
CSPAN Twitter Whistleblower Testifies On Security Issues September 13, 2022

Disclosure detailing alarming allegations about Twitter's security practices. Without objection, his disclosure will be entered into the record. The name is Peiter. Thank you for joining us. You are here to serve a subpoena, so that the public can hear the details of your disclosure. You've alleged a number of security flaws and weaknesses within, flaws that may pose a direct threat to the safety and privacy of Twitter's hundreds of millions of users as well as America's national security. This actually began in 2011 when the FTC, the Federal Trade Commission, first concluded that Twitter was playing fast and loose with user data. They found that Twitter had deceived customers and put their privacy at risk by failing to safeguard their personal information. The company was ordered by the FTC to protect the security, privacy, confidentiality and integrity of user data. But you have claimed those changes have never been made. And more broadly, you have alleged that compared to other companies, Twitter's security standards are woefully deficient. You've alleged that thousands of employees within the company have extraordinary access to sensitive information about Twitter users and that there is no oversight of how that information is accessed. Some users may be asking, what is the big deal? When you signed up for Twitter, you knowingly handed over your email, phone number, and other information. But you expect these companies to take precautions to protect the personal information you give them. It is like putting money in the bank. They take it behind the counter and put it in a vault. At Twitter, according to our witness today, the door to that vault is wide open, and that vault contains a lot more information about you than you can imagine. Twitter doesn't just have access to your tweets and email address. It also has access to all of the data necessary to directly access your device, and even pinpoint your exact location.
Say you are an American citizen, exercising your First Amendment freedom at a political protest. Or maybe you are a woman seeking reproductive health care. If you are a Twitter user, it may not just be you at the protest or health care facility. Unbeknownst to you, someone else might be right there with you, in your pocket or purse. Of course, many of us are comfortable with our phones having location data. It is helpful. But when that data isn't secure, we become vulnerable to bad actors, scammers, stalkers, even foreign agents. Earlier this year, a Saudi national who worked for Twitter was convicted by a federal jury for stealing the personal data of dissidents who criticized the regime and handing the data over to the Saudi government. This is a matter of life and death, as we know, for these dissidents, as the butchering of Jamal Khashoggi made clear. There's also the matter of Twitter's reach. It is one of the largest megaphones that world leaders have ever had at their disposal. We've already seen what can happen when small-time actors break into a Twitter account belonging to government officials, but what if next time it isn't two teenagers trying to pull a scam? Imagine if it is a malicious hacker or a hostile foreign government breaking into the president's Twitter account and sending out false information, claiming there was a terrorist attack in one of our cities. The bottom line is this: Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities. Today, we have a chance to engage in good faith, bipartisan discussion to ask what needs to be done. Politicians on both sides of the aisle have criticized Twitter. I, for one, believe that Twitter should be doing far more to combat hate speech and conspiracy theories. I would urge my colleagues to set some of these borders and differences aside and try to find the common ground we need to establish security standards. With that, I turn to Ranking Member Senator Grassley.
Thank you, a very important issue that you have brought before this committee, and I thank you for doing it. I, for one, want people to know that I love using Twitter. But we also know that Big Tech companies such as Twitter collect vast amounts of data on Americans. In the hands of foreign adversaries, this data is a gold mine of information that could be used against America's interests. Twitter has a responsibility to ensure that the data is protected and doesn't fall into the hands of foreign powers. Americans like me expect that Twitter will protect that information. Thanks to a whistleblower who came forward, we've learned that Twitter has not secured the data of tens of millions of Americans, or countless other users. That whistleblower is here today. So we welcome you. He comes before the committee today not only as an expert in the field of cybersecurity, but also as a whistleblower. I think all of my colleagues know that I have a great deal of admiration for whistleblowers. I've always said that whistleblowers are patriotic individuals who often sacrifice their own career as well as their livelihood to root out fraud and abuse. Thank you very much for being here. Because of these disclosures, we've learned that data from Twitter users was potentially exposed to foreign intelligence agencies. For example, his disclosure indicates that India was able to place at least two suspected foreign assets within Twitter. The disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company. Based on the allegations, Twitter also suffers from a lack of data security. Due to that failure, thousands of Twitter employees can access user data, data that they don't need access to in order to do their job, yet they have access. And the foreign assets work for Twitter. That means these foreign assets can also access the data.
To put a finer point on the allegations, Twitter has allegedly used the data it collects and the tools it has to locate individuals who made threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to cut down pro-democracy dissidents within their country, but also to spy on Americans. This has actually happened in the past. In 2019, two Twitter employees were indicted by the FBI. They used their position at Twitter to access private user data and then gave it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6,000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of a company that is solely focused on profit at any expense, including at the expense of the safety and security of its users. Additionally, it has been alleged that Twitter knowingly violated a consent agreement, a decree that it entered into with the Federal Trade Commission in 2011. That consent decree required Twitter to address their access failures. However, instead of complying and fixing these very serious security matters, it instead misled Twitter's board of directors. So I'm concerned that for all those years, the Federal Trade Commission didn't know or didn't take strong enough action to ensure Twitter complied with the consent decree. This is a consent decree that was intended to protect Twitter users' personal information. As Congress considers federal data privacy legislation, I think it is important that we see these revelations of how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC's ability, or lack thereof, to successfully oversee these important issues. Twitter also needs to answer questions about its content moderation. It was revealed to this committee that Twitter outsources a great deal of that moderation to foreign countries.
They have posted 2,000 employees from other countries whose job it is to screen tweets by Americans. They also lack the appropriate number of translators to ensure that tweets in other languages are complying with Twitter's own rules. Musk had limited visibility into content moderation, so these are questions that need to be answered in full by Twitter, because we can't expect Musk to respond to them. Unfortunately, this committee will not be able to get answers about content moderation because Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear, claiming that it would jeopardize Twitter's ongoing litigation with Mr. Musk. Many of the allegations directed at , and he should be here to address them. So let me be very clear. This committee protecting America from foreign influence is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how he can maintain his position in Twitter. I will continue to conduct a thorough investigation in that process.

You will have six minutes for an opening statement and six minutes of questioning to follow up. We start with the customary oath, and I ask that you please stand for that purpose. Please raise your right hand. Do you affirm the testimony you are about to give will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witness has answered in the affirmative. I appreciate your attendance here. I think your microphone may need

Thank you very much, sir. Chairman Durbin, Ranking Member Grassley, members of the committee, I appear before you today to answer questions about the submission and disclosures about cybersecurity concerns in my years while working at Twitter. My name is Peiter Zatko, but I am more often referred to by my online handle. For 30 years, my mission has been to make the world better by making it more secure.
From November 2020 until January 2022, I was a member of Twitter's executive team. In my role, I was responsible for security, privacy, physical security, information technology, and Twitter global support. I am here today because Twitter's leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. And when an influential media platform can be compromised by teenagers and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, and repeated the alarm of the real risks associated with them, these were problems brought to me by the engineers and the company themselves. The executive team chose instead to mislead lawmakers and the public instead of addressing them. This leads to obvious questions. Why did they do that, and what were the problems and vulnerabilities identified? So that is what I'm here to talk about. First, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from. Unsurprisingly, they can't protect it.
This leads to the second problem, which is that employees have to have too much access to too much data on too many systems. You can think of it this way: it doesn't matter who has the keys if you don't have any locks on the doors. The vulnerability is not in the abstract. It is not far-fetched to say an employee inside the company could take over the accounts of all of the senators in this room. Given the real harm to users and to national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my disclosures out of spite or to harm Twitter. I continue to believe in the mission of the company and root for its success. But that can only happen if the privacy and security of Twitter users and the public are protected. In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the public, and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That is what I am continuing to do here today. I stand by the statements I made in my disclosures, and I am here to answer any questions you may have about them. Thank you.

Thank you, Mr. Zatko. Each member will have six minutes to ask you questions. Those of us who are not experts but who rely on the internet every day for personal and professional reasons know that many times we are given disclosures, lengthy disclosures that scroll across the screen, which are hardly ever read. They usually end up at the bottom box, and that is as far as we go with a warning about what we are getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned, if they are opening a Twitter account, as to what is going to happen with their data?
For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable, somebody could use that at some future time. I hope not, but it could happen. What I infer from your testimony and what we have read about your findings is that there is a lot more information being collected by Twitter beyond that basic information that is going to be used for a handful of different purposes. Is that correct?

Yes, I entirely concur. When you sign up for an account, I hope that the company is responsible. Not to say that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that is the case. As far as the type of data, I believe Senator Grassley referred to an incident. We had a user on Twitter that was threatening some members of the executive team and the board. This person came to me and said, this is a real, viable threat. Do I need to be worried? Who is this person? It took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? It took that person maybe 10 minutes to get back to me and say, OK, here is who they are, this is the address where they live, this is where they are physically at this moment, they are on their phone, we know their phone number and all of the other accounts they have tried to set up on the system, and we know that they are on other social media platforms as well. So unbeknownst to a Twitter account user, there was access to information far beyond what you think you have disclosed that can be found.

Should there be a warning? You say at one point Twitter has about 20 percent of its data registered and managed, meaning the company is incapable of securing this sensitive information it collects. Tell me, that is a pretty stark statement that suggests a warning to users: literally anything you disclose or use the account for could be used for bad purposes.

Yes.
In this case, my concern was more that Twitter didn't even know what it was collecting. This was one of the problems, because I kept looking at why do they have so many security issues? The same amount year after year. Why are the same percentages from the same systems problems? Why aren't they closing on this? What is fundamentally under the hood and broken? Where is the systemic failure? It turned out that the engineers on their own, they weren't given the time and the resources to do this part of their job. That only about 20 percent of the information that they had, that they were collecting, did they know why they got it, how it was given to them, how it was supposed to be used, when it was supposed to be deleted. The remaining 80 percent, I refer you to the disclosures, was we know that our systems are using some of this other data, but we don't know what it is. And a lot of the data, they just recognized we don't even know what these are. A huge amount of data. And that included personally identifying information, phone numbers, addresses. So for me, the concern is anybody with access inside Twitter who has access to the production environment that has it can get that information to use for their own purposes.

So the data being managed, the one with the Twitter account is vulnerable in that regard. Twitter wouldn't exactly get a passing grade when it comes to the security of information. On the other side of the ledger, would you agree that there are agencies that had some responsibility to make sure that American consumers' privacy and security is protected?

So that was something that came to mind as well. This is over a decade. However we have been watching this, especially since there were at least for the exact same problem collected for security purposes? How can we keep making these same mistakes? What is the FCC missing, or what is it that we are telling the FTC that is incorrect? Honestly, I think the FTC is a little in over their head.
Compared to the Big Tech companies and the challenge they have against them, they are left letting companies grade their own homework, and I think that is one of the big challenges.

I am running out of time. I will just say that I think that the area of great concern as well is the access of foreign governments and foreign agencies to Americans signing up for Twitter, or at least vulnerable to that possibility. We know that the conviction of individuals in Saudi Arabia by the Saudi government i