By Zoe Kleinman & James Clayton
Technology editor
Twitter’s former head of security, Peiter Zatko, has told US lawmakers the firm is “misleading the public” about how secure the platform really is.
He claimed Twitter was “a decade behind” security standards, that users’ data is not sufficiently protected and that too many staff have access to it.
Mr Zatko was giving evidence following an 84-page long whistleblowing complaint he made about security practices inside the social network.
He was fired by the firm in January.
He also said “one-time fines” imposed by regulators over breaches of rules on data protection “didn’t bother Twitter at all”.
In his damning testimony, Mr Zatko described an organisation prioritising revenue generation above everything else.
At the start of the hearing he grew tearful about his role as a whistleblower, saying it was not a decision he had taken lightly.
“I’m risking my career and reputation… if something good comes out of it five or ten years down the line, it will be worth it,” he said later on.
He also said he still thought Twitter offered a good service but laughed when asked whether he would buy it – a wry nod to the saga of Elon Musk’s deal.
“Depends on the price,” he said.
National security
During his questioning, Mr Zatko said that employees had expressed concerns to him that Twitter was carrying advertising from “organisations which may or may not be associated with the Chinese government”, a potential national security risk.
When he raised concerns with Twitter executives he was told it would be “problematic” to lose that revenue stream, he said.
He also said he was troubled by Twitter’s attitude to other national security issues he had raised. He said “half the company” were engineers and they all had access to users’ personal information.
It is believed around 4,000 employees had access to this data. He said he was worried that rogue employees had the power to take information without leaving a trace.
He added that there was a danger that employees could “dox” users, where private information is posted online, though he had not seen this happen.
He said Twitter does not log the activity of employees who access private data – which surprised him.
He also said that Twitter’s security systems made it difficult to monitor potential espionage. In a previous statement Mr Zatko said that an Indian agent had been employed by the company .
“The company did not in fact disclose to users that it was believed by the executive team that the Indian government had succeeded in placing agents on the company payroll,” Mr Zatko said last month.
Musk and spam
He has previously supported Elon Musk’s claim that the platform has more spam and fake accounts than it has admitted – though he didn’t elaborate on this.
His testimony focussed on national security issues – and is not officially connected with Mr Musk’s attempt to pull out of his deal to buy Twitter for $44bn – that case is due to begin in October.
Even so, the flurry of accusations from a former senior employee will not help Twitter’s case.
Mr Zatko was personally hired by Twitter’s co-founder and former CEO Jack Dorsey, after a high-profile attack of the platform’s celebrity accounts.
The whistleblower said that peoples’ personal information was put at risk. Information held about users includes:
- Phone number
- IP address – from which a physical address could potentially be found.
- Email address
- Type of device
- Type of browser
- Location a user connected from
This data could enable an individual to be targeted in the real world, he said.
Mr Zatko has previously worked for the US government and Google, and is well-regarded in the information security community.
His lawyer John Tye described him as “a pretty remarkable guy”.
Senator Chuck Grassley from the US Judiciary Committee said in his opening remarks that Twitter CEO Parag Agrawal had declined to attend the hearing.
Mr Agrawal’s last activity on his own Twitter account was a re-tweet of the firm’s chairman Bret Taylor in response to Elon Musk on 4 August.
Twitter has said that Peiter Zatko lost his job because of ineffective leadership and poor performance, and that his allegations are both inaccurate and inconsistent.