CSPAN Twitter Whistleblower Testifies On Security Issues Part 2 September 18, 2022

Sen. Durbin resuming the hearing. Sen. Whitehouse for questions.

Sen. Whitehouse: Thank you very much. Mr. Zatko, I wanted to follow up a little bit on the repeated suggestions you have made in your testimony that the cybersecurity vulnerabilities will expose the United States to risks and to attacks and that security failures threaten the country's national security. Good with that?

Mr. Zatko: Yes, sir.

Sen. Whitehouse: I guess hidden ad buyers, we saw the same thing with Facebook when they were taking ads with payments denominated in rubles and not figuring out that might have been Russians behind those ads, and you mentioned concerns about hidden Chinese ad buyers. If we could talk a little bit more about the national security risks associated with, for instance, the unregistered Saudi foreign agent who worked at Twitter or the pressure to hire Indian government agents, walk us through a scenario of how an individual planted in Twitter like that could create a national security risk for the United States, and if you would, with particular reference to the fact that, at least when I use Twitter, I'm sending stuff out that's intended to be public. So, how in that environment can a foreign agent create a national security risk of any significant nature?

Mr. Zatko: Yes, sir. There are several aspects to that. There is the non-public information that we have spoken about earlier today. Your phone number, your email address, things that are not advertised to the world. I believe 200 million, if we want to say, regular users, not necessarily from a national security standpoint, Twitter in 2020 internally assessed that they logged information on 200 million users, email addresses, phone numbers, other information like that. This is the information that you need in order to start taking over other people's accounts. With their phone number and an email address, I can hijack your phone number, I can change your Gmail, Coinbase, Ameritrade, other accounts. I can cause financial harm that way. I can assume your identity. More importantly, I probably want to be able to understand your whereabouts, your network, and understand, I will give you an example, where foreign governments are concerned, and we could apply that to the United States, there were requests for information about members of the farmers' protest. There might be organizations or groups in the United States where once I know your home address and your home phone number, I can approach you in real life. I can put pressure on you, I can possibly recruit you. You can be an unwitting accomplice. I can influence you or target you for influence operations in the real world.

Sen. Whitehouse: Let me just offer the thought that my home address and phone number and email address are pretty widely known, and indeed, in the public domain. How does Twitter access to that information, is there more? What is the difference between being able to look me up in the phone book and having Twitter access the information?

Mr. Zatko: Having been in the public sector myself, yes, a lot of my information became known. There is also a lot of people who are in particular roles where that information is not known, and the targeting of them, perhaps staff, aides, people around you, influencing to build that network, which we have seen, not in Twitter, but which the U.S., in the intelligence community, has seen as part of the intelligence community.

Sen. Whitehouse: OK, so just lay that out for me a little bit more, given that so much of this information is available through other channels. What would the endgame be for, let's say, a foreign government trying to put pressure on somebody who could make a difference or a decision to the benefit of the foreign country?

Mr. Zatko: Identifying a relative, family member, colleague who has financial issues or has other elements that can be leveraged against them, to help them influence you in a particular fashion without your awareness.

Sen. Whitehouse: Somebody would be able to create a sort of family or personal network around an individual Twitter user and extract information about folks and then to work folks in that network?

Mr. Zatko: That is one particular aspect.

Sen. Whitehouse: How would that take place? If somebody has gotten into the Twitter system, how would they find that out?

Mr. Zatko: It might be used in combination with other data collection sources. One of the concerns about U.S. people traveling to other countries is, was their information in the OPM database, and can that information be cross-indexed across the health industry databases that have been lost? Do we know that this person has a particular political bias on Twitter, and start to tie all of these things together for people of influence or access within governments or within sensitive positions.

Sen. Whitehouse: Thanks very much. My time is up.

Sen. Durbin: Senator Graham, I'm sorry, Senator Cornyn.

Sen. Cornyn: I want to explore the kind of data on American citizens that can be used for appropriate or inappropriate services. You are familiar with the concept of ubiquitous surveillance, are you?

Mr. Zatko: I can put those together and get the general context, I believe, sir. Yes.

Sen. Cornyn: Basically all the cameras that are publicly posted, data on your smartphone. You talked about geolocation data, the type of transactions you engage in, where your home is, how much you paid for it. Even Google Earth may have taken a picture of your home or your place of business. There are already huge volumes of data available for whatever purposes, even above and beyond what social media collects, correct?

Mr. Zatko: Yes, sir, there is a lot of information about a lot of us in many different ways available through technology right now.

Sen. Cornyn: And I daresay, I bet most Americans can't fathom the volume of data, and that is without even getting to things like social media. For example, 2015 I think it was, there was a hack of the Office of Personnel Management records. I think it was 22 million records of government employees, including the applications for security clearances, was hacked reportedly by the People's Republic of China. If people decide that they want to figure out their family ancestry and use one of the DNA testing companies, my understanding is much of the testing is outsourced to places like China, where obviously it is not secure from Chinese government access. We were talking about the privacy concerns of Americans. This is not just limited to platforms like Twitter and social media, correct?

Mr. Zatko: That is correct, sir. I was informed I was in that OPM database and my security clearance information was collected as well.

Sen. Cornyn: Turning to Twitter, you have talked about the lack of what I would call protection from insider threats. In the intelligence community, if you are working in the intelligence community, they have logging protocols on who accesses what information. It can be determined if there was inappropriate access. That is the sort of protocols or mechanisms that were not available in places like Twitter when you worked there, correct?

Mr. Zatko: Yes, sir, correct.

Sen. Cornyn: And so anyone who could get access to that information could, on top of all of the information that I asked you about earlier outside of social media, if you look at the cumulative data picture, is that the kind of information that foreign governments like the People's Republic of China are regularly accessing for their purposes?

Mr. Zatko: I can't say whether they are regularly accessing. I don't have that direct information. I am aware that some people and organizations have gotten very good at cross-indexing across very large amounts of data. Twitter would be a decent contribution to that multisource collection.

Sen. Cornyn: And that is where things like artificial intelligence can come in to comb or mine vast sources of data for a more targeted or narrow purpose.

Mr. Zatko: The ability to collect and mine, yes, has been augmented by modern AI techniques.

Sen. Cornyn: So there are what I would call defensive concerns about people's or individuals' or governments' access to your personal data, but there are also offensive concerns as well, and that is where the issue of disinformation, or a term that became popularized during the 2016 election aftermath, was active measures. These are efforts by foreign governments or intelligence services to actively create a narrative or a message that is simply propaganda by this foreign government that could be used to influence American public opinion. Is that accurate?

Mr. Zatko: Yes, sir, not just American. That has happened worldwide, such as in Myanmar, in 20, Facebook acknowledging that disinformation campaigns on the platform contribute to genocide.

Sen. Cornyn: And as you pointed out earlier, when you look at the data available on each one of us as American citizens for whatever purposes, good or ill, there is also a lot of information about who we interact with. Something in the intelligence community, sometimes they talk about pattern of life. Maybe you want to talk about a network of friends and associates, family members, and the like, from which inquiring minds could obtain additional data about us.

Mr. Zatko: Yes, and to your point, information operations are a concern. Twitter acknowledges they do happen on the platform. They have disclosed numerous ones, and they are aware of others that are ongoing.

Sen. Cornyn: I am aware that TikTok, which is a Chinese company, I believe, and even Instagram, which is owned by Facebook, have 13-year-old age restrictions in their terms of use. But there is no limitation on people's ability to pretend to be an adult, pretend to be somebody they are not, and gain access to a social media account and use it for whatever purpose they wish.

Mr. Zatko: I can't speak to TikTok or Facebook. I'm not familiar with their internal technology for age-gating. I do know that was a challenge at Twitter, and the majority of age-gating was voluntary self-reporting of what your age was.

Sen. Cornyn: Finally, can you tell me, do you have recommendations based on your 30 years of experience in terms of data security on what sort of regulations or laws that Congress and the federal government should consider passing? We don't have time to talk about all of those here today, but we would certainly welcome any of your recommendations and insights. Do you think this needs to be an area where the federal government needs to be actively engaged?

Mr. Zatko: Yes, sir, I do. I would be happy to supplement my written report.

Sen. Cornyn: Thank you.

Sen. Durbin: Thank you, Senator Cornyn. Senator Hirono.

Sen. Hirono: Thank you for coming to testify, Mr. Zatko. Your testimony and all your responses to the various questions we asked you say to me that the situation regarding data security and national security issues with regards to Twitter is massive, that Twitter is not doing very much to be helpful at all. In fact, there are major disincentives to Twitter doing anything, to spending the time or the resources to address the concerns that you raise. For example, the FCC, very under-resourced with regard to trying to keep Twitter under any kind of consent decree entered into back in 2011; more recently they are contemplating making Twitter pay $150 million for some misuse of information. A $150 million fine for a multibillion-dollar company is nothing for any incentives for them to change what they are doing. And yes, there is information out there from so many different sources, including appliances, cars, and anything else. However, Twitter is a huge, if I can call it, single platform to access. Who is going to force Twitter really to do anything? If we were to adopt some of the legislation that is contemplated, if we don't have an agency that can implement and enforce that law, then we are back where we started. What is it going to take to force Twitter to change its ways?

Mr. Zatko: Well, this starts at the top at Twitter, and you need an executive team that is willing to go in and say, the executive team themselves acknowledged, and I heard them say, we have 10 years of unpaid debt here and at some point we need to get ahead of it. They need to prioritize that. The board's primary role is to make sure the right executives are in charge of the company, the CEO in particular, to make sure they are sending the company in the right direction. This needs to be a long-term incentive rather than a short-term incentive for the companies, because the short-term incentives just mean they are going to tactically run from fire to fire and not actually pay down debt for a long-lived, valuable company.

Sen. Hirono: Your discussion of Twitter is mainly focused on the short-term monetary incentives. Who is going to force them to look at the long term? Do people need to go to prison? What do we need to do to get Twitter to, what you are telling me, they cannot even identify foreign agents in their midst.

Mr. Zatko: Yes, ma'am. And you know, to be blunt, some foreign agents would be pretty difficult to identify. But some in this case are not, and to my awareness they are not even attempting to. I think holding people accountable is a good start. I think that is something that people are concerned of. But you can only hold people accountable if you can measure and quantify what their targets are and what changes need to happen. And if you say, such as what I saw, Twitter needs to have a mature software security program, that is a very ambiguous and qualitative term. Holding accountability and setting quantitative goals and standards that can be measured and audited independently, I believe, is what is going to be required to change management structures and drive change in companies when it is needed, such as this.

Sen. Hirono: So we don't even have the kinds of standards to which we can hold Twitter accountable, is that right?

Mr. Zatko: From what I saw, they were able to be answered in the affirmative without actually meaningfully meeting the intent. The intent of the regulators was correct, but then you can say, yes, I found this, hold up an isolated example, and allow somebody to assume that example was the whole environment.

Sen. Hirono: Excuse me, so do French regulators have better standards to which they hold Twitter accountable?

Mr. Zatko: My understanding is one of the reasons the French are more feared is they dig in technically and go towards more quantitative results, better, less easy for organizations to sort of wordsmith around.

Sen. Hirono: I think that is something we can learn a lesson from. Specifically, you discovered Twitter compromises user data long after the users close their accounts. In fact, they say that the account is deactivated but the data is not deleted. At the time of your departure from Twitter, is that the company's continuing general practice, that they don't really eliminate the data?

Mr. Zatko: Yes, I was told straight out by the chief privacy officer that the FTC had come and asked, does Twitter delete user information when they leave the platform. The reason this person tells me this: I need you to know this because other regulators are asking us, and this ruse is not going to hold up. Instead of answering whether we delete user data, we intentionally replied that we deactivate users and try to sidestep the problem, because we know we do not delete user data and cannot comply if they demand this.

Sen. Hirono: You would think that would be something they could do technically, to be able to delete data, because for the users, to deactivate your account means there should be nothing there of your account. Is this something technically that they could do?

Mr. Zatko: This goes to one of the fundamental problems I mentioned in my opening statement, which was they would need to know what data they have and where it is and why they got it and who it's attached to, to do that. If they do that, which should be a fundamental expectation I would have as a user, at that point they could delete the information.

Sen. Hirono: Thank you.

Senator Graham for six minutes.

Sen. Graham: Thank you for coming to the committee and giving us your insight. Something good will come from this. Do you believe that?

Mr. Zatko: I hope so. I'm resting my career and reputation; if something good comes from this five, 10 years down the road, it will have been worth it.

Sen. Graham: You are willing to take that risk?

Mr. Zatko: Yes. I have been doing this for 30 years. People who have known me in the industry know that I'm willing to put it on the line hoping that we can improve things.

Sen. Graham: I'm going to work with my Democratic colleagues to make sure this is not in vain. Do you still use Twitter?

Mr. Zatko: I still have an account on Twitter. I read it. I have not tweeted since I left.

Sen. Graham: Given what you know, would you recommend all of us continue to use Twitter? Should we take a timeout?

Mr. Zatko: I think Twitter is a hugely valuable service.

Sen. Graham: No matter what you said today, you are OK with the rest of us tweeting?

Mr. Zatko: I think people should look at the information they
