access to for the purpose of their role." And also added that until Twitter could reach the point where it could implement a system to manage access to data. They were quote "at risk of inappropriate access or use of data." They also reported that our inability to delete data compounds that risk as we retain data that we should not have, and which is therefore accessible by people who do not need to have access to this data. Tell me Mr. Zatko, what, what action was taken by Twitter's board of directors in response to this rather shocking information?
Peiter Zatko:
This is not the first time the board of directors had been made aware of that or told this and there was no change or mandate or charge put forward by the board of the directors.
Senator Mike Lee (R-UT):
What do they mean by when they refer to the inability to delete data? What, why is that significant
Peiter Zatko:
If you don't know where your data is, as we talked about these large amounts of data, and somebody comes in and says, I've left the system, you know and maybe the FTC asks, well, you know, have you deleted all the user data? You can't respond in the affirmative because, and
Senator Mike Lee (R-UT):
If you've deleted the account,
Peiter Zatko:
Correct, because you don't know where else this data lives in systems, because you don't know where, what data you have and where it is. That's correct.
Senator Mike Lee (R-UT):
So does this mean that Twitter is actually unable to delete data or is it just unwilling?
Peiter Zatko:
It is unable because they do not know where it is, so they're unable to comply.
Senator Mike Lee (R-UT):
Okay. So they're but this has resulted from a, a deliberate decision at some point to adopt protocols that don't allow them to do that right.
Peiter Zatko:
To, to choose other priorities rather than to correctly register and track and understand where their data lives.
Senator Mike Lee (R-UT):
It is physically possible. I mean, you, you could have a database in which you could track.
Peiter Zatko:
Yeah, absolutely. If you, if you knew where everything was in your database, you could go delete it. If you chose to make that a priority, to make sure that the new data coming in was correctly registered and to go back and figure out what data you have and where it is. You could absolutely go delete it. But that hasn't been prioritized over other projects such as in increasing revenue or users.
Senator Mike Lee (R-UT):
Now I'm concerned as, as I assume, most are all Americans would be those who become aware of, of these concerns, that Twitter has seemingly turned blind eye rather deliberately to some pretty significant security risks potentially compromising their own personal data, including geolocation information both the hackers and to foreign government agents and to other people who, for whatever reason, whether for corporate espionage purposes, for other commercial purposes, or otherwise might want to gain access to this information based on your disclosures. It seems to me that that Twitter CEO is more concerned with in increasing influence and profits from foreign countries than with protecting user data from foreign spies or hackers. Now you claim that Twitter has hired foreign government agents at the cost of doing as sort of the cost of doing business in countries like India, Nigeria, and, and China. And as you've related, Twitter has knowingly hired these government spies. So as to not risk losing access to users and markets in those countries, or in the case of China to not lose access to advertising revenues, do these engineers who are suspected of being foreign agents, do they have access to all user data, or just a certain subset of the user data?
Peiter Zatko:
To be very specific, the Indian incident was not an engineer. And as I mentioned to the other Senator I think that was put in place more to understand Twitter's intent and negotiations with the court and the ministry of India before Twitter, you know, to have an inside information to understand, but he
Senator Mike Lee (R-UT):
Worked with other people who were themselves engineers. And had access to them.
Peiter Zatko:
Yes, sir. There, there were numerous engineers in the, in the Indian office. I'm sorry. I focused on that and I lost the other part of your question.
Senator Mike Lee (R-UT):
So let me ask you this. Is there any way to track what data they access or the, the data that they share?
Peiter Zatko:
We found that to be very difficult. We had to set up a, a specific small team individually to try and create a unique environment, just to allow us to track and monitor and log one individual because of the lack of general logging and access control that we found would be unscalable and not reproducible. Should there be any other people like that? It was a lack of basic fundamental tools and access control.
Senator Mike Lee (R-UT):
Okay. So I'm almost out of temp, but I, I need to know this. Why would Twitter not create a, a, a tracking or a logging system to follow this sort of thing, to make sure that it was handled correctly, particularly given that they know that many foreign governments like India and Nigeria and China specifically want to access and use that data to find and root out and punish dissidents, why would they want to do that? Why would they want to subject their own users to this kind of harm with the grave implications that it carries, especially in those countries?
Peiter Zatko:
I think they would like to, but they're simply unwilling to put the effort in, at the cost of other efforts such as driving revenue. I'm reminded of one conversation with an executive. When I said, I am confident that we have a foreign agent and their response was well since we already have one, what does it matter if we have more, let's keep growing the office, right.
Senator Dick Durbin (D-IL):
You. Senator Lee, Senator Klobuchar.
Senator Amy Klobuchar (D-MN):
Thank you very much chairman thank you, Mr. Zatko. following up in that point, I just returned from Ukraine where Senator Portman and I saw firsthand the extent of the damage inflicted by the Russian invasion. I was troubled to learn that according to your written disclosures, Twitter's leadership recently considered agreeing to the Putin regime's request to censor and surveil Russian Twitter users. Twitter ultimately did not agree to Putin's request as far as I understand. What can you tell us about requests made by foreign governments and the risks that those demands pose and why would a company like Twitter consider agreeing to request to censor surveil users?
Peiter Zatko:
I was very surprised and shocked by that conversation with I had, which I had with Mr. Agarwal. This was prior to his assuming the CEO role. I understand to be it out of a frustration of the inability to perform. And this kind of goes into content moderation, which we talked about before. And while that wasn't my main bailiwick, and I've been informed, I shouldn't go into details about conversations I've had with Twitter counsel. There was a, we don't really have the ability and tools to do things correctly. This is a lot of work. It's not, you know, driving our main executive incentive goals. Is there a way that we can simply punt and since they have elections, doesn't that make them a democracy?
Senator Amy Klobuchar (D-MN):
Thank you. I am a big believer that these companies and not just Twitter, have to invest more in protecting data and protecting the public. And I heard Senator Durban talk to you about the agencies, right? And you, I think, agree with me that the agencies in the us are underfunded when it comes to taking on these major cases. But I wanna turn to ourselves and put the mirror back on ourselves here in Congress. Do you think it would be helpful if we passed some privacy legislation in Congress?
Peiter Zatko:
I, I think one thing that would be very helpful is that the FTC and other regulators don't have laws or rules that would create whistleblower protection programs for people while they were still in these organizations. Mm-Hmm <affirmative>. And I think that's where, I mean, I learned a lot of information. A lot of people wanted to share the information. When I came on board, they were excited that there was an executive that was listening and that was willing to ruffle feathers that was willing to fight for some of these things because they had tried to raise them.
Senator Amy Klobuchar (D-MN):
Yeah, I think I understand. Yes. Are you aware that Senator Grassley and I actually passed a bill to change the merger fees that pass through this committee unanimously pass through the Senate. It's now sitting somewhere in purgatory over in the house that would allow us to fund the FTC. So maybe they would be as scary as France or some other country, and that we have been unable to pass that. Or actually, despite this probably being our 50th hearing between I'm looking at Senator Blackburn between commerce and judiciary. We have not passed one bill out of the us Senate when it comes to competition, when it comes to privacy, when it comes to better finding the agencies when it comes to the protection of kids at Senator Blumenthal and Senator Blackburn have worked on. And so at some point when we talk about the agencies, I think we better be putting the mirror on ourselves because I was listening to your quote from Sinclair Lewis and Minnesotan. It is difficult to get someone to understand something when his salary depends on him, not understanding it. Could you talk about the lack of action in Congress and how that is actually created an environment where these companies feel like they can do everything from destroying our newspapers and our public good to basically not taking correct actions when it comes to hacking.
Peiter Zatko:
So that's your world, not mine. I appreciate the efforts and the work that you're doing. What I did see is that any laws or bills pass or actions in the past, if they are not able to be quantified and externally audited by an independent viewer get gamed a lot by what I saw inside big tech in their ability to sort of answer in an affirmative without actually doing what the intention was of the rule law or regulation. Mm-Hmm,
Senator Amy Klobuchar (D-MN):
One other bill I wanna mention and center teamed up here with Senator Coons and Portman on this Platform, Accountability and Transparency Act to require digital platforms to give researchers access to data. And the independent experts that you hired to audit Twitter's processes for addressing disinformation, found serious problems, made recommendations. But however, I think Twitter's leadership didn't listen in your view, why do you think Twitter failed to act on the recommendations made related to the disinformation and how could independent groups help?
Peiter Zatko:
Yeah, I'm a big fan of independent groups, groups having having independent eyes and, and providing ground truth on that. I think this is, I should be clear, you know, first off the, the engineers and the employees want this change the culture, and I can speak primarily about Twitter because that's what I, I'm here to talk about in the most recent, big tech company I've been involved with. It's a culture where they, they don't prioritize. They're only able to focus on one crisis at a time and that crisis isn't completed, it's simply replaced by another crisis. Right? So I think they would like to wave a magic wand and have all of these things fixed, but they're unwilling to bite the bullet and look strategically and say, Hey, we're gonna have to devote some time and money to get these basic things in place. And to be honest with their investors, the public, their board themselves, and do the legwork rather than just react to what's coming in, that they hear from a hearing like this or from the news just until the next crisis
Senator Amy Klobuchar (D-MN):
Long as opposed to us putting some long term rules in place. Last thing you talked about in your disclosures that Twitter does not have enough resources focused on removing misinformation and hate speech in particularly you noted that half of the content flag for review in Twitter spaces features was in a language that employees didn't even speak. Obviously you can't check whether tweet violates Twitter's rules. If you don't speak the language I have had my own experience directly conveying a misinformation that was put out on me that resulted in an attack on a member of my family. And I dunno if you knew that, cuz I told Jack Dorsey about it and nothing ever changed except when finally regular media reported that it was a lie. But those are the kinds of things that happened to people in this building because of the misinformation that is rampant on social media. Could you comment about what you think they should be doing about that?
Peiter Zatko:
I'm very sorry to hear about that. The lack of language was stunning. To me this was a situation where I brought in a, a world class leader for Twitter global support who also identified this. And we started saying, we, you can't react to a language situation when something was happening in Mayan, Mar you can't wait until after it happens. And then go, where are the Burmese speakers? Let's see who we can hire. Those translators are already hired elsewhere. You have to understand. 80% of Twitter has to understand 80% of their users are outside of the United States. You can't create, you know, a healthy environment. You can't serve the public conversation. If all you can do is look at it and say, I hope Google translate's doing the right job for me.
Senator Amy Klobuchar (D-MN):
Thank you.
Senator Dick Durbin (D-IL):
Thanks Senator Klobuchar, Senator Kennedy.
Senator John Kennedy (R-LA):
Thank you Mr. Chairman. Mr. Zatko give me 30 seconds. Well strike that. Senator Grassley is an active user on Twitter. I'll use his account as an example. Give me 30 seconds on the type of information Twitter has on Senator Grassley or someone like him.
Peiter Zatko:
If I was if, if there was somebody just like what the CTO came to me and said, Hey, we've got a problem with this user. Is this user just,
Senator John Kennedy (R-LA):
Just gimme 30 seconds on the type of information?
Peiter Zatko:
Sure.
Senator John Kennedy (R-LA):
The Twitter has on the average Twitter user.
Peiter Zatko:
Sure. what's the phone number? What's the latest IP address they've they've connected from? Are there other IP address they've connected from? Is this the current email? How long have they been using that email with the account? What are the prior emails for it, from the IP address? There's a, where do we think they live? Where do they, we think they're connected to right now? Are they still connected, even if they're not actively using the information, what type of device are they connected with? What type of web browser are they using? Which brand is it possibly? Which computer, what language did they connect in it? Those are at some of the front end systems. Thank
Senator John Kennedy (R-LA):
You for, thank you for that. And I'm gonna be sure understand, you're telling, you're telling this committee that all of the engineers and half the employees of Twitter have access to Senator Grassley's account.
Peiter Zatko:
Half of the employees of Twitter are engineers. The engineers are by default given some access to do they production environment. If it is from what I saw, if they wanted to route around in the data and find it, they could find it. And, I believe some have.
Senator John Kennedy (R-LA):
Let me try that again. I'm gonna be sure understand. Okay. I'm not trying to trick you from what, from your testimony. I understand that half of all of the engineers and half of the employees at Twitter have access to Senator Grassley's account, is that correct?
Peiter Zatko:
Based upon what I saw technically, yes. Okay.
Senator John Kennedy (R-LA):
And if they go into Senator Grassley's account, if an engineer does, for example, Twitter doesn't know that that engineer has done that, is that correct?
Peiter Zatko:
It would be difficult to find the logs showing that is my understanding. Correct.
Senator John Kennedy (R-LA):
Okay. So you don't have a log in and logout system.
Peiter Zatko:
There was not an easy ability for me to find which engineers had logged into which systems and what, and what data that they had accessed.
Senator John Kennedy (R-LA):
Okay. So this engineer who, who can secretly go into Senator Grassley's account and get all this information Twitter has no idea what the hell he's that, that engineer's gonna do? What? That information does it
Peiter Zatko:
Under the hood? No.
Senator John Kennedy (R-LA):
Okay. So, so that engineered Twitter could sell it for example, couldn't he,
Peiter Zatko:
I'm sorry. Could what?
Senator John Kennedy (R-LA):
Could sell it.
Peiter Zatko:
Could sell access. I've I've seen numerous accounts on underground forums offering to sell such access, whether those are valid or not, but I've seen the offers to sell access to accounts, to delete accounts, to unban accounts. Well,
Senator John Kennedy (R-LA):
That engineer could just call one of his buddies and say, Hey, you don't like Senator Grassley. Let me give you some information here. And, and you may want to use it against him. Could that engineer do that?
Peiter Zatko:
With the access they have?
Senator John Kennedy (R-LA):
Would Twitter know that the engineer had done that?
Peiter Zatko:
Not necessarily.
Senator John Kennedy (R-LA):
Okay. Now did, did Mr. Dorsey know all this?
Peiter Zatko:
I did explain this to Mr. Dorsey. my understanding is he did not understand this prior to bringing me in. And that was one of the reasons that he wanted.
Senator John Kennedy (R-LA):
Does he understand it now?
Peiter Zatko:
I believe after seeing this here,
Senator John Kennedy (R-LA):
How about your CEO? Does he understand this?
Peiter Zatko:
I believe since he has been there for 10 years and what rose up through the ranks in engineering and he has talked to the engineers and he, and they have told
Senator John Kennedy (R-LA):
Is that a yes?
Peiter Zatko:
I, I believe yes, I believe.
Senator John Kennedy (R-LA):
Yes. How about Mr. Bret Taylor from Salesforce? He's the chairman of your board? Does he know all this?
Peiter Zatko:
He knows what put in my reports. I do not know whether he understands it.
Senator John Kennedy (R-LA):
All right. You've got, you've got an executive from MasterCard, Mimi. I'm gonna probably mispronounce the last name. Mimi Alemayehou for MasterCard. Does this board member know that?
Peiter Zatko:
I do not know if she, if she knows that.
Senator John Kennedy (R-LA):
Is this the kind of thing that a reasonable board member would inquire about?
Peiter Zatko:
I would, I would think so, but I've also seen that what was presented to the board was not representative did they
Senator John Kennedy (R-LA):
Did, did the, did during your time there, did the board ever ask
Peiter Zatko:
The board did not ask these directly, no.
Senator John Kennedy (R-LA):
Even after all these problems with foreign agents,
Peiter Zatko:
Not when I was there during the board meetings.
Senator John Kennedy (R-LA):
Just sat there?
Peiter Zatko:
On, they focused on other topics in other parties.
Senator John Kennedy (R-LA):
Right? Dr. Lee, he's, he's a professor at Stanford. Does he know all this?
Peiter Zatko:
Same response. I did not see any questions on this specific topic while I was ...
Senator John Kennedy (R-LA):
Patrick Pichette. He used to be with Google.
Peiter Zatko:
Same response, sir.
Senator John Kennedy (R-LA):
Right.
Peiter Zatko:
Oh, Patrick Pichette. Yeah, Patrick Pichette was the one who, when I brought up this instance, he hit the roof. He was very upset. He did.
Senator John Kennedy (R-LA):
Did he fix it?
Peiter Zatko:
No. He asked for follow on information and ...
Senator John Kennedy (R-LA):
Why hadn't Twitter fix this?
Peiter Zatko:
There were other priorities.
Speaker 7:
It's about the money. Isn't it?
Peiter Zatko:
It's about whatever crisis and the other priorities.
Senator John Kennedy (R-LA):
To fix this would cost the money. Wouldn't it?
Peiter Zatko:
It would take away focus on other priorities.
Senator John Kennedy (R-LA):
Cost them money. Wouldn't it?
Peiter Zatko:
Most likely, yes. Yeah.
Senator John Kennedy (R-LA):
Okay. Twitter for a while was gonna go into the porn business. Did, did they do that?
Peiter Zatko:
I don't know that they did that. That's I didn't know they were going to go into the porn business.
Senator John Kennedy (R-LA):
Okay. Well, they were, do you know, know why they decided not to?
Peiter Zatko:
I do know that there were discussions about content or about age related information. And the discussions internally that I heard were simply concerns about lack of tools to correctly regulate or, or constrain it.
Senator John Kennedy (R-LA):
So it wasn't a moral issue. It was, they didn't. Why, why didn't they go in the porn business?
Peiter Zatko:
I do not know.
Senator John Kennedy (R-LA):
Okay. Sounded like you knew a little bit about it. Last question. I'll ask you quickly, Mr. Chairman, who sets the standards for censorship at Twitter?
Peiter Zatko:
I believe that comes out of counsel.
Senator John Kennedy (R-LA):
Your lawyers.
Peiter Zatko:
I, I believe so, sir.
Senator John Kennedy (R-LA):
And they do they talk with the board about it?
Peiter Zatko:
I have been advised out of an abundance of caution that I shouldn't comment on any Twitter counsel conversations for attorney-client privilege that Twitter might assert.
Senator John Kennedy (R-LA):
Thank you, Mr. Chairman.
Senator Dick Durbin (D-IL):
Thank you, Senator Kennedy, Senator Blumenthal.
Senator Richard Blumenthal (D-CT):
Thanks Mr. Chairman. thank you and Senator Grassley for holding this hearing and thank you, Mr. Zatko for your being here, your extraordinarily insightful and significant testimony here today. It's substantial professional and personal risk, which is the tradition of whistleblowers and your cooperation with me and my staff off the record in providing details that are important to our understanding and the more the, of it that's made public. I think the better would you agree with me that Twitter has put its users health and safety severely at risk?
Peiter Zatko:
Yes sir.
Senator Richard Blumenthal (D-CT):
And it's put the national security severely at risk.
Peiter Zatko:
Yes, sir. That was part of my disclosure.
Senator Richard Blumenthal (D-CT):
Management has misled its own board of directors.
Peiter Zatko:
Yes, sir.
Senator Richard Blumenthal (D-CT):
And in that event, the management ought to be certainly restructured, shifted, change, correct?
Peiter Zatko:
Yes sir.
Senator Richard Blumenthal (D-CT):
That kind of structural reform is necessary to achieve changes within the company.
Peiter Zatko:
That is my belief.
Senator Richard Blumenthal (D-CT):
You've also said that this company has misrepresented facts to government agencies most, especially the FTC. That's correct isn't it?
Peiter Zatko:
Yes. That is correct, sir.
Senator Richard Blumenthal (D-CT):
And I think you shared in your complaint that Twitter management was intending to mislead as well, French and Irish regulators about compliance with the consent decree, correct?
Peiter Zatko:
Yes, sir. That's correct.
Senator Richard Blumenthal (D-CT):
How high in the Twitter management would you say that intent to mislead and in effect, deceive government agencies went
Peiter Zatko:
To the CEO. I do not know to what level inside the board. They did not know because of misrepresentation or chose not to push.
Senator Richard Blumenthal (D-CT):
The misleading of government agencies is one of the reasons why stronger action hasn't been taken?
Peiter Zatko:
That could very well be sir.
Senator Richard Blumenthal (D-CT):
But it also in effect is the result of a lack of vigor in law enforcement, whether because of inadequate resources or a failure of will,
Peiter Zatko:
That could be as well sir.
Senator Richard Blumenthal (D-CT):
In fact the most recent settlement with Twitter, which was a payment of 150 million earlier this year, the FTC and department of justice stated that Twitter violated the 2011 consent decree. That's no surprise, but the size of the penalty, a mere $150 million amounts to the kind of burden on us average drivers, when we pay the toll to go into Manhattan, given that it's profit in the second quarter of this year was about 1.18 billion, correct?
Peiter Zatko:
That is correct while I was there. The concern only really was about a significantly higher amount significantly higher, or if it would've been a more institutional restructuring risks, but that amount was, would, would've been a very little concern while I was there
Senator Richard Blumenthal (D-CT):
To effectively address this problem. We need not only to insist on restructuring the company, but also likely restructuring, reforming and energizing our regulatory apparatus, not only as to Twitter, but also as to other internet companies and platforms. Would you agree?
Peiter Zatko:
Yes, I would. The intent of the regulators I think is the right intent, but it is not being followed or correctly adhered to.
Senator Richard Blumenthal (D-CT):
All of what you're saying, everything in your complaint. And a lot of what we've heard in this committee and in other committees leads me to think we need a new agency as reluctant as I am to suggest a new government bureaucracy. I don't think it needs to be a government bureaucracy with a lot of new people, but it needs to be a new means of enforcement here to bring cases to the department of justice, focusing on privacy security and protecting users, as well as our national security. Would you agree?
Peiter Zatko:
I had not considered that. I will have to think about that as a very interesting approach.
Senator Richard Blumenthal (D-CT):
I'm not reaching any conclusions, but clearly what we're do doing right now is not working. You would agree with that.
Peiter Zatko:
Yes. What, what I have seen the tools that are used outta the tool belt are not working. I do believe other tools in the tool belt do work, but the regulators aren't able to quantify and get measurements that would show them to switch to the other tools they have.
Senator Richard Blumenthal (D-CT):
What are the remedies that for example, other countries have that enable them to better protect privacy?
Peiter Zatko:
Some are simply much more aggressive and do not accept answers at face value put very strict time constraints on requiring answers, require data to back up the answers and threaten to preclude monetizing entire markets, such as maybe you won't be able to allow, be allowed to monetize in France, or maybe you won't be allowed to use particular data source in France, you know, and you have a week to respond sort of approach.
Senator Richard Blumenthal (D-CT):
And let me just finish on that note to expand on the Upton Sinclair theory of the case here essentially users and their information are Twitter's product product. They are the means to monetize the eyeballs on the site to collect use and monetize that information is the Twitter business. And so their reckless disregard for their users, health and safety, and for the national security is a product of that incentive. Would you agree?
Peiter Zatko:
Yes, sir. And that's why I understand the M in MDAU to be monetizable daily average users.
Senator Dick Durbin (D-IL):
Thank you, Senator Blumenthal, Senator Blackburn.
Senator Marsha Blackburn (R-TN):
Thank you, Mr. Chairman, thank you for joining us today. I'm a mother and a grandmother, and I want to talk with you about this process. Twitter has gone through, they tried to start a new subscription based adult entertainment section. Are you familiar with that?
Peiter Zatko:
No, ma'am I am not,
Senator Marsha Blackburn (R-TN):
You're not. Okay. Well, they had to scrap the plans because an internal team found that they had too much child and nonconsensual pornography that was on their site already. Are you aware of that?
Peiter Zatko:
No, ma'am unfortunately it does not surprise me.
Senator Marsha Blackburn (R-TN):
Okay. Well, there's a federal court case right now against Twitter because the site repeatedly refused to take down tweets of children as young as 13 and 14, performing sex acts in photographs and in videos. And these were posted by sex traffickers who were impersonating a teenage female. So my question is why, what, for what reason would Twitter refuse to take down this sexually explicit content? If it knew that it was affecting underage children, why would they leave this up? And why would they refuse to take this down?
Peiter Zatko:
From what I saw and in on the area of adult content because that was brought up in the concern was certain advertisers didn't want adult content to appear next to ads they were putting. And that was a concern inside the company. The lack of a...
Senator Marsha Blackburn (R-TN):
They had a monetary concern, but not a moral concern.
Peiter Zatko:
They had, they had a, there was a I can't speak to the morals of the people internally, but there was a concern whether or not they could even correctly identify and get ahead of this because they lacked the basic tools and the resources in those teams. And it would have to be in a reaction after things were posted and maybe brought to their attention.
Senator Marsha Blackburn (R-TN):
So what do they do to police this sexually explicit material, especially when it pertains to children?
Peiter Zatko:
Unfortunately that was not under my area. So I don't have information to talk specifically to that.
Senator Marsha Blackburn (R-TN):
Okay. So there's not a standard operating procedure to block this, to pull it down.
Peiter Zatko:
I believe they do have or I was told that they have some voluntary self tagging and self-reporting of whether you are an adult content account, but I am not aware of the other processes or procedures in the company.
Senator Marsha Blackburn (R-TN):
Let me ask you about the FTC. Senator Blumenthal was just asking you about that. Did you ever participate in calls or meetings with the FTC in which you heard specific misrepresentations made by Twitter?
Peiter Zatko:
No, ma'am I was not in the, the calls, I got briefings.
Senator Marsha Blackburn (R-TN):
You had no direct knowledge?
Peiter Zatko:
Correct. Well, I got, I got direct briefings from the people who were in the calls telling me what they did.
Senator Marsha Blackburn (R-TN):
All right. So it was all secondhand.
Peiter Zatko:
Correct. From the people involved in the calls.
Senator Marsha Blackburn (R-TN):
Okay. did the FTC come to Twitter and identify specific conduct or representations that concerned them?
Peiter Zatko:
That would be a question that you'd have to ask the chief privacy officer who would've been the recipient of those outreach.
Senator Marsha Blackburn (R-TN):
Okay. Let me ask you about the issue of click through ads, because I know that many times our adversaries will through a company in China and specifically the CCP will be part owner of a company. So they use click through ads to gain access, to platform, user data, including China, including other adversaries and including places where Twitter is blocked. And they're finding ways to evade the tracking and to get into these networks in your experience, is this a typical practice that happens at the global tech platforms,
Peiter Zatko:
Click through ads, do expose a risk that non click through ads do not. If you can get a user to click through you get the information that I was describing before the IP address the browser from the IP address, you can determine the I P G O location, or whether they're using a VN or not, if that is allowed in your country and then you can further interrogate that person's computer or get them to provide more information maybe that they don't know they're providing directly to you thinking it's through an add on a service, just
Senator Marsha Blackburn (R-TN):
Could this be remedied in any way? And Senator Klobuchar talked to you about this, a national privacy standard. If we had a national privacy standard, would that help to secure an individual's information online and would it help in any way in policing these click through ads?
Peiter Zatko:
I think addressing in general the difference of the information or, or making people aware and then providing a context around when a user knows that they are providing information and what information they're providing no longer to the service they thought they were interacting with could definitely benefit a user.
Senator Marsha Blackburn (R-TN):
Wanna ask you one thing about censorship. And during your time at Twitter, did you participate in any conversations or meetings where content moderation decisions were made based on a posters, political views?
Peiter Zatko:
I never investigated or was or heard of decisions on that particular topic. I was focused on the crisis and fires in the areas of my domain.
Senator Dick Durbin (D-IL):
Thank you, Senator Blackburn. Thank you, Senator Coons.
Senator Chris Coons (D-CT):
Thank you, Chairman Durbin, Ranking Member Grassley. And thank you, Mr. Za. Thank you much for coming forward. This is yet another eye-opening moment for our public, for our nation and for this committee, we know that social media and new communications technologies have empowered people across the world to connect and share information at an unprecedented scale. But we also know that concentrating all this information, all these resources in just a few hands comes with great risks. So your whistleblower complaint contains really striking allegations, which shed light on several key realities. And I wanted to focus on those. The first, as you've stated in a number of exchanges with my colleagues, is that the public lacks any credible way to assess whether and how major platforms and technology companies are protecting or prioritizing user privacy. And I want to talk for a bit about a bill that I've got that Senator Klobuchar also mentioned that would help strengthen some of that transparency.
Senator Chris Coons (D-CT):
And then the second, which I'll get to later is that these platforms are a target for foreign actors. Something where a subcommittee I chair is having a dedicated hearing tomorrow afternoon. You commissioned an independent report regarding Twitter's platform integrity and their ability to combat misinformation, disinformation, and that report found, and I'm quoting, Twitter's consistently behind the curve in acting against disinformation and misinformation threats, and that Twitter doesn't have the ability to measure the impact of its work to protect site integrity. What I've concluded from your testimony today is that Twitter lacked the ability to measure the effects of interventions it implemented because of decisions by management and because of the lack of a credible regulatory oversight agency and penalties. Is that correct? Do I understand your testimony correctly?
Peiter Zatko:
Yes, sir. The inability internally came from 10 years of security and engineering debt that just kept accruing.
Senator Chris Coons (D-CT):
Your complaint also details how Twitter's executive team was concerned that the report that you'd commissioned would be damaging if it got out and that they worked to intentionally remove or modify information that might be especially embarrassing for Twitter. Is that correct?
Peiter Zatko:
Yes, sir. I, I found that very disturbing the company that I hired with the knowledge of the other executives and the head of site integrity which did not report to me, but that this independent organization was going to analyze and do gap analysis. The company reached out to me and said, Hey, much Twitter is jumping in and making us open a separate contract and telling us not to provide you the results to to your own work, you know, to your own work. This does not feel right to us what's going on. Right?
Senator Chris Coons (D-CT):
So a lot of the information that both regulators and Congress relies on when considering how to regulate social media companies comes from the companies themselves, is I think you put it before they're essentially grading their own homework. So the conclusion we ought to reach is the information we receive. Isn't trustworthy from some social media platforms.
Peiter Zatko:
Yes, sir. That's what I experienced.
Senator Chris Coons (D-CT):
So I've released a bill with Senator Portman, Senator Klobuchar referenced it. Earlier we are looking for additional Republican co-sponsors it's called the platform, accountability and transparency act. It would allow external researchers to look at exactly these kinds of problems to better understand and analyze the algorithms that drive social media and some of their practices would empowering researchers and mandating better disclosure, help hold companies more accountable and cause them to invest more resources, site integrity.
Peiter Zatko:
Yes, sir. In fact, I think one of the things that we learned from that study and what I am hopefully shedding light on in my lawful disclosures is just how much a gap there is between Twitter and some of Twitter's peers and even learning that sort of discrepancy would help understand and raise the level of, of hygiene for these organizations and their ability to perform their tasks and the ability for us to accept what they're saying as to whether it, it could possibly be true or not.
Senator Chris Coons (D-CT):
Th this also opens up enormous national security risks. As you testified earlier there's roughly half of Twitter's employees that had unnecessary access to vast amounts of sensitive user data as Senator Kennedy was asking you earlier, just give us a quick sense of what information Twitter might have about Senator Grassley or about any of us on this committee. And it, it is deeper and broader. And I suspect if you'd gone further, it then unlocks a whole profile that can give really dramatic insight into members of law enforcement members of the military members of Congress in their families, their travel, their preferences, their actions, their consumer activities all of that has some real consequences. You wrote in your complaint, the Indian government forced Twitter to hire Indian government agents who then had direct an unsupervised access to data and a former Twitter employee was convicted last August of working as an agent of the Saudi kingdom. How common do you think it is for foreign entities for hostile agencies to successfully install sympathetic actors at Twitter? And why might they do so
Peiter Zatko:
Well, if there's any number of reasons you know, there are many of reasons why you would do so in particular to not just identify people of interest or track groups of interest, but also to maybe look at whether or not Twitter has identified your agents or your information operations what other governments has Twitter possibly identified, and remember, you know, outside of the ability to access large amounts of data on the engineering side you would want to know what Twitter's plan is as far as whether they will seed to your demands for control of information within their environments or not in order to change different types of political pressure, such as strong arming. And as we saw that that country was even threatening to put Twitter employees in jail, if Twitter didn't change particular activities on the, on the platform.
Senator Chris Coons (D-CT):
Well, with 80% of Twitter's users outside the United States and with Twitter, having a deep access and resources to critical leaders in our country and other countries, I think this is genuinely concerning tomorrow afternoon. The subcommittee I chair, the subcommittee on a privacy technology in the law Senator Sasse, and I will be holding a hearing on how to further understand the depth to which hostile actors and adversaries are going to obtain American citizens data. And that'll expand on a lot of the topics we've pursued today. I hope members of the committee will attend. I wanna thank you for your testimony, Mr. Chairman for the chance to participate in today's hearing.
Senator Dick Durbin (D-IL):
You, Senator Coons. We're gonna take a five minute break after Senator Cotton asked his questions. Senator Cotton.
Senator Tom Cotton (R-AR):
Thank you, Mr. Zatko for your very informative testimony this morning. I wanna start with some questions about Twitter's censorship policies. I, I know you weren't at Twitter for most of 2020 but I wanna start with an example from June of 2020, specifically me as leftwing street militias were riding and looting in our streets. I posted on the website that the national guard and even the active duty military have been used to stop stri in the past. Most recently in 1992 in the LA riots within a couple hours, a low level employee at Twitter's Washington office contacted my staff and said that if I did not delete that tweet, that my account would be permanently locked. My staff worked with the slow level employee calling her on several occasions, cuz she seemed very reluctant to put anything in writing in an email. They documented the accuracy of my comment and gave examples of how other elected officials had used similar language. The 30 minute window passed my account was not locked ultimately. She said that Twitter would not take any action about my account. As I said, I know it was before you began at Twitter, but from your experience would a low level Twitter employee typically have the authority to permanently lock the account of an elected member of Congress?
Peiter Zatko:
Fom my experience, they should not have the authorization to do it, although it would probably be a low level level employee that would be instructed to do it.
Senator Tom Cotton (R-AR):
So she was likely taking direction from more senior officials at the company?
Peiter Zatko:
Not knowing the situation. I can't comment on the specific one, but that is the sort of activity that I would see there. And I can concur that. I did notice a reluctance to put a lot of things in writing on particular
Senator Tom Cotton (R-AR):
Topics. I noticed that in the emails that Mr Agarwal sent to you, he seemed very reluctant to put things in writing or made statements about what he was gonna verbally express to the board. Yeah. And apparently did not express those things. Sticking with the censorship. Again, I, like I said, I know you weren't there in the lead up to the 2020 election, but once you arrived just a couple days after the election you selected an outside company to do an evaluation of Twitter's censorship policies, the report that you commission found that Twitter's content controls are ad hoc and informal. Those are two direct quotes and the policy decisions behind it are made mostly by small group of Twitter staff at San Francisco quote "frequently during a time of crisis." Is that accurate?
Peiter Zatko:
I I didn't hire them to do a, a report on censorship, but that was the platform manipulation organization. And yes, how you cite the report as what they found.
Senator Tom Cotton (R-AR):
It says frequently in a time of crisis, what kind of crisis was the report referring to?
Peiter Zatko:
Um I, I believe the report also said, and this is from what I experienced. If something was brought up in the media, if a government brought it up, if somehow it became publicly aware or if there was, you know, an ongoing outage to the system or some active disruption or crisis.
Senator Tom Cotton (R-AR):
Yeah. So that, thank you for that. Cuz the report does go on to say that according to Twitter employees interviewed Twitter, usually censors information, quote, "only if it is flagged by reporters or news headlines partners, which it means to include academic organizations and other social media companies or political officials." So does Twitter have special channels of communication with fellow social media companies like Facebook to discuss called misinformation?
Peiter Zatko:
If they do, I believe that they would be ad hoc. I am not aware of official loans that would not have been within my organization.
Senator Tom Cotton (R-AR):
Okay. What about other so-called partners like pharmaceutical companies or advocacy groups?
Peiter Zatko:
I am not aware of those again, that would be out of counsel or other organizations.
Senator Tom Cotton (R-AR):
So, so saying ad hoc, you think in these cases just say executive at a pharmaceutical company that doesn't like what's being posted on the website or a left wing activist at a Washington think tank would just use preexisting relationships to contact someone at Twitter on an ad hoc basis.
Peiter Zatko:
I do not know.
Senator Tom Cotton (R-AR):
Well, how can they, how can they coordinate if they don't have some kind of channel of communication set up?
Peiter Zatko:
In, in the report that was an attachment from the organization. They talked about disinformation operations, which I do believe my understanding was that the site integrity team spoke with other organizations and with other social media companies about ongoing disinformation or platform manipulation. I do not know anything beyond what was in the report for that topic.
Senator Tom Cotton (R-AR):
You said something earlier. I just wanted to come back to, I, I, this isn't an exact quote, but I, I wanna give you a chance to elaborate a little bit. It was something along the lines of, if you don't have a foreign intelligence officer inside Twitter, you probably aren't doing a very good job as an intelligence agency. Is that close enough?
Peiter Zatko:
Yeah, that's, that's close enough, sir. I worked for the government. I held a high level position. I worked running research and development and programs for the department of defense and intelligence communities. And from my interactions with these people and these organizations Twitter would be a gold mine from my understanding from people in the community who focus on for an intelligence organizations and assets, if you placed somebody in Twitter, as I believe that, you know, as we know has happened it would be very difficult to Twitter to find them they would probably be able to stay there for a long period of time and gain significant amount of information to provide back on either targeting people or on information as to Twitter's decisions and discussions and to the direction of the company.
Senator Tom Cotton (R-AR):
And does, does that include in Twitter's US offices versus overseas or, or is that distinction immaterial given the way Twitter functions?
Peiter Zatko:
I believe that's immaterial in both.
Senator Tom Cotton (R-AR):
Thank you.
Peiter Zatko:
My pleasure, sir.
Senator Dick Durbin (D-IL):
Thank you, Senator Cotton. We're gonna take a five minute break return to Senator Whitehouse.
Senator Dick Durbin (D-IL):
Senator Whitehouse for questions.
Senator Sheldon Whitehouse (D-RI):
Thank you very much. Mr. Zatko, I just wanted to follow a little bit on the repeated suggestions that you've made in your testimony that the cyber security vulnerabilities will expose the United States to risk and to attacks and the Twitter security failures threatened the country's national security. Good with that?
Peiter Zatko:
Yes, sir.
Senator Sheldon Whitehouse (D-RI):
Okay. So I get hidden ad buyers. We saw the same thing with Facebook when they were taking ads with the payments denominated in rubs and not bothering to figure out that there might have been Russians behind those ads. And you've mentioned concerns about hidden Chinese ad buyers. But if we could talk a little bit more about the national security risk associated with, for instance, the unregistered Saudi foreign agent who worked at Twitter or the pressure to hire Indian government agents, walk us through a scenario of how an individual planted in Twitter, like that could create a national security risk for the United States. And if you would make particular reference to the fact that at least when I use Twitter, I'm sending stuff out it's intended to be public. So how in that environment can a foreign agent create national security risk of any significant nature?
Peiter Zatko:
Yes, sir. There are several aspects to that. There's the non-public information that we've spoken about earlier today, your location your phone number, your email address, things that aren't advertised to the world. In fact, I believe 200 million. If we wanna say regular users, not necessarily from a national security standpoint, Twitter in 2020 internally assessed that they lost information on 200 million users for email addresses, phone numbers, other information like that. This is the information that you need in order to start taking over other people's accounts with your phone number and an email address. I can hijack your phone number. I can then change your Gmail, your Coinbase, your Ameritrade, your other accounts. I can cause financial harm. That way I can then assume your identity, but more importantly I probably want to be able to understand your whereabouts your network and understand, well, I'll give you an example in foreign governments a concern, and then we can apply that to the United States. There were requests for information about members in the farmers the farmers' protest. There might be organizations or groups in the United States where once I know your home address and your home phone number, I can approach you in real life. I can put pressure on you. I could possibly recruit you. You could be a witting or unwitting accomplice, and then I could influence you or target you for influence operations in the real world.
Senator Sheldon Whitehouse (D-RI):
Let me just offer the thought that my home address, phone number and email address are pretty widely known and indeed in the public domain. So how does Twitter access to that information? Is there more, or what's the difference between being able to look me up in the phone book and having Twitter access to that information,
Peiter Zatko:
Having, having been a, in the public sector myself, yes. A lot of my information became known. There's also a lot of people who are in particular roles where that information is not known and the targeting of them perhaps staffers, perhaps aids, perhaps people around you influencing to build that network, which we have seen within not not Twitter, but which the us and the intelligence communities have seen as part of the great game and the intelligence communities in the world.
Senator Sheldon Whitehouse (D-RI):
Okay. So just play that out for me a little bit more given that so much of this information is available through other channels. What would the end game be for, let's say, a foreign government seeking to put that kind of pressure on somebody who could make a presumably make a difference or a decision about to the benefit of the foreign country,
Peiter Zatko:
Perhaps identifying a relative, a family member, a colleague who is in financial issues, or has other elements that can be leveraged against them to help them influence you in a particular fashion without your awareness.
Senator Sheldon Whitehouse (D-RI):
So you're able to, somebody would be able to create a sort of family or personal network around an individual Twitter user and extract information about folks in that network
Peiter Zatko:
That is one particular aspect that intelligence communities are.
Senator Sheldon Whitehouse (D-RI):
And how would that do, how would that take place through the, if somebody's gotten into the Twitter system, how did they find that out?
Peiter Zatko:
Well, it might be used in combination with other data collection sources, for instance, one of the concerns of us people traveling to other countries is, was there information in the op OPM database? And can that information be cross indexed against the healthcare industry databases that have been lost? Do we know that this person has a particular, particular political bias on Twitter and start to tie all of these things together for people of influence or access within governments or within sensitive positions?
Senator Sheldon Whitehouse (D-RI):
Thanks very much. My time is up.
Senator Dick Durbin (D-IL):
Thanks, Senator white house, Senator Graham, I'm sorry. Senator Cornyn,
Senator John Cornyn (R-TX):
Mr. Zatko, I want to explore just in the next six minutes, the kind of data that is available on American citizens that can be used for appropriate or inappropriate purposes. You're familiar with the concept of ubiquitous technical surveillance. Aren't you?
Peiter Zatko:
I can understand those words together and, and, and get the general context. I believe, sir. Yes.
Senator John Cornyn (R-TX):
Basically all the cameras that are publicly posted data on your smartphone, you've already talked about geolocation data. The type of transactions you engage in where your home is, how much you paid for it. Even Google earth may have taken a picture of your home or your place of business. So there's already huge volumes of data available for whatever purposes even above and beyond what social media collects, correct?
Peiter Zatko:
Yes, sir. There is a lot of information about a lot of us in many different ways available through technology right now.
Senator John Cornyn (R-TX):
And I dare say, I bet most Americans just can't fathom the volume of data and that's without even getting to things like social media, for example, in 2015, I think it was, there was a hack of the office of personnel management records. I think it was 22 million records of government employees, including their applications for security clearances was hacked reportedly by the people's Republic of China. And then if people decide that they want to figure out their family ancestry and use one of the DNA testing companies my understanding is many of the testing, much of the testing is outsourced to places like China, where obviously it's not secure from Chinese government access. And so when we're talking about the privacy concerns of Americans this is a, this is not just limited to platforms like Twitter and social media, correct?
Peiter Zatko:
That is correct, sir. I, I was informed I was in that OPM database and that my information and my security clearance information was collected as well.
Senator John Cornyn (R-TX):
And turning to Twitter. You've already talked about the lack of what I would call protection from insider threats in the intelligence community, if you, if you're working in the intelligence community, they have logging protocols that will determine who accesses what information correct. So it can be audited later on to determine whether there'd been inappropriate access that's the sort of protocols or mechanisms that you've, that were not available at places like Twitter when you worked there, correct?
Peiter Zatko:
Yes, sir. Correct.
Senator John Cornyn (R-TX):
And so anyone who could get access to that information could on top of all the information that I ask you about earlier outside of social media, if you'd look at the cumulative data picture, is that the kind of information that foreign governments like the people's Republic of China are regularly accessing for for their purposes?
Peiter Zatko:
I can't say whether they're regularly accessing, I don't have that direct information. I have been I am aware that some people in organizations have gotten very good at cross indexing across very large amounts of data collected on numerous people from various sources, OPM, medical, et cetera. Twitter would be a very decent contribution to that. No multi-source collection
Senator John Cornyn (R-TX):
And that's where things like artificial intelligence can come in to comb or mine, vast sources of data for more targeted or narrow purpose. Is that right?
Peiter Zatko:
The ability to collect in mine yes, has been augmented by modern AI techniques.
Senator John Cornyn (R-TX):
So there are what I would call defensive concerns about people's or individuals or government's access to your personal data, but there are also offensive concerns as well. And that's where the issue of disinformation or of term that became popular or popularized during the 2016 election aftermath was active measures. These are efforts by foreign governments perhaps foreign intelligence services to actively create a narrative or a message that is essentially propaganda by this foreign government that can be used to try to influence American public opinion. Is that, is that accurate?
Peiter Zatko:
Yes, sir. Not just American that has happened worldwide, such as Myanmar and in 2018 Facebook acknowledging that the disinformation campaigns on their platform contributed to genocide.
Senator John Cornyn (R-TX):
And as you pointed out earlier, it's not just when, when you're looking at the data that is available on each one of us as American citizens for whatever purposes for good or ill. There's also a lot of information about who we interact with, right? There's something in the intelligence community. Sometimes they talk about pattern of life. Maybe you'd want to talk about a network of friends and associates, family members, and the like from which inquiring minds could obtain additional data about us.
Peiter Zatko:
Yes. And, and to your point, information operations are of a concern Twitter acknowledges that they do happen on their platform. They have disclosed numerous ones and they are aware of others that are ongoing.
Senator John Cornyn (R-TX):
I'm aware that TikTok, which is a Chinese company, I believe and even Instagram which is owned by Facebook have 13 year old age restrictions in terms of their terms of use. But there's no there's no limitation on people's ability to pretend to be an adult, to pretend to be somebody that they're not and gain access to a social media accounts and to use it for whatever purpose that they wish.
Peiter Zatko:
I can't speak to TikTok or Facebook. I'm not familiar with their internal technology for age G. I do know that that was a challenge at Twitter. And from what I was told, the majority of age G was voluntary self-reporting of what your age was.
Senator John Cornyn (R-TX):
And finally, if the, if can you tell me, do you have recommendations based on your 30 years of experience in terms of data security and what sort of regulations or laws that Congress and the federal government should consider passing? We don't have time to talk about all those here today. But we'd certainly welcome any of your recommendations and insights. Do you think this needs to be an area where the federal government needs to be actively engaged?
Peiter Zatko:
Yes, sir. I do. I'd be happy, happy to supplement my written, my written report.
Senator John Cornyn (R-TX):
Thank you.
Senator Dick Durbin (D-IL):
Thanks Senator Cornyn. And Senator Hirono.
Senator Mazie Hirono (D-HI):
Thank you, Mr. Chairman, thank you for coming to testify, Mr. Zatko, your testimony and all of the, your responses to the various questions we asked you says to me that this the situation regarding data security and national security issues with regard to Twitter is massive and that Twitter is not doing very much to, to be helpful at all. In fact, there are major disincentives to Twitter doing anything to spending the, the time or the resources to address the concerns that you raise. So for example, the FTC very out resource with regard to trying to, to keep Twitter under any kind of even a consent decree that was entered into, but back in 2011, and more recently, their contemplating making Twitter pay 150 million for some misuse of information, 150 million fine for a multi-billion dollar company is nothing to provide any kind of incentives for them, for them to change what they're doing. And yes, there is information out there from so many different sources, including our appliances and cars and everything else. However, Twitter is a huge, if I can call it a single platform where one can access information. So what, who is going to force Twitter really to do anything, if we were to adopt some of the legislation that's contemplated, if we don't have an agency that can implement and enforce that law, then we are back where we started from. So what, what, what is it gonna take to force Twitter to change its ways? Well
Peiter Zatko:
This starts at, at the top in Twitter, and you need an executive team that is willing to go in and say, you know, the executive team themselves acknowledged. And I heard them say, we have 10 years of unpaid debt here that at some point we really need to get ahead of they need to prioritize that. And to my understanding, you know, a board's primary role is to make sure the right executive executives are in charge of the company the CEO in particular, to make sure they are, they are, you know, sending the company in the right direction. This needs to be a long term incentive rather than short-term incentives for the companies, because the short term incentives just mean that they're going to ally run from fire to fire and not actually pay down debt for a long lived valuable company.
Senator Mazie Hirono (D-HI):
So your description of Twitter though, is they're, they're mainly focused on the short term monetary incentives. Who's gonna force them to look at the long term, do people need to go to prison? I mean, what, what do we need to do to to get Twitter, to at least they, from what you're telling me, they cannot even identify foreign agents in their midst.
Peiter Zatko:
Yes, ma'am and you know, to be blunt, some foreign agents will probably be pretty good and difficult to identify, but some were in this case, not, and there only to my awareness being identified when they're brought to them, they're not even attempting to. I think like I, I think holding people accountable is a good start. I think that is something that people are concerned of, but what you can only hold people accountable, if you can measure and quantify what their targets are and what changes need to happen. And if you say such as what I saw you know, Twitter needs to have a mature software security program or security program. That's a very ambiguous and qualitative term. So holding accountability and setting quantitative goals and standards that can be measured and audited independently I believe are, is what's going to be required to change management structures and drive change in companies when it's needed such as this.
Senator Mazie Hirono (D-HI):
So we don't even have the kind of standards to which we can hold Twitter accountable too. Is that right from,
Peiter Zatko:
From what I saw they were able to be answered in the affirmative without actually meaningfully making the, the intent of the regulators was correct, but you could then say, yes, I've done this, hold up an isolated example and allow somebody to assume that that example was at, you know the whole environment, knowing that you're misleading.
Senator Mazie Hirono (D-HI):
Excuse me. So do French regulators have better standards to which to hold Twitter accountable? To
Peiter Zatko:
My understanding is that one of the reasons the French canal is more feared is that they dig in technically and go towards more quantitative results that are less easy for organizations to sort of wordsmith around in their response and answers.
Senator Mazie Hirono (D-HI):
I think that's something we can learn a lesson from, but specifically, are you sure that you discovered Twitter compromises its user data long after the user has closed their accounts? In fact, you stated that the accounts are simply deactivated while the data is not fully deleted at the time of your departure from Twitter was the, the company was that the company's continuing general practice that they don't really eliminate the, the, the data.
Peiter Zatko:
Yes, I, I was told straight out by the chief privacy officer that the FTC had come and asked do, does Twitter delete user information when they leave the platform? And the reason this person told me this is, he said, I need you to know this because other other regulators are asking us and this ruse is not going to hold up. So instead of answering whether we delete user data, we intentionally have replied, we deactivate users and try to sidestep the program because we know we do not delete user data and cannot comply with that. If they demand us to,
Senator Mazie Hirono (D-HI):
You would think that that would be something that they could do to technically to be able to actually delete data, because for the users to deactivate your account means that there should be nothing there of your account information, et cetera, isn't this something technically that they could do.
Peiter Zatko:
This goes to the, one of the fundamental root problems I mentioned in my opening oral statement, which is they would need to know what data they have, where it is and why they got it. And how long, you know, who is attached to, in order to do that, if they did that, which should be a fundamental expectation that I would have as a user. Yes. At that point they could absolutely delete the information.
Senator Mazie Hirono (D-HI):
Thank you.
Senator Dick Durbin (D-IL):
Senator Graham's recognized for six minutes.
Senator Lindsey Graham (R-SC):
Uh thank you very much for coming to the committee and giving us your insight, something good will come from this. Do you believe that?
Peiter Zatko:
I hope so. I'm, I'm basically risking my career and reputation and if something good comes from this five, 10 years down the road, it will have been worth it itself.
Senator Lindsey Graham (R-SC):
And you're willing to take that risk cause it's that important to you?
Peiter Zatko:
Yes. I I've been doing this for 30 years. People who know me in the industry know that, you know, I I'm willing to put it all on the line, hoping that we can improve things.
Senator Lindsey Graham (R-SC):
Well, I'm gonna work with my Democratic colleagues to make sure this is not in vain. Let me ask you a question. Do you still use Twitter?
Peiter Zatko:
I still have an account on Twitter. I still read it occasionally. I have not tweeted since I've left.
Senator Lindsey Graham (R-SC):
Given what, you know, would you recommend that all of us continue to use Twitter or should we take a time out?
Peiter Zatko:
I think Twitter is a hugely valuable service. It really shapes.
Senator Lindsey Graham (R-SC):
So no matter what you said today, you're okay with the rest of us still tweeting.
Peiter Zatko:
I think people should look at the information they're getting off of it differently. And I think people should put pressure on Twitter and ask questions from the public as well as from the government and regulators. You're
Senator Lindsey Graham (R-SC):
Not asking to shut 'em down. You're asking them to get better.
Peiter Zatko:
Absolutely, sir. Okay.
Senator Lindsey Graham (R-SC):
Would you buy Twitter given what, you know?
Peiter Zatko:
<Laugh>
Senator Lindsey Graham (R-SC):
If you had the money?
Peiter Zatko:
Yes. Well yeah, I guess that depended on the price. <Laugh>
Senator Lindsey Graham (R-SC):
That's fair enough. But I guess the reason I asked that, you know, for the rest of us, we take what you say seriously is pretty unnerving. I'm gonna good and use Twitter, but I'll use it differently. And if nothing good comes out of this shame on us all. So let me just tell you where I'm headed. There's no way to deal with this without bipartisanship, from my point of view. So I'm working with Elizabeth Warren of all people. We have different perspectives on most everything, but Elizabeth and I have come to believe that it's now time to look at social media platforms are new, and we have this general understanding among ourselves that the regulatory system regarding social media is not working effectively. Do you agree with that
Peiter Zatko:
Based upon what I saw? A lot of things aren't working effectively? Yes, sir.
Senator Lindsey Graham (R-SC):
Okay. The Federal Trade Commission that's the primary regulator for Twitter as far as we know.
Peiter Zatko:
I do not believe that Twitter should have been able to be viewed as in compliance
Senator Lindsey Graham (R-SC):
With Twitter. Well, my point is, do you know when the federal trade commission was founded?
Peiter Zatko:
No, sir. I do not.
Senator Lindsey Graham (R-SC):
1914. A lot has happened since 1914, World War I, World War II in an explosion of social media. Would you say given what, you know, it seems like the regulatory bodies are sort of outgunned here on Big Tech?
Peiter Zatko:
I think they're absolutely outgunned.
Senator Lindsey Graham (R-SC):
Yeah. They're like big time outgunned and I want people to understand paying 150 million fines seems to be a little consequence. Is that your testimony?
Peiter Zatko:
In this case? Absolutely.
Senator Lindsey Graham (R-SC):
Okay. So just imagine what I just said, Mr. Chairman, a company doesn't mind paying $150 million and just get back on to doing what they're doing. So one of the things I'm trying to do with Senator Warren and others is create a consequence for these organizations to give them an incentive to do better. Don't you think that's where we should be headed?
Peiter Zatko:
Yes, sir. I do.
Senator Lindsey Graham (R-SC):
Okay. One thing that do you have a car?
Peiter Zatko:
Yes, sir. I
Senator Lindsey Graham (R-SC):
Do. Do you have a driver's license? Yes, sir. Okay. If you drive a car, you need a license. If you sell a real estate, you need a license. If you practice law, you need a license. If you're involved in the secur business, you need to get license. Is there any license licensing requirement to run a social media company?
Peiter Zatko:
Not beyond, not, not to the best of my knowledge, sir.
Senator Lindsey Graham (R-SC):
Okay. Can you Sue a social media company when they do you wrong?
Peiter Zatko:
I do not know.
Senator Lindsey Graham (R-SC):
Well, the answer is no, so they're not licensed. You can't sue them. And to be shocked that we have a problem is kind of naive on our part. So here's what I promise to you that we're gonna take your testimony. We're gonna learn from it. We're gonna create a system more like Europe, a regulatory environment with teeth an agency that came about after 1914, with the power to deal with privacy issues, content moderation. If you're gonna be in this space, you have to harm your sites against foreign interference. You have to protect your sites against criminality. And if somebody takes your content down, you'll have an appeal process outside the group who did it. Does that sound kind of like where we need to be going?
Peiter Zatko:
Those all sound good to me. And I would hope measurable and transparent. And thank you, sir.
Senator Lindsey Graham (R-SC):
Well, we're headed that way with my good friend, Senator Hawley, who's gonna join the Graham Warren team. We're gonna come up with a regulatory system to make sure that people in this space pay better attention. They have consequences if they don't change their behavior, it's long past due. Would you say that the companies we're talking about are some of the most powerful in the history of the world?
Peiter Zatko:
I, I don't know, sir.
Senator Lindsey Graham (R-SC):
Well, I'll say that I will say that these companies make massive amounts of money. They're virtually unregulated. Their regulatory body was founded in 1914. They're completely outgunned. And under our law, you can't sue them when you're wronged. Having said all that, there's a much value to these companies, Facebook, Twitter, Google a, they add value to life, but there's a dark side and we're going to address the dark side. So I will just close with this. Your testimony today has legitimized. What most of us feel is a process outta control that the regulatory environment is insufficient to the task. It's time to upper game in this country. I'm not about putting these people out of business. I'm about making them do business in a normal way and take their job more seriously. And if Elizabeth Warren and Lindsay Graham can come together around that concept, I think we're off to the races as a body. Thank you very much. What you did today will not be in vain.
Peiter Zatko:
Thank you very much, sir. If, if what I've done can contribute to positive change, it will be worth it. Thank you.
Senator John Ossoff (D-GA):
Thank you, Senator Graham. Mr. Zatko, thank you for joining us much. Thank you for joining us. I'd like to ask you about what you encountered in terms of the corporate incentives at the top of the company something like pushing patches and security updates to employee devices, cyber hygiene is, is not easy, but that's a relatively low cost way to mitigate a lot of risk. And there is significant risk here, reputational risk, financial risk. So why based upon your experience working within Twitter's corporate leadership, would the company not have elected to take that step to mitigate risk in that relatively low cost way or other steps like that?
Peiter Zatko:
I didn't see any financial incentives at the top levels that would then give prioritization to such efforts. In fact, I saw incentives counter to that and combined with a culture where the company needs a crisis to operate and is driven by crises. Those didn't afford time or focus from what I saw to do the basic security.
Senator John Ossoff (D-GA):
What, what are the incentives against something like patching?
Peiter Zatko:
So it was just, so I'll give you an example. One of the things that I was surprised while I was there we did a, a, a media day from the executives for the street. It was the first one that Twitter had done in a very long time. It set very ambitious goals for growth, for revenue growth goals that I was concerned that the company would not be able to hit not too many months after that, there was an internal value creation award presented to me offering 10 million if we tripled these growth goals growth goals. And I raised concern saying, I don't know how we can do that unless we entirely cut corners everywhere. I do not like this incentive structure. How are we going to be able to devote resources to the basics such as fixing security, patching, getting the systems up to date, building a, a development and testing environment for all of the
Senator John Ossoff (D-GA):
Different, okay. But how is the growth incentive hostile to something like pushing software updates to employee devices and given that, that, that is a, you know, as I understand it, a fundamental security practice, a basic cyber hygiene practice, why were you unable to implement a change like that, that sort of baseline hygiene practice where you'd want all employee devices to be updated to the latest version?
Peiter Zatko:
Yes, I, I brought that up. Numerous times I was repeatedly told that that, you know, 92% of the systems had security software and I kept asking, what is the security software reporting? It took me a month plus to get the truth that 30% of the systems were not received. They had turned off software updates. There was a culture of not reporting bad results up only reporting good results up because that was the internal incentive structure. You were rewarded based upon relationships and how you performed in a in, in an emergency, not for identifying existing errors and doing the groundwork for keeping the lights on running the business. My inability to find such basic information was disturbing. So
Senator John Ossoff (D-GA):
You, you couldn't get the authorization for example, to implement an MDM system or some system to push patches out to user devices, or you, you just couldn't work the bureaucracy to make it happen.
Peiter Zatko:
I, I had the authorization, I couldn't give, I couldn't get the, the real information because people were misrepresenting to the executive team. And the executive team was then further misrepresenting, only good news and incorrect news to the, the board. So it took me several months to start going and getting Dr. Ground truth and to find out that this had been a culture of only present good and positive reports up and that's how you move forward in the company. Okay.
Senator John Ossoff (D-GA):
Let's talk about the data. Much of it, no doubt sensitive within Twitter's possession and, and some of the most alarming aspects of your disclosure and testimony is that the extent to which Twitter may not know what it has what would be an, and of course you don't know what you don't know, but what would be an example of the kinds of data sets that Twitter might possess, but not fully understand it possesses and what would be the mechanisms other than monitoring user activity by which it would've accumulated such data?
Peiter Zatko:
Sure. one example, I was surprised to see that in an internal incident review in 2020, 50 million Twitter employees, information had been exposed. And that number confused me because Twitter doesn't have 50 million employees. Twitter has all of the information of all past employees, contractors, and other users, because they haven't deleted that data. They've kept that data in that system. And that those systems when they're exposed, exposed that information, that was surprising to me. I, sorry, what was the second part of your question, sir?
Senator John Ossoff (D-GA):
No, that that's, that's helpful and I'm, I'm running low on time. So I wanna get to this next point. And I, I know some of my colleagues have covered it, but the, the risks associated with targeted advertising whether for the purpose of inducing targeted users to click on links that could then harvest data about their devices or their web use or their location, or possibly inject malware or for targeted influence campaigns. Can you, can you please talk about what you observed and what you view to be the risks associated with the advertising model of the capability of enterprise clients of Twitter's to target ads and links to specific users?
Peiter Zatko:
Yes. so that area wasn't specifically my domain that was under the executive of sales engineering. The parts that I believe are relevant were not only the additional report that we talked about earlier with the information operations, but I did see that datasets internally to the organization when I first joined thousands of users had access to the advertisers information, including their bank accounts and routing numbers. And when I first joined people could change that information. And you could understand why changing the banking account information of a company such as apple or Nike might be problematic,
Senator John Ossoff (D-GA):
Final question. And, and then I'll yield a Senator or Hawley, and, and I'm gonna follow up with you on this one for the record as well, to get as much detail as possible, but what records, documents, or technical information with as much specificity as you can muster right now, would you suggest that the Congress should seek from Twitter to understand the extent of the alleged lack security practices, but also what data may have been exfiltrated when, and by whom what the level of national security risk might be, what should we be seeking from this company so that we can assess the level of risk and the threat and make policy accordingly?
Peiter Zatko:
Yes, sir. I submitted I believe a hundred plus pages in my disclosure with data talking about these sources of that data and providing a roadmap for investigators. I will do it a disservice, trying to summarize the large numbers of sources and locations of that data, but hopefully my lawful disclosure is provide that roadmap and I'm happy to follow up.
Senator John Ossoff (D-GA):
Okay. We'll review it in, in full and send you any follow ups. Thanks for your testimony. Senator Hawley for six minutes.
Senator Josh Hawley (R-MO):
Thank you very much, Mr. Chairman, Mr. Zco. Thank you for being here. Thanks for your testimony. Thank you. I, I wanna just make sure I got this straight you've you've stated today. And, and in your report that about 4,000 Twitter employees are classified as engineers, is that right?
Peiter Zatko:
Yes, sir. At the time, half the employees, I believe there were 7,000 plus full-time employees.
Senator Josh Hawley (R-MO):
Got it. And that means that these 4,000 ish employees would've had access to live user data, all data, all over Twitter, they could access individual users' personal information, including their live data. Have I got that right?
Peiter Zatko:
Yes, sir. If they so they would have access to the production environment. If they spent the time to meander around and look around, they would find that they could access these large TROs of data,
Senator Josh Hawley (R-MO):
Including geolocation data. Did you testify to that earlier today?
Peiter Zatko:
That the, I know that Twitter has IP locations and that they do use geolocation services based upon IP addresses. Wow.
Senator Josh Hawley (R-MO):
4,000 employees with access to that data. That's extraordinary. So those employees would be in a position then if they wanted to, to get this information and, and docs Twitter users. Is that fair to say?
Peiter Zatko:
That is a concern of mine, sir? Yes.
Senator Josh Hawley (R-MO):
Wow that's a significant concern, 4,000 people with the ability to docs, individual users who pick up the phone and <laugh> use Twitter. That's extraordinary. Have you ever seen it happen?
Peiter Zatko:
I have seen numerous situations where Twitter engineers had to patch a problem. And I said, what was the problem? And they said, oh, engineers could tweet as anybody. The data was exposed in this part. And it was always reactionary rather in finding these wounds left and right, and putting bandaids on them because the systemic underlying problems were not addressed the broad access to too much information and too many systems.
Senator Josh Hawley (R-MO):
When you say Twitter engineers could, could tweet as anybody. Tell me what that means.
Peiter Zatko:
That meant a Twitter engineer understanding how the running systems and the data flows were operating, could then access and inject or put forward information. As, as I mentioned in my oral statement any of the senators sitting here today.
Senator Josh Hawley (R-MO):
And have you ever seen that happen?
Peiter Zatko:
Not with the, no, not directly
Senator Josh Hawley (R-MO):
You, not directly do, are you concerned? It has happened. Do you have some reason to believe it may have happened?
Peiter Zatko:
The number of cases that were reported to me by individual engineers saying, Hey, we found this, I'm gonna try and have somebody fix it where that was the exact problem. And we wouldn't know if it had happened in the past. Yes, I am concerned.
Senator Josh Hawley (R-MO):
Wow. I think that's pretty significant testimony. Let me, let me make sure that I understand also just this point, a Facebook whistle blower came forward a couple of years ago. Now came to me into my office and told us that at Facebook, they at least had some policies on the books that restricted backend developers from using or from accessing user data. Now, whether or not those policies were ever followed, who really knows, but is, is it your testimony to me that Twitter had no similar policies in place that would've restricted these 4,000 engineers from accessing user data in this
Peiter Zatko:
Way, not technical enforcement technical policies that were enforced. I did see basic policies such as, Hey, you're not supposed to access inappropriate systems, but I also saw policies saying that your work laptops should only run in the following situ setups. And I was aware that I don't believe any of the laptops were in compliance with those policies.
Senator Josh Hawley (R-MO):
None of the laptops.
Peiter Zatko:
Based upon the policy that I read. I do not believe any of the laptops were in compliance with that security policy.
Senator Josh Hawley (R-MO):
Zero, zero in compliance with their policies. That's extraordinary. Let, let me, let me ask you about this, that, that same Facebook whistle blower told us a couple of years ago now that Twitter's content moderation staff routinely collaborated with content moderators at, at Facebook and Google. Is that true to your knowledge? Do you have any information about that,
Peiter Zatko:
That that would be in a, a, a team under counsel and I wouldn't have firsthand knowledge of that.
Senator Josh Hawley (R-MO):
Are, are you aware of any Twitter policies that would have prohibited coordination on content moderation between Facebook, Google and Twitter?
Peiter Zatko:
Not to the best of my knowledge. I am not aware.
Senator Josh Hawley (R-MO):
Okay. So it, it, it's, it's very, it's imminently possible is what you're saying. Yes,
Peiter Zatko:
Yes sir.
Senator Josh Hawley (R-MO):
Let me ask you about this. Are you aware of any communications regarding content moderation with Twitter staff and the United States government in your time at the company?
Peiter Zatko:
Uh I'm familiar of the conversations that happen through Department of Homeland Security, the traffic light protocol whether are messages sent out to organizations about threats that maybe the FBI or other organizations had insight into.
Senator Josh Hawley (R-MO):
So earlier this year, documents that we obtained from a different whistle blower at the Department of Homeland Security exposed that the disinformation board, that the Department of Homeland security set up that first on the disinformation board's list of companies to meet with was Twitter. And they had an extensive memo, which by the way, is public information. Now we've released it. You can go and look at it, but they had a memo prepared with notes for this meeting, with Twitter, talking about cooperation and content moderation, and frankly, in monitoring American's speech. And now we know that thousands of Twitter employees have access to that. This was all in these documents. I guess my question to you is, and I know you weren't in those meetings, but why do you suppose that the disinformation board had Twitter first on the list of entities to come to, to talk about coordinating, monitoring American speech?
Peiter Zatko:
I, I can't opine on that, but I can say that Twitter is a tremendously influential platform. And we do know that there are information operations, you know, being run on, on Twitter.
Senator Josh Hawley (R-MO):
Do you think it's maybe because Twitter has proved so pliant to government pressure to censorship and monitor people. I'm thinking of, you know, first of all, the Hunter Biden story, we now know that Twitter killed the Hunter Biden reporting. We know mark Zuckerberg has said that the FBI pushed Facebook to do so Facebook throttled it down, Twitter killed it completely wouldn't, you know, locked up accounts that were trying to report. And what we now know was a true story, or how about by your own, in your own report, you claimed that the Twitter CEO proposed caving to the Russian government's demands to censor content and Twitter and spy on its users. And you noted that this occurred even as you were directing employees to prepare for the Russian invasion of Ukraine, that sounds like an executive team. That's pretty darn client to the demands of, of governments to weaponize effectively their platform, to control information, to spy on its users. What's your view?
Peiter Zatko:
I, the, I wasn't there when the Hunter Biden issue happened and I don't have any information on that. I wasn't briefed into it or involved in any of the investigations. The CEO was the CTO at the time when he proposed to me that, Hey, what do you think about you know, why don't we just let Russia perform their own moderation? They're a democracy. So why should, why should we why shouldn't we let them do it? I didn't know what to think at the time then, sir, I was a little flabbergasted.
Senator Josh Hawley (R-MO):
Well, I think I know what to think which is that Twitter has been all too eager to take private information from its users, without telling them to sell it and monetize it without their permission to expose them to the worst kind of security threats to censor them, to spy on them. I mean, this, you have painted a picture of a company that is not only out of control, but is truly in many ways of malign actor. And I, I thank you for being willing to be here and testify. Thank you, Mr. Chairman.
Senator Dick Durbin (D-IL):
Thank you, Senator Hawley. Thank you for appearing before the committee today, the hearing record will remain open for one week for submission of materials for the record. And with that, this hearing is adjourned.
