Sen. Durbin This meeting of the Senate Judiciary Committee will come to order. In 2006, a new social networking platform marked its debut when Jack Dorsey posted a message that he was "just setting up my twitter." At the time, Dorsey's startup, which allowed users to share short messages, was a novelty, but in the coming years it would become increasingly a source of news and social discourse as it gathered millions of users around the world. Twitter now plays an outsized role in politics, culture and even democracy itself. As Twitter has grown, so has the risk posed by bad actors looking to exploit its opportunities and the data it holds. In July 2020, two teenagers hacked into the accounts of Twitter employees, gaining access to a number of high-profile accounts, including now President Biden and former President Obama. Those two teenagers then sent a series of tweets and scammed Twitter users out of more than 100,000 in coin. In response, then-CEO of Twitter Dorsey turned to a trusted name in the world of cybersecurity to lead an overhaul of Twitter's security practices. For more than a year that's what this individual tried to do, until he was terminated by Twitter and the new CEO this past January. Last month this individual released a whistleblower disclosure detailing a number of alarming allegations about Twitter's security practices. Without objection, his disclosure will be entered into the record. That whistleblower's name is Peiter Zatko, or, as he is more commonly known, Mudge. Thank you for joining us. You are here pursuant to a subpoena, not because you were opposed to appearing before the committee but so the public can hear the details of your disclosure. You have alleged a number of security flaws and weaknesses within Twitter, flaws that may pose a direct threat to the safety and privacy of Twitter's hundreds of millions of users as well as America's national security.
The story began in 2011 when the Federal Trade Commission first concluded that Twitter was playing fast and loose with user data. They found Twitter had, quote, deceived customers and put their privacy at risk by failing to safeguard their personal information. The company was ordered by the FTC to, quote, protect the security, privacy, confidentiality and integrity of user data. You have claimed those changes have never been made and, more broadly, you allege that compared to other technology companies Twitter's security standards remain woefully deficient. You allege thousands of employees within the company have extraordinary access to sensitive information of Twitter's users and there is little oversight over how that information is accessed. Some Twitter users may be asking, what is the big deal? When you sign up for Twitter you knowingly hand over your email, phone number, other information. That's how it is with most social media companies, but you expect these companies will take precautions to protect the personal information you give them. Like depositing money at the bank. When you hand your money to the teller, they take it behind the counter and put it in a vault. But at Twitter, according to our witness today, the door to the vault is wide open, and it contains a lot more information about you than you can imagine. Twitter doesn't just have access to your tweets and email address; they have access to all the data necessary to directly access your device and even pinpoint your exact location. Say you are an American citizen exercising First Amendment freedom at a political protest, or maybe you are a woman seeking reproductive health care. If you're a Twitter user, unbeknownst to you, someone else may be right there with you, in your pocket or purse. Many of us are comfortable with the programs having location data; it is helpful. But when the data isn't secure we become vulnerable to bad actors, scammers, stalkers, even foreign agents.
To give an example: earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the Saudi regime and handing the data to the Saudi government. This is a matter of life and death for these dissidents, as the butchery of Jamal Khashoggi made clear. And there is the matter of Twitter's reach, one of the largest megaphones world leaders have ever had at their disposal. We have seen what can happen with small-time actors breaking into Twitter accounts belonging to government officials, but what if next time it isn't two teenagers trying to pull a crypto scam? Imagine if it is a malicious hacker or hostile foreign government breaking into the President's Twitter account or sending out false information claiming there was a terrorist attack. We can see widespread panic. The bottom line: we cannot afford gaping security vulnerabilities. We have a chance to engage in good-faith bipartisan discussion to ask what needs to be done. A final point. Politicians on both sides of the aisle have criticized Twitter. I for one believe Twitter should be doing far more to combat the proliferation of hate speech. Republicans, on the other hand, claim Twitter censors conservative speakers. I urge my colleagues to set these differences aside and try to find the common ground they need to establish the security standards that will be raised by our whistleblower. With that I turn to Ranking Member Senator Grassley.

Sen. Grassley Thank you. A very important issue you have brought before this committee, and I thank you for doing it. I for one want people to know that I love using Twitter. But we also know that big tech companies such as Twitter collect vast amounts of data on Americans. In the hands of foreign adversaries, this data is a gold mine of information that could be used against America's interests. Twitter has a responsibility to ensure that the data is protected and doesn't fall into the hands of foreign powers.
Americans rightly expect that Twitter will protect that information. Thanks to a whistleblower who has come forward, we've learned that Twitter has secured the data of tens of millions of Americans and countless other users. That whistleblower is here today, so we welcome you, Mudge. He comes before the committee not only as an expert in the field of cybersecurity, but also as a whistleblower. I think all of my colleagues know that I have a great deal of admiration for whistleblowers. I have always said whistleblowers are patriotic individuals who often sacrifice their career as well as their livelihood to root out waste, fraud, and abuse. Thank you for being here. Because of Mudge's disclosures, we've learned personal data from Twitter users was potentially exposed to foreign intelligence agencies. His disclosure indicates that India was able to place at least two suspected foreign assets within Twitter. Disclosures also note the FBI notified Twitter of at least one Chinese agent in the country. Company, I should say. Based on the allegations, Twitter also suffers from a lack of data security. Due to that failure, thousands of Twitter employees can access user data, data that they don't need access to in order to do their job, yet they have access. And if foreign assets work for Twitter, that means foreign assets can also access the data. To put a finer point on the allegations, Twitter has allegedly used the data it collects and the tools it has to geolocate individuals who make threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to track down pro-democracy dissidents within their country, but also to spy on Americans. This has happened in the past. In 2019, two Twitter employees were indicted by the FBI; they used their position at Twitter to access private user data and then gave it to Saudi Arabia.
These foreign agents were able to access and provide personal information on 6,000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of a company solely focused on profit at any expense, including at the expense of the safety and security of its users. Additionally, it has been alleged that Twitter knowingly violated the consent decree it entered into with the Federal Trade Commission in 2011. It required Twitter to address their control failures, but instead of complying with the consent decree, it is alleged Twitter executives intentionally misled Twitter's board of directors. After 10 years, the Federal Trade Commission didn't take strong enough action to ensure Twitter complied with the consent decree. This is a consent decree that is intended to protect Twitter users' personal information. Any privacy legislation should draw on these revelations about how Twitter views its obligations to federal regulators. Congress should also be mindful of the FTC's ability, and lack thereof, to successfully oversee these important issues. Twitter needs to answer questions about moderation. Twitter outsources a great deal of content moderation to foreign countries: close to 2,000 employees in other countries whose job is to screen tweets by Americans, and an appropriate number of translators to ensure the tweets in other languages are complying with Twitter's rules. Mudge had limited visibility into content moderation, so these are questions that need to be answered in full by Twitter, because we can't expect Mudge to respond to them. Unfortunately, this committee will not get answers about content moderation because Twitter's CEO refused to appear today. He rejected the committee's invitation to appear by claiming it would jeopardize Twitter's ongoing negotiations with Mr. Musk. They directly implicate Mr. Agrawal, so he should be here.
The business of this committee, protecting Americans from foreign influence, is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how he can maintain his position at Twitter. Looking forward, Chairman Durbin and I will conduct a thorough and in-depth investigation; this hearing is part of that process. Thank you.

Sen. Durbin Mister Zatko, you have six minutes for an opening statement, and each member will be given six minutes of questioning to follow up. We start with the customary oath, and I ask you to stand for that purpose. Please raise your right hand. Do you affirm that the testimony you are about to give this committee is the truth, the whole truth and nothing but the truth, so help you God? Let the record reflect the witness has answered in the affirmative. I appreciate your attendance and the floor is yours. I think your microphone may need...

Peiter Thank you very much. Ranking Member Grassley, members of the committee. I appear before you today to answer questions about information I submitted in written disclosures about cybersecurity concerns while working at Twitter. My name is Peiter Zatko, but I am more often referred to by my online handle, Mudge. For 30 years, my mission has been to make the world better by making it more secure. From November 2020 until January 2022 I was a member of Twitter's executive team. In my role I was responsible for information security, privacy engineering, physical security, information technology, and Twitter global support. I am here today because Twitter leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.
And when an influential media platform can be compromised by teenagers and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm about the real risks associated with them, and these were problems brought to me by the engineers and employees of the company themselves, the executive team chose instead to mislead its board, shareholders, lawmakers and the public instead of addressing them. This leads to two obvious questions. Why did they do that, and what were the problems and vulnerabilities identified? And that's what I'm here to talk about. So first, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key parts of leadership lacked the competency to understand the scope of the problem, but more importantly their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from, and so, unsurprisingly, they can't protect it. And this leads to the second problem, which is that the employees within have too much access to too much data and to too many systems. You can think of it this way: it doesn't matter who has keys if you don't have any locks on the doors. And this kind of vulnerability is not in the abstract. It's not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room.
Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my whistleblower disclosures out of spite or to harm Twitter. Far from that. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter's users and the public are protected. In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the greater public and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That's what I'm continuing to do here today. I stand by the statements I made in my lawful disclosures, and I'm here to answer any questions you may have about them. Thank you.

Sen. Durbin Thank you, Mr. Zatko. I will start the questioning. As I mentioned, each member has six minutes to ask you questions. Those of us who are not experts but rely on the internet every day for personal and professional reasons know that many times we're given disclosures, lengthy disclosures that scroll across the screen, which I hardly ever read, in my estimation, and usually end up with a box at the bottom that says "approved," and that is as far as we go in being warned about what we're getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned, if they're opening or using a Twitter account, as to what's going to happen with their data? For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable; somebody could use that at some future time. You hope not, but it could happen. But what I inferred from your testimony and what we've read about your findings is that there's a lot more information being collected by Twitter beyond the basic information, and that it is going to be used by them for different purposes.
Is that a fact?

Peiter Yes. I entirely concur. I mean, when we sign up for an account, I hope that the company is being responsible and not just saying that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that that is the case. As far as the type of data, I believe Senator Grassley, you know, referred to an incident. We had a user on Twitter that was harassing some members of the executive team and some members of the board. As an example, the CEO came to me and said, Mudge, is this a real, viable threat? Do I need to be worried? Who is this person? And it took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? And then it only took that person maybe ten minutes to get back to me and say, okay, here's who they are, here's the address where they live, this is where they are physically at this moment. They are on the phone. Here's their phone number. We also know all of the other accounts they tried to set up on the system and ID, and we know who they are on the other social media platforms as well. So unbeknownst to a Twitter account user, there is accessible information beyond what you think you've disclosed that can be found.

Sen. Durbin Should there be a warning? You say at one point Twitter has about 20% of its vast trove of data registered and managed, meaning the company is incapable of securing the sensitive information it collects. Tell me, that is a pretty stark statement, and it suggests that a warning to users is that literally anything that you disclose or use the account for is traceable and could be used for bad purposes.

Peiter Yes. In this case my concern was more that Twitter didn't even know what it was collecting. And this was one of the problems, because I kept looking at why do they keep having so many security incidents, the same amount year after year. Why are the same percentages coming from the same systemic problems? Why aren't we closing on this?
What is fundamentally, under the hood, broken? Where's the systemic failure? And I learned from an internal study that engineers had done on their own, because they were not given the cover and the time and the resources to do this as part of the job, that only about 20% of the information that they were collecting did they know why they got it, why the person had given it to them, how it was supposed to be used, when it was supposed to be deleted. And the remaining, I think, 80%, I refer you to the disclosures for the specific numbers, was, hey, we know that our systems are using some of this other data, but we don't know what it is. And then a lot of the data they just recognized, we don't even know what these are: petabytes, huge amounts of data. And they did a sampling of that, and it included personally identifying information, numbers, addresses. So for me the concern there is that anybody with access inside Twitter, and half the company has access to the production environment that has this, could go rooting through and find this information and use it for their own purposes.

Sen. Durbin So if 80% of the data that is being collected is, in fact, not registered and managed, and the person with a Twitter account is vulnerable in that regard, I wouldn't exactly give a passing grade to Twitter when it comes to the security of the information that they've gathered. Now let me ask you on the other side of the ledger. Would you grade as well the government agencies that have some responsibility to make sure that the American consumer's privacy and security is protected? For example, the Federal Trade Commission, the Securities and Exchange Commission and others.

Peiter So that was something that I was, that came to mind as well. I said we'd had a 2011 consent decree.
This is over a decade, however, and we keep passing this, especially since there were at least two more times where there were violations for the exact same problem: the misuse of email data that was collected for security purposes and then turned around and used for marketing, which was a violation of the assumption of why you were providing them the data. How can we keep making the same mistakes? What is the FTC missing, or what is it that we are telling the FTC, as Twitter, that is incorrect? And I think, honestly, the FTC is a little over their head. Compared to the size of the big tech companies and the challenge they have against them, they are letting companies grade their own homework. And I think that's one of the big challenges.

Sen. Durbin I'm running out of time, and I'll just say that I think the area of great concern as well is the access of foreign governments and foreign agencies to the same data. Americans signing up for Twitter have no idea that they are at least vulnerable to that possibility, and we know that the conviction of individuals in Saudi Arabia for dealing with the Saudi government is proof positive of that possibility. Thank you very much. Senator Grassley.

Sen. Grassley I'm going to take off where the chairman just left off. The communist Chinese government bans Twitter, yet companies based in China advertise on the platform. When a user clicks on such an advertisement, they are presumably redirected to a website controlled by the Chinese government, which can collect vast amounts of data and track their location. With respect to pro-democracy Chinese citizens, is Twitter endangering their lives by allowing China to advertise on the platform?
Peiter I think that's a very valid concern, and that was a concern that was raised to me by the employees inside Twitter, who were disturbed that in a country where the service was not allowed to be used and provide a voice to the public, money was being accepted from organizations that may or may not be associated with the Chinese government. And I believe there was a Reuters article just a day or so ago saying that they did identify that governments related to China were advertising on the platform, possibly in violation of Twitter's own policies. The executive in charge of sales, very shortly after I joined, said, Mudge, this is a big internal conundrum, because we are making too much money on the sales, we are not going to stop. We need something that will make the employees more comfortable with the fact that we're doing this. Figure out how we essentially thread this needle or frame it, which made me a bit uncomfortable. And they didn't know what people they were putting at risk or what information they were even giving to the government, which made me concerned that they hadn't thought through the problem in the first place, that they're putting their users at risk for. And that was a very common problem, where I saw Twitter was a company that was managed by risk and by crises instead of one that manages risk and crises. So it was very reactive; it would react to problems too late.

Sen. Grassley I think you just answered this question, but I want to ask and see if you've said all you want to on the subject. While at Twitter you raised concerns with their policy allowing Chinese advertisements. What was Twitter's response?

Peiter In a nutshell, it was, we're already in bed, it would be problematic if we lost that revenue stream, so figure out a way to make people comfortable with it.

Sen. Grassley Okay. According to your disclosure, thousands of Twitter employees have access to Twitter user data and internal systems. That includes nearly 4,000 engineers, which is half of Twitter's workforce.
However, you stated that they don't need that kind of widespread access to perform their job duties. Based on Twitter's reported lack of data security, what kind of access would foreign agents have, and what kind of data would they be able to obtain? In your answer, please explain why this is a problem and how it could impact U.S. national security.

Peiter Yes, sir. Let me break that down into two parts of an answer. So Twitter has engineers and non-engineers. Twitter does not have, at least when I was there, which was up until January of 2022, does not have a testing environment or a development or staging environment. This is an oddity. This is an exception to the norm. Most companies will have a place where you test your software, where you build it, where you make sure it's working the way you want it to. Think about somebody building an airplane and saying, I'm going to put it in a wind tunnel, I'm going to build it in an apartment. I'm not going to put passengers on it, put it in the air and then figure out how to build or tweak the engines at that point. Twitter just has the production environment: the running systems, the live data. When you become an engineer, and half of the company are engineers, you are by default given some access to the production environment. You are doing your testing, you're doing your work on live systems and live data, irrespective of where you are in the world as an engineer. So if you were a foreign agent and you are hired and you're an engineer, you've got access to all of that data that we talked about, the 80% that Twitter doesn't know what's in, yet the engineers studied and realized contains personally identifying information and other sensitive information, where there's a lack of access controls because they have too much data and they just didn't know where everything is, so they have to give everybody access, and the systems can access the information.
But also recall that foreign agents can have multiple goals, and sometimes it's not just the engineers or the technical access that they want, but it might be information about the plans of Twitter: what plans Twitter has to potentially censor information for a government or concede to a government's request, or what plans they have for expansion in any particular environment. And in those cases, I saw with high confidence a foreign agent placed from India to understand the negotiations and how well they were going for or against India's party, which was having difficulties with Twitter in India.

Sen. Grassley In your disclosure you mention that the FBI notified Twitter that one of their employees was suspected of being a Chinese foreign asset. Were you and others at Twitter at all surprised by that?

Peiter This was made aware to me maybe a week before I was surprisingly and summarily dismissed. I had been told, because the corporate security, physical security team had been contacted and told that there was at least one agent of the MSS, which is one of China's intelligence services, on the payroll inside Twitter. While it was disturbing to hear, I and many others, recognizing the state of the environment at Twitter, were really thinking: if you are not placing foreign agents inside Twitter, since it's very difficult to detect them and it is very valuable to a foreign agent to be inside there, then as a foreign intelligence agency you are most likely not doing your job.

Sen. Grassley Thank you.

Sen. Durbin Thanks, Senator Grassley. Senator Feinstein.

Sen. Feinstein Thanks, Mr. Chairman. In August, a jury convicted a former Twitter employee of acting as an unregistered foreign agent for the Kingdom of Saudi Arabia. The individual accepted payments in exchange for accessing and conveying the private information of Twitter users to Saudi officials.
That individual is one of two former Twitter employees charged by the Department of Justice for their efforts to provide Saudi officials with the personal information of dissidents and activists critical of the Saudi regime, including sensitive data that can identify and locate these individual users. Another question. As head of security, can you describe the types of efforts you saw by foreign governments to infiltrate, control, exploit, and surveil on Twitter, and share what steps Twitter and regulators should have taken to protect against these attacks?

Peiter Yes, ma'am. One of the disturbing things that I saw, based on the 10 years behind where I would expect a modern tech company to be, was a lack of ability to internally look forward and identify inappropriate access within their own systems. Other than the person who I believe was a foreign agent placed in this position from India, it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed that they would find the person. What I did notice, when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent, was that it was extremely difficult to track the people. There was a lack of logging and of the ability to see what they were doing, what information was being accessed, or to contain their activities, let alone set steps for remediation and restitution of any damage. They certainly lacked the fundamental abilities to hunt for foreign intelligence agencies and expose them on their own.

Sen. Feinstein You said it was difficult to track. Explain exactly what you mean by that, and secondly, what could be done to curb that?

Peiter One of the most senior engineers at the company came to me not long after I was there and said, you should know that this company doesn't really have centralized logging. We don't log the activities of the systems. I was surprised by this.
Most tech companies, most companies I know of, even not in tech, have logs of what is happening in their systems, and this tells you who is doing what, where, and when it happened. Later on in my tenure I learned that there were thousands of failed attempts to access internal systems happening per week, and nobody was noticing. And when they brought this up, people said, who is it, what is it? I said, that is what we're trying to find out. This fundamental lack of logging is a remnant of being so far behind, of not being given the ability to put things in place, to modernize. I can give an example. Let's suppose you have five credit cards and you are receiving statements each month, but only two of those statements give you detailed transactions. First off, for three of those credit cards, you're not going to be able to look at the transactions. For those remaining two, you kind of wing it and say, I need all those credit cards to stay alive. That is kind of the analogy I have for the logging situation at Twitter. Trying to understand what an adversary identified inside is doing can be pretty challenging without logs.

Sen. Feinstein Have you thought about how one would design legislation which would maintain some basic, necessary rights, and yet cover this area?

Peiter Well, I've been thinking a lot about the regulators because, of course, I was very curious as to how Twitter was still operating like this when regulators were aimed at addressing a fair amount of this. I noticed a few things. One, there were a lot of evaluations and examinations which were interview questions. Essentially, the organization was allowed to grade their own homework. There wasn't a lot of ground truth. There wasn't a lot of quantified measurement. And a fair amount of the evaluation came from companies that Twitter themselves were able to hire, so I think that is maybe a conflict of interest. I also noticed that, of all of the regulators, some of the foreign regulators were much more feared than the FTC. For instance, the French version of the FTC.
Twitter was terrified of that one in comparison to the FTC. And when I looked at why, it was because there was more of a fear that it would not be a one-time fine. One-time fines did not bother Twitter at all. When I saw the fines, they were much less than we had been concerned about, and each time, in my discussions with the chief privacy officer, with privacy engineers, and with the executives, they said, okay, we will pay that and keep kicking the can down the road, and maybe we will get another one-time fine. Wall Street did not seem to care because it wasn't a long-term problem that was ongoing. What did make these companies afraid was that there was a risk of, hey, you have mishandled the same type of data repeatedly. Maybe we are not going to let you handle the data? If Twitter mishandled email addresses repeatedly, the concern was, if the FTC were to tell it that we are not allowed to monetize email addresses because of our continued inability to handle them correctly, well then we might not be on fair footing with our competitors, and that scared them and made them move. I believe something like that did happen to Facebook, which has been used as a sort of cautionary tale inside organizations. I think the regulators have tools that do work, but they are not able to see which tools in the toolbelt are the ones actually working.

Sen. Durbin Thank you, Senator Feinstein.

Sen. Lee Thank you very much, Mr. Chairman. Thanks for being here. In your disclosures, you include information that Twitter's head of privacy engineering and the chief privacy officer reported the following to the board of directors toward the end of 2021. This is a quote: "Every new employee has access to data they do not need to have access to." It also added that until Twitter could reach the point of having a system to manage and access the data, they were at risk of access or use of data.
They also reported that "our inability to delete data compounds that risk, as we retain data that we should not have, and which is therefore accessible by people who do not need to have access to this data." Tell me, what action was taken by Twitter's board of directors in response to this rather shocking information? Peiter: This is not the first time the board of directors has been made aware of that. There was no change or mandate or charge before the board of directors. Sen. Lee: What do they mean when they refer to the inability to delete data? Why is that significant? Peiter: If you don't know where your data is, as we talked about, these large amounts of data, and somebody says I've left the system, and maybe the FTC asks, have you deleted all the user data? You can't respond in the affirmative. Sen. Lee: If you deleted the account. Peiter: Correct, because you don't know where this data lives in the systems, because you don't know what data you have access to. Sen. Lee: So are you saying that Twitter is actually unable to delete data, or just unwilling? Peiter: It is unable, because they do not know where it is. They are unable to comply. Sen. Lee: OK. But this has resulted from a deliberate decision at some point to adopt protocols that don't allow them to do that, right? Peiter: To choose other priorities rather than to correctly register and track where the data lives. Sen. Lee: But it is physically possible. You could have a database in which you could track that. Peiter: Absolutely. If you knew where everything was in your database, you could delete it if you chose to make that a priority. You could absolutely go delete it, but that has not been prioritized over projects such as increasing revenue or users. Sen. Lee: Now, I'm concerned, as I assume most or all Americans would be, those who have become aware of these concerns, that Twitter has seemingly turned a blind eye, rather deliberately, to some pretty significant security risks.
Essentially, compromising their own users' personal data and exposing geolocation information both to hackers and to foreign government agents and to other people who, for whatever reason, whether for corporate espionage purposes or other commercial purposes or otherwise, might want to gain access to this information. Based on your disclosures, it seems to me that Twitter's CEO is more concerned with increasing influence and profits from foreign countries than with protecting user data from foreign spies or hackers. Now, you claim that Twitter has hired foreign government agents as sort of the cost of doing business in countries like India, Nigeria, and China. Related, Twitter has knowingly hired these government spies so it cannot risk losing access to users and markets in those countries, or, in the case of China, to not lose access to out-of-building revenues. These engineers who are suspected of being foreign agents, do they have access to all user data, or just a certain subset of user data? Peiter: To be very specific, the incident was not an engineer, and as I mentioned, I think that was put in place more to understand Twitter's intentional negotiations with the ministry of India, to have inside information. Sen. Lee: They work with other people who were, themselves, engineers? Peiter: Yes, sir, there were numerous engineers in the office. I'm sorry, I'm focused on that part of your question. Sen. Lee: Can I ask you this: is there any way to track what data they access, or the data that they share? Peiter: We found that to be very difficult. We had to set up a specific, small team individually to try to create a unique environment just to allow us to track and monitor one individual, because of the lack of general logging and access control, and that we found to be unscalable and not reproducible should there be any other people like that. There was a lack of basic, fundamental access control. Sen.
Lee: I'm almost out of time, but I need to know this: why would Twitter not create a tracker or a logging system to follow this sort of thing, to make sure it was handled correctly? Particularly given that they know that many foreign governments like India and Nigeria and China specifically want to access and use that data to find and root out and punish dissidents? Why would they want to do that? Why would they subject their own users to this kind of harm, with the great implications that it carries for those countries? Peiter: I think they would like to, but they are simply unwilling to put the effort in at the cost of other efforts such as driving revenue. I am reminded of one conversation with an executive where I said I am confident that we have a foreign agent, and the response was, well, since we already have one, what does it matter if we have more? Sen. Lee: Thank you. Sen. Durbin: Senator Klobuchar? Sen. Klobuchar: Thank you. Following up on that point, I just returned from Ukraine, seeing the extent of the damage inflicted by the Russian invasion. I was troubled to learn that Twitter's leadership recently considered agreeing to the Putin regime's request to censor and surveil Russian Twitter users. Twitter ultimately did not agree to the request, as far as I understand. What can you tell us about requests made by foreign governments and the risks that those demands pose, and why would a company like Twitter consider agreeing? Peiter: I was very surprised and shocked by that one-on-one conversation, which I had prior to his assuming the CEO role. I understand it came out of a frustration at the inability to perform, and this kind of comes into the content moderation conversation that I had with Twitter. We don't really have the ability and tools to do this correctly. This is a lot of work, it is not driving our main executive goals. Is there a way that we can simply punt? Since they have elections, doesn't that make them a democracy? Peiter: Thank you. Sen.
Klobuchar: Thank you. I am a big believer that these companies, not just Twitter, have to invest more in protecting data and protecting the public. I've heard Senator Durbin talk to you about the agencies, and you agree with me that the agencies in the U.S. are underfunded when it comes to taking on these major cases. I'm going to put the mirror back on ourselves here in Congress. Do you think it would be helpful if we had some privacy legislation in Congress? Peiter: I think one thing that would be very helpful is that the FTC and other regulators don't have laws or rules that would create whistleblower protection programs for people while they are still in these organizations. I think that is where a lot of information is, and a lot of people would share the information. When I came on board, they were excited that there was an executive that was listening and that was willing to ruffle feathers, that was willing to fight for some of these things. Sen. Klobuchar: Are you aware that Senator Grassley and I actually passed a bill to change the fees, that got through this committee unanimously, passed through the Senate, and is sitting somewhere in purgatory over in the House, that would allow us to maybe be as scary as France or some other country, and that we have been unable to get that done, this probably being the 50th hearing between Commerce and Judiciary? We have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies, when it comes to the protection of kids. And so at some point, when we talk about the agencies, we had better be putting the mirror on ourselves, because I was listening to your quote, and it is difficult to get someone to understand something when his salary depends on him not understanding it.
Could you talk about the lack of action in Congress and how that has actually created an environment where these companies feel like they can do anything, from destroying our newspapers and public good to basically not taking correct actions when it comes to hacking? Peiter: That is your world, not mine. I appreciate the effort you are doing. What I did see is that any laws or bills passed or actions in the past, if they are not able to be quantified and externally audited by an independent viewer, have given a lot of room, by what I saw inside big tech, to sort of answer in the affirmative without actually doing what the intention of the regulation was. Sen. Klobuchar: From accountability to requiring digital platforms to work with researchers, the independent experts, for addressing the serious problems found and the recommendations made, how could independent groups help? Peiter: Independent groups having independent eyes and providing ground truth on that. I think it should be clear, first off, with the engineers and the employees, much has changed. The culture, and I can speak primarily on Twitter because that is the company I have been involved with, it is a culture where they don't prioritize; they are only able to focus on one crisis at a time. And that crisis is not completed, it is simply replaced by another crisis. I think they would like to have all of these things fixed, but they are unwilling to bite the bullet and strategically say, hey, we are going to have to devote the time and money to get these basic things in place and do the legwork, rather than just react to what is coming in, what they hear from a hearing like this or from the news. Sen. Klobuchar: Last thing, you talked about how Twitter is not focused enough on removing misinformation and hate speech, particularly within a language that employees didn't even speak. Obviously you cannot check whether or not a tweet violates rules if you don't speak the language.
I've had my own experience directly with the misinformation spread about me that resulted in death threats to a number of my family. And nothing ever changed, except finally, regular media reported that it was a lie. Those are the kinds of things that happen to people in this building because of the misinformation that is rampant on social media. Could you comment about what you think they should be doing about that? Peiter: I'm very sorry to hear about that. The lack of language was stunning to me. This was a situation where I brought in a world-class leader for Twitter global support who also identified this, and they started saying we can't react to a language situation. But something was happening more and more. You can't wait until after it happens and then go, where are the native speakers? Those translators were already hired elsewhere. You have to understand, 80% of Twitter's users are outside of the United States. You can't create a healthy environment. You can't serve the public conversation if all you can do is look at it and say, I hope that the translator is doing the job for me. Sen. Klobuchar: Thank you. Sen. Durbin: Thank you, Senator Klobuchar. Senator Kennedy? Sen. Kennedy: Thank you, Mr. Chairman. Mr. Zatko, give me 30 seconds. Strike that. Senator Grassley is an active user on Twitter. I will use him as an example. Give me 30 seconds on the type of information Twitter has on Senator Grassley, or someone like him. Peiter: If there was somebody that just came to me and said, hey, we've got a problem with this user... Sen. Kennedy: Just give me 30 seconds on the type of information Twitter has on the average user. Peiter: Sure.
The phone number, the latest IP address they have connected from, is this the current email, how long have they been using that email account, what are their prior emails, former IP addresses, where do we think they live, where do we think they are connected right now, are they still connected or actively using the information, what type of device are they connected with, what type of web browser are they using, which computer, what language did they connect in? Those are some of the systems. Sen. Kennedy: Thank you for that. And I want to understand: you are telling this committee that all of the engineers and half of the employees of Twitter have access to Senator Grassley's account? Peiter: Half of the employees of Twitter are engineers. The engineers are by default given some access... Sen. Kennedy: Do they have access? Peiter: From what I saw, if they wanted to root around in the data and find it, they could find it. Sen. Kennedy: Let me understand. I'm not trying to trick you. From your testimony, I understand that half of all of the engineers and half of the employees at Twitter have access to Senator Grassley's account. Is that correct? Peiter: Based upon what I saw, technically, yes. Sen. Kennedy: And if they go into Senator Grassley's account, if an engineer does, for example, Twitter doesn't know that that engineer has done that? Is that correct? Peiter: It would be difficult to find that, correct. Sen. Kennedy: So you don't have a login and logout system. Peiter: There was not the easy ability for me to find which engineers had logged into which systems and what data they had accessed. Sen. Kennedy: OK. So this engineer who can secretly go into Senator Grassley's account and get all this information, Twitter has no idea what the hell he is going to do with that information, does it? Peiter: No. Sen. Kennedy: So that engineer, Twitter could sell it, for example, couldn't he? Peiter: I'm sorry, what? Sen. Kennedy: Could sell it.
Peiter: I've seen numerous accounts on underground forums offering such access. Whether those are valid or not, I have seen offers of access to delete accounts. Sen. Kennedy: So that engineer could just call one of his buddies and say, you don't like Senator Grassley, let me give you some information here that you may want to use against him. Could that engineer do that? Would Twitter know that the engineer had done that? Peiter: Not necessarily. Sen. Kennedy: Now, did Mr. Dorsey know all of this? Peiter: I did explain this to Mr. Dorsey. My understanding is he did not understand this prior to me cluing him in. Sen. Kennedy: Does he understand it now? Peiter: I believe... Sen. Kennedy: How about your CEO? Peiter: I believe so. He has been there for 10 years and rose up through the ranks in engineering, and he has talked with engineers and they have told... Sen. Kennedy: Is that a yes? Peiter: I believe yes. Sen. Kennedy: How about Salesforce? Does he know about this? Peiter: I do not know whether he understands. Sen. Kennedy: You've got an executive from Master... I'm going to probably mispronounce the last name. From Mastercard. Does this board member know about it? Peiter: I do not know if she knows that. Sen. Kennedy: Is this the kind of thing that a reasonable board member would inquire about? Peiter: I would think so, but I've also seen that what was presented to the board was not representative. Sen. Kennedy: Did the board ever ask? Peiter: The board did not ask these directly. Sen. Kennedy: Even after these problems with foreign agents? Peiter: Not when I was there during the meeting. Sen. Kennedy: They just sat there? Peiter: They focused on other topics. Sen. Kennedy: Dr. Lee is a professor at Stanford, does he know all of this? Peiter: Same response. I did not see questions on this specific topic. Sen. Kennedy: Someone that used to be with Google. Peiter: Same response. Actually, Patrick Pichette was the one where I brought up this instance; he hit the roof. He was very upset. Sen. Kennedy: Did he fix it? Peiter: No, he asked for follow-up information. Sen.
Kennedy: Why hasn't Twitter fixed this? Peiter: There were other priorities. Sen. Kennedy: It is about the money, isn't it? Peiter: It's about whatever crisis and the other priorities. Sen. Kennedy: The fixes would cost them money, wouldn't they? Peiter: It would take focus away from other aspects. Sen. Kennedy: It would cost money, wouldn't it? Peiter: Most likely, yes. Sen. Kennedy: Twitter for a while was going to go into the porn business. Did they do that? Peiter: I don't know that they did that. I did not know they were going to go into that business. Sen. Kennedy: Well, they were. Do you know why they decided not to? Peiter: I do know there were discussions about adult-related information, and the discussions internally I heard were simply concerns about a lack of tools to correctly regulate or constrain it. Sen. Kennedy: So it wasn't a moral issue, it was... why did they not go into the porn business? Peiter: I do not know. Sen. Kennedy: Lastly, who sets the standards for censorship at Twitter? Peiter: I believe that comes out of counsel. Sen. Kennedy: Your lawyer? Peiter: I believe so. Sen. Kennedy: Do they talk with the board about it? Peiter: I have been advised, out of an abundance of caution, that I should not comment on any Twitter counsel conversations, for whatever privilege Twitter might have asserted. Sen. Kennedy: Thank you. Sen. Durbin: Thank you, Senator Kennedy. Sen. Blumenthal: Thank you for being here, for your extraordinarily insightful and significant testimony here today, at substantial professional and personal risk, and for your cooperation with me and my staff off the record in providing details important to our understanding; the more of it made public, I think, the better. Would you agree Twitter has put its users' health and safety severely at risk? Peiter: Yes, sir. Sen. Blumenthal: And put the national security severely at risk? Peiter: Yes, sir. Sen. Blumenthal: That they have misled their own board of directors? Peiter: Yes, sir.
Sen. Blumenthal: In that event, the management ought to be certainly restructured, shifted, changed, correct? Peiter: Yes, sir. Sen. Blumenthal: That kind of structural reform is necessary to achieve changes within the company. Peiter: That is my belief. Sen. Blumenthal: You also said this company has misrepresented facts to government agencies, most especially the FTC; that is correct, isn't it? Peiter: Yes, that is correct. Sen. Blumenthal: I think you shared in your complaint that Twitter management was intending to mislead regulators as well about compliance with the consent decree, correct? Peiter: That is correct. Sen. Blumenthal: How high in the Twitter management would you say that intent to mislead, in effect to deceive government agencies, went? Peiter: To the CEO. I do not know to what level inside of the board. They did not know because of misrepresentation, or chose not to push. Sen. Blumenthal: The misleading of government agencies is one of the reasons why stronger action has not been taken? Peiter: It could very well be, sir. Sen. Blumenthal: But it also, in effect, is the result of a lack of vigorous law enforcement, whether because of inadequate resources or a failure of will. Peiter: That could be as well, sir. Sen. Blumenthal: The most recent settlement with Twitter was a payment of $150 million earlier this year. The FTC and Department of Justice stated Twitter violated the 2011 consent decree; that is no surprise, but the size of the penalty, a mere $150 million, amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan, given that its profit in the second quarter this year was about $1.18 billion, correct? Peiter: That is correct. While I was there, the concern only really was about a significantly higher amount, significantly higher, or that would have been a more institutional restructuring risk, but that amount would have been of little concern while I was there. Sen.
Blumenthal: To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming, and energizing our regulatory apparatus, not only as to Twitter but also as to other internet companies and platforms. Would you agree? Peiter: I would. The intent of the regulators is the right intent, but it is not being followed or correctly adhered to. Sen. Blumenthal: All of what you're seeing, everything in your complaint and a lot of what we have heard in this committee and other committees, leads me to think we need a new agency. As reluctant as I am to suggest a new government bureaucracy, I don't think it needs to be a government bureaucracy with a lot of new people, but it needs to be a new means of enforcement here to bring cases to the Department of Justice, focusing on privacy, security, and protecting users as well as our national security. Would you agree? Peiter: I had not considered that. I will have to think about that. That is an interesting approach. Sen. Blumenthal: I'm not reaching any conclusions, but what we are doing right now is not working. You would agree to that? Peiter: Yes. What I've seen, the tools used out of the toolbelt are not working, and I do believe other tools in the toolbelt do work, but the regulators are not able to quantify and get measurements that would show them to switch to the other tools they have. Sen. Blumenthal: What are the remedies that, for example, other countries have that enable them to better protect privacy? Peiter: Some are simply much more aggressive and do not accept answers at face value, put strict time constraints on requiring answers, require data to back up the answers, and threaten to preclude monetizing entire markets, such as maybe you will not be allowed to monetize in France, or maybe you won't be allowed to use particular data sourcing in France, and you have a week to respond, sort of approach. Sen.
Blumenthal: Let me finish on that note, to expand on this and a clear theory of the case: essentially, users and their information are Twitter's product. They are the means to monetize; the eyeballs on the site, and collecting, using, and monetizing that information, is the Twitter business. So their reckless disregard for their users' health and safety and the national security is a product of that incentive, would you agree? Peiter: Yes, sir. That is why I understand the m in mDAU to be monetizing average daily users. Sen. Durbin: Thank you. Sen. Blackburn: Thank you, Mr. Chairman, for joining us. I'm a grandmother and a mother. I want to talk with you about this process Twitter has gone through. They tried to start a new subscription-based adult entertainment section. Are you familiar with that? Peiter: No, I'm not. Sen. Blackburn: Well, they had to scrap the plans because an internal team found they had too much child and nonconsensual pornography that was on their site already. Are you aware of that? Peiter: Unfortunately, that does not surprise me. Sen. Blackburn: There's a federal court case against Twitter because the site repeatedly refused to take down tweets of children as young as 13 and 14 performing sex acts in photographs and videos. These were posted by sex traffickers who were impersonating a teenage female. So, my question is, why? For what reason would Twitter refuse to take down this sexually explicit content if it knew it was affecting underaged children? Why would they leave this up? Why would they refuse to take this down? Peiter: From what I saw, in the area of adult content, because that was brought up, their concern was certain advertisers did not want adult content to appear next to ads they were putting up, and that was a concern inside of the company, the lack of... Sen. Blackburn: They had a monetary concern but not a moral concern?
Peiter: I can't speak to the morals of the people internally, but there was a concern whether or not they could even correctly identify and get ahead of this, because they lacked the basic tools and resources in those teams, and it would have to be in reaction after things were posted. Sen. Blackburn: So what do they do to police this sexually explicit material, especially when it pertains to children? Peiter: That was not under my area, so I do not have information to talk specifically to that. Sen. Blackburn: OK. So there is not a standard operating procedure to block this, to take it down? Peiter: I believe they have, or I was told they have, some voluntary self-tagging and self-reporting of whether you are an adult content account, but I'm not aware of the other processes or procedures in the company. Sen. Blackburn: Let me ask you about the FTC. Senator Blumenthal was just asking you about that. Did you ever participate in calls or meetings with the FTC in which you heard specific misrepresentations made by Twitter? Peiter: No, ma'am. I was not in the calls. Sen. Blackburn: You had no direct knowledge? Peiter: I got direct briefings from the people who were in the calls telling me what they did. Sen. Blackburn: So it was all secondhand. Peiter: Correct, from the people involved in the calls. Sen. Blackburn: Did the FTC come to Twitter and identify specific conduct or representations that concerned them? Peiter: That would be a question you have to ask the chief privacy officer, who would have been the recipient of that outreach. Sen. Blackburn: Let me ask you about the issue of click-through ads. I know many times our adversaries will, through a company in China specifically, the CCP will be part owner of a company. So they use click-through ads to gain access to platform user data, including China, including other adversaries, and including places where Twitter is blocked, and they are finding ways to evade the tracking and to get into these networks.
In your experience, is this a typical practice that happens at the global platforms? Peiter: Click-through ads do expose a risk; non-click-through ads do not. If you can get a user to click through, you would get the information I was describing: IP address, browser; from the IP address you could determine their geolocation, or whether they were using a VPN or not, if that is allowed in your country, and you could interrogate that person's computer or get them to provide more information, maybe that they do not know they are providing directly to you, thinking it is an ad on a service. Sen. Blackburn: Could this be remedied in any way? Senator Klobuchar talked about this, the national privacy standard. If we had a national privacy standard, would that help to secure an individual's information online, and would it help in any way in policing these click-through ads? Peiter: I think addressing in general the difference of the information, or making people aware, and then providing a context around when a user knows they are providing information and what information they are providing, no longer to the service they thought they were interacting with, could definitely benefit a user. Sen. Blackburn: I want to ask you one thing about censorship. During your time at Twitter, did you participate in any conversations or meetings where content moderation decisions were made based on a poster's political views? Peiter: I never investigated or was aware of or heard of decisions on that particular topic. I was focused on the crisis and fires in the area of my domain. Sen. Durbin: Thank you, Senator Blackburn. Senator Coons? Sen. Coons: Thank you. Thank you so much for coming forward. This is yet another eye-opening moment for our public, for our nation, and for this committee.
We know that social media and new communications technologies have empowered people across the world to connect and share information at an unprecedented scale, but we also know that concentrating all of this information, all of these resources, in just a few hands comes with great risk. So your whistleblower complaint contains striking allegations which shed light on several key realities, and I wanted to focus on those. The first, as you've stated in a number of exchanges with my colleagues, is that the public lacks any credible way to assess whether and how major platforms and technology companies are protecting or prioritizing user privacy, and I want to talk for a bit about a bill that Senator Klobuchar mentioned that would help strengthen some of that transparency. The second, which I'll get to later, is that these platforms are targets for foreign actors, and we're having a dedicated hearing tomorrow afternoon. You commissioned an independent report regarding Twitter's platform integrity and their ability to combat misinformation and disinformation, and that report found, and I'm quoting, that Twitter was behind the curve on the disinformation and misinformation threat and that Twitter doesn't have the ability to measure the impact of its work to protect site integrity. But what I concluded from your testimony today is that Twitter lacks the ability to measure the effects of interventions it implemented because of decisions by management, and because of the lack of a credible regulatory oversight agency and penalty. Is that correct? Do I understand your testimony correctly? Peiter: Yes, sir. The inability internally came from 10 years of security and engineering debt that kept accruing. Sen. Coons: And your complaint also details how Twitter's executive team was concerned that the report that you'd commissioned would be damaging if it got out, and that they worked to intentionally remove or modify information that might be especially embarrassing for Twitter. Is that correct? Peiter: Yes, I found that disturbing.
The company that I hired, with the knowledge of the other executives and the head of site integrity, which did not report to me, but this independent organization was going to analyze and do a gap analysis, the company reached out to me and said, hey, Mudge, Twitter is jumping in and making us open a separate contract and telling us not to provide you the results of your own work. This does not feel right to us. What's going on? Sen. Coons: So, a lot of the information that regulators and Congress rely on when considering how to regulate social media companies comes from the companies themselves. As I think you put it before, they're essentially grading their own homework. So the conclusion that we ought to reach is that the information that we receive from some social media companies isn't trustworthy? Peiter: Yes, sir, that's what I experienced. Sen. Coons: So, I've released a bill with Senator Portman and Senator Klobuchar, and we're looking for Republican cosponsors, the Platform Accountability and Transparency Act, dealing with social media and some of these practices. It would empower researchers and mandate better disclosure to researchers. Would that help site integrity? Peiter: Yes, sir. One of the things we learned in that study is just how much of a gap there is between Twitter and Twitter's peers, and that would help to raise the level of hygiene for these organizations and their ability to perform their tasks, and the ability for us to accept what they're saying as to whether it could possibly be true or not. Sen. Coons: This also opens up enormous national security risks. As you testified earlier, roughly half of Twitter's employees had unnecessary access to vast amounts of sensitive user data.
Senator Kennedy was asking you earlier to just give us a quick sense of what information Twitter might have about Senator Grassley or about any of us on this committee, and it's deeper and broader, and I suspect if you'd gone further, it then unlocks a whole profile that can give really dramatic insight into members of law enforcement, members of the military, members of Congress, and their families, their travel, their preferences, their actions, their consumer activities. All of that has some real consequences. You wrote in your complaint that the Indian government forced Twitter to hire Indian government agents who then had direct and unsupervised access to data, and a former Twitter employee was convicted last August of working as an agent of the Saudi kingdom. How common do you think it is for foreign entities, for hostile agencies, to successfully install sympathetic actors at Twitter, and why might they do so? Peiter: Well, there are any number of reasons. You know, there are many reasons why you would do so, and in particular, to not just identify people of interest or track groups of interest, but also to maybe look at whether or not Twitter has identified your agents or your information operations. What other governments has Twitter possibly identified? And remember, outside the ability to access large amounts of the engineering side, you'd want to know what Twitter's plan is, whether they'll accede to your information requests or not, in order to apply political pressure such as strong-arming, and as we saw, that country was even threatening to put Twitter employees in jail if Twitter didn't change activities on the platforms. Sen. Coons: With 80% of Twitter users outside of the United States, and having deep access and resources to leaders, that is concerning. And tomorrow, in the subcommittee on privacy and the law, Senator Sasse and I will be holding a hearing to further understand the depth to which hostiles are going to obtain Americans' data, and to expand on that.
And I hope members of the committee will attend. I want to thank you for the testimony, and Mr. Chairman, for the chance to participate in the hearing.

We'll take a five-minute break after Senator Cotton asks his questions. Senator Cotton.

Mr. Zatko, thank you for your testimony. I want to talk about Twitter's policies. You weren't there in 2020, June 2020, as they were rioting in our streets. I put on the website that the National Guard and active military had been used in the past, 1992 in the L.A. riots. Within a couple of hours a low-level employee at Twitter's office contacted my staff that if I did not delete that tweet, I would be immediately stopped. And the low-level employee was reluctant to put anything in email, and they documented the accuracy of my comments and examples of how other elected officials have used similar language. The 30-minute window passed, and my account was not locked. Ultimately, she said that Twitter would not take any action about my account. As I said, I know it was before you began at Twitter, but from your experience, would a low-level Twitter employee typically have the authority to permanently lock the account of an elected member of Congress?

From my experience, they should not have the authorization to do it, although it would probably be a low-level employee that would be instructed to do it.

So she was likely taking direction from more senior officials at the company?

Not knowing the situation, I can't comment on the specific one, but that is the sort of activity that I would see there, and I can concur that I did notice a reluctance to put a lot of things in writing on particular topics. And I noticed that he apparently did not express those things.
Particularly with censorship. I know you weren't up there in the lead-up to the 2020 election, and once you arrived after the election, you selected an outside company to do an evaluation of Twitter's policies, and the controls are "ad hoc and informal," those are two direct quotes, and the policy decisions behind it are made mostly by a small group of Twitter staff in San Francisco, quote, "frequently during a time of crisis." Is that accurate?

I didn't hire them to do a report on censorship, but that was the platform manipulation organization, and, yes, how you cite the report is what they found on that; that is correct.

What is "frequently during a time of crisis"? What sort of crisis are they referring to?

In the report, from what I experienced, if something was brought up in the media, if a government brought it up, if somehow it became publicly aware, or if there was an ongoing outage to the system or some active disruption or crisis.

Thank you for that, because the report does go on to say, according to Twitter employees interviewed, Twitter usually censors only if it's flagged by reporters, headlines, partners, meaning to include academic organizations and other social media companies, or political officials, end quote. Does Twitter have special channels of communication with social media companies like Facebook?

If they do, I believe they would be ad hoc. I'm not aware of official ones; that would not have been within my organizations.

What about other so-called partners like pharmaceutical companies or advocacy groups?

I am not aware of those. Again, that would be out of counsel or other organizations.

So saying ad hoc, you think in these cases just an executive at a pharmaceutical company that doesn't like what is being posted on the website, or a left-wing activist or Washington think tank, would use a previous relationship to contact Twitter on an ad hoc basis?

I do not know.

How can they coordinate if they don't have some kind of channel of communication set up?
In the report that was an attachment from the organization, they talked about disinformation operations, which I do believe, my understanding was, that the site integrity team spoke with other organizations and with other social media companies about ongoing disinformation or platform manipulation. I do not know anything beyond what was in the report for that topic.

You said something earlier, and I just want to come back to it. This isn't an exact quote, but I want to give you a chance to elaborate a little bit. If you don't have a foreign intelligence officer inside of Twitter, you probably aren't doing a good job as an intelligence agency. Is that close enough?

Yeah, that's close enough, sir. I worked for the government. I held a high-level position; I worked running research and development programs for the Department of Defense and intelligence communities, and from my interactions with these people and these organizations, Twitter would be a gold mine, from my understanding from people in the community who focused on organizations and assets. If you placed somebody in Twitter, as we know has happened, it would be very difficult for Twitter to find them. They would probably be able to stay there for a long period of time and gain a significant amount of information to provide back on either targeting people or on information as to Twitter's decisions and discussions and the direction of the company.

Does that include Twitter's U.S. offices versus overseas, or is that distinction immaterial given the way that Twitter functioned?

I believe that's immaterial in both.

Thank you.

My pleasure, sir.

Thank you, Senator Cotton. We'll take a five-minute break and return to Senator Whitehouse.

[inaudible conversations]