Twitter's former head of security told US lawmakers on Tuesday that the social media platform's alleged cybersecurity failures "make it vulnerable to exploitation, causing real harm to real people."
"When an influential media platform can be compromised by teenagers, thieves and spies and the company repeatedly creates security problems on their own, this is a big deal for all of us," he said.
Peiter "Mudge" Zatko, who filed a whistleblower complaint against Twitter in July, appeared before the Senate Judiciary Committee for more than two hours. The hearing underscored how lawmakers are responding to concerns about how well Twitter is safeguarding the data of its 238 million daily users.
Zatko allegedly uncovered various privacy and security problems at Twitter before the company fired him in January. He filed an 84-page whistleblower complaint to the US Securities and Exchange Commission, the Department of Justice and the Federal Trade Commission. In the complaint, he alleges his former employer prioritized user growth over privacy and security.
Zatko accuses Twitter executives of hiding bad news instead of trying to fix problems. Twitter appeared to have a high rate of security incidents, some employees had disabled security and software updates on their devices, and staff had too much access to user data, Zatko alleges in the complaint. A Twitter spokesperson pushed back against the accusations, stating that the hearing shows that Zatko's allegations "are riddled with inconsistencies and inaccuracies."
US lawmakers, though, are trying to get to the bottom of the allegations as they look at ways to hold tech companies accountable.
Sen. Dick Durbin, an Illinois Democrat who chairs the Senate Judiciary Committee, kicked off the hearing by outlining his concerns about the trove of data Twitter collects about its users.
"When that data isn't secure, we become vulnerable to bad actors, scam artists, stalkers, even foreign agents," Durbin said.
Here are four key takeaways from Tuesday's hearing:
Social media companies are 'grading their own homework'
Zatko alleges that Twitter violated an 11-year-old settlement with the FTC by falsely claiming it had a comprehensive security program. The company had never complied with the FTC order and wasn't on track to do so, the complaint stated.
A lot of the information that regulators and Congress rely on, according to Zatko, comes from the companies themselves. The FTC, he said, is a little in "over their head."
"They're left letting companies grade their own homework, and I think that's one of the big challenges," he said.
Some US lawmakers floated possible solutions such as creating a new government agency, passing privacy legislation or improving the regulatory system so it has more teeth.
In his testimony, Zatko said Twitter has a culture where employees react to crises rather than proactively work to prevent them.
"They're only able to focus on one crisis at a time, and that crisis isn't completed. It's simply replaced by another crisis," he said. "I think they would like to wave a magic wand and have all of these things fixed, but they're unwilling to bite the bullet."
Zatko said "setting quantitative goals and standards that can be measured and audited independently" will help drive change at these companies. If the FTC and regulators had laws or rules that would create whistleblower protection programs for people while they were still in these organizations, that would help as well, he said.
Lawmakers raise concerns about foreign agents
Sen. Chuck Grassley, an Iowa Republican and the ranking member of the committee, alleged in his opening remarks that India was able to place two agents on Twitter's staff and the FBI notified Twitter of at least one Chinese agent within the company.
"In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to track down pro-democracy dissidents within their country but also to spy on Americans," Grassley said.
Zatko said that roughly a week before he was fired he had learned from the security team that Twitter had a Chinese agent working for the country's Ministry of State Security on its payroll.
He added that he had raised his concerns about having a foreign agent within the company with a Twitter executive. Zatko said the executive told him, "Well, since we already have one, what does it matter if we have more?"
China and India aren't the only foreign influences lawmakers are concerned about. In August, a former Twitter employee was found guilty of spying for the Saudi government.
A Twitter spokesperson said the company's hiring process is independent of any foreign influence and the company manages access to data through various measures.
Twitter CEO rejected lawmakers' invitation to testify
Grassley said that lawmakers invited Twitter CEO Parag Agrawal to appear before lawmakers, but he refused to do so because of concerns it would jeopardize the company's legal battle with billionaire Elon Musk.
"If these allegations are true, I don't see how Mr. Agrawal can maintain his position at Twitter going forward," Grassley said.
Musk, who is trying to back out of buying the company for $44 billion, is using the whistleblower complaint as part of his case. Meanwhile, Twitter appeared to vote in favor of the deal on Tuesday.
Zatko's whistleblower complaint also alleges that Twitter lied to Musk about the number of bots on its platform. Lawmakers, though, didn't ask questions about that claim.
Sen. Lindsey Graham, a South Carolina Republican, did ask Zatko if he would "buy Twitter given what you know."
"Well, I guess that depends on the price," Zatko said.
Lawmakers question whistleblower about adult entertainment
At several points during the hearing, Republican lawmakers also asked Zatko about the company's plans to create an OnlyFans competitor. Twitter reportedly scrapped this idea because employees concluded the platform wasn't effectively policing child sexual exploitation and nonconsensual nudity.
"Why didn't they go in the porn business?" Sen. John Neely Kennedy, a Louisiana Republican, asked.
"I do not know," Zatko replied, but noted that he heard that there were concerns about age-related content.
Sen. Marsha Blackburn, a Tennessee Republican, also broached the same topic later in the hearing. Twitter "had to scrap the plans because an internal team found that they had too much child and nonconsensual pornography that was on their site already," she said.
"Are you aware of that?" she asked Zatko.
"No, ma'am. Unfortunately, it does not surprise me," he replied.