Twitter’s former security chief has told US Congress there was “at least one agent” from China’s intelligence service on the social network’s payroll and that the company knowingly allowed India to add agents to the company roster as well, potentially giving those nations access to sensitive data about users.
These were some of the troubling revelations from Peiter “Mudge” Zatko, a respected cybersecurity expert and Twitter whistleblower who appeared before the Senate Judiciary Committee to lay out his allegations against the company.
Mr Zatko told legislators that the platform is plagued by weak cyber defences that make it vulnerable to exploitation by “teenagers, thieves and spies” and put the privacy of users at risk.
“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” he said as he began his sworn evidence.
“They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Mr Zatko said. “It doesn’t matter who has keys if there are no locks.”
“Twitter leadership ignored its engineers,” he added, in part because “their executive incentives led them to prioritise profit over security”.
In a statement, Twitter said its hiring process is “independent of any foreign influence” and access to data is managed through a host of measures, including background checks, access controls, and monitoring and detection systems and processes.
One issue that did not come up in the hearing was the question of whether Twitter is accurately counting active users, an important metric for its advertisers.
Tesla chief executive Elon Musk, who is trying to get out of a 44 billion dollar (£38 billion) deal to buy Twitter, has argued without evidence that many of Twitter’s roughly 238 million daily users are fake or malicious accounts, or “spam bots”.
The Delaware judge overseeing the case ruled last week that Mr Musk can include new evidence related to Mr Zatko’s allegations in the high-stakes trial, which is set to start on October 17.
Separately on Tuesday, Twitter’s shareholders voted overwhelmingly to approve the deal, according to multiple media reports.
Shareholders have been voting remotely on the issue for weeks. The vote was largely a formality, particularly given Mr Musk’s efforts to nullify the deal, although it does clear a legal hurdle to closing the sale.
Mr Zatko was the head of security for the influential platform until he was fired early this year. He filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission.
Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming it had put stronger measures in place to protect the security and privacy of users.
Unknown to Twitter users, there is far more of their personal information disclosed than they — or sometimes even Twitter itself — realise, Mr Zatko said. He added that Twitter did not address “basic systemic failures” brought forward by company engineers.
The FTC has been “a little over its head”, and far behind European counterparts, in policing the sort of privacy violations that have occurred at Twitter, he said.
Senator Lindsey Graham, a Republican from South Carolina, said one positive result that could come out of Mr Zatko’s findings would be bipartisan legislation to set up a tighter system of regulation of tech platforms.
“We need to up our game in this country,” he said.
Many of Mr Zatko’s claims are uncorroborated and appear to have little documentary support. Twitter has called his description of events “a false narrative … riddled with inconsistencies and inaccuracies” and lacking important context.