Економіка

U.S. senators expressed empathy with Twitter’s former security chief during a hearing on Tuesday as he outlined serious concerns about the influential social media platform.

“It doesn’t matter who has keys if you don’t have any locks on the doors. And this kind of vulnerability is not in the abstract. It’s not far-fetched to say an employee in the company could take over the accounts of all of the senators in this room,” said Peiter “Mudge” Zatko in testimony before the Senate’s Judiciary Committee.

“Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower.”

Zatko, appearing under subpoena, added he was not making the disclosures “out of spite or to harm Twitter.”

Zatko, who made a number of revelations previously in an 84-page complaint to the Securities and Exchange Commission and other U.S. government regulatory agencies, said that executive incentives compel Twitter executives to prioritize profits over security.

“There was a culture of not reporting bad results up, only reporting good results up,” Zatko told the senators.

Judiciary Committee Chairman Senator Dick Durbin, a Democrat, noted that according to Zatko, “the door to that vault is wide open and that vault contains a lot more information about you than you can imagine.”

Several senators, from both the Democratic and Republican parties, expressed concern that Twitter’s vulnerabilities could constitute a national security threat.

“This data is a gold mine of information that could be used against America’s interest. Twitter has a responsibility to ensure that the data is protected and doesn’t fall into the hands of foreign powers,” said Chuck Grassley, the ranking Republican senator on the committee.

“Your testimony today has legitimized what most of us feel is a process out of control, that the regulatory environment is insufficient to the task,” said Senator Lindsey Graham a Republican. “It’s time to up our game in this country.”

Graham said he is working with Senator Elizabeth Warren, a Democrat, to create a regulatory system that would have “teeth,” similar to what has been enacted in Europe.

“I’m not reaching any conclusions, but clearly what we’re doing right now is not working,” said Richard Blumenthal, a Democrat on the committee, who raised the possibility of creating a new government agency to regulate tech companies and protect consumers.

One senator, Mazie Hirono, a Democrat, appeared exasperated that Twitter has not been held to account even though it has paid a $150 million fine for violating a consent decree with the Federal Trade Commission on protecting users’ data.

“Do people need to go to prison?” she asked Zatko.

“I think holding people accountable is a good start,” he replied.

Zatko, a former high-profile computer hacker who became head of cybersecurity research at a Defense Department research and development agency known as DARPA and subsequently worked at Google before joining Twitter in 2020, also testified there were suspected foreign agents working inside Twitter — from China, India and Nigeria — and that there was no way to track their access to company databases, including those containing users’ personal information.

Zatko said when he raised his concern with another Twitter executive about a particular suspected foreign agent inside the company that person replied: “Well, since we already have one, what does it matter if we have more?”

Twitter’s hiring process is independent of any foreign influence and access to data is managed through measures including background checks, access controls, and monitoring and detection systems and processes, according to a Twitter company spokesman.

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” a Twitter company spokesperson, who declined to be publicly identified, responded to VOA and did not elaborate.

Twitter Chief Executive Officer Parag Agrawal declined to voluntarily appear before the committee on Tuesday. Durbin and Grassley told reporters they will discuss issuing a subpoena to compel the executive to appear.

Zatko “continues to believe that through this public disclosure process, real world harm for Twitter users may be avoided and our country’s national security better protected,” said his attorney, Alexis Ronickher, in a statement following the hearing.

Following Zatko’s testimony, Twitter announced that its shareholders have approved a $44 billion takeover offer from Tesla Chief Executive Officer Elon Musk. But since making the bid, the billionaire has terminated the agreement, accusing Twitter of misrepresenting the number of authentic users. Twitter has countersued, and the matter is scheduled to be heard in Delaware’s chancery court next month.

A judge in the state of Delaware ruled last week that Zatko’s claims can be included in Musk’s case against Twitter.
…

Peiter “Mudge” Zatko, the Twitter whistleblower who is warning of security flaws, privacy threats and lax controls at the social platform, will take his case to Congress Tuesday. 

Senators who will hear Zatko’s testimony before the Senate Judiciary Committee are alarmed by his Twitter allegations at a time of heightened concern over the safety of powerful tech platforms. 

It’s Zatko’s second Capitol Hill appearance, and in some ways a 21st-century echo of his first. In 1998, he testified before a Senate panel along with fellow members of a hacker collective who warned about the security dangers of the then-emerging internet age. 

Zatko, a respected cybersecurity expert, was Twitter’s head of security until he was fired early this year. He brought the stunning allegations to Congress and federal regulators, asserting that the influential social platform misled regulators about its cyber defenses and efforts to control millions of “spam” or fake accounts. 

Sen. Dick Durbin, the Illinois Democrat who chairs the panel, has said that if Zatko’s claims are accurate, “they may show dangerous data privacy and security risks for Twitter users around the world.” 

Musk battle

Zatko’s accusations are also playing into billionaire tycoon Elon Musk’s battle with Twitter. The Tesla CEO is trying to get out of his $44 billion bid to buy the company; Twitter has sued to force him to complete the deal. The Delaware judge overseeing that case ruled last week that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial set to start October 17. 

The allegation that Twitter engaged in deception in its handling of automated “spam bot” accounts is at the core of Musk’s attempt to back out of the Twitter deal. 

At the same time, many of Zatko’s claims are uncorroborated and appear to have little documentary support. In a statement, Twitter has called Zatko’s description of events “a false narrative.” 

Also Tuesday, Twitter’s shareholders are scheduled to vote on the company’s pending buyout by Musk. The vote is something of a formality given that the deal is on hold while the court case plays out. But if the measure passes as expected, it would pave the way for a Musk takeover should Twitter prevail in court. 

Zatko also filed complaints with the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users. 

The SEC is questioning Twitter about how it counts fake accounts on its platform. Twitter uses counts of its presumably real users to attract advertisers, whose payments make up about 90% of its revenue. The “spam bots” have no value to advertisers because there’s no person behind them. 

San Francisco-based Twitter has an estimated 238 million daily active users worldwide. The company says it removes 1 million spam accounts daily. 

‘Egregious deficiencies’

Zatko’s 84-page complaint alleges that he found “extreme, egregious deficiencies” on the platform, including issues with “user privacy, digital and physical security, and platform integrity/content moderation.” 

It accuses CEO Parag Agrawal and other senior executives and board members of making “false and misleading statements to users and the FTC” about these issues. Twitter denies those claims and has said that Zatko was fired in January for “ineffective leadership and poor performance.” Zatko’s attorneys say the performance claim is false. 

Twitter also hinted that Zatko’s complaint might be designed to bolster Musk’s legal fight with the company. Twitter called Zatko’s complaint “a false narrative” that is “riddled with inconsistencies and inaccuracies, and lacks important context.” 

News of Zatko’s complaint surfaced August 23, almost two months before the Twitter-Musk trial is scheduled to begin. One of Zatko’s attorneys has said “he’s never met Elon Musk. Doesn’t know Elon Musk. They know people in common.” 

The company also says it has significantly tightened security since 2020. 

Among Zatko’s specific allegations: 

— The company had such poor cybersecurity that it easily could have been exposed to outside attacks or attempts to siphon off its internal data. 

—The company lacked effective leadership, with its top executives practicing “deliberate ignorance” of pressing problems. Zatko described former CEO Jack Dorsey as “extremely disengaged” during the last months of his tenure, to the point where he wouldn’t even speak during meetings on complex issues. Dorsey stepped down in November 2021. 

—That Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had “direct unsupervised access” to highly sensitive data on users. It makes a parallel but less detailed accusation that Twitter took funding from unidentified Chinese entities who may have gained access enabling them to access the identities and sensitive data of Chinese users who secretly use Twitter, which is officially banned in China. 

Better known by his hacker handle “Mudge,” Zatko, 51, first gained prominence in the 1990s. He was the best-known member of the Boston-based collective L0pht, which pioneered ethical hacking, embarrassing companies including Microsoft for poor security. His work raised awareness in the computing world that forced such major companies to take security seriously. He co-founded the consultancy @Stake, which was later acquired by Symantec. 

Zatko later worked in senior positions at the Pentagon’s Defense Advanced Research Projects Agency and Google. He joined Twitter at Dorsey’s urging in late 2020, the same year the company suffered an embarrassing security breach involving hackers who broke into the Twitter accounts of world leaders, celebrities and tech moguls, including Musk, attempting to scam their followers out of bitcoin. 
…