Twitter Whistleblower to Congress: Platform ‘Doesn’t Know What Data It Has, Where It Lives, or Where It Came From’

An image of Twitter's timeline on an Android phone is shown. Twitter's blue logo appears as the background.

It probably sucks to be Twitter. Photo: Lionel Bonaventure/AFP

Twitter received a shellacking on Capitol Hill on Tuesday after its ex-security chief Peiter Zatko told a room full of senators that the company is essentially an insecure hot mess infiltrated by more than one foreign government spy.

Hosted by the Senate Judiciary Committee, the hearing covered a range of serious allegations against Twitter made by Zatko, who in July sent a 200-page whistleblower complaint to federal agencies and lawmakers. The former employee, who was fired in January, lambasted Twitter on numerous fronts, claiming that the social media network had cybersecurity failures that made it vulnerable to exploitation; that executives prioritized profits over security; that Twitter doesn’t know “what data [it] has, where it lives, or where it came from”; and that employees have access to too much user data and too many systems, among other charges.

Although Twitter CEO Parag Agrawal was invited to attend the hearing to offer the company’s point of view, Republican Sen. Chuck Grassley of Iowa said that Agrawal had declined to attend because it would “jeopardize” the company’s legal fight against Tesla CEO Elon Musk. Musk is trying to get out of his $44 billion deal to acquire Twitter. His legal team has subpoenaed Zatko, who will comply.

The refusal didn’t go over well with Grassley—a self-proclaimed lover of Twitter—who criticized Agrawal’s decision.

“Many of the allegations directly implicate Mr. Agrawal, and he should be here to address them,” Grassley said. “So let me be very clear: The business of this committee and protecting Americans from foreign influence is more important than Twitter’s civil litigation in Delaware. If these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.”

After Zatko’s testimony, a Twitter spokesperson told Gizmodo in an emailed statement that the whistleblower’s allegations didn’t make sense.

“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the Twitter spokesperson said.

Furthermore, Twitter underscored that foreign influence does not play a role in its hiring. The company also said it had put measures in place to monitor access to its data, including background checks, access controls, and monitoring and detection systems, among others.

Alexis Ronickher, an attorney for Zatko, issued a statement after the hearing, calling it a “watershed moment.”

“Mr. Zatko is hopeful that the Committee’s work today has helped educate the public about just how dire the security and privacy situation is at Twitter and how impacted we all are by these failures,” Ronickher said. “He continues to believe that through this public disclosure process, real world harm for Twitter users may be avoided and our country’s national security better protected.”

While the three-hour hearing featured many astounding revelations, here is a breakdown of the moments that most stood out to Gizmodo.

Twitter Doesn’t Know What Data They Have, So They Can’t Delete It

In his opening statement, Zatko cited novelist Upton Sinclair, famous for his 1906 novel The Jungle, who once said: “It is difficult to get a man to understand something when his salary depends on his not understanding it.”

This can be seen among the executive team at Twitter, Zatko said, explaining that the company doesn’t know what data it has, where it is, or where it came from. Consequently, according to the whistleblower, they can’t protect it.

Later in the hearing, Zatko added that Twitter can’t reliably delete user data because it doesn’t know where that data is.

The FBI Told Twitter That It Had At Least One Chinese Agent In The Company

Republican Sen. Chuck Grassley said that the FBI had informed Twitter that there was at least one Chinese foreign agent in the company. In addition, the senator revealed that it was suspected that India had managed to place at least two foreign agents in Twitter.

While CNN and the Washington Post, which had access to Zatko’s whistleblower disclosure, had previously reported that foreign agents were inside Twitter, it was not clear what countries they were from.

Zatko was also asked why Twitter did not have a system in place to limit the access that spies from countries like India, Nigeria, and China might have inside Twitter, access they could use to identify and punish dissidents. His answer was mind-boggling.

“I think they would like to, but they’re simply unwilling to put the effort in at the cost of other efforts, such as driving revenue,” the whistleblower explained. “I’m reminded of one conversation with an executive when I said, ‘I am confident that we have a foreign agent,’ and their response was, ‘Well, since we already have one, what does it matter if we have more? Let’s keep growing the office.’”

Twitter Has Way More Data on Users Than They Might Think

At this point in our digital lifetimes, it’s clear that online companies have way more information on us than we’d like to think they do. According to Zatko, Twitter has the following information on the average Twitter user:

  • Phone number
  • Latest IP address they’ve connected from
  • Other IP addresses users have connected from
  • Current email address and how long users have been using the email with the account
  • Prior emails for the account associated with the IP address
  • An inference of where users live
  • Whether they’re connected to Twitter right now
  • Whether users are still connected even when they’re not actively using Twitter
  • Type of device users are connected with
  • Type of browser
  • Brand of the device and possibly specific device model
  • What language individuals are using to connect to Twitter

It Seems Like One of Twitter’s Most Infamous Users Was Watching

As we all know, tech’s wackiest CEO has been searching high and low for a way to get out of buying Twitter and is currently battling it out in the courts. Although Musk did not explicitly say he was watching Zatko’s testimony to Congress, he did tweet out a popcorn emoji around the same time the hearing started.

In addition, Musk tweeted out a story from the New Yorker’s Ronan Farrow, published the same day as the hearing, detailing how many of the whistleblower’s former colleagues had been approached and offered money for information on him by numerous companies acting on behalf of their clients.

“Anyone know who the secret clients are? Let’s out them on Twitter rn haha,” Musk tweeted. In a subsequent tweet, he underlined that Zatko’s colleagues wanted to defend his credibility.

Lindsey Graham Seems to Have Given Musk an Assist

Focusing on the platform itself, Republican Sen. Lindsey Graham of South Carolina asked Zatko whether he would recommend that people continue to use Twitter or “take a time out.” The Twitter whistleblower explained that he felt the social media platform was a “hugely valuable service” that he didn’t want to see shut down. He wanted it to get better.

Here’s where things got a little weird. Out of nowhere, Graham asked Zatko whether he would buy Twitter, given what he knows about the company. Considering the hearing had been about topics like privacy, security, data access, and foreign agents, that question seemed a bit off. Could Graham be trying to buddy up to Musk?

Zatko seemed taken aback and appeared to laugh nervously.

“I guess that depends on the price,” the ex-employee said.

Thousands of Twitter Employees Had Access to Advertisers’ Banking Information

All platforms seem to tell us that access to our banking information is sacred and super protected. According to Zatko, not so at Twitter. The whistleblower explained that when he first joined Twitter, “thousands of users [workers] had access to the advertiser’s information, including their bank accounts and routing numbers.”

“When I first joined, people could change that information,” Zatko pointed out. “And you can understand why changing the banking account information of a company such as Apple or Nike might be problematic.”