A ticking bomb of security vulnerabilities. Covering up security failures. Duping regulators and misleading lawmakers.
These are just some of the allegations when Twitter’s ex-security lead turned whistleblower, Peiter Zatko, testified to the Senate Judiciary Committee on Tuesday, less than a month after the release of his explosive whistleblower complaint filed with federal regulators. Zatko, better known as Mudge, made his first comments since the public release of his complaint.
Twitter did not respond to a request for comment.
These are the key takeaways from Mudge’s testimony to lawmakers and what we learned from Tuesday’s hearing.
FBI warned Twitter it had a Chinese spy on staff
Sen. Chuck Grassley, the ranking member of the Senate Judiciary Committee, said in his opening remarks that the FBI warned Twitter that it may have a Chinese spy on its payroll.
A redacted version of Mudge’s whistleblower complaint released last month said that Twitter received specific information from the U.S. government that “one or more particular company employees were working on behalf of another particular foreign intelligence agency.” The nationality of the foreign intelligence agents were not disclosed at the time.
But Mudge told the panel that the spy was an agent of China’s Ministry of State Security, or MSS, the country’s main intelligence agency. He added that because Twitter engineers — about 4,000 employees — have broad access to company data, a foreign agent hired as an engineer would have access to personal user information and potentially other sensitive company information, such as Twitter’s plans to censor information in a certain region or concede to demands of a government request. But because Twitter did not closely monitor or log employees’ access, according to his complaint, Mudge said it was “very difficult” to identify what specific data was taken by Twitter employees as foreign agents.
The Chinese spy wasn’t the only agent of a foreign government on Twitter’s payroll. Mudge said in his complaint that the Indian government “succeeded in placing agents on the company payroll” who were granted “direct unsupervised access to the company’s systems and user data.” In August, a former Twitter employee was found guilty of spying for the Saudi government and handing over user data of suspected dissidents.
Thousands of attempts to hack into Twitter weekly
A common theme in Mudge’s complaint is that Twitter did not have the visibility to know what data engineers had access to, or what user data or company information they were accessing. But one system that tracked logins for Twitter engineers found that it was registering “thousands” of failed attempts to log in to Twitter’s systems each week, Mudge told members of Congress.
Mudge said in his complaint that the company saw as many as 3,000 failed attempts each day, describing it as a “huge red flag.” Mudge said then-Twitter chief technology officer Parag Agrawal — now chief executive — did not assign anyone to diagnose or fix the issue, the complaint added.
“This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure, the engineering, and the engineers not being given the ability to put things in place to modernize,” Mudge testified.
What Twitter knows about its users, and why spies want it
Given the focus of Twitter’s apparent lax access controls to users’ information, lawmakers asked Mudge what specific kind of data that Twitter collects from its users. Mudge said Twitter does not fully understand the scale of what data it collects.
He said among the data Twitter collects includes: a user’s phone number, the current and past IP addresses that the user is connecting from, current and past email addresses, the person’s approximate location based on IP addresses, and information about the person’s device or browser they are accessing Twitter from, such as the make and model, and user’s language.
Mudge said it was possible that engineers had access to this information and would be an attractive target for foreign intelligence agencies. One of the reasons he cited was that it would be helpful for governments to target particular groups and keep tabs on what Twitter knows about their agents or information operations.
Mudge also warned that Twitter user information could be used for harassment or targeting individuals as part of influence operations in the real-world, such as a family member or a colleague, and used as leverage to influence people close to them without their awareness. “It might be used with other data collection,” Mudge told lawmakers, citing previous breaches, including massive thefts of health data and U.S. government personnel files, such as the breach of 22 million records from the U.S. Office of Personnel Management in 2012. Mudge told lawmakers that his own OPM file was stolen in the breach from when he worked for the federal government.
U.S. government agencies let companies ‘grade their own homework’
Mudge’s complaint and subsequent testimony lands just months after Twitter paid $150 million in a settlement with the Federal Trade Commission for violating its 2011 privacy agreement, after the company used email and phone data for securing their accounts but then used that same information for targeted advertising.
Mudge told lawmakers that while government agencies have a responsibility to enforce the law and that they have the right intent, he accused the FTC of being a “little over its head” by allowing companies to “grade their own homework.” In response to a question by Sen. Richard Blumenthal, Mudge referenced the 2011 privacy agreement and asked, “How [has Twitter] been passing this?”
Speaking of the regulators and their enforcement powers, Mudge told lawmakers: “What I have seen, the tools in the toolbelt are not working.”