SENATORS across the ideological spectrum vowed to pursue stricter regulation for social media in response to Tuesday’s whistleblower testimony about what he called the “ticking bomb of security vulnerabilities” at Twitter Inc.
Former Twitter security chief Peiter Zatko, also known by his hacker name “Mudge”, spent more than 2 1/2 hours describing a company with outdated software, broad employee access to personal user data and a reactive security policy that had engineers running “from fire to fire.” He also spotlighted what he said was ineffective enforcement from the Federal Trade Commission (FTC) that was “letting companies grade their own homework.”
The revelations had even Republicans like South Carolina’s Lindsey Graham calling for “a regulatory environment with teeth” — usually anathema to conservatives who prefer a smaller federal government. But broad frustration with social media platforms and the risks to user privacy and national security that Zatko described are forging new alliances, like Graham’s plans to introduce legislation with Elizabeth Warren, a Massachusetts Democrat and one of the Senate’s most progressive members.
“It’s now time to look at social media platforms anew,” Graham promised Zatko in the hearing. “What you did today will not be in vain.”
The two senators are working on a bill to create a new federal regulator to oversee big tech, Graham told reporters after the hearing. He proposed licensing companies like Twitter, saying while they might not worry about paying a fine of US$150 million, “they could worry about losing their license.” Graham and Warren haven’t reached agreement on the details, according to a congressional aide.
Right now, the FTC and Justice Department share oversight of the tech industry, and some advocates have argued that a regulator devoted to the Internet economy would be better equipped to take on one of the world’s richest industries.
Graham said such an agency should force companies to harden their platforms against foreign interference, be more responsible with user data and provide an appeals process for content moderation decisions. He said new rules should “create a consequence for these organisations, give them an incentive to do better.”
Zatko said Twitter was a decade behind necessary security upgrades and gave several examples of Twitter prioritizing profit over addressing the risks on its influential platform.
“Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security,” Zatko said in the hearing.
He also said the company’s leadership “repeatedly covered up its security failures by duping regulators and lying to users and investors.”
Zatko, 51, was fired in January 2022 over what the company said were performance shortcomings.
Twitter, in a statement issued after the hearing, said it “only confirms that Mr Zatko’s allegations are riddled with inconsistencies and inaccuracies.” The company defended its hiring process and said access to data is controlled by monitoring systems and background checks.
The reaction to Zatko’s testimony was mixed among current and former Twitter employees, according to people familiar with the matter and tweets from employees. Some pointed out that Zatko’s big-picture complaint — that tech companies like Twitter need better oversight on data and security issues — hit the mark. Still others questioned why he didn’t do more to fix Twitter’s problems himself, considering his high-ranking position internally.
Sitting alone at a table facing the Senate Judiciary Committee, Zatko painted a picture of a company that collected vast amounts of user data but only understood how about 20% of it was used and allowed many employees a dangerous level of access to that information. Even though Twitter was under a 2011 consent decree from the FTC to address security lapses, Zatko said US regulators — and the one-time fees they use as deterrents — are ineffective compared to their foreign peers like France’s data protection agency.
The FTC in May fined Twitter for not complying with that 2011 agreement to tighten security controls and respect user privacy. But as Hawaii Democrat Mazie Hirono put it: “A $150 million fine for a multibillion dollar company is nothing to provide any kind of incentives for them to change what they’re doing.”
Zatko’s allegations come as Twitter prepares to go to court to force Tesla Inc. CEO Elon Musk to complete a $44 billion deal to buy the company. Zatko’s whistleblower complaint backed up Musk’s concern about the prevalence of automated accounts known as bots, which is likely to feature prominently in the Oct. 17 trial in a Delaware court, but Tuesday’s hearing focused on security shortcomings.
Lawmakers raised concerns in particular about Mudge’s allegations that Twitter has allowed foreign agents to operate on its payroll and acquiesced to the demands of adversaries like China. Judiciary Chairman Dick Durbin, a Democrat from Illinois, compared users trusting Twitter to safeguard their data as they might trust a bank — but “at Twitter the vault is wide open,” he said.
“Twitter is an immensely powerful platform that cannot afford gaping security vulnerabilities,” Durbin said.
Zatko said he wasn’t surprised to find out, a week before he was fired, that the FBI had warned Twitter about an employee who was a suspected foreign asset working with the MSS, a Chinese intelligence service.
“If you’re not placing foreign agents inside Twitter — because it’s very difficult to detect them, it is very valuable to a foreign agent to be inside there,” Zatko said of intelligence agencies, “you’re most likely not doing your job.”
Iowa Senator Chuck Grassley, the committee’s top Republican, said Mudge’s disclosures “paint a disturbing picture of a company that’s solely focused on profits at any expense.”
Grassley said Twitter CEO Parag Agrawal was invited to Tuesday’s hearing to respond to the allegations, but declined because he claimed it could interfere with the ongoing litigation with Musk.
Zatko pleaded with lawmakers to pass protections for whistleblowers who want to come forward while they are still at the companies. He also said any privacy legislation should involve audits and quantifiable results that couldn’t be gamed by technology platforms.
There is bipartisan support for new internet regulation to protect user privacy and security, but current proposals have failed to gain much traction as Congress focuses on other priorities. Even with Graham’s support, other Senate Judiciary Republicans questioned the need to give more power to regulators.
“I don’t think we need any more bureaucrats,” said Texas Republican John Cornyn, a member of the Senate Judiciary Committee. “We just need some rules for them to enforce, which we don’t currently have.”
Connecticut Democrat Richard Blumenthal said he’s open to a new technology-focused regulator that could help shift the balance of power between immensely profitable companies and the agencies charged with protecting consumers. He also said he “could be persuaded” to give new authority to the FTC, rather than creating a new agency.
“To effectively address this problem, we need not only to insist on restructuring the company, but also likely restructuring, reforming and energizing our regulatory apparatus,” Blumenthal said. “Clearly what we’re doing right now is not working.” –BLOOMBERG