Transcripts For CSPAN Twitter Whistleblower Testifies On Sec

CSPAN Twitter Whistleblower Testifies On Security Issues Part 1 September 13, 2022

In 2006, the new social networking site made its debut and Jack Dorsey posted a message, quote, "just setting up my twitter," and allowed them to share messages, and in the coming years it was an important source of news and social discourse as it gathered millions of users. Twitter played an outsized role in politics, culture and democracy. We want to take you to coverage of the hearing.

He was terminated by Twitter. Last month, this individual made a number of alarming allegations about Twitter's security practices. Without objection, his disclosure will be entered into the record. He is more commonly known as Mudge. You are here pursuant to a subpoena, not because you were opposed to appearing before the committee, but so the public can hear the details of your disclosure. You have alleged a number of flaws and weaknesses within Twitter, flaws that may be a direct threat to Twitter's users and America's national security. The story began in 2011, when the FTC concluded that Twitter was playing fast and loose with user data and found that Twitter deceived customers and failed to safeguard their personal information. The company was ordered by the FTC to, quote, "protect the security, privacy and confidentiality and integrity of user data," but you have claimed those changes have never been made, and you have alleged that, compared to other technology companies, they remain woefully deficient, and thousands of employees have extraordinary access to sensitive information and little oversight of how that information is accessed. Some Twitter users may be asking, what's the big deal? When you sign up for Twitter you hand over email and phone information, but you expect they will take precautions to protect the personal information. It is like depositing money at the bank. The vault is wide open and contains more information about you than you can imagine.
Twitter doesn't just have access to your tweets and email address, but the data to directly access your device and pinpoint your exact location. If you are exercising your freedom at a political protest, or a woman seeking reproductive health care, if you are a Twitter user, someone else might be with you right there in your pocket or purse. Many of us are comfortable that our phones have. It's helpful, but when that data isn't secure, we are and even foreign agents. And a final point. Politicians on both sides of the aisle have criticized Twitter. Twitter should be combatting hate speech and conspiracy theories. Republicans say that they are concerned with conservative speakers, and I urge them to set these differences aside and find the common ground that we need, that will be raised by our whistleblower. And I turn to Senator Grassley.

We have learned that hunter has secured the countless other users. That whistleblower is here today, so we welcome you. Mr. Zatko comes before the committee today not only as an expert in the field of cybersecurity but also as a whistleblower. I think all of my colleagues know I have a great deal of admiration for whistleblowers, who often sacrifice their own careers as well as their own livelihoods to root out waste, fraud, and abuse. Thank you so much for being here. We have learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies. For example, indicates that India was able to place at least within Twitter. As the disclosures also note, the FBI notified Twitter of at least one Chinese agent in the country. Company, I should say. Based on the allegations, Twitter was also suffering security. Thousands of Twitter employees can access user data, data that they don't need access to in order to do their job, yet they have access, and if foreign assets work for Twitter, that means these foreign assets can also access the data.
To put a finer point on the allegations, Twitter has allegedly used the data it collects and the tools it has to geolocate individuals who made threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary can use the same technology to track pro-democracy dissidents within the country but also to spy on Americans. This has actually happened in the past. In 2019, two Twitter employees used their position to access private user data and gave it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6,000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of companies that solely focus on profit at any expense, including the safety and security of its users. It has been alleged that Twitter knowingly violated a consent decree entered into with the Federal Trade Commission in 2011. It required Twitter to address their access. However, instead of complying with the decree and fixing these security matters, it is alleged that Twitter's CEO misled the board of directors. So I'm concerned that for almost 10 years the Federal Trade Commission didn't know and didn't take strong enough action to ensure Twitter complied with the consent decree. This is a consent decree that was intended to protect Twitter users' personal information. As Congress considers federal data privacy legislation, I think it is important that we see these revelations of how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC's ability, or lack thereof, to successfully oversee these important issues. Twitter also needs to answer questions about its content moderation. It was revealed to this committee that Twitter outsources a great deal of that moderation to foreign countries. They have posted 2,000 employees from other countries whose job it is to screen tweets by Americans.
They also lack the appropriate amount of translators to ensure that tweets in other languages are complying with Twitter's own rules. Mudge had limited visibility into content moderation, so these are questions that need to be answered in full by Twitter, because we can't expect Mudge to respond to them. Unfortunately, this committee will not be able to get answers about content moderation because Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear, claiming that it would jeopardize Twitter's ongoing litigation with Mr. Musk. Many of the allegations directed at , and he should be here to address them. So let me be very clear. This committee protecting America from foreign influence is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how he can maintain this position in Twitter. I will continue to conduct a thorough investigation in that process.

You will have six minutes for an opening statement and six minutes of questioning to follow up. We start with the customary oath, and I ask that you please stand for that purpose. Please raise your right hand. Do you affirm the testimony you are about to give will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witness has answered in the affirmative. I appreciate your attendance here. I think your microphone may need.

Thank you very much, sir. Chairman Durbin, Ranking Member Grassley, members of the committee, I appear before you today to answer questions about the submission and disclosures about cybersecurity concerns in my years while working at Twitter. My name is Peiter Zatko, but I am more often referred to by my online handle. For 30 years, my mission has been to make the world better by making it more secure. From November 2020 until January 2022, I was a member of Twitter's executive team.
In my role, I was responsible for security, privacy, physical security, information technology, and Twitter global support. I am here today because Twitter's leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. And when an influential media platform can be compromised by teenagers and spies, and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, and repeatedly raised the alarm of the real risks associated with them, these were problems brought to me by the engineers in the company themselves. The executive team chose instead lawmakers and the public instead of addressing them. This leads to obvious questions. Why did they do that, and what were the problems and vulnerabilities identified? So that is what I'm here to talk about. First, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from. Unsurprisingly, they can't protect it. This leads to the second problem, which is that employees have too much access to too much data in too many systems.
You can think of it this way, which is it doesn't matter who has the keys if you don't have any locks on the doors. The vulnerability is not in the abstract. It is not far-fetched to say an employee inside the company could take over the accounts of all of the senators in this room. Given the real harm to users and to national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my disclosures out of spite or to harm Twitter. I continue to believe in the mission of the company and root for its success. But that can only happen if the privacy and security of Twitter users and the public are protected. In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the public, and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That is what I am continuing to do here today. I stand by the statements I made in my disclosures, and I am here to answer any questions you may have about them. Thank you.

Thank you, Mr. Zatko. Each member will have six minutes to ask you questions. Those of us who are not experts but who rely on the internet every day for personal and professional reasons know that many times we are given disclosures, lengthy disclosures that scroll across the screen, which are hardly ever read. They usually end up at the bottom box, and that is as far as we go with a warning about what we are getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned, if they are opening a Twitter account, as to what is going to happen with their data? For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable, that somebody could use that at some future time. I hope not, but it could happen.
What I infer from your testimony, and what we have read about your findings, is that there is a lot more information being collected by Twitter beyond that basic information that is going to be used for a handful of different purposes. Is that correct?

Yes, I entirely concur. When you sign up for an account, I hope that the company is responsible. Not to say that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that is the case. As far as the type of data, I believe Senator Grassley referred to an incident. We had a user on Twitter that was some members of the executive team and the board. This person came to me and said, this is a real, viable threat. Do I need to be worried? Who is this person? It took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? It took that person maybe 10 minutes to get back to me and say, OK, here is who they are, this is the address where they live, this is where they are physically at this moment, they are on their phone, we know their phone number and all of the other accounts they have tried to set up on the system, and we know that they are on other social media platforms as well. So, unbeknownst to a Twitter account user, there was access to information far beyond what you think you have disclosed that can be found.

Should there be a warning? You say at one point Twitter has about 20% of its data registered and managed, meaning the company is incapable of securing this sensitive information it collects. Tell me, that is a pretty stark statement that suggests a warning to users: literally anything you disclose or use the account for could be used for bad purposes.

Yes. In this case, my concern was more that Twitter didn't even know what it was collecting. This was one of the problems, because I kept looking at why do they have so many security issues? The same amount year after year.
Why are the same percentages from the same systems problems? Why are to closing on this? What is fundamentally under the hood and broken? Where is the systemic failure? It turned out that the engineers on their own, they weren't given the time and the resources to do this part of their job. That only about 20% of the information that they had, that they were collecting, did they know why they got it, how it was given to them, how it was supposed to be used, when it was supposed to be deleted. The remaining 80%, I refer you to the disclosures, was: we know that our systems are using some of this other data, but we don't know what it is. And a lot of the data, they just recognized, we don't even know what these are. A huge amount of data. And that included personally identifying information, phone numbers, addresses. So for me, the concern is anybody with access inside Twitter who has access to the production environment that has it can get that information to use for their own purposes.

So the data being managed, the one with the Twitter account is vulnerable in that regard. It wouldn't exactly get a passing grade to Twitter when it comes to the security of information. On the other side of the ledger, would you agree that there were agencies that had some responsibility to make sure that American consumers' privacy and security is protected?

So that was something that came to mind as well. This is over a decade. However we been watching this, especially since there were at least for the exact same problem collected for security purposes? How can we keep making these same mistakes? What is the FTC missing, or what is it that we are telling the FTC that is incorrect? Honestly, I think the FTC is a little in over their head. Compared to the big tech companies and the challenge they have against them, they are left letting companies grade their own homework, and I think that is one of the big challenges.

I am running out of time.
I will just say that I think that the area of great concern as well is the access of foreign governments and foreign agencies to Americans signing up for Twitter, at least vulnerable to that possibility. We know that the conviction of individuals in Saudi Arabia by the Saudi government is proof positive of that possibility. Thank you very much.

I'm picking up where the chairman just left off. The comment is the Chinese government bans Twitter. Companies based in China advertise on the platform. They have presumably been redirected to a website to go for the Chinese government to collect vast amounts of data. With respect to pro-democracy Chinese citizens, is Twitter endangering their lives by allowing China to advertise on the platform?

I think that is a very valid concern, sir. That was a concern raised to me by the employees inside Twitter, who were disturbed that, in a country where the service was not allowed to be used and provide a voice to the public, that money was being accepted from organizations that may or may not be associated with the Chinese government, and I believe there was a news article just a day or so ago saying that they did identify that there were governments related to China advertising on the platform in violation of Twitter's own policy. The executive in charge of sales, very shortly after I joined, there was this big internal conundrum. We are making too much money from these sales. We are not going to stop. We need something that will make the employees more comfortable with the fact that we are doing this. We need to figure out how to essentially thread this needle, which made me a bit uncomfortable. And they didn't know what people they were putting at risk or what information they were even giving to the government, which made me concerned that they had not thought through the problem in the first place, that they were putting their users at risk for.
And that was a very common problem, where I saw that Twitter was a company that was managed by risk and by crises instead of one that manages risk and crises. It was very reactionary. It would react too late.

I think you just answered this question, but I want to ask it and see if you have said all you wanted to on the subject. While at Twitter, you raised concerns about Chinese advertisement. What was Twitter's response?

In a nutshell, it was: we are already in bed, it would be problematic if we lost that revenue stream, so figure out a way to make people comfortable with it.

According to your disclosure, thousands of Twitter employees have access to Twitter user data and internal systems. That includes over 4,000 engineers, which is half of Twitter's wor
