Twitter’s former head of security, Peiter Zatko, revealed his prior employer lagged a decade behind cybersecurity standards. This statement was one among several shocking disclosures he shared with members of the U.S. Senate Judiciary Committee during a hearing Sept. 13.

Zatko, who worked at Twitter from November 2020 through January 2022, was called to testify to the committee after he filed a whistleblower complaint with the U.S. Federal Trade Commission and Securities and Exchange Commission, which was made public in August. In the complaint, Zatko, who was hired by Twitter after teenage hackers breached prominent verified accounts, accused company leadership of neglecting significant security concerns.  

Responding to Zatko's claims in August, a Twitter spokesperson at the time said privacy and security matters "have long been company-wide priorities." 

His revelations about the inner workings of Twitter outlined a pattern by company leadership to ignore security vulnerabilities, covering up security failures, and misleading regulators and lawmakers.

Zatko said Twitter’s leadership “is misleading the public lawmakers, regulators and even its own board of directors." He claimed the “company's cybersecurity failures make it vulnerable to exploitation” and is prone to be “compromised by teenagers, thieves and spies” while creating its own set of security problems due to lax practices.

“What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards,” Zatko said. He told the committee he "brought concrete evidence of these fundamental problems to the executive team, and repeatedly sounded the alarm of the real risks associated with them." But rather than addressing them, Zatko said "The executive team chose instead to mislead its board, shareholders, lawmakers and the public instead of addressing them.”

According to Zatko, Twitter’s problems — like Facebook parent company Meta's — stem in part from the sheer volume of user data it collects. He said engineers do not have anything close to a full grasp of the amount of users’ personal data they collect, and how and where it ultimately gets stored. He said this dynamic presented him with two overarching problems.

“First, (the company doesn’t) know what data they have, where it lives, or where it came from, so, unsurprisingly, they can't protect it,” Zatko said. “This leads to the second problem, which is the employees have to have too much access to too much data and too many systems.”

To help the senators of the Judiciary Committee understand the scope of the problem, Zatko said Twitter’s engineers had a good understanding of what data they were collecting, why the user had provided it and when it was supposed to be deleted approximately only 20% of the time. He said the figure was based on the results of an internal survey conducted by engineers that he provided with his lawful disclosure to the committee.

Zatko said for engineers to even begin to understand the contents and the storage location of the remaining 80% of user data, which includes personally identifying information and geolocation data, they required broad access to a number of internal systems, including the ability to access individual accounts.

“This kind of vulnerability is not in the abstract; it's not far-fetched to say that employees inside the company could take over the accounts of all of the senators in this room,” Zatko said.

He also said Twitter’s internal systems did not keep a log of all engineers who accessed any specific data sets. This dynamic was especially problematic when the company was presented with evidence of several of their workers being directly involved with foreign intelligence operations.

Several senators referenced multiple incidents of foreign intelligence infiltration of Twitter. In one instance, brought up at the beginning of the hearing by Senate Judiciary Chairman Dick Durbin, D-Ill., a Saudi Arabian citizen who worked at the company was convicted in the U.S. for stealing the personal data of Saudi citizens who were critical of the Saudi regime.

In response, Zatko said Twitter lacked the ability "to internally look for and identify inappropriate access within their own systems." He also told the committee he had "high confidence" that he identified a foreign agent while working at the company.

“When we didn't know that person inside acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people,” Zatko said. “There was a lack of logging, and an ability to see what they were doing, what information was being accessed, or to contain their activities, let alone set steps for remediation and possible reconstitution of any damage. They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”

At the beginning of the hearing, Senate Judiciary Chairman Dick Durbin, D-Ill., cited an example of a Saudi Arabian citizen who worked at Twitter, and was convicted in the U.S. for stealing the personal data of Saudi citizens who’ve been critical of the regime.

“When we didn't know that person (was) inside acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people,” Zatko said. “There was a lack of logging, and an ability to see what they were doing, what information was being accessed or to contain their activities, let alone set steps for remediation and possible reconstitution of any damage. They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expel them on their own.”

After the hearing Tuesday, a Twitter spokesperson Rebecca Hahn said, “Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” though Twitter did not elaborate on which allegations were incorrect.

Senators from both parties on the committee thanked Zatko for coming forward. Zatko, along with multiple members of the Judiciary Committee, said they felt the regulators charged with enforcing privacy standards were overmatched by platforms.

In his testimony, Zatko said Twitter never built systems to comply with a 2011 FTC Consent Order that required the company implement a "comprehensive information security program." 

In response, Sen. Amy Klobuchar, D-Minn., said she and her colleagues need to pass a bill that increases funding for the Federal Trade Commission.

“We have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies, when it comes to the protection of kids,” Klobuchar said.

Sen. Chuck Grassley, R-Iowa, said he had reservations about the agency’s ability to enforce actions against Big Tech companies like Twitter. Referring to Twitter's violation of the consent order, Grassley added they were important considerations when building federal privacy legislation.

“This is a consent decree that was intended to protect Twitter users’ personal information,” Grassley said. “As Congress considers federal data privacy legislation, I think it's very important that we draw on these revelations about how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC's ability or lack thereof to successfully oversee these important issues.”  

Sen. Lindsey Graham, R-S.C., asked Zatko if he believed U.S. regulators were “outgunned” with regard to enforcing rules on Big Tech firms, to which Zatko agreed. Graham said the focus of the Senate needs to be on crafting comprehensive privacy legislation in the spirit of the EU General Data Protection Regulation.