Just before shareholders voted to approve Elon Musk’s $44 billion deal to buy the company, Twitter whistleblower Peiter Zatko was in Washington testifying before the Senate Judiciary Committee about alleged security flaws. NPR highlights key takeaways from the hearings: Twitter executives are putting profits ahead of security, leaving the door open to infiltration by foreign agents and hackers, the company’s former security chief told Congress on Tuesday. “Twitter management is misleading the public, lawmakers, regulators and even its own board of directors,” Peiter Zatko testified during a Senate Judiciary Committee hearing. “A company’s cybersecurity failures leave it vulnerable to exploitation, causing real harm to real people.” […] In Tuesday’s hearing, which lasted more than two hours, Zatko painted a portrait of a company plagued by widespread security problems and unable to control the data it collects. Calm and composed, he drew on his expertise to unpack the technical details of Twitter’s systems with real-world examples of how company-held information can be misused. “It’s not far-fetched to say that an insider can take over the accounts of all the senators in this room,” he warned.
Zatko argued that the company is highly vulnerable to abuse by foreign intelligence agents, but is unable or unwilling to root them out. A week before his January firing, he testified, the FBI told Twitter’s security team that at least one agent of China’s Ministry of State Security was on the company’s payroll. […] Zatko also claimed that the Indian government had placed an agent on Twitter. He revealed that Twitter struggled to detect potential intrusions by foreign agents and was usually only able to do so after being notified by outside agencies.
Zatko placed the blame for Twitter’s vulnerabilities squarely on the management team, which he described as reactive, incompetent and motivated by profit rather than security. Executives, he claimed, ignored warnings from him and other employees about Twitter’s security flaws because they “lacked the competence to understand the scale of the problem.” Zatko described a company culture that shunned negativity, in which executives selectively presented favorable information to the board. He accused management of prioritizing business over safety, quoting writer Upton Sinclair: “It’s hard to get a man to understand something when his salary depends on his not understanding something.”
When Zatko joined Twitter, he said he was appalled that the company continued to have recurring security breaches — “the same number, year after year.” The main reason, he told senators, is that Twitter doesn’t understand how much data it collects, why it collects it, and how it should be used. This includes users’ phone numbers, IP addresses, email addresses, the devices they use, their location and other identifying information. Moreover, he said, about half of Twitter’s employees have access to this data. “It doesn’t matter who has the keys if you don’t have locks on the doors,” he said. “The concern is that anyone with access to Twitter … can root, find that information and use it for their own purposes.” Zatko also raised concerns that Twitter may not be complying with its 2011 agreement with the FTC, citing its misuse of email addresses it told users it collected for security reasons but then used for marketing. (In May, the FTC fined Twitter $150 million for violating that agreement.) “Why do we keep making the same mistakes?” Zatko said. “What is wrong that we are telling the FTC as Twitter?”