Whistleblower: China and India had agents working for Twitter

WASHINGTON (AP) — Twitter’s former security chief told Congress Tuesday that there was “at least one agent” from China’s intelligence service on Twitter’s payroll and that the company knowingly allowed India to also add agents to the company’s list, which could give those nations access to sensitive data about users.

These were some of the troubling revelations from Peiter “Mudge” Zatko, a respected cybersecurity expert and Twitter whistleblower who appeared before the Senate Judiciary Committee to lay out his accusations against the company.

Zatko told lawmakers that the social media platform is riddled with weak cyber defenses that make it vulnerable to exploitation by “teenagers, thieves and spies” and put the privacy of its users at risk.

“I’m here today because Twitter’s leadership is misleading the public, lawmakers, regulators and even their own board of directors,” Zatko said as he began his sworn testimony.

“They don’t know what data they have, where it is and where it came from, so unsurprisingly they can’t protect it,” Zatko said. “It doesn’t matter who has keys if there are no locks.”

“Twitter’s leadership ignored its engineers,” he said, in part because “their executive incentives led them to prioritize profit over security.”

In a statement, Twitter said its hiring process is “independent of any foreign influence” and that access to data is managed through a series of measures, including background checks, access controls, privacy systems and processes, and monitoring and detection.

One issue that did not come up in the hearing was the question of whether Twitter accurately counts its active users, an important metric for its advertisers. Tesla CEO Elon Musk, who is trying to get out of a $44 billion deal to buy Twitter, has argued without evidence that many of Twitter’s estimated 238 million daily users are fake or malicious accounts, also known as “spam bots.”

Still, “that doesn’t mean Musk won’t use Zatko’s accusation that Twitter wasn’t interested in taking down the bots to try to bolster his argument for walking away from the deal,” said Insider Intelligence analyst Jasmine Enberg.


The Delaware judge overseeing the case ruled last week that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial, which is set to begin Oct. 17. During the hearing, Musk tweeted a popcorn emoji, which is often used to suggest that one is sitting around waiting for the drama to unfold.

Separately on Tuesday, Twitter shareholders voted overwhelmingly to approve the deal, according to multiple media reports. Shareholders have been voting remotely on the issue for weeks. The vote was largely a formality, particularly given Musk’s efforts to void the deal, though it removes a legal hurdle to closing the sale.

Zatko’s message echoed one brought before Congress against another social media giant last year. But unlike that Facebook whistleblower, Frances Haugen, Zatko has not brought troves of internal documents to back up his claims.

Zatko was the influential platform’s head of security until he was fired earlier this year. He filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had implemented stronger measures to protect the security and privacy of its users.

Senator Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said Zatko has detailed flaws “that may pose a direct threat to the hundreds of millions of Twitter users as well as American democracy.”

“Twitter is an immensely powerful platform and cannot afford huge vulnerabilities,” he said.

Unbeknownst to Twitter users, there is much more personal information being disclosed than they, or even Twitter itself, realize, Zatko testified. He said that Twitter did not address the “basic systemic flaws” presented by the company’s engineers.

The FTC has been “a little over its head,” and far behind its European counterparts, in policing the kinds of privacy violations that have occurred on Twitter, Zatko said.

Zatko’s accusation that Twitter was more concerned with foreign regulators than the FTC, Enberg said, “could be a wake-up call for US lawmakers” who have been unable to pass meaningful regulation on social media companies.

Sen. Lindsey Graham, a Republican from South Carolina, said one positive outcome that could come from Zatko’s findings would be bipartisan legislation to establish a stricter system of regulating tech platforms.

“We need to up our game in this country,” he said.

Many of Zatko’s claims are unsubstantiated and appear to have little documentary support. Twitter called Zatko’s description of the events “a false narrative… riddled with inconsistencies and inaccuracies” and lacking significant context.

Still, Zatko turned out to be a compelling whistleblower who has “a lot of credibility in this space,” said Ari Lightman, a professor of digital media and marketing at Carnegie Mellon University. But Lightman said that many of the problems Zatko raised are likely to be found in many other digital technology platforms.

“They avoid security protocols in the sense of innovating and operating very quickly,” Lightman said. “We gave digital platforms so much autonomy at the beginning to grow and develop. Now we’re at a point where we’re, ‘Wait a minute… This has gotten out of hand.’”

Among Zatko’s claims that caught the attention of lawmakers was Twitter’s apparent negligence in dealing with governments seeking to land spy work within the company. Twitter’s inability to record how employees accessed user accounts made it difficult for the company to detect when employees were abusing their access, Zatko said.

Zatko said he spoke with “high confidence” about a foreign agent the Indian government placed on Twitter to “understand the negotiations” between India’s ruling party and Twitter over new social media restrictions and how well those negotiations were going.

Zatko also revealed Tuesday that he was told about a week before his dismissal that “at least one agent” from the Chinese intelligence service MSS, or the Ministry of State Security, was “on the payroll” at Twitter.

He said he was equally “surprised and shocked” by an exchange about Russia with current Twitter CEO Parag Agrawal, in which Agrawal, who was chief technology officer at the time, asked if it would be possible to “clear” content moderation and surveillance of the Russian government, since Twitter really “does not have the capacity or the tools to do things correctly.”

“And since they have elections, doesn’t that make them a democracy?” Zatko remembered Agrawal saying.

Sen. Charles Grassley, the committee’s ranking Republican, said Tuesday that Agrawal declined to testify at the hearing, citing ongoing legal proceedings with Musk. But the hearing is “more important than the Twitter civil litigation in Delaware,” Grassley said. Twitter declined to comment on Grassley’s comments.

In his complaint, Zatko accused Agrawal, as well as other senior executives and board members, of numerous violations, including making “false and misleading statements to users and the FTC about the security, privacy, and integrity of the Twitter platform.”

Zatko, 51, first rose to prominence in the 1990s as a pioneer in the ethical hacking movement and later worked in high-level positions at an elite Defense Department investigative unit and at Google. He joined Twitter in late 2020 at the urging of then-CEO Jack Dorsey.


O’Brien reported from Providence, Rhode Island; Ortutay reported from Oakland, California.


Follow Marcy Gordon at https://twitter.com/mgordonap
