Ten Points from Peiter “Mudge” Zatko’s Twitter Testimony

litwtch · Published in Informal Musings · 3 min read · Sep 13, 2022

Peiter “Mudge” Zatko testified today (September 13) at the Senate Judiciary Committee hearing “Data Security at Risk: Testimony from a Twitter Whistleblower,” and I found a few of the points he raised incredibly interesting.

Peiter “Mudge” Zatko at the Senate Judiciary Committee hearing “Data Security at Risk: Testimony from a Twitter Whistleblower” on September 13. Image from: https://www.livemint.com/news/world/twitter-is-misleading-public-peter-mudge-zatko-begins-testifying-to-congress-11663079489433.html

Here are ten points from the testimony Mr. Zatko gave today that I found the most interesting (in no particular order):

  1. Twitter doesn’t have a dev environment; instead, everything runs in the prod (live) environment, and all engineers (4,000+ employees, or about half of the Twitter workforce) have some level of access to user data.
  2. Twitter doesn’t know what data it collects and has no logs of who has access to that data, yet the data it does collect includes Personally Identifiable Information (PII) and other information that can be used for harm, such as in information or influence operations.
  3. Twitter doesn’t have any central logging capability, which makes insider threats a huge problem: Twitter doesn’t know, and has no real ability to find out, who has access to what data and how they use it.
  4. Twitter management is aware of the issues Mr. Zatko raised in his testimony, but prioritizes growth instead, particularly with advertisers.
  5. Regulators (specifically the FTC) are being misled, and the FTC doesn’t have the ability to really force change. In the United States, fines are treated as a budgeted cost of doing business rather than a mitigating force. This is somewhat different for international regulators.
  6. 80% of Twitter’s user base is outside of the United States, and Twitter does not really have mechanisms for monitoring or reviewing those non-English users and tweets.
  7. Foreign agents are aware of and active within Twitter; however, Twitter doesn’t appear to care and is more concerned with short-term growth. In addition, Twitter doesn’t even attempt to identify foreign agents. In one case mentioned in the testimony, Twitter knowingly hired a foreign agent.
  8. Twitter is reactive rather than preventative on issues once they are identified. Twitter doesn’t really take action on anything (content or otherwise) unless it becomes public or makes the news and causes an uproar. Specifically, Mr. Zatko described Twitter as being 10 years behind on security.
  9. Twitter does not and cannot delete user data, potentially in violation of international data protection laws such as the General Data Protection Regulation (GDPR) or the California Consumer Privacy Act (CCPA).
  10. Advertising (targeted, click-through, or other) is a big concern as a vector for information or influence operations against Twitter users. In addition, Twitter employees had (and may still have) the ability to change bank account information for third-party advertisers like Apple or Nike without oversight.

The above points are just some of the testimony Mr. Zatko gave today; a lot of information has come out of this hearing and more will continue to. I am looking forward to seeing what is going to come from Mr. Zatko’s incredible decision to whistleblow on security at Twitter. Find the full Senate committee hearing here and Mr. Zatko’s own written testimony here.
