
CSPAN2 Twitter Whistleblower Testifies On Security Issues Part 1 September 14, 2022

[inaudible conversations] This meeting of the Senate Judiciary Committee will come to order. In 2006, a new social networking platform marked its debut when Jack Dorsey posted a message that he was "just setting up my Twitter." At the time Dorsey's startup, which allowed users to share short messages, was a novelty, but in the coming years it would become increasingly a source of news and social discourse as it gathered millions of users around the world. Twitter now plays an outsized role in politics, culture and even democracy itself. As Twitter has grown, so has the risk posed by bad actors looking to exploit its opportunities and the data it holds. In July 2020, two teenagers hacked into the accounts of Twitter employees, gaining access to a number of high-profile accounts, including those of now-President Biden and former President Obama. Those two teenagers then sent a series of tweets and scammed Twitter users out of more than $100,000 in cryptocurrency. In response, then-CEO of Twitter Dorsey turned to a trusted name in the world of cybersecurity to lead an overhaul of Twitter's security practices. For more than a year that's what this individual tried to do, until he was terminated by Twitter and its new CEO this past January. Last month this individual released a whistleblower disclosure detailing a number of alarming allegations about Twitter's security practices. Without objection, his disclosure will be entered into the record. That whistleblower's name is Peter Zatko or, as he is more commonly known, Mudge. Thank you for joining us. You are here pursuant to a subpoena, not because you were opposed to appearing before the committee, but so the public can hear the details of your disclosure. You have alleged a number of security flaws and weaknesses within Twitter, flaws that may pose a direct threat to the safety and privacy of Twitter's hundreds of millions of users as well as America's national security.
The story began in 2011, when the Federal Trade Commission first concluded that Twitter was playing fast and loose with user data. They found Twitter had, quote, "deceived customers and put their privacy at risk by failing to safeguard their personal information." The company was ordered by the FTC to, quote, "protect the security, privacy, confidentiality and integrity of user data." You have claimed those changes have never been made, and more broadly you allege that, compared to other technology companies, Twitter's security standards remain woefully deficient. You allege thousands of employees within the company have extraordinary access to sensitive information of Twitter's users, and there is little oversight over how that information is accessed. Some Twitter users may be asking, what is the big deal? When you sign up for Twitter you knowingly hand over your email, phone number and other information. That's how it is with most social media companies, but you expect these companies will take precautions to protect the personal information you give them. It's like depositing money at the bank. When you hand your money to the teller, they take it behind the counter and put it in a vault. But at Twitter, according to our witness today, the door to the vault is wide open, and it contains a lot more information about you than you can imagine. Twitter doesn't just have access to your tweets and email address; they have access to all the data necessary to directly access your device and even pinpoint your exact location. Say you are an American citizen exercising First Amendment freedoms at a political protest, or maybe you are a woman seeking reproductive health care. If you're a Twitter user, unbeknownst to you, someone else may be right there with you, in your pocket or purse. Many of us are comfortable with programs having location data; it is helpful. But when the data isn't secure, we become vulnerable to bad actors, scammers, stalkers, even foreign agents.
To give an example, earlier this year a Saudi national who worked for Twitter was convicted by a federal jury of stealing the personal data of dissidents who criticized the Saudi regime and handing the data to the Saudi government. This is a matter of life and death for these dissidents, as the butchery of Jamal Khashoggi made clear. And there is the matter of Twitter's reach, one of the largest megaphones world leaders have ever had at their disposal. We have seen what can happen with small-time actors breaking into Twitter accounts belonging to government officials, but what if next time it isn't two teenagers trying to pull a crypto scam? Imagine if it is a malicious hacker or hostile foreign government breaking into the President's Twitter account and sending out false information claiming there was a terrorist attack. We could see widespread panic. The bottom line: we cannot afford gaping security vulnerabilities. We have a chance to engage in good-faith bipartisan discussion to ask what needs to be done. A final point. Politicians on both sides of the aisle have criticized Twitter. I for one believe Twitter should be doing far more to combat the proliferation of hate speech. Republicans, on the other hand, claim Twitter censors conservative speakers. I urge my colleagues to set these differences aside and try to find the common ground we need to establish the security standards that will be raised by our whistleblower. With that, I turn to Ranking Member Senator Grassley.

Thank you. A very important issue you have brought before this committee, and I thank you for doing it. I for one want people to know that I love using Twitter. But we also know the big tech companies such as Twitter collect vast amounts of data on Americans. In the hands of foreign adversaries, this data is a gold mine of information that could be used against America's interests. Twitter has a responsibility to ensure that the data is protected and doesn't fall into the hands of foreign powers.
Americans rightly expect that Twitter will protect that information. Thanks to a whistleblower who came forward, we've learned that Twitter hasn't secured the data of tens of millions of Americans and countless other users. That whistleblower is here today, so we welcome you, Mudge. He comes before the committee not only as an expert in the field of cybersecurity but also as a whistleblower. I think all of my colleagues know that I have a great deal of admiration for whistleblowers. I have always said whistleblowers are patriotic individuals who often sacrifice their careers as well as their livelihoods to root out waste, fraud and abuse. Thank you for being here. Because of Mudge's disclosures we've learned personal data from Twitter users was potentially exposed to foreign intelligence agencies. His disclosure indicates that India was able to place at least two suspected foreign assets within Twitter. The disclosures also note the FBI notified Twitter of at least one Chinese agent in the country. Company, I should say. Based on the allegations, Twitter also suffers from a lack of data security. Due to that failure, thousands of Twitter employees can access user data, data that they don't need access to in order to do their jobs. Yet they have access, and if foreign assets work for Twitter, that means foreign assets can also access the data. To put a finer point on the allegations, Twitter has allegedly used data it collects and tools it has to geolocate individuals who make threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to track down pro-democracy dissidents within their country, but also to spy on Americans. This has happened in the past. In 2019, two Twitter employees were indicted by the FBI; they used their positions at Twitter to access private user data and then gave it to Saudi Arabia.
These foreign agents were able to access and provide personal information on 6,000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of a company solely focused on profit at any expense, including at the expense of the safety and security of its users. Additionally, it has been alleged Twitter knowingly violated the consent decree it entered with the Federal Trade Commission in 2011. It required Twitter to address their control failures, but instead of complying with the consent decree, it is alleged Twitter executives intentionally misled Twitter's board of directors. After 10 years, the Federal Trade Commission didn't take strong enough action to ensure Twitter complied with the consent decree. This is a consent decree that is intended to protect Twitter users' personal information. Any privacy legislation should draw on these revelations about how Twitter views its obligations to federal regulators. Congress should also be mindful of the FTC's ability, and lack thereof, to successfully oversee these important issues. Twitter needs to answer questions about moderation. Twitter outsources a great deal of content moderation to foreign countries, close to 2,000 employees in other countries whose job is to screen tweets by Americans, and an appropriate amount of translators to ensure the tweets in other languages are complying with Twitter's terms and rules. Mudge had limited visibility into content moderation, so these are questions that need to be answered in full by Twitter, because we can't expect Mudge to respond to them. Unfortunately, this committee will not get answers about content moderation because Twitter's CEO refused to appear today. He rejected the committee's invitation to appear by claiming it would jeopardize Twitter's ongoing litigation with Mr. Musk. The allegations directly implicate him, so he should be here.
The business of this committee, protecting Americans from foreign influence, is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how he can maintain his position at Twitter. Looking forward, Chairman Durbin and I will conduct a thorough and in-depth investigation; this hearing is part of that process. Thank you.

Mr. Zatko, you have six minutes for an opening statement, and each member will be given six minutes of questioning to follow up. We start with the customary oath, and I ask you to stand for that purpose. Please raise your right hand. Do you affirm that the testimony you are about to give this committee is the truth, the whole truth and nothing but the truth, so help you God? Let the record reflect the witness has answered in the affirmative. I appreciate your attendance, and the floor is yours. I think your microphone may need...

Thank you very much. Ranking Member Grassley, members of the committee, I appear before you today to answer questions about information I submitted in written disclosures about cybersecurity concerns while working at Twitter. My name is Peter Zatko, but I am more often referred to by my online handle, Mudge. For 30 years, my mission has been to make the world better by making it more secure. From November 2020 until January 2022 I was a member of Twitter's executive team. In my role I was responsible for information security, privacy engineering, physical security, information technology and Twitter global support. I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people.
And when an influential media platform can be compromised by teenagers and spies, and the company repeatedly creates security problems on its own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, and repeatedly sounded the alarm about the real risks associated with them (these were problems brought to me by the engineers and employees of the company themselves), the executive team chose instead to mislead its board, shareholders, lawmakers and the public rather than addressing them. This leads to two obvious questions. Why did they do that, and what were the problems and vulnerabilities identified? And that's what I'm here to talk about. So first, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key parts of leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from, and so, unsurprisingly, they can't protect it. And this leads to the second problem, which is that the employees within have too much access to too much data and to too many systems. You can think of it this way: it doesn't matter who has the keys if you don't have any locks on the doors. And this kind of vulnerability is not in the abstract. It's not far-fetched to say that an employee inside the company could take over the accounts of all of the senators in this room.
Given the real harm to users and national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my whistleblower disclosures out of spite or to harm Twitter. Far from it. I continue to believe in the mission of the company and root for its success. But that success can only happen if the privacy and security of Twitter's users and the public are protected. In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the greater public and myself that I would drive the changes needed at Twitter to protect the users, the platform and democracy. That's what I'm continuing to do here today. I stand by the statements I made in my lawful disclosures, and I'm here to answer any questions you may have about them. Thank you.

Thank you, Mr. Zatko. I will start the questioning. As I said, each member gets six minutes to ask you questions. Those of us who are not experts but rely on the internet every day for personal and professional reasons know that many times we are given disclosures, lengthy disclosures that scroll across the screen, which I hardly ever read, by my estimation, and usually end up with a box at the bottom that says "approved," and that is as far as we go in warning about what we're getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned, if they're opening or using a Twitter account, as to what's going to happen with their data? For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable; somebody could use that at some future time. You hope not, but it could happen. But what I inferred from your testimony, and what we've read about your findings, is there's a lot more information being collected by Twitter beyond the basic information that is going to be used by them for different purposes.
Is that a fact?

Yes, I entirely concur. I mean, when we sign up for an account, I hope that the company is being responsible and not just saying that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that that is the case. As far as the type of data, I believe Senator Grassley, you know, referred to an incident. We had a user on Twitter that was harassing some members of the executive team and some members of the board. As an example of this, the CEO came to me and said, "Mudge, is this a real viable threat? Do I need to be worried? Who is this person?" And it took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? And then it only took that person maybe ten minutes to get back to me and say, okay, here's who they are, here's their address, this is where they are physically at this moment, they are on their phone, here's their phone number. We also know all of the other accounts they tried to set up on the system and their ID, and we know who they are on the other social media platforms as well.

So unbeknownst to a Twitter account user, there is information accessible beyond what you think you've disclosed that can be found. Should there be a warning? You say at one point Twitter has about 20% of its vast trove of data registered and managed, meaning the company is incapable of securing the sensitive information it collects. Tell me, that is a pretty stark statement, and it suggests that a warning to users is that literally anything that you disclose or use the account for is traceable and could be used for bad purposes.

Yes. In this case my concern was more that Twitter didn't even know what it was collecting. And this was one of the problems, because I kept looking at why do they keep having so many security incidents, the same amount each year after year. Why are the same percentages from the same systemic problems? Why aren't we closing on this?
What is fundamentally broken under the hood? Where's the systemic failure? And it turned out from an internal study that they didn't know, because they were not given the cover and the time and the resources to do this as part of the job, that only about 20% of the information that they were collecting did they know why they got it, why the person had given it to them, how it was supposed to be used, when it was supposed to be s
