Chairman Durbin: ...disclosure detailing alarming allegations about Twitter security practices. Without objection, his disclosure will be entered into the record. His name is Peiter. Thank you for joining us. You are here under subpoena, so that the public can hear the details of your disclosure. You've alleged a number of security flaws and weaknesses within Twitter, flaws that may pose a direct threat to the safety and privacy of Twitter's hundreds of millions of users as well as America's national security. This actually began in 2011, when the FTC, the Federal Trade Commission, first concluded that Twitter was playing fast and loose with user data. They found that Twitter had deceived customers and put their privacy at risk by failing to safeguard their personal information. The company was ordered by the FTC to protect the security, privacy, confidentiality and integrity of user data. But you have claimed those changes have never been made. And more broadly, you have alleged that, compared to other companies, Twitter's security standards are woefully deficient. You've alleged that thousands of employees within the company have extraordinary access to sensitive information about Twitter users and that there is no oversight of how that information is accessed. Some users may be asking, what is the big deal? When you signed up for Twitter, you knowingly handed over your email, phone number, and other information. But you expect these companies to take precautions to protect the personal information you give them. It is like putting money in the bank. They take it behind the counter and put it in a vault. At Twitter, according to our witness today, the door to that vault is wide open, and that vault contains a lot more information about you than you can imagine. Twitter doesn't just have access to your tweets and email address. It also has access to all of the data necessary to directly access your device, and even pinpoint your exact location.
Say you are an American citizen, exercising your First Amendment freedom at a political protest. Or maybe you are a woman seeking reproductive health care. If you are a Twitter user, it may not just be you at the protest or health care facility. Unbeknownst to you, someone else might be right there with you, in your pocket or purse. Of course, many of us are comfortable with our phones having location data. It is helpful. But when that data isn't secure, we become vulnerable to bad actors, scammers, stalkers, even foreign agents. Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the regime and handing the data over to the Saudi government. This is a matter of life and death, as we know, for these dissidents, as the butchering of Jamal Khashoggi made clear. There's also the matter of Twitter's reach. It is one of the largest megaphones that world leaders have ever had at their disposal. We've already seen what can happen when small-time actors break into Twitter accounts belonging to government officials, but what if next time it isn't two teenagers trying to pull a scam? Imagine if it is a malicious hacker or a hostile foreign government breaking into the President's Twitter account, or sending out false information claiming there was a terrorist attack in one of our cities. The bottom line is this: Twitter is an immensely powerful platform that cannot afford glaring security vulnerabilities. Today, we have a chance to engage in a good faith, bipartisan discussion to ask what needs to be done. Politicians on both sides of the aisle have criticized Twitter. I, for one, believe that Twitter should be doing far more to combat hate speech and conspiracy theories. I would urge my colleagues to set some of these broader differences aside and try to find the common ground we need to establish security standards. With that, I turn to Ranking Member Senator Grassley.
Sen. Grassley: Thank you. A very important issue that you have brought before this committee, and I thank you for doing it. I, for one, want people to know that I love using Twitter. But we also know that big tech companies such as Twitter collect vast amounts of data on Americans. In the hands of foreign adversaries, this data is a gold mine of information that could be used against America's interests. Twitter has a responsibility to ensure that the data is protected and doesn't fall into the hands of foreign powers. Americans like me expect that Twitter will protect that information. Thanks to a whistleblower who came forward, we've learned that Twitter has not secured the data of tens of millions of Americans and countless other users. That whistleblower is here today. So we welcome you. He comes before the committee today not only as an expert in the field of cybersecurity, but also as a whistleblower. I think all of my colleagues know that I have a great deal of admiration for whistleblowers. I've always said that whistleblowers are patriotic individuals who often sacrifice their own career as well as their livelihood to root out fraud and abuse. Thank you very much for being here. Because of these disclosures, we've learned that data from Twitter users was potentially exposed to foreign intelligence agencies. For example, his disclosure indicates that India was able to place at least two suspected foreign assets within Twitter. The disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company. Based on the allegations, Twitter also suffers from a lack of data security. Due to that failure, thousands of Twitter employees can access user data, data that they don't need access to in order to do their job, yet they have access. And the foreign assets work for Twitter. That means these foreign assets can also access the data.
To put a finer point on the allegations, Twitter has allegedly used the data it collects and the tools it has to locate individuals who made threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to cut down pro-democracy dissidents within their country, but also to spy on Americans. This has actually happened in the past. In 2019, two Twitter employees were indicted by the FBI. They used their position at Twitter to access private user data and then gave it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6,000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of a company that is solely focused on profit at any expense, including at the expense of the safety and security of its users. Additionally, it has been alleged that Twitter knowingly violated a consent decree that it entered into with the Federal Trade Commission in 2011. That consent decree required Twitter to address their access failures. However, instead of complying and fixing these very serious security matters, Twitter instead misled its board of directors. So I'm concerned that for all those years, the Federal Trade Commission didn't know, or didn't take strong enough action, to ensure Twitter complied with the consent decree. This is a consent decree that was intended to protect Twitter users' personal information. As Congress considers federal data privacy legislation, I think it is important that we see these revelations of how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC's ability, or lack thereof, to successfully oversee these important issues. Twitter also needs to answer questions about its content moderation. It was revealed to this committee that Twitter outsources a great deal of that moderation to foreign countries.
They have posted 2,000 employees from other countries whose job it is to screen tweets by Americans. They also lack the appropriate number of translators to ensure that tweets in other languages are complying with Twitter's own rules. Mudge had limited visibility into content moderation, so these are questions that need to be answered in full by Twitter, because we can't expect Mudge to respond to them. Unfortunately, this committee will not be able to get answers about content moderation because Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear, claiming that it would jeopardize Twitter's ongoing litigation with Mr. Musk. Many of the allegations are directed at him, and he should be here to address them. So let me be very clear. This committee protecting America from foreign influence is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how he can maintain his position at Twitter. I will continue to conduct a thorough investigation in that process.

Chairman Durbin: You will have six minutes for an opening statement and six minutes of questioning to follow up. We start with the customary oath, and I ask that you please stand for that purpose. Please raise your right hand. Do you affirm the testimony you are about to give will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witness has answered in the affirmative. I appreciate your attendance here. I think your microphone may need...

Peiter: Thank you very much, sir. Chairman Durbin, Ranking Member Grassley, members of the committee, I appear before you today to answer questions about the submissions and disclosures about cybersecurity concerns from my years while working at Twitter. My name is Peiter Zatko, but I am more often referred to by my online handle. For 30 years, my mission has been to make the world better by making it more secure.
From November 2020 until January 2022, I was a member of Twitter's executive team. In my role, I was responsible for security, privacy, physical security, information technology, and Twitter global support. I am here today because Twitter's leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. And when an influential media platform can be compromised by teenagers and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, and repeatedly raised the alarm of the real risks associated with them, these were problems brought to me by the engineers in the company themselves. The executive team chose instead to mislead lawmakers and the public, instead of addressing them. This leads to obvious questions. Why did they do that, and what were the problems and vulnerabilities identified? So that is what I'm here to talk about. First, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from. Unsurprisingly, they can't protect it.
This leads to the second problem, which is that employees have too much access to too much data and too many systems. You can think of it this way: it doesn't matter who has the keys if you don't have any locks on the doors. The vulnerability is not in the abstract. It is not far-fetched to say an employee inside the company could take over the accounts of all of the senators in this room. Given the real harm to users and to national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my disclosures out of spite or to harm Twitter. I continue to believe in the mission of the company and root for its success. But that can only happen if the privacy and security of Twitter users and the public are protected. In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the public, and myself, that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That is what I am continuing to do here today. I stand by the statements I made in my disclosures, and I am here to answer any questions you may have about them. Thank you.

Chairman Durbin: Thank you, Mr. Zatko. Each member will have six minutes to ask you questions. Those of us who are not experts, but who rely on the internet every day for personal and professional reasons, know that many times we are given disclosures, lengthy disclosures that scroll across the screen, which are hardly ever read. They usually end up at the bottom box, and that is as far as we go with a warning about what we are getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned, if they are opening a Twitter account, as to what is going to happen with their data?
For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable; somebody could use that at some future time. I hope not, but it could happen. What I infer from your testimony, and what we have read about your findings, is that there is a lot more information being collected by Twitter beyond that basic information that is going to be used for a handful of different purposes. Is that correct?

Peiter: Yes, I entirely concur. When you sign up for an account, I hope that the company is responsible. Not to say that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that is the case. As far as the type of data, I believe Senator Grassley referred to an incident. We had a user on Twitter that was threatening some members of the executive team and the board. This person came to me and said, this is a real, viable threat. Do I need to be worried? Who is this person? It took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? It took that person maybe 10 minutes to get back to me and say, OK, here is who they are, this is the address where they live, this is where they are physically at this moment, they are on their phone, we know their phone number and all of the other accounts they have tried to set up on the system, and we know that they are on other social media platforms as well.

Chairman Durbin: So, unbeknownst to a Twitter account user, there was access to information far beyond what you think you have disclosed that can be found. Should there be a warning? You say at one point Twitter has about 20% of its data registered and managed, meaning the company is incapable of securing the sensitive information it collects. Tell me, that is a pretty stark statement that suggests a warning to users: literally anything you disclose or use the account for could be used for bad purposes.

Peiter: Yes.
In this case, my concern was more that Twitter didn't even know what it was collecting. This was one of the problems, because I kept looking at why they have so many security issues. The same amount year after year. Why are the same percentages from the same systems problems? Why aren't we closing on this? What is fundamentally under the hood and broken? Where is the systemic failure? It turned out that the engineers, on their own, weren't given the time and the resources to do this part of their job. That only about 20% of the information that they had, that they were collecting, did they know why they got it, how it was given to them, how it was supposed to be used, when it was supposed to be deleted. The remaining 80%, and I refer you to the disclosures, was: we know that our systems are using some of this other data, but we don't know what it is. And a lot of the data, they just recognized, we don't even know what these are. A huge amount of data. And that included personally identifying information, phone numbers, addresses. So for me, the concern is anybody with access inside Twitter, who has access to the production environment that has it, can get that information to use for their own purposes.

Chairman Durbin: So the data being managed, the one with the Twitter account, is vulnerable in that regard. It wouldn't exactly get a passing grade for Twitter when it comes to the security of information. On the other side of the ledger, would you agree that there were agencies that had some responsibility to make sure that American consumers' privacy and security is protected?

Peiter: So that was something that came to mind as well. This is over a decade. However we've been watching this, especially since there were at least four for the exact same problem, collected for security purposes? How can we keep making these same mistakes? What is the FTC missing, or what is it that we are telling the FTC that is incorrect? Honestly, I think the FTC is a little in over their head.
Compared to the big tech companies and the challenge they have against them, they are left letting companies grade their own homework, and I think that is one of the big challenges.

Chairman Durbin: I am running out of time. I will just say that I think that the area of great concern as well is the access of foreign governments and foreign agencies to Americans signing up for Twitter, at least vulnerable to that possibility. We know that the conviction of individuals in Saudi Arabia by the Saudi government is proof positive of that possibility. Thank you very much.

Sen. Grassley: I'm picking up where the chairman just left off. The comment is, the Chinese government bans Twitter. Companies based in China advertise on the platform. They have presumably been redirected to a website to go for the Chinese government to collect vast amounts of data. With respect to pro-democracy Chinese citizens, is Twitter endangering their lives by allowing China to advertise on the platform?

Peiter: I think that is a very valid concern, sir. That was a concern raised to me by the employees inside Twitter, who were disturbed that, in a country where the service was not allowed to be used and provide a voice to the public, that money was being accepted from organizations that may or may not be associated with the Chinese government. And I believe there was a news article just a day or so ago saying that they did identify that there were governments related to China advertising on the platform in violation of Twitter's own policy. With the executive in charge of sales, very shortly after I joined, there was this big internal conundrum. We are making too much money from these sales. We are not going to stop. We need something that will make the employees more comfortable with the fact that we are doing this. We need to figure out how to essentially thread this needle, which made me a bit uncomfortable.
And they didn't know what people they were putting at risk, or what information they were even giving to the government, which made me concerned that they had not thought through the problem in the first place, that they were putting their users at risk for. And that was a very common problem, where I saw that Twitter was a company that was managed by risk and by crises instead of one that manages risk and crises. It was very reactionary. It would react too late.

Sen. Grassley: I think you just answered this question, but I want to ask it and see if you have said all you wanted to on the subject. While at Twitter, you raised concerns about Chinese advertisements. What was Twitter's response?

Peiter: In a nutshell, it was: we are already in bed, it would be problematic if we lost that revenue stream, so figure out a way to make people comfortable with it.

Sen. Grassley: According to your disclosure, thousands of Twitter employees have access to Twitter user data and internal systems. That includes over 4,000 engineers, which is half of Twitter's workforce. However, you stated that they don't need that kind of widespread access to perform their job duties. Based on Twitter's lack of data security, what kind of access would foreign agents have, and what kind of data would they be able to obtain? Please explain why this is a problem and how it could impact U.S. national security.

Peiter: Let me break that down into two parts of an answer. Twitter has engineers and non-engineers. Twitter does not have, at least when I was there in January of 2022, a testing environment where it develops, a staging environment. This is an oddity; this is an exception to the norm. Most companies have a place where you test yourself, you make sure that it is working the way you want it to. Think about somebody building an airplane and saying, I am going to put it in a wind tunnel, I am not going to put passengers on it or put it in the air. The running systems, the live data.
When you become an engineer, and half of the company are engineers, you are by default given some access to this production environment. You are doing the testing, you are doing your work on live systems and live data, irrespective of where you are in the world as an engineer. So if you are a foreign agent hired as an engineer, you've got access to all of that data that we talked about. The 80% that Twitter does not know, that engineers studied and realized is personally identifying information, other information where there is a lack of access control, because there is too much data and they just don't know where everything is, so they have to give access. But also recall that foreign agents can have multiple goals. Sometimes it is not just the engineers and the technical access that they want, but it might be information about the plans of Twitter. What plans Twitter has, potentially, to censor information on the government or concede to a government request, or what plans they have for expansion in a particular environment. In most cases, that is what I saw with high confidence from India: to understand negotiations and how well they were going, with having difficulties with Twitter in India.

Sen. Grassley: In your disclosure, you mentioned that the FBI notified Twitter that one of their employees was suspected of being a Chinese foreign asset. Were you and others at Twitter at all surprised by that?

Peiter: This was made aware to me maybe a week before I was dismissed. I had been told because the physical security team had been contacted, and there was at least one agent on the payroll inside Twitter. While it was disturbing to hear, I and many others, recognizing the state of the environment at Twitter, were really thinking it is a very valuable tool for agents.

Chairman Durbin: Senator Feinstein?

Sen. Feinstein: On August 10, 2022, a federal jury convicted a Florida Twitter employee of acting as an unregistered foreign agent for the Kingdom of Saudi Arabia.
The individual accepted payments in exchange for accessing and conveying the private information of Twitter users to Saudi officials. That individual is one of two former Twitter employees charged by the Department of Justice for their efforts to provide Saudi officials with the personal information of dissidents and activists critical of the Saudi regime, including sensitive data that can identify and locate these individual users. Another question. As head of security, can you describe the types of efforts you've seen by foreign governments to infiltrate, control, exploit, and surveil on Twitter, and share what steps Twitter and regulators should have taken to protect against these attacks?

Peiter: Yes, ma'am. One of the disturbing things that I saw, based on the 10 years behind where I would expect a modern tech company to be, was a lack of ability to internally look forward and identify inappropriate access within their own systems. Other than the person who I believe was a foreign agent placed in this position from India, it was only going to be from an outside agency, or somebody alerting Twitter that somebody already existed, that they would find the person. What I did notice, when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent, was that it was extremely difficult to track the people. There was a lack of logging and an ability to see what they were doing, what information was being accessed, or to contain their activities, let alone set steps for remediation and restitution of any damage. They certainly lacked the fundamental abilities to hunt for foreign intelligence agencies and expose them on their own.

Sen. Feinstein: You said it was difficult to track. Explain exactly what you mean about that, and secondly, what could be done to curb that?

Peiter: One of the most senior engineers at the company came to me not long after I was there and said, you should know that this company doesn't really have centralized logging.
We don't log the activities of the systems. I was surprised by this. Most tech companies, most companies I know of, even not in tech, have logs of what is happening in their systems, and this tells you who is doing what, where, when it happened. Later on in my tenure I learned that there were thousands of failed attempts to access internal systems that were happening per week, and nobody was noticing. And when they brought this up, people said, who is it, what is it? I said, that is what we're trying to find out. This fundamental lack of logging is a remnant of being so far behind, of not being given the ability to put things in place, to modernize. I can give an example. Let's suppose you have five credit cards and you are receiving statements each month, but only two of those statements give you detailed transactions. First off, for three of those credit cards, you're not going to be able to look at the transactions. For those remaining two, you kind of wing it and say, I need all those credit cards to stay alive. That is kind of the analogy I have for the logging situation at Twitter. Trying to understand an adversary identified inside, and what it is doing, can be pretty challenging without logs.

Sen. Feinstein: Have you thought about how one would design legislation which would maintain some basic, necessary rights, and yet cover this area?

Peiter: Well, I've been thinking a lot about the regulators because, of course, I was very curious as to how Twitter was still operating like this, with regulation aimed at addressing a fair amount of this. I noticed a few things. One, there were a lot of evaluations and examinations which were interview questions. Essentially, the organization was allowed to grade their own homework. There wasn't a lot of ground truth. There weren't a lot of quantified measurements. And a fair amount of that came from companies that Twitter themselves were able to hire, so I think that is maybe a conflict of interest.
I also noticed that, of all of the regulators, some of the foreign regulators were much more feared than the FTC. For instance, the French version of the FTC terrified Twitter in comparison to the FTC. And when I looked at why, it was because there was more of the fear that it would not be a one-time fine. One-time fines did not bother Twitter at all. When I saw the reason, it was much less than we had been concerned about, and each time in my discussions with the chief privacy officer, with privacy engineers, and the executives, they said, OK, we will pay that and keep kicking the can down the road, and maybe we will get another one-time fine. Wall Street did not seem to care because it wasn't a long-term problem that was ongoing. What did make these companies afraid was that there was a risk of: hey, you have mishandled the same type of data repeatedly. Maybe we are not going to let you handle the data? If Twitter mishandled email addresses repeatedly, the concern was, if the FTC were to tell it that we are not allowed to monetize email addresses because of our continued inability to handle them correctly, well, then we might not be on fair footing with our competitors, and that scared them and made them move. I believe something like that did happen to Facebook, which has been used as a sort of cautionary tale inside organizations. I think the regulators have tools that do work, but they are not able to see which tools in the tool belt are the ones actually working.

Chairman Durbin: Thank you, Senator Feinstein.

Sen. Lee: Thank you very much, Mr. Chairman. Thanks for being here. In your disclosures, you include information that Twitter's head of privacy engineering and the chief privacy officer reported the following to the board of directors toward the end of 2021. This is a quote. Every new employee has access to data they do not need to have access to.
It also added that until Twitter could reach the point of a system to manage and access the data, they were at risk of access or use of data. They also reported that our inability to delete data compounds that risk, as we retain data that we should not have, and which is therefore accessible by people who do not need to have access to this data. Tell me, what action was taken by Twitter's board of directors in response to this rather shocking information?

Peiter: This is not the first time the board of directors has been made aware of that. There was no change or mandate or charge before the board of directors.

Sen. Lee: What do they mean when they refer to the inability to delete data? Why is that significant?

Peiter: If you don't know where your data is, as we talked about, these large amounts of data, and somebody says, I've left the system, and maybe the FTC asks, have you deleted all the user data? Have you deleted all the user data? You can't respond in the affirmative.

Sen. Lee: If you deleted the account.

Peiter: Correct, because you don't know where this data lives in the systems, because you don't know what data you have access to.

Sen. Lee: So are you saying that Twitter is actually unable to delete data, or just unwilling?

Peiter: It is unable, because they do not know where it is. They are unable to comply.

Sen. Lee: OK. But this has resulted from a deliberate decision at some point to adopt protocols that don't allow them to do that, right?

Peiter: To choose other priorities rather than to correctly register and track where the data lives.

Sen. Lee: But it is physically possible. You could have a database in which you could track that.

Peiter: Absolutely. If you knew where everything was in your database, you could delete it if you chose to make that a priority. You could absolutely go delete it, but that has not been prioritized over projects such as increasing revenue or users.

Sen. Lee: Now, I'm concerned, as I assume most or all Americans would be, those who have become aware of these concerns, that Twitter has seemingly turned a blind eye, rather deliberately, to some pretty significant security risks. Essentially, compromising their own personal data and exposing geolocation information both to hackers and to foreign government agents and to other people who, for whatever reason, whether for corporate espionage purposes or other commercial purposes or otherwise, might want to gain access to this information. Based on your disclosures, it seems to me that Twitter's CEO is more concerned with increasing influence and profits from foreign countries than with protecting user data from foreign spies or hackers. Now, you claim that Twitter has hired foreign government agents as sort of the cost of doing business in countries like India, Nigeria, and China. Related, Twitter has knowingly hired these government spies so it cannot risk losing access to users and markets in those countries, or, in the case of China, to not lose access to advertising revenues. These engineers who are suspected of being foreign agents, do they have access to all user data, or just a certain subset of user data?

Peiter: To be very specific, the incident was not an engineer, and as I mentioned, I think that was put in place more to understand Twitter's internal negotiations with the ministry of India, to have inside information.

Sen. Lee: They work with other people who were, themselves, engineers?

Peiter: Yes, sir, there were numerous engineers in the office. I'm sorry, I'm focused on that part of your question.

Sen. Lee: Can I ask you this: is there any way to track what data they access, or the data that they share?

Peiter: We found that to be very difficult.
Peiter: We had to set up a specific, small team individually to try to create a unique environment just to allow us to track and monitor one individual, because of the lack of general logging and access control, which we found to be unscalable and not reproducible should there be any other people like that. There was a lack of basic, fundamental access control.
Sen. Lee: I'm almost out of time, but I need to know this: why would Twitter not create a tracker or a logging system to follow this sort of thing, to make sure it was handled correctly? Particularly given that they know that many foreign governments like India and Nigeria and China specifically want to access and use that data to find and root out and punish dissidents? Why would they want to do that? Why would they subject their own users to this kind of harm, with the great implications that it carries for those countries?
Peiter: I think they would like to, but they are simply unwilling to put the effort in at the cost of other efforts such as driving revenue. I am reminded of one conversation with an executive where I said I am confident that we have a foreign agent, and the response was, "Well, since we already have one, what does it matter if we have more?"
Sen. Lee: Thank you.
Sen. Durbin: Senator Klobuchar.
Sen. Klobuchar: Thank you. Following up on that point, I just returned from Ukraine, seeing the extent of the damage inflicted by the Russian invasion. I was troubled to learn of Twitter's leadership that recently considered agreeing to the Putin regime's request to censor and surveil Russian Twitter users. Twitter ultimately did not agree to the request, as far as I understand. What can you tell us about requests made by foreign governments and the risks that those demands pose, and why would a company like Twitter consider agreeing?
Peiter: I was very surprised and shocked by that one-on-one conversation, which I had prior to his assuming the CEO role.
Peiter: I understood it as out of a frustration at the inability to perform, and this kind of comes into the content moderation, which was a conversation that I had with Twitter: "We don't really have the ability and tools to do this correctly. This is a lot of work, it is not driving our main executive goals. Is there a way that we can simply punt? Since they have elections, doesn't that make them a democracy?" Thank you.
Sen. Klobuchar: Thank you. I am a big believer that these companies, not just Twitter, have to invest more in protecting data and protecting the public. I've heard Senator Durbin talk to you about the agencies, and you agree with me that the agencies in the U.S. are underfunded when it comes to taking on these major cases. I'm going to put the mirror back on ourselves here in Congress. Do you think it would be helpful if we had some privacy legislation in Congress?
Peiter: I think one thing that would be very helpful is that the FTC and other regulators don't have laws or rules that would create whistleblower protection programs for people while they were still in these organizations. I think that is where a lot of information is, and a lot of people share the information. When I came on board, they were excited that there was an executive that was listening and that was willing to ruffle feathers, that was willing to fight for some of these things.
Sen. Klobuchar: Are you aware that Senator Grassley and I actually passed a bill to change the fees that got through this committee unanimously, passed through the Senate, and is sitting somewhere in purgatory over in the House, that would allow us to maybe be as scary as France or some other country, and that we have been unable to get that decisive, this probably being the 50th hearing between Commerce and Judiciary? We have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies, when it comes to the protection of kids.
Sen. Klobuchar: And so at some point, when we talk about the agencies, we had better be putting the mirror on ourselves, because I was listening to your quote, and it is difficult to get someone to understand something when his salary depends on him not understanding it. Could you talk about the lack of action in Congress and how that has actually created an environment where these companies feel like they can do anything, from destroying our newspapers and public good to basically not taking correct actions when it comes to hacking?
Peiter: That is your world, not mine. I appreciate the effort you are doing. What I did see is that any laws or bills passed or actions in the past, if they are not able to be quantified and externally audited by an independent viewer, were gamed a lot, by what I saw inside big tech, in the ability to sort of answer in the affirmative without actually doing what the intention was of the regulation.
Sen. Klobuchar: On accountability, to require digital platforms to give researchers and independent experts access, for addressing what they found as serious problems and making recommendations: how could independent groups help?
Peiter: Independent groups having independent eyes and providing ground truth on that. I think it should be clear, first off, the engineers and the employees, much has changed. The culture, and I can speak primarily on Twitter because that is the company I have been involved with, it is a culture where they don't prioritize; they are only able to focus on one crisis at a time. And that crisis is not completed, it is simply replaced by another crisis. I think they would like to have all of these things fixed, but they are unwilling to bite the bullet and strategically say, "Hey, we are going to have to devote the time and money to get these basic things in place and do the legwork," rather than just react to what is coming in that they hear from a hearing like this or from the news.
Sen. Klobuchar: Last thing, you talked about how Twitter is not focused enough on removing misinformation and hate speech, particularly within a language that employees didn't even speak. Obviously you cannot check whether or not a tweet violates rules if you don't speak the language. I've had my own experience directly conveying the misinformation spread about me that resulted in, in effect, death threats on a number of my family. And nothing ever changed, except, finally, regular media reported that it was a lie. Those are the kinds of things that happen to people in this building because of the misinformation that is rampant on social media. Could you comment about what you think they should be doing about that?
Peiter: I'm very sorry to hear about that. The lack of language was stunning to me. This was a situation where I brought in a world-class leader for Twitter Global Support who also identified this, and they started saying, "We can't react to a language situation." But something was happening more and more. You can't wait until after it happens and then go, "Where are the native speakers?" Those translators were already hired elsewhere. You have to understand, 80% of Twitter's users are outside of the United States. You can't create a healthy environment. You can't serve the public conversation if all you can do is look at it and say, "I hope that the translator is doing the job for me."
Sen. Klobuchar: Thank you.
Sen. Durbin: Thank you, Senator Klobuchar. Senator Kennedy.
Sen. Kennedy: Thank you, Mr. Chairman. Mr. Zatko, give me 30 seconds. Strike that. Senator Grassley is an active user on Twitter. I will use him as an example. Give me 30 seconds on the type of information Twitter has on Senator Grassley, or someone like him.
Peiter: If there was somebody that just came to me and said, "Hey, we've got a problem with this user"...
Sen. Kennedy: Just give me 30 seconds on the type of information Twitter has on the average user.
Peiter: Sure.
Peiter: The phone number, the latest IP address they have connected from, is this the current email, how long have they been using that email account, what are their prior emails, former IP addresses, where do we think they live, where do we think they are connected right now, are they still connected or actively using the information, what type of device are they connected with, what type of web browser are they using, which computer, what language did they connect in? Those are some of the systems.
Sen. Kennedy: Thank you for that. And I want to understand: you are telling this committee that all of the engineers and half of the employees of Twitter have access to Senator Grassley's account?
Peiter: Half of the employees of Twitter are engineers. The engineers are by default given some access...
Sen. Kennedy: Do they have access?
Peiter: From what I saw, if they wanted to root around in the data and find it, they could find it.
Sen. Kennedy: Let me understand. I'm not trying to trick you. From your testimony, I understand that half of all of the engineers and half of the employees at Twitter have access to Senator Grassley's account. Is that correct?
Peiter: Based upon what I saw, technically, yes.
Sen. Kennedy: And if they go into Senator Grassley's account, if an engineer does, for example, Twitter doesn't know that that engineer has done that? Is that correct?
Peiter: It would be difficult to find that, correct.
Sen. Kennedy: So you don't have a login and logout system.
Peiter: There was not the easy ability for me to find which engineers had logged into which systems and what data they had accessed.
Sen. Kennedy: OK. So this engineer who can secretly go into Senator Grassley's account and get all this information, Twitter has no idea what the hell he is going to do with that information, does it?
Peiter: No.
Sen. Kennedy: So that engineer, Twitter... could sell it, for example, couldn't it?
Peiter: I'm sorry, what?
Sen. Kennedy: Could sell it.
Peiter: I've seen numerous accounts on underground forums offering such access. Whether those are valid or not, I have seen offers of access to delete accounts.
Sen. Kennedy: So that engineer could just call one of his buddies and say, "You don't like Senator Grassley, let me give you some information here that you may want to use against him." Could that engineer do that? Would Twitter know that the engineer had done that?
Peiter: Not necessarily.
Sen. Kennedy: Now, did Mr. Dorsey know all of this?
Peiter: I did explain this to Mr. Dorsey. My understanding is he did not understand this prior to me cluing him in.
Sen. Kennedy: Does he understand it now?
Peiter: I believe...
Sen. Kennedy: How about your CEO?
Peiter: I believe so. He has been there for 10 years and rose up through the ranks in engineering, and he has talked with engineers and they have told...
Sen. Kennedy: Is that a yes?
Peiter: I believe yes.
Sen. Kennedy: How about Salesforce? Does he know about this?
Peiter: I do not know whether he understands.
Sen. Kennedy: You've got an executive from Mastercard. I'm going to probably mispronounce the last name. From Mastercard. Does this board member know about it?
Peiter: I do not know if she knows that.
Sen. Kennedy: Is this the kind of thing that a reasonable board member would inquire about?
Peiter: I would think so, but I've also seen that what was presented to the board was not representative.
Sen. Kennedy: Did the board ever ask?
Peiter: The board did not ask these directly.
Sen. Kennedy: Even after these problems with foreign agents?
Peiter: Not when I was there during the meeting.
Sen. Kennedy: They just sat there?
Peiter: They focused on other topics.
Sen. Kennedy: Dr. Li is a professor at Stanford. Does he know all of this?
Peiter: Same response. I did not see questions on this specific topic.
Sen. Kennedy: Someone that used to be with Google.
Peiter: Same response. Actually, Patrick Pichette was the one where I brought up this instance; he hit the roof. He was very upset.
Sen. Kennedy: Did he fix it?
Peiter: No, he asked for follow-up information.
Sen. Kennedy: Why hasn't Twitter fixed this?
Peiter: There were other priorities.
Sen. Kennedy: It is about the money, isn't it?
Peiter: It's about whatever crisis and the other priorities.
Sen. Kennedy: The fixes would cost them money, wouldn't it?
Peiter: It would take focus away from other aspects.
Sen. Kennedy: It would cost money, wouldn't it?
Peiter: Most likely, yes.
Sen. Kennedy: Twitter for a while was going to go into the porn business. Did they do that?
Peiter: I don't know that they did that. I did not know they were going to go into that business.
Sen. Kennedy: Well, they were. Do you know why they decided not to?
Peiter: I do know there were discussions about adult-related information, and the discussions internally I heard were simply concerns about lack of tools to correctly regulate or constrain it.
Sen. Kennedy: So it wasn't a moral issue, it was... why did they not go in the porn business?
Peiter: I do not know.
Sen. Kennedy: Lastly, who sets the standards for censorship at Twitter?
Peiter: I believe that comes out of counsel.
Sen. Kennedy: Your lawyer?
Peiter: I believe so.
Sen. Kennedy: Do they talk with the board about it?
Peiter: I have been advised, out of an abundance of caution, I should not comment on any Twitter counsel conversations, for a subpoena Twitter might have served.
Sen. Kennedy: Thank you.
Sen. Durbin: Thank you, Senator Kennedy.
Sen. Blumenthal: Thank you for being here, for your extraordinarily insightful and significant testimony here today, at substantial professional and personal risk, and for your cooperation with me and my staff off the record in providing details important to our understanding, and the more of it made public, I think, the better. Would you agree Twitter has put its users' health and safety severely at risk?
Peiter: Yes, sir.
Sen. Blumenthal: And put the national security severely at risk?
Peiter: Yes, sir.
Sen. Blumenthal: That they have misled their own board of directors?
Peiter: Yes, sir.
Sen. Blumenthal: In that event, the management ought to be certainly restructured, shifted, changed, correct?
Peiter: Yes, sir.
Sen. Blumenthal: That kind of structural reform is necessary to achieve changes within the company.
Peiter: That is my belief.
Sen. Blumenthal: You also said this company has misrepresented facts to government agencies, most especially the FTC. That is correct, isn't it?
Peiter: Yes, that is correct.
Sen. Blumenthal: I think you shared in your complaint that Twitter management was intending to mislead as well regulators about compliance with the consent decree, correct?
Peiter: That is correct.
Sen. Blumenthal: How high in the Twitter management would you say that intent to mislead, in effect to deceive government agencies, went?
Peiter: To the CEO. I do not know to what level inside of the board. They did not know because of misrepresentation or chose not to push.
Sen. Blumenthal: The misleading of government agencies is one of the reasons why stronger action has not been taken?
Peiter: It could very well be, sir.
Sen. Blumenthal: But it also, in effect, is the result of a lack of vigorous law enforcement, whether because of inadequate resources or a failure of will.
Peiter: That could be as well, sir.
Sen. Blumenthal: The most recent settlement with Twitter was a payment of 150 million earlier this year. The FTC and Department of Justice stated Twitter violated the 2011 consent decree. That is no surprise, but the size of the penalty, a mere 150 million, amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan, given that its profit in the second quarter this year was about 1.18 billion, correct?
Peiter: That is correct. While I was there, the concern only really was about a significantly higher amount, significantly higher, or that would have been a more institutional restructuring risk, but that amount would have been of little concern while I was there.
Sen. Blumenthal: To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming, and energizing our regulatory apparatus, not only as to Twitter but also as to other internet companies and platforms. Would you agree?
Peiter: I would. The intent of the regulators is the right intent, but it is not being followed or correctly adhered to.
Sen. Blumenthal: All of what you're seeing, everything in your complaint and a lot of what we have heard in this committee and other committees, leads me to think we need a new agency. As reluctant as I am to suggest a new government bureaucracy, I don't think it needs to be a government bureaucracy with a lot of new people, but it needs to be a new means of enforcement here to bring cases to the Department of Justice, focusing on privacy, security, and protecting users as well as our national security. Would you agree?
Peiter: I had not considered that. I will have to think about that. That is an interesting approach.
Sen. Blumenthal: I'm not reaching any conclusions, but what we are doing right now is not working. You would agree to that?
Peiter: Yes. What I've seen, the tools used out of the tool belt are not working, and I do believe other tools in the tool belt do work, but the regulators are not able to quantify and get measurements that would show them to switch to the other tools they have.
Sen. Blumenthal: What are the remedies that, for example, other countries have that enable them to better protect privacy?
Peiter: Some are simply much more aggressive and do not accept answers at face value, put strict time constraints on requiring answers, require data to back up the answers, and threaten to preclude monetizing entire markets, such as "maybe you will not be allowed to monetize in France," or "maybe you won't be allowed to use particular data sourcing in France, and you have a week to respond," sort of approach.
Sen. Blumenthal: Let me finish on that note, to expand on this and a clear theory of the case: essentially, users and their information are Twitter's product. They are the means to monetize the eyeballs on the site; to collect, use, and monetize that information is the Twitter business. So their reckless disregard for their users' health and safety and the national security is a product of that incentive. Would you agree?
Peiter: Yes, sir. That is why I understand the M in mDAU to be monetizing average daily users.
Sen. Durbin: Thank you. Senator Blackburn.
Sen. Blackburn: Thank you, Mr. Chairman. Thank you for joining us. I'm a grandmother and a mother. I want to talk with you about this process Twitter has gone through. They tried to start a new subscription-based adult entertainment section. Are you familiar with that?
Peiter: No, I'm not.
Sen. Blackburn: Well, they had to scrap the plans because an internal team found they had too much child and nonconsensual pornography that was on their site already. Are you aware of that?
Peiter: Unfortunately, that does not surprise me.
Sen. Blackburn: There's a federal court case against Twitter because the site repeatedly refused to take down tweets of children as young as 13 and 14 performing sex acts in photographs and videos. These were posted by sex traffickers who were impersonating a teenage female. So, my question is, why? For what reason would Twitter refuse to take down this sexually explicit content if it knew it was affecting underage children? Why would they leave this up? Why would they refuse to take this down?
Peiter: From what I saw, and on the area of adult content, because that was brought up, their concern was certain advertisers did not want adult content to appear next to ads they were putting, and that was a concern inside of the company, the lack of...
Sen. Blackburn: They had a monetary concern but not a moral concern?
Peiter: I can't speak to the morals of the people internally, but there was a concern whether or not they could even correctly identify and get ahead of this, because they lacked the basic tools and resources in those teams, and it would have to be in reaction after things were posted.
Sen. Blackburn: So what do they do to police this sexually explicit material, especially when it pertains to children?
Peiter: That was not under my area, so I do not have information to talk specifically to that.
Sen. Blackburn: OK. So there is not a standard operating procedure to block this, to take it down?
Peiter: I believe they have, or I was told they have, some voluntary self-tagging and self-reporting of whether you are an adult content account, but I'm not aware of the other processes or procedures in the company.
Sen. Blackburn: Let me ask you about the FTC. Senator Blumenthal was just asking you about that. Did you ever participate in calls or meetings with the FTC in which you heard specific misrepresentations made by Twitter?
Peiter: No, ma'am. I was not in the calls.
Sen. Blackburn: You had no direct knowledge?
Peiter: I got direct briefings from the people who were in the calls telling me what they did.
Sen. Blackburn: So it was all secondhand.
Peiter: Correct, from the people involved in the calls.
Sen. Blackburn: Did the FTC come to Twitter and identify specific conduct or representations that concerned them?
Peiter: That would be a question you have to ask the chief privacy officer, who would have been the recipient of that outreach.
Sen. Blackburn: Let me ask you about the issue of click-through ads. I know many times our adversaries will, through a company in China, specifically, the CCP will be part owner of a company. So they use click-through ads to gain access to platform user data, including China, including other adversaries, and including places where Twitter is blocked, and they are finding ways to evade the tracking and to get into these networks.
Sen. Blackburn: In your experience, is this a typical practice that happens at the global platforms?
Peiter: Click-through ads do expose a risk; non-click-through ads do not. If you can get a user to click through, you would get the information I was describing: IP address, browser. From the IP address you could determine their geolocation, or whether they were using a VPN or not, if that is allowed in your country, and you could interrogate that person's computer or get them to provide more information, maybe that they do not know they are providing directly to you, thinking it is an ad on a service.
Sen. Blackburn: Could this be remedied in any way? And Senator Klobuchar talked about this, the national privacy standard. If we had a national privacy standard, would that help to secure an individual's information online, and would it help in any way in policing these click-through ads?
Peiter: I think addressing in general the difference of the information, or making people aware, and then providing a context around when a user knows they are providing information, and what information they are providing, no longer to the service they thought they were interacting with, could definitely benefit a user.
Sen. Blackburn: I want to ask you one thing about censorship. During your time at Twitter, did you participate in any conversations or meetings where content moderation decisions were made based on a poster's political views?
Peiter: I never investigated, or was in, or heard of decisions on that particular topic. I was focused on the crisis and fires in the area of my domain.
Sen. Durbin: Thank you, Senator Blackburn. Senator Coons.
Sen. Coons: Thank you very much. Thank you for coming forward. This is yet another eye-opening moment for our public, our nation, and for this committee.
Sen. Coons: We know social media and new communications technologies have empowered people across the world to connect and share information at an unprecedented scale, but we also know concentrating all this information and resources in a few hands comes with greater risks. So your whistleblower complaint contains really striking allegations, which shed light on several key realities, and I wanted to focus on those. The first, as you stated in a number of exchanges with my colleagues, is the public lacks any credible way to assess whether major platforms and technology companies are protecting or prioritizing user privacy. I wanted to talk a bit about a bill I have that Senator Klobuchar also mentioned that would help strengthen some of that transparency. And the second I will get to is these platforms are a target for foreign actors, something where the subcommittee I chair is having a dedicated hearing tomorrow afternoon. You commissioned an independent report regarding Twitter's platform integrity and their ability to combat misinformation and disinformation, and that report found Twitter is consistently behind the curve on acting on disinformation and misinformation threats, and that Twitter does not have the ability to measure the impact of its work to protect site integrity. What I've concluded from your testimony today is Twitter lacks the ability to measure the effects of interventions it implemented because of decisions by management, and because of the lack of a credible regulatory oversight agency and penalty. Is that correct? Do I understand your testimony correctly?
Peiter: Yes, sir. The inability internally came from 10 years of security and engineering that kept accruing.
Sen. Coons: Your complaint also details how Twitter's executive team was concerned the report you had commissioned would be damaging if it got out, and they worked to intentionally remove or modify information that might be especially embarrassing for Twitter. Is that correct?
Peiter: Yes, sir.
Peiter: I found that disturbing. The company I hired, with the knowledge of the other executives and the head of site integrity, which did not report to me, but that this independent organization was going to analyze and do gap analysis, the company reached out to me and said, "Hey, Twitter is jumping in and making a separate contract and telling us not to provide you the results to your own work. This does not feel right to us. What is going on?"
Sen. Coons: So a lot of the information regulators and Congress rely on in regulating social media companies comes from the companies themselves. As you put it, they are essentially grading their own homework. So the conclusion we ought to reach is the information we receive is not trustworthy from some social media platforms.
Peiter: That is what I experienced.
Sen. Coons: The bill I referenced is with Senator Portman and Senator Klobuchar, where, as I said earlier, we are looking for additional Republican cosponsors, called the Platform Accountability and Transparency Act. It would allow external researchers to look at these kinds of problems, to better understand and analyze the algorithms that drive social media and some of their practices. Would empowering researchers and mandating better disclosure help hold companies more accountable and cause them to invest more resources in site integrity?
Peiter: Yes, sir. One of the things we learned from the study, and what I'm hopefully shedding light on in my disclosures, is just how much of a gap there is between Twitter and some of Twitter's peers. And even learning that sort of discrepancy would help understand and raise the level of hygiene for these organizations and their ability to perform their tasks, and the ability for us to accept what they are saying as to whether it could be true or not.
Sen. Coons: This also opens up enormous national security risks. As you testified earlier, there is roughly half of Twitter's employees that had unnecessary access to vast amounts of sensitive user data.
Sen. Coons: Senator Kennedy was asking earlier to give us a quick sense of what information Twitter might have about any of us on this committee, and it is deeper and broader, and I suspect if you had gone further it unlocks a whole profile that can give really dramatic insights into members of law enforcement, members of the military, of Congress, and their families, their travel, their preferences, their actions, their consumer activities. All of that has real consequences. You wrote in your complaint that the Indian government forced Twitter to hire Indian government agents who then had direct and unsupervised access to data, and a former Twitter employee was convicted of working as an agent of the Saudi kingdom. How easy, do you think, is it for foreign entities or hostile agencies to successfully install sympathetic actors at Twitter, and why might they do so?
Peiter: There are any number of reasons, many reasons why you would do so. In particular, to not just identify people of interest or track groups of interest, but also maybe look at whether or not Twitter has identified your agents or your information operations, what other governments has Twitter possibly identified, and remember, outside of the ability to access large amounts of data on the engineering side, you would want to know what Twitter's plan is as far as whether they will cede to your demands for control of information within their environment or not, in order to apply different types of political pressure such as strong-arming. And as we saw, that country was even threatening to put Twitter employees in jail if Twitter did not change particular activities on the platform.
Sen. Coons: With 80% of Twitter's users outside of the United States, and with Twitter having deep access and resources to critical leaders in our country and other countries, I think this is generally concerning.
Sen. Coons: Tomorrow afternoon, the subcommittee I chair and the Subcommittee on Privacy, Technology and the Law, the Senator and I, will be holding a hearing on how to further understand the depth to which hostile actors and adversaries are going to obtain American citizen data. That will expand on a lot of topics we pursued today. I hope members of the committee will attend. I want to thank you for your testimony, and Mr. Chairman for the chance to participate in today's hearing.
Sen. Durbin: We will take a five-minute break after Senator Cotton asks his questions. Senator Cotton.
Sen. Cotton: Thank you for your very important testimony this morning. I want to start with questions about Twitter's censorship policies. I know you were not at Twitter for much of 2020, but I wanted to start with an example from June 2020, specifically May, as left-wing street militias were rioting and looting in our streets. I posted on the website that the National Guard and active-duty military were used to stop the rioting in the past, most recently in 1992 in the L.A. riots. Within hours, low-level employees at Twitter's office contacted my staff and said if I did not delete the tweet, my account would be permanently locked. My staff worked with a low-level employee, calling her on several occasions because she seemed reluctant to put anything in writing in an email, and documented the accuracy of my comment and gave examples of how other elected officials have used similar language. The 30-minute window passed, my account was not locked. Ultimately she said that Twitter would not take any action about my account. I know it was before you began at Twitter, but from your experience, would a low-level Twitter employee typically have the authority to permanently lock the account of an elected member of Congress?
Peiter: From my experience, they should not have the authorization to do it, though it would probably be a low-level employee instructed to do it.
Sen. Cotton: So she was likely taking direction from more senior officials at the company?
Peiter: Not knowing the situation, I cannot comment on the specific one, but that is the sort of activity I would see there. And I can confirm that I did notice a reluctance to put a lot of things in writing on particular topics.
Sen. Cotton: I noticed in the emails that were sent to you, he seemed reluctant to put things in writing or made statements about what he was going to verbally express to the board yet did not express those things. Sticking with censorship, I know you weren't there in the lead-up to the 2020 election, but once you arrived, a couple days after the election, you selected an outside company to do an evaluation of Twitter's censorship policies, finding Twitter's content controls are "ad hoc" and "informal"; those are two direct quotes. And the policy decisions behind it are made mostly by Twitter staff in San Francisco, frequently during a time of crisis. Is that accurate?
Peiter: I did not hire them to do a report on censorship, but that was the platform manipulation organization, and yes, how you cite the report is what they found.
Sen. Cotton: When it says frequently in time of crisis, what kind of crisis was the report referring to?
Peiter: I believe, this is from what I experienced, if something was brought up in the media, if a government brought it up, and somehow it became really publicly aware, or there was an ongoing outage to the system or some active disruption.
Sen. Cotton: Thank you. The report does go on to say, according to Twitter employees interviewed, Twitter usually censors information only if it is flagged by reporters or news headline partners, which it means to include academic organizations and other social media companies or political officials. Does Twitter have special channels of communication with fellow social media companies like Facebook?
Peiter: If they do, I believe they would be ad hoc.
I am not aware of official ones that would not have been within my organizations. Sen. Cotton: What about other so-called partners like pharmaceutical companies or advocacy groups? Peiter: I am not aware of those, again. That would be out of counsel or other organizations. Sen. Cotton: So saying ad hoc, you think in these cases, you think an executive at a pharmaceutical company that does not like what is being posted on the website, or a left-wing activist at a Washington think tank, would use preexisting relationships to contact someone at Twitter on an ad hoc basis? Peiter: I do not know. Sen. Cotton: How can they coordinate if they don't have some sort of channel of communication set up? Peiter: In the report attached from the organization, they talked about disinformation, which I believe, my understanding was, the site integrity team spoke with other organizations and with other social media companies about ongoing disinformation or platform manipulation. I do not know anything beyond what was in the report for the topic. Sen. Cotton: You said something earlier I want to come back to. This is not an exact quote, but it was something along the lines of, if you don't have a foreign intelligence officer inside of Twitter, you are probably not doing a good job as an intelligence agency. Is that close enough? Peiter: That is close enough. I worked for the government, I held a high-level position, I worked running research and development in programs with the Department of Defense and intelligence communities, and from my interactions with these people, these organizations, Twitter would be a gold mine, from my understanding from people in the community who focus on foreign intelligence organizations and assets. If you placed someone in Twitter, as I believe, as we know, has happened, it would be difficult for Twitter to find them.
They would probably be able to stay there for a long period of time and gain a significant amount of information to provide back on either targeting people or information as to Twitter's decisions and discussions and the direction of the company. Sen. Cotton: Does that include Twitter's U.S. offices versus overseas, or is that distinction immaterial given the way Twitter functions? Peiter: I believe that is immaterial, and both. Sen. Cotton: Thank you. Peiter: My pleasure. Sen. Durbin: Thank you, Senator Cotton. We will take a five-minute break and return to Senator Whitehouse. The Senate Judiciary Committee is taking a break from this hearing with Twitter's former head of security, Peiter Zatko. He accuses the company of negligence with their security. The hearing is expected to resume in a few minutes. You are watching live coverage of the hearing on C-SPAN. Take a look back during the break at some of the testimony from earlier. Peiter: Chairman Durbin, Ranking Member Grassley, members of the committee, I am before you today to answer questions about cybersecurity concerns I experienced working at Twitter. My name is Peiter Zatko, but I am more often referred to by my online handle, Mudge. My mission has been to make the world better by making it more secure. From November 2020 until January 2022, I was a member of Twitter's executive team. In my role I was responsible for information security, privacy engineering, information technology, and Twitter global support. I'm here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter is that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.
When an influential media platform can be compromised by teenagers, thieves, and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm about the real risks associated with them, and as problems were brought to me by the engineers and employees of the company themselves, the executive team chose instead to mislead its board, shareholders, lawmakers, and the public, instead of addressing them. This leads to two obvious questions: why did they do that, and what were the problems and vulnerabilities identified? That is what I'm here to talk about. First, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key parts of leadership lacked confidence to understand the scope of the problem, but more importantly, executive incentives led them to prioritize products over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. What are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from. And so, unsurprisingly, they can't protect it. This leads to the second problem, which is the employees have to have too much access to too much data and too many systems. You can think of it this way: it doesn't matter who has keys if you don't have any locks on the doors. This kind of a vulnerability is not in the abstract. It is not far-fetched to say that an employee inside the company can take over the accounts of all senators in this room. Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower.
I did not make my whistleblower disclosures out of spite or to harm Twitter. Far from that. I continue to believe in the mission of the company and root for its success. That success can only happen if the privacy and security of Twitter users and the public are protected. Accepting an executive position at Twitter, I made a commitment to Mr. Dorsey, the board, the greater public, and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That is what I'm continuing to do here today. I stand by the statements I made in my lawful disclosures, and I am here to answer any questions you may have about them. Thank you. Sen. Durbin: Thank you, Mr. Zatko. I will start the questioning. As I mentioned, each member will have six minutes to ask you questions. Those of us who are not experts but rely on the internet every day for personal and professional reasons know that many times we are given disclosures, lengthy disclosures, that scroll across the screen and are hardly ever read, in my estimation, and usually end up with the bottom box that says approve. That is as far as we go in learning what we are getting into. Can we get into the real world and talk about whether or not consumers across America are right to be warned, if they are opening or using a Twitter account, as to what is going to happen with data? If I disclose my name and my address and my email address, I expect I may be vulnerable. Somebody could use that at some future time. You hope not, but it could happen. But what I inferred from your testimony is that there is a lot more information being collected by Twitter beyond the basic information that is going to be used by them for different purposes. Is that a fact? Peiter: Yes, I entirely concur.
When we sign up for an account, I hope that the company is being responsible and not just saying that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that that is the case. As far as the type of data, I believe Senator Grassley referred to an incident we had: a user on Twitter that was harassing some members of the executive team and members of the board. As an example, this person came to me and said, Mudge, is this a viable threat? Do I need to be worried? Who is this person? It took me 30 minutes to reach out to an employee and say, what do we know about this person? And it only took that person 10 minutes to get back to me and say, here is who they are, this is the address where they live, this is where they are physically at this moment. They are on their phone, we know their phone number. We know the other accounts they have tried to set up on the system and hide. And we know who they are on the other social media platforms as well. Sen. Durbin: So unbeknownst to a Twitter account user, there is accessed information far beyond what you have disclosed that may be found. You said at one point that Twitter has about 20 percent of its vast trove of data registered and managed, meaning the company is incapable of securing sensitive information it collects. That is a pretty stark statement, and suggests a warning to users that literally anything you disclose or use the account for is traceable and could be used for bad purposes. Peiter: Yes, in this case my concern is more that Twitter didn't even know what it was collecting. This was one of the problems, because I kept looking at why do I have so many security incidents, the same amount year after year? Why aren't we closing on this? What is fundamentally broken under the hood? Where is the systemic failure?
It turned out from an internal study that the engineers did on their own, because they weren't given the time and the resources to do this as part of their job, that only about 20 percent of the information that they had, that they were collecting, did they know why they got it, why the person had given it to them, how it was supposed to be used, when it was supposed to be deleted. And the remaining, I think it was 80 percent, I refer you to the disclosures for the specific numbers, was, hey, we know our systems are using this other data, we don't know what it is. A lot of the data they just recognized, we don't even know what these are. Petabytes, huge amounts of data. They did a sampling, including personally identifying information, phone numbers, addresses. For me, the concern there is anybody with access inside Twitter, and half the company has access to the production environment that has this, could go rooting through and find this information and use it for their own purposes. Sen. Durbin: If 80 percent of the data that is being collected... Sen. Durbin, resuming the hearing: Senator Whitehouse for questions. Sen. Whitehouse: Thank you very much. Mr. Zatko, I wanted to follow up a little bit on the repeated suggestions you have made in your testimony that the cybersecurity vulnerabilities will expose the United States to risks and to attacks, and that security failures threaten the country's national security. Good with that? Peiter: Yes, sir. Sen. Whitehouse: I guess hidden ad buyers; we saw the same thing with Facebook when they were taking ads with payments denominated in rubles and not figuring out that might have been Russians behind those ads, and you mentioned concerns about hidden Chinese ad buyers.
If we could talk a little bit more about the national security risks associated with, for instance, the unregistered Saudi foreign agent who worked at Twitter or the pressure to hire Indian government agents, walk us through a scenario of how an individual planted in Twitter like that could create a national security risk for the United States, and if you would, with particular reference to the fact that, at least when I use Twitter, I'm sending stuff out that's intended to be public. So, how in that environment can a foreign agent create a national security risk of any significant nature? Peiter: Yes, sir. There are several aspects to that. There is the non-public information that we have spoken about earlier today. Your phone number, your email address, things that are not advertised to the world. I believe 200 million, if we want to say, regular users, not necessarily from a national security standpoint; Twitter in 2020 internally assessed that they logged information on 200 million users, email addresses, phone numbers, other information like that. This is the information that you need in order to start taking over other people's accounts. With their phone number and an email address, I can hijack your phone number, I can change your Gmail, Coinbase, Ameritrade, other accounts. I can cause financial harm that way. I can assume your identity. More importantly, I probably want to be able to understand your whereabouts, your network, and understand, I will give you an example, where foreign governments are concerned, and we could apply that to the United States, there were requests for information about members of the farmers' protest. There might be organizations or groups in the United States where, once I know your home address and your home phone number, I can approach you in real life. I can put pressure on you, I can possibly recruit you. You can be an unwitting accomplice. I can influence you or target you for influence operations in the real world. Sen.
Whitehouse: Let me just offer the thought that my home address and phone number and email address are pretty widely known, and indeed, in the public domain. How does Twitter access to that information, is there more? What is the difference between being able to look me up in the phone book and having Twitter access the information? Peiter: Having been in the public sector myself, yes, a lot of my information became known. There are also a lot of people who are in particular roles where that information is not known, and the targeting of them, perhaps staff, aides, people around you, influencing to build that network, which we have seen not in Twitter, but which the U.S. intelligence community has seen as part of the intelligence community. Sen. Whitehouse: OK, so just lay that out for me a little bit more, given that so much of this information is available through other channels. What would the endgame be for, let's say, a foreign government trying to put pressure on somebody who could make a difference or a decision to the benefit of the foreign country? Peiter: Identifying a relative, family member, colleague who has financial issues or has other elements that can be leveraged against them, to help them influence you in a particular fashion without your awareness. Sen. Whitehouse: Somebody would be able to create a sort of family or personal network around an individual Twitter user and extract information about folks, and then work folks in that network? Peiter: That is one particular aspect. Sen. Whitehouse: How would that take place? If somebody has gotten into the Twitter system, how would they find that out? Peiter: It might be used in combination with other data collection sources. One of the concerns about U.S.
people traveling to other countries is whether there was information in the OPM database, and can that information be cross-indexed across the health industry databases that have been lost? Do we know that this person has a particular political bias on Twitter, and start to tie all of these things together for people of influence or access within governments or within sensitive positions? Sen. Whitehouse: Thanks very much. My time is up. Sen. Durbin: Senator Graham, I'm sorry, Senator Cornyn. Sen. Cornyn: I want to explore the kind of data on American citizens that can be used for appropriate or inappropriate purposes. You are familiar with the concept of ubiquitous surveillance, are you? Peiter: I can put those together and get the general context, I believe, sir. Yes. Sen. Cornyn: Basically all the cameras that are publicly posted, data on your smartphone. You talked about geolocation data, the type of transactions you engage in, where your home is, how much you paid for it. Even Google Earth may have taken a picture of your home or your place of business. There are already huge volumes of data available for whatever purposes, even above and beyond what social media collects, correct? Peiter: Yes, sir, there is a lot of information about a lot of us in many different ways available through technology right now. Sen. Cornyn: And I daresay, I bet most Americans can't fathom the volume of data, and that is without even getting to things like social media. For example, 2015 I think it was, there was a hack of the Office of Personnel Management records. I think it was 22 million records of government employees, including the applications for security clearances, that was hacked, reportedly by the People's Republic of China.
If people decide that they want to figure out their family ancestry and use one of the DNA testing companies, my understanding is much of the testing is outsourced to places like China, where obviously it is not secure from Chinese government access. We were talking about the privacy concerns of Americans. This is not just limited to platforms like Twitter and social media, correct? Peiter: That is correct, sir. I was informed I was in that OPM database and my security clearance information was collected as well. Sen. Cornyn: Turning to Twitter, you have talked about the lack of what I would call protection from insider threats in the intelligence community. If you are working in the intelligence community, they have logging protocols on who accesses what information. It can be determined if there was inappropriate access. That is the sort of protocol or mechanism that was not available in places like Twitter when you worked there, correct? Peiter: Yes, sir, correct. Sen. Cornyn: And so anyone who could get access to that information could, on top of all of the information that I asked you about earlier outside of social media, if you look at the cumulative data picture, is that the kind of information that foreign governments like the People's Republic of China are regularly accessing for their purposes? Peiter: I can't say whether they are regularly accessing. I don't have that direct information. I am aware that some people and organizations have gotten very good at cross-indexing across very large amounts of data. Twitter would be a decent contribution to that multi-source collection. Sen. Cornyn: And that is where things like artificial intelligence can come in to comb or mine vast sources of data for a more targeted or narrow purpose. Peiter: The ability to collect and mine, yes, has been augmented by modern AI techniques. Sen.
Cornyn: So there are what I would call defensive concerns about people's or individuals' or governments' access to your personal data, but there are also offensive concerns as well, and that is where the issue of disinformation, or a term that became popularized during the 2016 election aftermath, was active measures. These are efforts by foreign governments or intelligence services to actively create a narrative or a message that is simply propaganda by this foreign government that could be used to influence American public opinion. Is that accurate? Peiter: Yes, sir, not just American. That has happened worldwide, such as in Myanmar, in 20, Facebook acknowledging that disinformation campaigns on the platform contributed to genocide. Sen. Cornyn: And as you pointed out earlier, when you look at the data available on each one of us as American citizens, for whatever purposes, good or ill, there is also a lot of information about who we interact with. Something in the intelligence community, sometimes they talk about pattern of life. Maybe you want to talk about a network of friends and associates, family members, and the like, from which inquiring minds could obtain additional data about us. Peiter: Yes, and to your point, information operations are a concern. Twitter acknowledges they do happen on the platform. They have disclosed numerous ones, and they are aware of others that are ongoing. Sen. Cornyn: I am aware that TikTok, which is a Chinese company, I believe, and even Instagram, which is owned by Facebook, have 13-year-old age restrictions in their terms of use. But there is no limitation on people's ability to pretend to be an adult, pretend to be somebody they are not, and gain access to a social media account and use it for whatever purpose they wish. Peiter: I can't speak to TikTok or Facebook. I'm not familiar with their internal technology for age-gating.
I do know that was a challenge at Twitter, and the majority of age-gating was voluntary self-reporting of what your age was. Sen. Cornyn: Finally, can you tell me, do you have recommendations, based on your 30 years of experience in terms of data security, on what sort of regulations or laws that Congress and the federal government should consider passing? We don't have time to talk about all of those here today, but we would certainly welcome any of your recommendations and insights. Do you think this needs to be an area where the federal government needs to be actively engaged? Peiter: Yes, sir, I do. I would be happy to supplement my written report. Sen. Cornyn: Thank you. Sen. Durbin: Thank you, Senator Cornyn. Senator Hirono. Sen. Hirono: Thank you for coming to testify, Mr. Zatko. Your testimony and all your responses to the various questions we asked you say to me that the situation regarding data security and national security issues with regard to Twitter is massive, that Twitter is not doing very much to be helpful at all. In fact, there are major disincentives to Twitter doing anything, to spending the time or the resources to address the concerns that you raise. For example, the FCC, very under-resourced, with regard to trying to keep Twitter under any kind of consent decree entered into back in 2011; more recently they are contemplating making Twitter pay 150 million for some misuse of information, a $150 million fine for a multibillion-dollar company is nothing for any incentive for them to change what they are doing. And yes, there is information out there from so many different sources, including appliances, cars, and anything else. However, Twitter is a huge, if I can call it, single platform to access. Who is going to force Twitter really to do anything? If we were to adopt some of the legislation that is contemplated, if we don't have an agency that can implement and enforce that law, then we are back where we started.
What is it going to take to force Twitter to change its ways? Peiter: Well, this starts at the top at Twitter, and you need an executive team that is willing to go in and say, the executive team themselves acknowledged, and I heard them say, we have 10 years of unpaid debt here and at some point we need to get ahead of it; they need to prioritize that. The board's primary role is to make sure the right executives are in charge of the company, the CEO in particular, to make sure they are sending the company in the right direction. This needs to be a long-term incentive rather than a short-term incentive for the companies, because the short-term incentives just mean they are going to tactically run from fire to fire and not actually pay down debt for a long-lived, valuable company. Sen. Hirono: Your discussion of Twitter is mainly focused on the short-term monetary incentives. Who is going to force them to look at the long term? Do people need to go to prison? What do we need to do to get Twitter to, what you are telling me, they cannot even identify foreign agents in their midst. Peiter: Yes, ma'am. And you know, to be blunt, some foreign agents would be pretty difficult to identify. But some in this case are not, and to my awareness they are not even attempting to identify them. I think holding people accountable is a good start. I think that is something that people are concerned of. But you can only hold people accountable if you can measure and quantify what their targets are and what changes need to happen. And if you say, such as what I saw, Twitter needs to have a mature software security program, that is a very ambiguous and qualitative term. Holding accountability and setting quantitative goals and standards that can be measured and audited independently, I believe, is what is going to be required to change management structures and drive change in companies when it is needed, such as this. Sen.
Hirono: So we don't even have the kinds of standards to which we can hold Twitter accountable, is that right? Peiter: From what I saw, they were able to be answered in the affirmative without actually meaningfully meeting the intent of the regulators. The intent of the regulators was correct, but then you can say, yes, I found this, hold up an isolated example, and allow somebody to assume that example was the whole environment. Sen. Hirono: Excuse me, so do French regulators have better standards to which they hold Twitter accountable? Peiter: My understanding is one of the reasons the French are more feared is they dig in technically and go towards more quantitative results; better, less easy for organizations to sort of wordsmith around. Sen. Hirono: I think that is something we can learn a lesson from. Specifically, you discovered Twitter compromises user data long after the users close their accounts. In fact, they say that the account is deactivated but the data is not deleted. At the time of your departure from Twitter, is that the company's continuing general practice, that they don't really eliminate the data? Peiter: Yes, I was told straight out by the chief privacy officer that the FTC had come and asked, does Twitter delete user information when they leave the platform? The reason this person told me this: I need you to know this because other regulators are asking us, and this ruse is not going to hold up. Instead of answering whether we delete user data, we intentionally replied that we deactivate users and try to sidestep the problem, because we know we do not delete user data and cannot comply if they demand this. Sen. Hirono: You would think that would be something they could do technically, to be able to delete data, because for the users to deactivate your account means there should be nothing there of your account. Is this something technically that they could do?
Peiter: This goes to one of the fundamental problems I mentioned in my opening statement, which was they would need to know what data they have and where it is and why they got it and whom it's attached to, to do that. If they do that, which should be a fundamental expectation I would have as a user, at that point they could delete the information. Senator Hirono: Thank you. Senator Graham for six minutes. Senator Graham: Thank you for coming to the committee and giving us your insight. Something good will come from this. Do you believe that? Mr. Zatko: I hope so. I am resting my career and reputation; if something good comes from this five, 10 years down the road, it will have been worth it. Senator Graham: You are willing to take that risk? Mr. Zatko: Yes. I have been doing this for 30 years. People who have known me in the industry know that I'm willing to put it on the line hoping that we can improve things. Senator Graham: I'm going to work with my Democratic colleagues to make sure this is not in vain. Do you still use Twitter? Mr. Zatko: I still have an account on Twitter. I read it. I have not tweeted since I left. Senator Graham: Given what you know, would you recommend all of us continue to use Twitter? Should we take a timeout? Mr. Zatko: I think Twitter is a hugely valuable service. Senator Graham: No matter what you said today, you are OK with the rest of us tweeting? Mr. Zatko: I think people should look at the information they are getting off it differently. People should put pressure on Twitter and ask questions, from the public as well as the government and regulators. Senator Graham: You are not asking to shut them down, but asking them to get better? Mr. Zatko: Absolutely. Senator Graham: Would you buy Twitter? Mr. Zatko: That depends on the price. Senator Graham: Fair enough. The reason I ask that: for the rest of us, we take what you say seriously; it's unnerving. I'm going to use Twitter, but I'll use it differently.
If nothing good comes out of this, shame on us all. Let me just tell you where I'm headed. There is no way to deal with this without bipartisanship, from my point of view. I'm working with Elizabeth Warren, of all people; we have different perspectives on almost everything, but we have come to believe it's now time to look at social media platforms anew. We have this general understanding among ourselves that the regulatory system regarding social media is not working effectively. Do you agree? Mr. Zatko: Based upon what I saw, a lot of things aren't working effectively, yes. Senator Graham: The Federal Trade Commission, that's the primary regulator for Twitter as far as we know. Mr. Zatko: I do not believe that Twitter should have been able to be viewed as in compliance. Senator Graham: Do you know when the Federal Trade Commission was founded? Mr. Zatko: No, sir. Senator Graham: 1914. A lot has happened since 1914. World War I, World War II, the explosion of social media. Would you say, given what you know, it seems like the regulatory bodies are outgunned here? Mr. Zatko: I'm... big tech, I think they are outgunned. Senator Graham: Big time. I want people to understand paying a 150 million fine seems to be of little consequence. Is that your testimony? Mr. Zatko: Absolutely. Senator Graham: Imagine what I just said, Mr. Chairman. A company doesn't mind paying 150 million to get back to doing what they are doing. One of the things I'm trying to do with Senator Warren and others is create a consequence for these organizations to give them an incentive to do better. Don't you think that's where we should be headed? Mr. Zatko: Yes, sir, I do. Senator Graham: One thing, do you have a car? Mr. Zatko: Yes. Senator Graham: Do you have a driver's license? Mr. Zatko: Yes, sir. Senator Graham: If you drive a car, you need a license. Real estate, you need a license. Practice as a lawyer, you need a license. Is there any licensing requirement to run a social media company? Mr.
Zatko: Not to the best of my knowledge. Senator Graham: Can you sue a social media company when they do you wrong? Mr. Zatko: I do not know. Senator Graham: The answer is no. They are not licensed. You can't sue them. To be shocked you have a problem, that's naive on our part. Here's what I promise to you: we are going to take your testimony, we are going to learn from it. We are going to create a system more like Europe. A regulatory environment with teeth. An agency that came about after 1914, with the power to deal with privacy issues, content moderation; if you want to be in this space you have to harden your sites against foreign interference, you have to protect your sites against criminality, and if somebody takes your content down, you'll have an appeal process outside the group who did it. Does that sound kind of like where we need to be going? Mr. Zatko: Those all sound good to me. I would add measurable and transparent. Senator Graham: We are headed that way with my good friend who is going to join the Graham-Warren team. We are going to come up with a regulatory system to make sure that people in this space pay better attention. They have consequences if they don't change their behavior. It's long past due. Would you say that the companies we are talking about are some of the most powerful in the history of the world? Mr. Zatko: I don't know, sir. Senator Graham: I'll say that. These companies make massive amounts of money. They are virtually unregulated. Their regulatory body was founded in 1914. They are completely outgunned. Under our law you can't sue them when you are wronged. Having said all that, there is much value to these companies. Facebook, Twitter, Google. But there is a dark side. We are going to address the dark side. I will just close with this. Your testimony today has legitimized what most of us feel is a process out of control. That the regulatory environment is insufficient to the task. It's time to up our game in this country.
I'm not about putting these out of business. I'm about making them do business in a normal way and take their job more seriously. If Elizabeth Warren and Lindsey Graham can come together around that concept, we are off to the races as a body. Thank you very much. What you did today will not be in vain.
Mr. Zatko: Thank you very much, sir. If what I have done can contribute to positive change, it will be worth it. Thank you.
Chair Ossoff: Thank you, Senator Graham. Mr. Zatko, thank you for joining us. I would like to ask you about what you encountered in terms of the corporate incentives at the top of the company. Something like pushing patches and security updates to employee devices. Cyber hygiene is not easy; that's a relatively low-cost way to mitigate a lot of risk. There is significant risk here. Reputational risk, financial risk. Why, based upon your experience working within Twitter's corporate leadership, would the company not have elected to take that step, to mitigate risk in that relatively low-cost way, or other steps like that?
Mr. Zatko: I didn't see any financial incentives at the top levels that would then give prioritization to such efforts. In fact, I saw incentives counter to that. And combined with a culture where the company needs a crisis to operate and is driven by crises, those didn't afford time or focus, from what I saw, to do the basic...
Chair Ossoff: What are the incentives against something like patching?
Mr. Zatko: I'll give you an example. One of the things I was surprised by while I was there: we did a media day from the executives for the street. The first one that Twitter had done in a very long time. It set very ambitious goals for revenue growth. Goals I was concerned the company would not be able to hit. Not too many months after that there was an internal value creation award presented to me, offering $10 million if we tripled these growth goals. I raised concerns, saying I don't know how we can do that unless we entirely cut corners everywhere.
I do not like this incentive structure. How are we going to be able to devote resources to the basics, such as fixing security patching, getting the systems up to date, building a development and testing environment for all of the...
Chair Ossoff: How is the growth incentive hostile to something like pushing software updates to employee devices? Given, as I understand it, a fundamental security practice, a basic cyber hygiene practice, why were you unable to implement a change like that baseline hygiene practice, where you want all employee devices to be updated to the latest version?
Mr. Zatko: I brought that up numerous times. I was repeatedly told that 92% of the systems had security software. I kept asking, what is the security software reporting? It took me a month-plus to get the truth that 30% of the systems had software updates turned off. There was a culture of not reporting bad results up. Only reporting good results up. Because that was the internal incentive structure. You are rewarded based upon relationships and how you performed in an emergency. Not for identifying existing errors and doing the groundwork for keeping the lights on and running the business. My inability to find such basic information was disturbing.
Chair Ossoff: You couldn't get the official... to get a system to push patches out. You couldn't make it happen?
Mr. Zatko: I had the authorization. I couldn't get the real information, because people were misrepresenting to the executive team, and the executive team was further misrepresenting, only good news and incorrect news, to the board. It took me several months to start going and getting ground truth and find out this had been a culture of only presenting good and positive reports. That's how you move forward.
Chair Ossoff: Talk about the data, much of it no doubt sensitive, within Twitter's possession, and some of the most alarming aspects of your disclosure and testimony: the extent to which Twitter may not know what it has.
What would be... of course you don't know what you don't know. What would be an example of the kinds of data sets that Twitter might possess but not fully understand it possesses? What would be the mechanisms, other than monitoring user activity, by which it would have accumulated such data?
Mr. Zatko: One example: I was surprised to see in an internal incident review in 2020 that 50 million Twitter employees' information had been exposed. That number confused me, because Twitter doesn't have 50 million employees. Twitter has all of the information of all past employees, contractors, and other users, because they haven't deleted that data. They kept it in the system. Those systems would expose that information. That was surprising to me. The second part of your question?
Chair Ossoff: I'm running low on time. Let me get to my next point. The risks associated with targeted advertising, whether for the purpose of inducing targeted users to click on links that could then harvest data about their devices or their web use or location, or possibly inject malware, or for targeted influence campaigns: can you please talk about what you observed and what you viewed to be the risks associated with the advertising model, of the capability of enterprise clients of Twitter's to target ads and links to specific users?
Mr. Zatko: So that area wasn't specifically my domain. That was under the executive of sales engineering. The parts that I believe are relevant were not only the additional report that we talked about earlier with the information operations, but I did see data sets internal to the organization when I first joined: thousands of users had access to the advertisers' information, including their bank accounts and routing numbers. When I first joined, people could change that information, and you could understand why changing the bank account information of a company such as Apple or Nike might be problematic.
Chair Ossoff: Final question, and I'll yield to Senator Hawley and follow up with you on this one for the record to get as much detail as possible. What records, documents, or technical information, with as much specificity as you can muster right now, would you suggest the Congress should seek from Twitter to understand the extent of the alleged lack of security practices, but also what data may have been exfiltrated, when, by whom, what the national security risk might be? What should we seek from this company so we can assess the level of risk and threat and make policy accordingly?
Mr. Zatko: I submitted, I believe, 100-plus pages in my disclosure with data. Talking about the sources of that data and providing a road map for investigators. I would do it a disservice trying to summarize the large numbers of sources and locations of the data, but hopefully my lawful disclosures provide that road map, and I'm happy to follow up.
Chair Ossoff: Mr. Hawley for six minutes.
Senator Hawley: I want to make sure I got this straight. You stated today and in your report that about 4,000 Twitter employees are classified as engineers, is that right?
Mr. Zatko: Yes, sir. At the time, half of the employees; there were 7,000-plus full-time employees.
Senator Hawley: That means these 4,000-ish employees would have had access to live user data all over Twitter; they could access individual users' personal information. Have I got that right?
Mr. Zatko: Yes, sir. They would have access to the production environment. If they spent the time to meander around and look around, they would find they could access these large data.
Senator Hawley: Including geolocation?
Mr. Zatko: I know Twitter has IP locations. They do use geolocation services based upon IP addresses.
Senator Hawley: 4,000 employees. Extraordinary. Those employees, if they wanted to, could get this information and dox Twitter users.
Mr. Zatko: That's a concern of mine, yes.
Senator Hawley: That's a significant concern.
4,000 people with the ability to dox individual users who pick up the phone and use Twitter. Have you ever seen it happen?
Mr. Zatko: I have seen numerous situations where Twitter engineers had to patch a problem, and I said, what was the problem? They said engineers could tweet as anybody. The data was exposed in this part. It was always reactionary, finding these wounds left and right and putting band-aids on them, because the underlying problems were not addressed. The broad access to too much information.
Senator Hawley: When you say Twitter engineers could tweet as anybody, what does that mean?
Mr. Zatko: That meant a Twitter engineer understanding how the running systems and data flows were operating could then access and inject or put forward information as, as I mentioned in my oral statement, any of the senators sitting here today.
Senator Hawley: Have you ever seen that happen?
Mr. Zatko: Not with... no, not directly.
Senator Hawley: Are you concerned it has happened? Do you have some reason to believe it has happened?
Mr. Zatko: The number of cases reported to me by individual engineers saying, hey, we found this, I'm going to try to have somebody fix it. Where that was the problem, and we wouldn't know if it happened in the past. Yes, I am concerned.
Senator Hawley: That's pretty significant testimony. Let me make sure I understand this point. The Facebook whistleblower came forward a couple of years ago now, came to me in my office and told us that Facebook, they at least had policies on the books that restricted back-end developers from accessing user data. Whether or not those policies were followed, who knows. Is it your testimony to me that Twitter had no similar policies in place that would have restricted these 4,000 engineers from accessing user data?
Mr. Zatko: Not technical enforcement. Technical policies that were enforced. I did see basic policies such as, hey, you are not supposed to access inappropriate systems.
I also saw policy saying that your work laptops should only run on the following setups. I was aware that... I don't believe any of the laptops were in compliance with those policies.
Senator Hawley: None.
Mr. Zatko: Based upon the policy I read, I do not believe they were in compliance with that policy.
Senator Hawley: Zero compliance with their policy. Extraordinary. Let me ask you about this. That same Facebook whistleblower told us a couple of years ago now that Twitter's content moderation staff routinely collaborated with content moderators at Facebook and Google. Is that true to your knowledge? Do you have information about that?
Mr. Zatko: That would be in a team under counsel. I wouldn't have firsthand knowledge of that.
Senator Hawley: Are you aware of any Twitter policies that would have prohibited coordination on content moderation between Facebook, Google, and Twitter?
Mr. Zatko: Not to the best of my knowledge.
Senator Hawley: It's possible.
Mr. Zatko: Yes.
Senator Hawley: Let me ask you about this. Are you aware of any communications regarding content moderation between Twitter staff and the United States government in your time at the company?
Mr. Zatko: I'm familiar with the conversations that happened through the Department of Homeland Security. The Traffic Light Protocol. Where there are messages sent out to organizations about threats that maybe the FBI or other organizations had insight into.
Senator Hawley: Earlier this year, documents we obtained from a different whistleblower at the Department of Homeland Security exposed that the disinformation board that the Department of Homeland Security set up, that first on the disinformation board's list of companies to meet with was Twitter. They had an extensive memo, which is public information now. We released it. You can look at it. They had a memo prepared with notes for this meeting with Twitter, talking about cooperation on content moderation. Frankly, in monitoring Americans' speech.
Now we know that thousands of Twitter employees have access to that. This was all in the documents. I guess my question to you is, I know you weren't in those meetings, why do you suppose that the disinformation board had Twitter first on the list of entities to come to, to talk about coordinating, monitoring American speech?
Mr. Zatko: I can't opine on that. I can say that Twitter is a tremendously influential platform. We do know there are information operations being run on Twitter.
Senator Hawley: Do you think Twitter has proved so pliant to government pressure to censorship and monitoring people? The Hunter Biden story: we know that Twitter killed the Hunter Biden reporting. We know Mark Zuckerberg said the FBI pushed Facebook to do it. Twitter killed it completely. Locked up accounts trying to report what we know was a true story. How about, by your own report, you claim that the Twitter CEO proposed caving to the Russian government's demands to censor content on Twitter and spy on its users. You noted this occurred even as you were directing employees to prepare for the Russian invasion of Ukraine. That sounds like an executive team that's pretty darn pliant to the demands of governments to weaponize their platform to control information, to spy on its users. What's your view?
Mr. Zatko: I wasn't there when the Hunter Biden issue happened. I don't have any information on that. I wasn't briefed into it or involved in any of the investigations. The CEO was the CTO at the time when he proposed to me that, hey, what do you think about letting Russia perform their own moderation? They are a democracy. Why should we... why shouldn't we let them do it? I didn't know what to think at the time. I was a little flabbergasted.
Senator Hawley: I think I know what to think, which is that Twitter has been all too eager to take private information from its users without telling them. To sell it and monetize it without their permission.
To expose them to the worst kind of security threats. To censor them, spy on them. You have painted a picture of a company that is not only out of control but is truly, in many ways, a malign actor. I thank you for being willing to testify. Thank you.
Chair Ossoff: Thank you, Senator Hawley. Thank you for appearing before the committee today. The hearing record will remain open for one week for submission of materials for the record. And with that, this hearing is adjourned.
[Captions Copyright National Cable Satellite Corp. 2022] [Captioning performed by the National Captioning Institute, which is responsible for its caption content and accuracy. Visit ncicap.org]