[inaudible conversations] Resuming the questions. Thank you very much. Mr. Zatko, I just wanted to follow up a little bit on the repeated suggestions that you've made in your testimony that cybersecurity vulnerabilities will expose the United States to risk and to attacks and the Twitter security failure threatened the country's national security. Good with that?

Yes, sir.

Okay. So I guess hidden ad buyers, we saw the same thing with Facebook when they were taking ads with the payments denominated in rubles and not bothering to figure out there might have been Russians behind those ads, and you mentioned concerns about hidden Chinese ad buyers, but if we could talk a little bit more about the national security risk associated with, for instance, the unregistered Saudi foreign agent who worked at Twitter or the pressure to hire Indian government agents. Walk us through a scenario of how an individual planted in Twitter like that could create a national security risk for the United States and, if you would, make particular reference to the fact that at least when I use Twitter, I'm sending stuff out. It's intended to be public. So how in that environment can a foreign agent create national security risk of any significant nature?

Yes, sir. There are several aspects to that. There's the non-public information that we have spoken about earlier today, your location, your phone number, your email address, things that aren't advertised to the world. In fact, I believe, 200 million, if we want to say regular users, not necessarily from a national security standpoint, Twitter in 2020 internally assessed that they lost information on 200 million users for email addresses, phone numbers, other information like that. This is the information that you need in order to start taking over other people's accounts.
With your phone number and an email address, I can hijack your phone number, I can then change your Gmail, your Coinbase, your Ameritrade, your other accounts. I can cause financial harm that way and I can then assume your identity and, more importantly, I probably want to be able to understand your whereabouts, your network, and understand, well, I'll give you an example, in foreign governments a concern and then we can apply that to the United States. There were requests for information about members in the farmers' protest. There might be organizations or groups in the United States where once I know your home address and your home phone number, I can approach you in real life. I can put pressure on you, I could possibly recruit you, you could be a witting or unwitting accomplice and I could target you for influence operations in the real world.

Let me just offer the thought that my home address and phone number and email address are pretty widely known and indeed in the public domain, so how does Twitter access to that information, is there more, or what's the difference between being able to look me up in the phone book and having Twitter access that information?

Having been in the public sector myself, yes, a lot of my information became known. There's also a lot of people who are in particular roles where that information is not known, and the targeting of them, perhaps staffers, perhaps aides, perhaps people around you influencing you to build that network, which we have seen within not Twitter, but which the U.S. and Intelligence Committee has seen as part of the game in the intelligence community and world.

Okay. So, just play that out for me a little bit more, given that so much of this information is available through other channels. What would the end game be for, let's say, a foreign government seeking to put that kind of pressure on somebody who could make a difference or a decision about the benefit of the foreign country?
Perhaps identifying a relative, a family member, a colleague who is in financial issues or has other elements that can be leveraged against them. To help them influence you in a particular fashion without your awareness.

So you're able to, somebody would be able to create a sort of a family or personal network around an individual Twitter user and extract information about folks in that network?

That's one particular aspect that intelligence communities are to do.

How would that take place through the, if somebody's gotten into the Twitter system, how do they find that out?

Well, it might be used in combination with other data collection sources. For instance, one of the concerns of U.S. people travelling to other countries is, was their information in the OPM database and can that information be cross-indexed against the health care data industry databases that have been lost. Do we know that this person has a particular political bias on Twitter and start to tie all of these things together for people of influence or access within governments or within sensitive positions.

Thank you very much, my time is up.

Thank you, Senator Whitehouse. Senator Graham, I'm sorry, Senator Cornyn.

Mr. Zatko, I want to explore just in the next six minutes the kind of data that is available on American citizens that can be used for appropriate or inappropriate purposes. You're familiar with the concept of ubiquitous technical surveillance, aren't you?

I can understand those words together and get the general context, I believe, sir, yes.

Basically all the cameras that are publicly posted, data on your smartphone, you've already talked about geolocation data, the type of transactions you engage in. Where your home is, how much you paid for it. Even Google Earth may have taken a picture of your home or your place of business, so there's already huge volumes of data available for whatever purposes, even above and beyond what social media collects, correct?
Yes, sir, there's a lot of information about a lot of us in many different ways, available through technology right now.

And I dare say, I bet most Americans just can't fathom the volume of data, and that's without even getting to things like social media. For example, in 2015, I think it was, there was a hack of the Office of Personnel Management records. I think it was 22 million records of government employees, including their applications for security clearances, was hacked, reportedly, by the People's Republic of China, and then if people decide that they want to figure out their family ancestry and use one of the DNA testing companies, my understanding is many of the testing, much of the testing is outsourced to places like China, where obviously it's not secure from Chinese government access, and so, when we're talking about the privacy concerns of Americans, this is not just limited to platforms like Twitter and social media, correct?

That's correct, sir. I was informed I was in that OPM database and my information and my security information was collected as well.

And turning to Twitter, you've already talked about the lack of what I would call protection from insider threats in the intelligence community. If you're working in the intelligence community, do they have logging protocols that will determine who accesses what information, correct, so it can be audited later on to determine whether that had been inappropriate access. That's the sort of protocols or mechanisms that were not available at places like Twitter when you worked there, correct?

Yes, sir, correct.

And so, anyone who could get access to that information could, on top of all the information that I've asked you about earlier, outside of social media, if you'd looked at the cumulative data picture, is that the kind of information that foreign governments like the People's Republic of China are regularly accessing for their purposes?
I can't say whether they're regularly accessing, I don't have that direct information. I have been, I am aware that some people and organizations have gotten very good at cross-indexing across very large amounts of data collected on numerous people from various sources, OPM, medical, et cetera. Twitter would be a very decent contribution to that multi-source collection.

And that's where things like artificial intelligence can come in to comb or mine vast sources of data for more targeted or narrow purpose, is that right?

The ability to collect and mine, yes, has been augmented by modern AI techniques.

So, there are what I would call defensive concerns about peoples' or individuals' or governments' access to your personal data, but there are also offensive concerns as well, and that's where the issue of disinformation or a term that became popularized during the 2016 election aftermath was active measures. These are efforts by foreign governments, perhaps foreign intelligence services, to actively create a narrative or a message that is essentially propaganda by this foreign government that can be used to influence American public opinion, is that accurate?

Not just American, but worldwide, Myanmar and acknowledging the disinformation on their platform contributed to genocide.

And as you pointed out earlier, when you look at the data available to each one of us as American citizens for whatever purposes, for good or ill, there's also a lot of information about who we interact with, right? There's something in the intelligence community, sometimes they talk about pattern of life, maybe you'd want to talk about a network of friends and associates, family members and the like from which inquiring minds could obtain additional data about us?

Yes, and to your point, information operations are of a concern. Twitter acknowledges that they do happen on their platform. They have disclosed numerous ones and they are aware of others that are ongoing.
I'm aware that TikTok, which is a Chinese company, I believe, and even Instagram, which is owned by Facebook, have 13-year-old age restrictions in terms of their terms of use. But there's no, there's no limitation on people's ability to pretend to be an adult, to pretend to be somebody that they're not and gain access to social media accounts and to use it for whatever purposes they wish.

I can't speak to TikTok or Facebook, I'm not familiar with their internal technology for age, and I know that was a challenge at Twitter, and from what I was told the majority of age-gating was voluntary self-reporting of what your age was.

And finally, can you tell me, do you have recommendations based on your 30 years of experience in terms of data security and what sort of regulations or laws that Congress and the federal government should consider passing? We don't have time to talk about all of those here today, but we'd certainly welcome any of your recommendations, insights. Do you think this needs to be an area where the federal government needs to be actively engaged?

Yes, sir, I do. I'd be happy to supplement my written report.

Thank you.

Thank you, Senator Cornyn. Senator Hirono.

Thank you, Mr. Chairman. Thank you for coming to testify, Mr. Zatko. Your testimony and all of your responses to the various questions we have asked you says to me that this situation regarding data security and national security issues with regards to Twitter is massive and that Twitter is not doing very much to be helpful at all. In fact, there are major disincentives to Twitter doing anything, to spending the time or the resources to address the concerns that you raised. So, for example, the FCC, resource with record to China, to keep Twitter under any kind of, even a consent decree that was entered into, but back in 2011, and more recently they're contemplating making Twitter pay 150 million for some misuse of information.
150 million fine for a multibillion-dollar company is nothing to provide any kind of incentives for them to change what they're doing. And yes, there is information out there from so many different sources, including our appliances, and cars and everything else; however, Twitter is a huge, if I can call it a single platform, where one can access information. So who is going to force Twitter, really, to do anything? If we were to adopt some of the legislation contemplated. If we don't have an agency that can implement or enforce that law, then we're back where we started from. So, what is it going to take to force Twitter to change its ways?

Well, this starts at the top in Twitter and you need an executive team that's willing to go in and say, you know, the executive team themselves acknowledged and I heard them say we have 10 years of unpaid debt here that at some point we really need to get a head up. And they need to prioritize that, and to my understanding, a board's primary role is to make sure that the right executives are in charge of the company, the CEO in particular, to make sure that they were, they are, you know, sending the company in the right direction. This needs to be long-term incentive rather than short-term for the companies, because the short-term incentives mean they're going to run from fire to fire and not actually pay down debt for a long-lived valuable company.

So your description of Twitter, they're mainly focused on the short-term monetary incentives. Who is going to force them to look at the long term? Do people need to go to prison? I mean, what do we need to do to get Twitter to, from what you're telling me, they cannot even identify foreign agents in their midst.

Yes, ma'am. And you know, to be blunt, some foreign agents probably would be pretty good and difficult to identify, but some were, in this case, not, and they're only, to my awareness, identified once they're brought to them. They're not even attempting to.
I think holding people accountable is a good start. I think that is something that people are concerned of, but what, you can only hold people accountable if you can measure and quantify what their targets are and what changes need to happen, and if you say, such as what I saw, you know, Twitter needs to have a mature software security program or a security program, that's a very ambiguous and qualitative term. So holding accountability and setting quantitative goals and standards that can be measured and audited independently, I believe, is what's going to be required to change management structures and drive changes in companies when it's needed, such as this.

So we don't even have the kind of standards to which we can hold Twitter accountable to? Is that right?

From what I saw, they were able to be answered in the affirmative without actually meaningfully making the, the intent of the regulators was correct, but you could then say, yes, I've done this, hold up an isolated example and allow somebody to assume that that example was at, you know, the whole environment, knowing that...

Well, excuse me, do French regulators have better standards to which to hold Twitter accountable to?

My understanding is that one of the reasons that the French is more feared, they dig in technically and go towards more quantitative results that are less easy for organizations to sort of wordsmith around an area of answers. I think that's something we can learn a lesson from.

And are you sure that you've discovered Twitter compromises its user data long after users closed their accounts. You stated that the accounts are simply deactivated, where the data is not fully deleted. At the time of your departure from Twitter, was the company, was that the company's continuing general practice, that they don't really eliminate the data?
Yes, I was told straight out by the chief privacy officer that the FTC had come and asked, does Twitter delete user information once they leave the platform, and the reason the person told me this, I need you to know this, other regulators are asking us and this ruse is not going to hold up. Instead of deleting, we reply we deactivate the users, because we do not delete the user data, and, and you would think that this would be something to delete the user.

And for the users, to deactivate, isn't there something that technically they could do?

This goes to one of the fundamental root problems I mentioned in my opening statement. They would need to know what data it is and where they got it, who it's attached to. If they did that, which should be a fundamental expectation I would have as a user, yes, at that point they could absolutely delete the information.

Thank you.

Senator Graham is recognized for six minutes.

Thank you very much for coming to this committee and giving us your insight. Something good will come from this. Do you believe that?

I hope so, I'm basically risking my career and reputation, and if something good comes from this five, 10 years down the road.

You're willing to take the risk, it's that important to you?

Yes, I've been doing this for 30 years, and people in the industry know I'm willing to put it on the line to improve things.

I'm going to work with my Democratic colleagues to make sure it's not in vain. Let me ask you a question, do you still use Twitter?

I still have an account on Twitter, I proceed it occasionally, I have not tweeted since I left.

Given what you know, would you recommend that all of us continue to use Twitter or take a t