[inaudible conversations] [background noises]

This meeting will come to order. In 2006, the social networking platform Twitter made its debut when Jack Dorsey posted a message that he was, quote, "just setting up my twitter." Twitter now plays an outsized role in politics, culture, and even democracy itself. As Twitter has grown, so has the risk posed by bad actors looking to exploit its opportunities and the data it holds. In July 2020, two teenagers hacked into the accounts of Twitter employees, gaining access to a number of high-profile accounts, including those of now-President Biden and former President Obama. Those two teens sent a series of tweets from the accounts and scammed Twitter users out of $100,000 in bitcoin. In response, then-CEO of Twitter Dorsey turned to a trusted name in the world of cybersecurity to lead an overhaul of Twitter's security practices. For more than a year, that is what this individual tried to do, until he was terminated by Twitter's new CEO last January. Last month, this individual released a whistleblower disclosure detailing a number of alarming allegations about Twitter's security practices. Without objection, his disclosure will be entered into the record. The whistleblower's name is Peiter Zatko, or, as he is more commonly known, Mudge. Thank you for joining us. You are here pursuant to a subpoena, and you are appearing before the committee so the public can hear the details of your disclosure. He has alleged a number of security flaws and weaknesses within Twitter, flaws that may pose a direct threat to the safety and privacy of Twitter's hundreds of millions of users as well as America's national security.
The story began in 2011, when the Federal Trade Commission first concluded that Twitter was playing fast and loose with user data and found that Twitter had deceived customers and put their privacy at risk by failing to safeguard personal information. The company was ordered by the FTC to, quote, "protect the security, privacy, confidentiality, and integrity of user data," but you claim the changes have never been made. More broadly, you allege that, compared to other companies, Twitter's standards remain woefully deficient. You allege that thousands of employees within the company have extraordinary access to sensitive information of Twitter's users, and that there is little oversight over how that information is accessed. Twitter users tuning in this morning may be asking, what's the big deal? When you sign up for Twitter, you hand over your email, phone number, and other information, and that is how it is with most social media companies, but you expect these companies will take precautions to protect the personal information you give them. It is like depositing money at a bank: when you hand over your money, they take it and put it in a vault. But at Twitter, according to our witness today, the vault is wide open, and it contains a lot more information about you than you can imagine. Twitter doesn't just have access to your tweets and email address; they have access to all the data necessary to directly access your device and pinpoint your exact location. Say you are an American citizen exercising your freedom in a political protest, or maybe a woman seeking reproductive care. If you are a Twitter user, it may not just be you at the healthcare facility; unbeknownst to you, someone else may be with you, in your pocket or purse. Many of us are comfortable with programs that use location data; it is helpful when the data is secure. When it is not, we become vulnerable, even to foreign agents.
To give an example: earlier this year, a former Twitter employee was convicted by a federal jury of passing personal user data to the Saudi government, a matter of life and death, as we know the butchering of Jamal Khashoggi made clear. As a matter of Twitter's reach, world leaders have it at their disposal. We have seen what can happen with hackers breaking into Twitter accounts belonging to government officials, but what if next time it isn't two teens trying to pull a crypto scam? Imagine a malicious hacker or hostile foreign government breaking into the President's Twitter account, or sending out false information claiming a terrorist attack. We could see widespread panic. The bottom line is that Twitter is a powerful platform with gaping security vulnerabilities. We have a chance to engage in good-faith, bipartisan discussion and ask what needs to be done. Finally, politicians on both sides have criticized Twitter. I believe Twitter should be doing far more to combat hate speech and conspiracy theories. [inaudible] I would urge my colleagues to set some of these disputes and differences aside and try to find common ground. We need to establish security standards in response to what will be raised today by a whistleblower. I now turn to the Ranking Member, Senator Grassley.

Thank you. This is a very important issue brought before the committee, and thank you for doing it. I, for one, want people to know I love using Twitter, but we know big tech companies such as Twitter collect vast amounts of data on Americans. In the hands of foreign adversaries, that data is a gold mine of information that could be used against America's interests. Twitter has a responsibility to ensure the data is protected and kept out of the hands of foreign powers. Americans like me expect that Twitter will protect that information. Thanks to a whistleblower who came forward, we've learned that Twitter has not secured the data of tens of millions of Americans or countless other users. That whistleblower is here today, so we welcome you.
He comes before the committee today not only as an expert in the field of cybersecurity, but also as a whistleblower. I think all of my colleagues know that I have a great deal of admiration for whistleblowers. I've always said that whistleblowers are patriotic individuals who often sacrifice their own careers as well as their livelihoods to root out fraud and abuse. Thank you very much for being here. Because of these disclosures, we've learned that data from Twitter users was potentially exposed to foreign intelligence agencies. For example, his disclosure indicates that India was able to place at least two suspected foreign assets within Twitter. The disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company. Based on the allegations, Twitter also suffers from a lack of data security. Due to that failure, thousands of Twitter employees can access user data, data that they don't need access to in order to do their jobs, yet they have access. And the foreign assets work for Twitter. That means these foreign assets can also access the data. To put a finer point on the allegations, Twitter has allegedly used the data it collects and the tools it has to locate individuals who made threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to cut down pro-democracy dissidents within their country, but also to spy on Americans. This has actually happened in the past. In 2019, two Twitter employees were indicted by the FBI. They used their positions at Twitter to access private user data and then gave it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6,000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of a company that is solely focused on profit at any expense, including at the expense of the safety and security of its users.
Additionally, it has been alleged that Twitter knowingly violated a consent decree that it entered into with the Federal Trade Commission in 2011. That consent decree required Twitter to address its access failures. However, instead of complying and fixing these very serious security matters, it misled Twitter's board of directors. So I am concerned that, for all those years, the Federal Trade Commission didn't know, or didn't take strong enough action, to ensure Twitter complied with the consent decree. This is a consent decree that was intended to protect Twitter users' personal information. As Congress considers federal data privacy legislation, I think it is important that we see these revelations of how Twitter views its obligations to federal regulators. Congress should also be mindful of the FTC's ability, or lack thereof, to successfully oversee these important issues. Twitter also needs to answer questions about its content moderation. It was revealed to this committee that Twitter outsources a great deal of that moderation to foreign countries. They have 2,000 employees in other countries whose job it is to screen tweets by Americans. They also lack the appropriate number of translators to ensure that tweets in other languages comply with Twitter's own rules. Mudge had limited visibility into content moderation, so these are questions that need to be answered in full by Twitter, because we can't expect Mudge to respond to them. Unfortunately, this committee will not be able to get answers about content moderation, because Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear, claiming that it would jeopardize Twitter's ongoing litigation with Mr. Musk. Many of the allegations are directed at him, and he should be here to address them. So let me be very clear: to this committee, protecting America from foreign influence is more important than Twitter's civil litigation in Delaware.
In conclusion, if these allegations are true, I don't see how he can maintain his position at Twitter. I will continue to conduct a thorough investigation into that process.

You will have six minutes for an opening statement, and six minutes of questioning will follow. We start with the customary oath, and I ask that you please stand for that purpose. Please raise your right hand. Do you affirm that the testimony you are about to give will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witness has answered in the affirmative. I appreciate your attendance here. I think your microphone may need [inaudible].

Thank you very much, sir. Chairman Durbin, Ranking Member Grassley, members of the committee, I appear before you today to answer questions about the submission and disclosures about cybersecurity concerns from my years working at Twitter. My name is Peiter Zatko, but I am more often referred to by my online handle. For 30 years, my mission has been to make the world better by making it more secure. From November 2020 until January 2022, I was a member of Twitter's executive team. In my role, I was responsible for security, privacy, physical security, information technology, and Twitter global support. I am here today because Twitter's leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. And when an influential media platform can be compromised by teenagers and spies, and the company repeatedly creates security problems on its own, this is a big deal for all of us.
When I brought concrete evidence of these fundamental problems to the executive team and repeatedly sounded the alarm about the real risks associated with them, and these were problems brought to me by the engineers of the company themselves, the executive team chose to mislead lawmakers and the public instead of addressing them. This leads to obvious questions: why did they do that, and what were the problems and vulnerabilities identified? That is what I'm here to talk about. First, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key leadership lacked the competency to understand the scope of the problem, but, more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from. Unsurprisingly, they can't protect it. This leads to the second problem, which is that employees have too much access to too much data and too many systems. You can think of it this way: it doesn't matter who has the keys if you don't have any locks on the doors. The vulnerability is not in the abstract. It is not far-fetched to say an employee inside the company could take over the accounts of all of the senators in this room. Given the real harm to users and to national security, I determined it was necessary to take on the personal and professional risk, to myself and to my family, of becoming a whistleblower. I did not make my disclosures out of spite or to harm Twitter. I continue to believe in the mission of the company and root for its success. But that can only happen if the privacy and security of Twitter's users and the public are protected.
In accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the public, and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That is what I am continuing to do here today. I stand by the statements I made in my disclosures, and I am here to answer any questions you may have about them. Thank you.

Thank you, Mr. Zatko. Each member will have six minutes to ask you questions. Those of us who are not experts but who rely on the internet every day for personal and professional reasons know that many times we are given disclosures, lengthy disclosures that scroll across the screen, which are hardly ever read. We usually end up at the box at the bottom, and that is as far as we go with the warning about what we are getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned, if they are opening a Twitter account, as to what is going to happen with their data? For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable; somebody could use that at some future time. I hope not, but it could happen. What I infer from your testimony and what we have read about your findings is that there is a lot more information being collected by Twitter beyond that basic information, and that it is going to be used for a handful of different purposes. Is that correct?

Yes, I entirely concur. When you sign up for an account, I would hope that the company is responsible, not just that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that that is the case. As far as the type of data, I believe Senator Grassley referred to an incident. We had a user on Twitter who was threatening some members of the executive team and the board. They came to me and said, this is a real, viable threat; do I need to be worried? Who is this person?
It took me maybe 30 minutes to reach out to an employee and say, what do we know about this person? It took that person maybe 10 minutes to get back to me and say, OK, here is who they are, this is the address where they live, this is where they are physically at this moment, they are on their phone, we know their phone number and all of the other accounts they have tried to set up on the system, and we know that they are on other social media platforms as well.

So, unbeknownst to a Twitter account user, there was access to information far beyond what you think you have disclosed that can be found. Should there be a warning? You say at one point that Twitter has only about 20 percent of its data registered and managed, meaning the company is incapable of securing the sensitive information it collects. Tell me, that is a pretty stark statement that suggests a warning to users: literally anything you disclose or use the account for could be used for bad purposes.

Yes. In this case, my concern was more that Twitter didn't even know what it was collecting. This was one of the problems, because I kept looking at: why do they have so many security issues? The same amount year after year. Why are the same percentages of problems coming from the same systems? Why aren't we closing on this? What is fundamentally under the hood and broken? Where is the systemic failure? It turned out that the engineers, on their own, weren't given the time and the resources to do this part of their job. Only about 20 percent of the information that they had, that they were collecting, did they know why they got it, how it was given to them, how it was supposed to be used, and when it was supposed to be deleted. The remaining 80 percent, and I refer you to the disclosures, was: we know that our systems are using some of this other data, but we don't know what it is. And for a lot of the data, they just recognized, we don't even know what these are. A huge amount of data.
And that included personally identifying information, phone numbers, addresses. So for me, the concern is that anybody with access inside Twitter who has access to the production environment that has it can get that information to use for their own purposes.

So the data being managed, the person with the Twitter account, is vulnerable in that regard. I wouldn't exactly give a passing grade to Twitter when it comes to the security of information. On the other side of the ledger, would you agree that there were agencies that had some responsibility to make sure that American consumers' privacy and security are protected?

So that was something that came to mind as well. This is over a decade. However, we have been watching this, especially since there were at least [inaudible] for the exact same problem, data collected for security purposes. How can we keep making these same mistakes? What is the FTC missing, or what is it that we are telling the FTC that is incorrect? Honestly, I think the FTC is a little in over their head. Compared to the