The vote followed testimony Tuesday morning from a Twitter whistleblower, who alleged the company’s failure to secure sensitive data causes “real harm to real people.”
Peiter “Mudge” Zatko’s Senate testimony — which expanded on an 84-page complaint shared with regulators and The Washington Post this summer — alleged that Twitter executives misled the public, regulators and the company’s own board about the failed state of its data security practices.
He described an executive team that was financially incentivized to ignore root problems, such as employees having far too much access to data. Because the company wasn’t properly tracking data access, he alleged, it was impossible for the company to respond to critical national security risks — including access gained by potential foreign agents on its payroll.
Zatko, the company’s former security lead and a renowned hacker, grounded his at-times highly technical disclosures in examples of risks that lawmakers could connect to, suggesting this unfettered access could result in Twitter engineers sending unauthorized tweets from their accounts.
“It doesn’t matter who has keys if you don’t have any locks on the doors,” he said. “It’s not far-fetched to say an employee inside the company could take over the accounts of all the senators in this room.”
Twitter has previously said Zatko’s allegations appeared to be “riddled with inaccuracies,” and that security and privacy are priorities at the company. Twitter did not respond to requests for comment regarding Zatko’s testimony.
Zatko’s testimony could also factor into Twitter’s ongoing litigation with Musk, who has already incorporated some of the arguments from the whistleblower’s complaint in court.
Zatko on Tuesday expanded on allegations in his redacted complaint regarding Twitter’s employment of suspected foreign government operatives, who may have had access to sensitive data due to the company’s lack of internal controls. He said that at least two agents for the Indian government and one for the Chinese government were on the payroll of the company.
Zatko alleged that, a week before his January firing, the FBI had warned security staff that a Chinese agent for the Ministry of State Security was on the payroll. Twitter ads paid for by the Chinese government could have elicited information including the locations of users who clicked on them, he alleged.
Zatko’s testimony is already becoming a headache for Twitter and its chief executive, Parag Agrawal. Multiple senators slammed Agrawal for declining to testify before the Senate Judiciary Committee because of the company’s ongoing litigation with Musk.
Sen. Charles E. Grassley (R-Iowa), the committee’s top Republican, said if Zatko’s allegations are true, Agrawal should be forced to step down as chief executive.
The disclosures Tuesday appeared to prompt some bipartisan soul-searching among lawmakers, many of whom spoke of a combined failure to bring enforcement against tech companies.
Zatko has alleged that Twitter did not follow through on the commitments it made to the Federal Trade Commission to create a data security program.
Sen. Lindsey O. Graham (R-S.C.) said that he was working across party lines with Sen. Elizabeth Warren (D-Mass.) to create a new regulatory system that would imitate one in Europe, where lawmakers have taken aggressive action to penalize American tech companies.
Graham and Warren are on opposite ends of the political spectrum, and Graham’s proposal signals how dramatically some Republicans’ positions on tech regulation have evolved in recent years. The party has historically favored a less stringent regulatory environment for businesses.
Graham suggested a new regulator would address privacy, content moderation and foreign interference, and that it would provide an appeals process for users when companies remove their content.
“Your testimony today has legitimized what most of us feel is a process out of control, that the regulatory environment is insufficient to the task,” Graham said. “It’s time to up our game in this country.”
Sen. Richard Blumenthal (D-Conn.) floated the idea of creating a new tech enforcement agency, which would specifically address data security and national security threats posed by tech companies.
“I think the mounting evidence shows that the current regulatory structure is failing,” Blumenthal told The Post.
Zatko emphasized throughout the hearing that any new regulations need to be enforced with independent audits and metrics, to ensure that well-resourced companies are unable to game the system.
He also called on lawmakers to consider legislation that would expand whistleblower protections to other government agencies, so that more employees would be able to disclose critical information to the government. Zatko and Frances Haugen, a prominent Facebook whistleblower, filed their complaints with the Securities and Exchange Commission, which has a dedicated program that offers rewards and protections for such complaints. The FTC, the industry’s main tech regulator, does not have such a program.
Early in the hearing, Zatko spoke about the personal and professional toll submitting his complaint had taken on him and his family. He said that he did not make his disclosures “out of spite or to harm Twitter.”
“What you did today will not be in vain,” Graham said.