Peiter Zatko, the Twitter whistleblower, goes to Washington

On August 23, the Washington Post and CNN published stories about alleged security failures at Twitter, based on a whistleblower complaint written by Peiter Zatko, the company’s former head of security, who was fired by the company in January. Among Zatko’s more serious allegations were that Twitter executives, including Parag Agrawal, its CEO, deliberately misled both the company’s board of directors and federal regulators about Twitter’s security procedures, and that the company gave agents of foreign governments access to “sensitive user data.” Zatko’s complaint was also shared with several members of Congress as well as the Federal Trade Commission, the Securities and Exchange Commission, the Justice Department, and the Senate Intelligence Committee. 

On Tuesday, Zatko appeared before a hearing of the Senate Judiciary Committee to discuss his complaint, and spent more than two and a half hours detailing his allegations. He told the committee that, before he was fired, the FBI had notified Twitter that “there was at least one agent” of China’s Ministry of State Security “on the payroll” at the company. Zatko also alleged that Twitter was incapable of tracking when and where its own employees accessed its systems, an arrangement he said made it impossible for Twitter to find foreign agents who might be gaining access to internal data. According to Zatko, the company was only able to find these agents when informed of their presence by external entities such as the FBI; in one case, he said, he’d told a Twitter executive he was “confident” there was a foreign agent inside the company. “Their response was: ‘Well, since we already have one, what does it matter if we have more? Let’s keep growing the office,’” Zatko told the committee.

In 2019, the New York Times reported that two former Twitter employees were charged with acting as agents of the government of Saudi Arabia and using their positions to gain access to information about users who were critical of the Saudi government. (One of the individuals was convicted on multiple charges, including acting as a foreign agent and conspiracy, last month by a court in California; the other left the country before he could be arrested.) Zatko also told the committee that the Chinese government could have easily acquired information about Twitter users who clicked on ads, including the locations of those users. “Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security,” Zatko told the committee.

Twitter has said Zatko’s termination from the company was related to performance issues. In a statement issued after Tuesday’s hearing, the company didn’t respond to any of his specific allegations, but said they were “riddled with inconsistencies and inaccuracies.” Twitter maintains that its security processes and rules around network access are robust. Following Zatko’s testimony, however, a number of members of the Senate committee voiced their support for more stringent government regulation of social networks. In his original complaint on Twitter’s failures, Zatko alleged that the company was in breach of an eleven-year-old consent decree from the FTC related to the handling of user data. Although Zatko didn’t provide an opinion on the idea of new regulatory powers during his testimony, he did tell the Senate committee that he believes lax regulation by the Federal Trade Commission allows platforms such as Twitter to “grade their own homework.”

Dick Durbin, a Democratic senator from Illinois and chairman of the Judiciary Committee, compared users trusting Twitter with their data to the way depositors trust a bank with their money, but said Zatko’s testimony shows that, “at Twitter, the vault is wide open.” Lindsey Graham, the Republican senator from South Carolina, said during his comments that the situation at Twitter reinforces the need for “a regulatory environment with teeth.” According to a report from Bloomberg, Graham is working on legislation to that end—a law that might require platforms such as Twitter and Facebook to be licensed by a federal regulator—and is trying to form alliances with others, including Democratic senator Elizabeth Warren of Massachusetts. Richard Blumenthal, a Democratic senator from Connecticut, said that he’s open to a new technology regulator that could “help shift the balance of power between immensely profitable companies and the agencies charged with protecting consumers,” according to a Bloomberg story.

Elon Musk has also continued to use Zatko’s allegations as ammunition for his ongoing attempt to cancel his own agreement to acquire Twitter for $44 billion. Last week, Musk told Twitter that a $7 million severance payment it gave Zatko was a breach of the terms of the acquisition agreement, because Musk wasn’t notified of the payment first. (Not surprisingly, Twitter disagreed with Musk’s take.) On Tuesday, after Zatko’s testimony, Twitter’s shareholders voted to accept Musk’s acquisition offer—a final step in a process Musk hopes to suspend, and which the two parties will take to Delaware’s Chancery Court in a case scheduled to begin next month. Despite Zatko’s testimony about Twitter’s alleged security lapses, his accusations are unlikely to have a significant impact on Musk’s legal battle, according to a number of financial experts who were surveyed by the Financial Times. “For this to affect the trial, it has to amount to a material adverse effect or fraud, which is a very high standard,” Anat Alon-Beck, a legal scholar, told the FT.


Here’s more on Twitter:

  • Ticking bomb: In his opening statement at the Senate Judiciary Committee hearing, Zatko said that he was not making his accusations out of spite or malice. When he first joined Twitter, he said, “I discovered that the company had ten years of overdue critical security issues, and it was not making meaningful progress on them. This was a ticking bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed those security failures to the highest levels of the company. It was only after my reports went unheeded that I submitted my disclosures to government agencies.”
  • Opposition research: People who have worked with Zatko at Twitter or elsewhere have been contacted by sources looking for information about his credibility, Ronan Farrow reports for The New Yorker. Farrow’s story includes the text of a message sent to an acquaintance of Zatko’s that referenced “a project regarding leadership in tech” and a client who was “hoping to speak to an experienced professional about a particular individual you may have worked with” in a “45–60 minute compensated phone consultation.” The messages and emails, Farrow wrote, appeared to be from research-and-advisory companies—“part of a burgeoning industry whose clients include investment firms and individuals jockeying for financial advantage.”
  • Data hoarding, I: Zatko listed the kinds of information that Twitter collects on its users, which includes their phone number; the last IP address a user connected from, as well as previously used IP addresses; a user’s current email address, how long they’ve been using it, and prior email addresses they’ve used; where the company thinks a user lives; the location the company thinks a user is currently accessing Twitter from; what type of device a person is using to access Twitter; the Web browser they are using; and the language they are using Twitter in. Zatko told the Senate committee that any of the company’s engineers could easily access all of that user data if they wanted to.
  • Data hoarding, II: Zatko said that one of the problems with Twitter’s data-handling practices is that the company doesn’t understand all the data it collects from users or why it collects it, CNN reported. Zatko “cited an internal study conducted by engineers which allegedly found that for only about 20% of the data it collects does the company know why they got it, how it was supposed to be used, and when it was supposed to be deleted.” With the rest of the data, Zatko said, the company often “did not know what it was or why it was being collected,” according to CNN.


Other notable stories:

  • Ben Smith published a memo that he sent out on Wednesday listing the editorial staff for Semafor, the news startup he cofounded with Justin Smith, former head of Bloomberg Media. The list includes Prashant Rao, former international editor of The Atlantic; Joe Posner, who started Vox Media’s video unit in 2014; Gina Chon, a former columnist with Reuters’s Breakingviews; Tasneem Nashrulla, former deputy news director at BuzzFeed; Yinka Adegoke, a former editor with Rest of World; Alexis Akwagyiram, former digital editor at the Financial Times; Benjy Sarlin of NBC News; David Weigel, a former reporter with the Washington Post; and Shelby Talcott from the Daily Caller.
  • Brian Stelter, the former CNN media correspondent and erstwhile host of the network’s Reliable Sources show, is joining the Shorenstein Center on Media, Politics, and Public Policy at Harvard’s Kennedy School as the fall 2022 Walter Shorenstein Media and Democracy Fellow, the center announced this week. As part of his duties, Stelter will “convene a series of discussions about threats to democracy and the range of potential responses from the news media,” the center said. CNN canceled Stelter’s show in mid-August, as part of a series of changes at the network.
  • Emily Ann Russell writes for CJR about “The Objectivity Wars,” a panel discussion on Tuesday cohosted by Columbia University’s Lipman Center for Journalism and Civil and Human Rights and CJR. Panelists included Masha Gessen, staff writer at The New Yorker; David Greenberg, professor of journalism and media studies at Rutgers; Wesley Lowery, a Pulitzer Prize–winning journalist formerly with the Washington Post; Andie Tucher, a professor of journalism at Columbia; and Lewis Raven Wallace, co-director of Press On. Watch the conversation in full here.
  • Kara Swisher, a veteran technology journalist who now hosts a New York Times podcast called Sway, wrote a Twitter thread about how much of the early work that she and Walt Mossberg did at All Things Digital, which they founded while they were both with the Wall Street Journal, has vanished. “This is a thread on the ephemeral nature of content, who owns your work & why creators need to own their IP,” Swisher wrote. “This hit home when I was doing research for my memoir on covering the rise of Silicon Valley. Why? Because most of the work we did at All Things Digital has gone poof.” Swisher says she and Mossberg offered to buy the archives from the Journal when they left, but the offer was refused.
  • Twitter is still the place where media publishers collectively have the largest audiences, followed by Facebook and Instagram, according to an Axios analysis of eighty-two major news, entertainment, and sports publishers. “National Geographic, by far, has the largest social following across its main accounts, with more than 340 million followers over six major platforms (not taking into account duplication),” Sara Fischer and Kerry Flynn reported. The next closest publisher, the BBC, has more than 150 million followers across its main accounts on those platforms, followed by CNN and ESPN.
  • NYT Cooking, the subscription recipe site from the New York Times, is launching a new sideline, according to the Hollywood Reporter: $95 at-home cooking kits curated by guest chefs. “Beginning on Wednesday, readers can visit the New York Times online store to be notified when the kits are available for purchase,” the Hollywood Reporter wrote. “At launch, NYT Cooking will offer three different kits created by the chefs Nina Compton, Chintan Pandya and Naoko Takei Moore, in partnership with Times cooking journalists.”
  • Teen Vogue profiled Jack Corbett, a twenty-five-year-old producer on NPR’s Planet Money podcast whom the magazine calls “a TikTok wunderkind.” Corbett claims he is just “a guy from Ohio,” but to the hundreds of thousands of fans who follow the Planet Money TikTok account, Teen Vogue says, Corbett is “a wacky-professor figure, a talented TikTok comedian, and most importantly, a guide through the largely inaccessible world of economics.” Corbett often expresses gratitude and even confusion that NPR lets him make his oddball videos in the first place, Teen Vogue writes, “but, in all likelihood, it is exactly that affable, down-to-earth nature that makes Corbett such a good front man.”



Mathew Ingram is CJR’s chief digital writer. Previously, he was a senior writer with Fortune magazine. He has written about the intersection between media and technology since the earliest days of the commercial internet. His writing has been published in the Washington Post and the Financial Times as well as by Reuters and Bloomberg.

TOP IMAGE: Twitter whistleblower Peiter Zatko walks back to his seat after a break during a Senate Judiciary hearing examining data security at risk, Tuesday, Sept. 13, 2022, in Washington. (AP Photo/Jacquelyn Martin)