Former Twitter security chief Peiter “Mudge” Zatko will appear before lawmakers in Washington on Tuesday. He is expected to give damning evidence of data and information security flaws on the social media platform, after highlighting a litany of concerns in a whistleblower complaint last month.
The former hacker, widely respected in his field as an information security specialist, joined Twitter on November 16, 2020 and was fired on January 19, 2022. His complaint alleges incompetence and fraud at Twitter, saying he uncovered “extreme and egregious shortcomings by Twitter in all areas of its mandate”, including weak controls over employee access to user data and interference by foreign governments.
The Senate Judiciary Committee hearing does not directly benefit Elon Musk, who is trying to pull out of a $44 billion (£38 billion) deal to buy Twitter and has been cleared by the court to cite Zatko’s revelations as a further reason to walk away. Musk’s attorneys interviewed Zatko on September 9. But if Zatko’s allegations are going to have an immediate impact, it will be at the trial in Delaware starting October 17, where Twitter is trying to force Musk to buy the company on the terms he agreed to in April.
Here are some questions Zatko might face on Tuesday.
How big are the information security issues on Twitter?
This is a catch-all question that lawmakers are likely to break down into several parts, given the amount of detail in the allegations contained in Zatko’s complaint.
He is likely to be questioned over several of them, including that Twitter mishandled users’ email addresses and phone numbers, that more than half of its roughly 500,000 data center servers run outdated software or carry other known security issues, and that employees installed spyware on their work computers at the request of outside organizations.
How serious is foreign state interference at Twitter?
Zatko’s complaint says he was aware of “several episodes” of Twitter being penetrated by foreign intelligence agencies or being complicit in threats against democracies. The examples given were that the Indian government forced Twitter to hire government agents who then had access to user data, and that executives allowed the platform to become dependent on revenue from Chinese “entities” that could then access information about users in China who had circumvented the government’s block on the service. The complaint adds that Twitter received “specific information from a U.S. government source that one or more company employees were working on behalf of another particular foreign intelligence agency.”
Lawmakers will want to know if the output of the platform, which plays a highly influential role in politics and the media in several countries, could be manipulated as a result.
How big is Twitter’s bot problem?
In a section of the complaint titled “lying about bots to Elon Musk,” Zatko raises questions about Twitter’s approach to bots, essentially arguing that the company has no control over the issue. Lawmakers should ask Zatko how big the problem really is and how it needs to be tackled.
Musk cited the prevalence of bot accounts on Twitter, which are not run by humans and are designed to disrupt and manipulate users’ experience, as a key reason for declaring that he was walking away from the takeover.
In his complaint, Zatko says Parag Agrawal, Twitter’s chief executive, lied when he tweeted that Twitter executives had “incentives to detect and remove as much spam as possible.”
Musk, the Tesla chief executive, claims Twitter deliberately miscounted the number of bots on the platform. The company has consistently stated that bots represent less than 5% of its monetizable daily active users (mDAUs: accounts that can see advertisements and therefore have commercial value to the company).
Zatko says there are several million active accounts that are not counted as mDAUs but are still part of the average user’s experience on the platform, degrading it. This does not quite align with Musk’s argument that Twitter deliberately underestimates the number of bots among its mDAUs. Zatko says Twitter does not include these accounts in its mDAU total, but does not remove them either.
Nevertheless, Zatko’s filing claims that management had no desire to properly measure bot accounts because they feared that “if specific measurements became public, it would harm the company’s image and valuation.” That could at least matter for a shareholder lawsuit and, more broadly, Zatko asserts that Twitter cannot deal with bots because it relies on “outdated” programs and “understaffed” monitoring teams.
How credible are you as a witness?
Twitter hit back at Zatko’s allegations, saying he was fired by Agrawal for “ineffective leadership and poor performance”. Referring to his claims, the company added: “What we have seen so far is a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context. Mr. Zatko’s allegations and opportunistic timing appear designed to garner attention and harm Twitter, its customers and its shareholders. Security and privacy have long been company-wide priorities at Twitter and will continue to be.”
Nonetheless, Zatko has a considerable pedigree, having made his name as an ethical hacker who helped organizations find flaws in their systems before taking senior roles at Google, the payments company Stripe and the US Department of Defense. That long career and his reputation for professional rigor led Twitter’s chief executive at the time, Jack Dorsey, to hire him.
Is there a leadership problem at Twitter?
Zatko’s complaint is scathing about the company’s management standards. His allegations against Agrawal include that the chief executive asked him in December 2021 to provide information security documents to Twitter’s board risk committee that Agrawal knew to be “false and misleading.” The complaint says Twitter’s security issues had “developed under Agrawal’s watch.” It also raises concerns about leadership in general, describing an “extremely disengaged” Dorsey, who resigned last year, and who spoke a total of 50 words to Zatko in telephone conversations over a 12-month period.
Did Twitter mislead investors?
Zatko’s complaint says, “For years, through numerous public statements and SEC filings, Twitter has made material misrepresentations and omissions, and engaged in acts and practices that operate as a deception towards its users and shareholders, with regard to security, confidentiality and integrity.” Twitter disputes this. On the complaint’s impact on Musk’s takeover, Boston College Law School professor Brian Quinn said: “Twitter will likely respond that even if they haven’t disclosed that a disgruntled employee had complained about their security, they revealed that data security and privacy issues were risks to the business.”
Whistleblower on Twitter: what questions will Peiter Zatko face from lawmakers?