Why Twitter’s former security head is testifying

CALIFORNIA (AP): Peiter Zatko, the former Twitter security chief who’s accused the company of negligence with privacy and security in a whistleblower complaint, will testify before Congress on Tuesday.

Zatko is well-respected in the cybersecurity space, which gives his complaints extra weight. But so far he has little documentary support for his claims — unlike the Facebook whistleblower, Frances Haugen, whose complaint last year included troves of internal documents from the company now called Meta.

Zatko’s accusations are also playing into Tesla CEO Elon Musk’s battle with Twitter to get out of his $44 billion bid to buy the company. The Delaware judge overseeing that case has ruled that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial set to start Oct. 17.

Twitter calls Zatko’s description of events “a false narrative.”

WHO IS PEITER ZATKO?

Better known by his hacker handle “Mudge,” Zatko is a highly respected cybersecurity expert who first gained prominence in the 1990s and later worked in senior positions at the Pentagon’s Defense Advanced Research Projects Agency (DARPA) and at Google.

He joined Twitter at the urging of then-CEO Jack Dorsey in late 2020, the same year the company suffered an embarrassing security breach in which hackers broke into the Twitter accounts of world leaders, celebrities and tech moguls — including Musk — in an attempt to scam their followers out of bitcoin. Zatko served as Twitter’s security chief until he was fired early this year.

WHAT ARE HIS ACCUSATIONS AGAINST TWITTER?

Zatko’s whistleblower complaint, filed with U.S. officials, alleges that the company misled regulators about its poor cybersecurity defenses and about its negligence in attempting to root out fake accounts that spread disinformation.

Among Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users. Zatko also accuses the company of deceptions involving its handling of “spam” or fake accounts, an allegation that is at the core of Musk’s attempt to back out of the Twitter takeover.

His 84-page complaint alleges that he found “extreme, egregious deficiencies” on the platform, including issues with “user privacy, digital and physical security, and platform integrity/content moderation.”

WHY IS HE GOING BEFORE CONGRESS?

U.S. lawmakers are anxious to hear from Zatko and his allegations that the influential social network misled regulators about its cyber defenses and efforts to control fake accounts. Tuesday’s Senate Judiciary Committee hearing will be the first, but it might not be the last.

The Judiciary Committee’s chairman, Sen. Dick Durbin, D-Ill., and its senior Republican, Sen. Chuck Grassley, R-Iowa, said in a joint statement last month that if Zatko’s claims are accurate, “they may show dangerous data-privacy and security risks for Twitter users around the world.”

They said the panel “will investigate this issue further with a full committee hearing … and take further steps as needed to get to the bottom of these alarming allegations.”

WHAT’S EXPECTED FROM THE HEARING?

With the midterm elections looming in early November, many lawmakers may wish to appear before TV cameras expressing concern about online privacy, an issue that resonates with consumers. That means camera lights glaring and outrage thundering from elected representatives as a lone whistleblower stands and takes the oath behind a table ringed with photographers — a scene that would mirror former Facebook product manager Frances Haugen’s testimony late last year.

What’s less clear is whether Congress will take any concrete steps to address Zatko’s allegations. While lawmakers have held numerous hearings questioning Big Tech executives over privacy, security, competition and other matters, efforts to regulate the companies on a federal level have stalled.

WHAT’S NEXT?

The Securities and Exchange Commission is also questioning Twitter about how it counts fake accounts on its platform. In June, the securities regulators asked the company about its methodology for calculating the number of false or spam accounts and “the underlying judgments and assumptions used by management.” The numbers are key to Twitter’s business because it uses metrics for real users to attract advertisers, whose payments make up a little more than 90% of its revenue.

Twitter, with an estimated 238 million daily active users, said last month that it removes 1 million spam accounts daily.

Senior members of the Senate Intelligence and Commerce committees, as well as the House Energy and Commerce panel, also have publicly signaled their engagement on the issue. The Senate Intelligence Committee is planning a meeting with Zatko to discuss his allegations, a spokeswoman said, adding, “We take this matter seriously.”

Sen. Richard Blumenthal, a Connecticut Democrat, has called on the FTC to investigate.