San Francisco. U.S. politicians from both political camps have criticized Twitter for being too careless with user data and have announced stricter oversight of the company.
The occasion was Tuesday's hearing of Twitter's former head of security, Peiter Zatko. He accused the platform of employing agents of foreign intelligence services, of failing to adequately protect user data and of violating fundamental security precautions.
In a letter, the Judiciary Committee of the US Senate has now demanded more details from Twitter CEO Parag Agrawal. Senator Chuck Grassley, the ranking Republican on the committee, called on Agrawal to step down as CEO.
Meanwhile, at a special meeting of Twitter shareholders, the company's owners voted in favor of the sale of the platform to billionaire Elon Musk. Musk had initially signed a purchase agreement for around $44 billion and deliberately waived the usual due diligence.
In July, he accused Twitter of providing false information and tried several times to terminate the purchase agreement. With Tuesday's vote, Twitter shareholders rejected Musk's third attempt to withdraw from the purchase agreement. A trial in Delaware on how to proceed with the purchase is scheduled to begin on October 17.
Before the Judiciary Committee, Zatko, who also goes by the handle Mudge, described a case in which a senior Twitter manager had been threatened by a user. It took a technician only about ten minutes to gather a great deal of information about that user. "We had the real name, residential address, his exact whereabouts and his phone number," Zatko said. He used the example to show that Twitter holds significantly more information about its users than they consciously share.
Former head of security: Twitter is a “ticking time bomb for security vulnerabilities”
Twitter is not in a position to adequately protect this information, Zatko warned. Around half of all Twitter employees have access to such sensitive user data, he said, and there is hardly any logging of which employee accessed which data. This means that Twitter is effectively unable to trace abuse by its own employees. He tried to change this practice during his time at Twitter but failed, Zatko said.
In addition, Twitter had worked directly or indirectly with foreign intelligence services. In the case of India, Twitter knowingly hired several members of the security services as employees, Zatko said. In the case of China, Twitter had created the technical means for Chinese intelligence services to spy specifically on critics of the Chinese government.
In the case of Saudi Arabia, a former Twitter executive was found guilty by a US court a few weeks ago of spying on dissidents on Twitter on behalf of Crown Prince Mohammed bin Salman. Senator Chuck Grassley said Twitter had been warned by the FBI that the company counted at least one Chinese spy among its employees. Zatko told the panel that the spy was an agent of the Chinese Ministry of State Security.
Zatko said he had urged his superiors to take stronger action against foreign spies within the company. However, a board member had replied to him: "Since we already have one (spy), what's the problem if we have more? Let's let the office continue to grow," Zatko quoted the Twitter manager as saying during the hearing.
Zatko’s latest allegations went beyond allegations he made in a complaint as a whistleblower to the U.S. Securities and Exchange Commission (SEC). Zatko was fired from Twitter in January. The company called Zatko’s allegations false.
Ex-head of security: France's data protection authority is tougher than US regulators
Contrary to the legal requirements in a number of countries and in the European Union, Twitter does not delete user data but only deactivates it, Zatko said. Twitter has already been the target of investigations in the United States, and its handling of data could result in penalties. Nevertheless, Twitter management was only slightly concerned about the actions of the US authorities. By contrast, Twitter had great respect for France's data protection authority, CNIL.
US regulators impose one-off penalties. "They're already priced in," Zatko said. France's data protection authority, on the other hand, engages with the technological details of the platform and can impose penalties again and again for as long as a violation has not been resolved. For that reason, Twitter has greater respect for the French regulators than for those in the United States.
Zatko enjoys a high reputation among cybersecurity experts and has worked for both Google and the US government. However, his portrayal of the situation at Twitter has also drawn criticism. Former Twitter developer Ian Brown, for example, publicly accused him of setting the wrong priorities in dealing with security vulnerabilities. In addition, Zatko has so far provided little evidence for his allegations.
Allegations could overshadow court case over Twitter purchase
Zatko's revelations could provoke reactions not only from US politicians and regulators; they will also play a part in the court proceedings over the purchase agreement with Elon Musk. Musk had tweeted a popcorn emoji at the start of Zatko's hearing.
So far, Wall Street has assumed that Musk will clearly lose the case, said analyst Daniel Ives of asset manager Wedbush. With Zatko's revelations, the situation could change. "Zatko is like Pandora's box for Twitter," Ives wrote.
Zatko is represented by Whistleblower Aid, the same group that also represented Facebook whistleblower Frances Haugen. John Tye, founder of Whistleblower Aid and Zatko’s lawyer, told CNN that Zatko had not been in contact with Musk and that Zatko had started the whistleblower process before there was any indication of Musk’s involvement in Twitter.