During a hearing held today by the Senate Judiciary Committee, Peiter Zatko — a cyber security expert, well-known hacker and recent Twitter executive whistleblower — quoted the writer Upton Sinclair in his opening remarks to members of Congress.
“It is difficult to get a man to understand something when his salary depends on his not understanding it,” Zatko said, quoting Sinclair.
During several hours of testimony to members of Congress, Zatko said the company has put profits ahead of user safety while failing to address key concerns that put user data and national security at risk. Zatko — who joined Twitter in November 2020, but was fired from his role as head of security in January 2022 — said Twitter has even misled the public and government while exposing sensitive user data and falling behind on security standards.
The hearing comes the same day as a majority of Twitter shareholders voted to approve a sale of the company to Elon Musk, which is still hung up in court in a contentious legal battle. When asked for comment about Zatko’s claims, a Twitter spokesperson said the company’s hiring process is independent of foreign influence and that access to data is managed through a variety of checks, controls and monitoring systems.
“Today’s hearing only confirms that Mr. Zatko’s allegations are riddled with inconsistencies and inaccuracies,” the Twitter spokesperson told Digiday in an emailed statement.
Here are a few of the ad-related themes that he discussed with lawmakers:
Chinese ad revenue, security concerns
Since coming forward as a whistleblower last month, Zatko — who is also known for his hacker name “Mudge” — has raised a number of severe accusations about various policies and practices at Twitter. He’s accused the company of putting foreign agents on its payroll, misleading U.S. and foreign regulators, allowing foreign governments to potentially access sensitive data and failing to keep up with security standards used by other tech companies.
Other social platforms such as TikTok have come under increased scrutiny for potentially allowing the Chinese government to access user data. However, Zatko said it’s a “very valid concern” that Chinese officials could collect U.S. consumers’ data from Twitter through Chinese companies that advertise on the platform via click-through ads, which lead users off-platform to Chinese websites.
Twitter employees raised related concerns when he was still at the company, according to Zatko, who recalled a sales executive telling him soon after he joined that there was a “big internal conundrum”: Twitter was making too much money from those sales to stop taking Chinese advertisers, despite employee concerns. “In a nutshell,” Zatko said, “It was, ‘We’re already in bed, it would be problematic if we lost that revenue stream, so figure out a way to make people comfortable with it.’”
“They didn’t know what people they were putting at risk or what information they were even giving to the government,” Zatko said. “Which made me concerned that they hadn’t thought through the problem in the first place and that they were putting their users at risk. And that was a very common problem, where I saw Twitter was a company that was managed by risk and by crisis instead of one that manages risk and crises.”
Risks with click-through ads also came up during other parts of the hearing. When asked if the format concerns him more than ads that allow users to stay on the platform, he said they “do expose a risk that non-click-through ads do not.” That’s because following the link off-platform could expose users’ IP addresses and other information that could help determine their geolocation.
“Then you can further interrogate that person’s computer or get them to provide more information,” he said.
Users at risk
When asked about other ways that targeted ads could be used to inject malware into devices, harvest data or conduct influence campaigns, Zatko said that domain was under the VP of sales engineering. However, he recalled seeing internal data sets that showed thousands of Twitter employees had access to advertiser information, including bank account and routing numbers.
“When I first joined, people could change that information,” he said. “And you could understand why changing the banking account information of a company such as Apple or Nike might be problematic.”
Per Zatko, accessing even just a user’s email address and phone number from Twitter is enough to hack someone’s email, bank account or crypto wallet. He added that foreign governments could also approach someone in real life if they have their physical address and pressure them to be recruited for intelligence operations. One of the “fundamental root problems,” Zatko said, is that Twitter isn’t able to delete user data because the company doesn’t always know how much data it has on users.
Sen. Richard Blumenthal expanded on Zatko’s Sinclair analogy and asked if Twitter has been “reckless” with users’ health and safety in exchange for monetizing data, which Zatko agreed with. Zatko also repeatedly expressed concerns about how Twitter data could be a national security threat — a concern that he addressed when first coming forth as a whistleblower several weeks ago. For example, he said Twitter didn’t have a system that logged when engineers accessed a user’s account or what data they accessed.
Zatko said he is “hopefully shedding a light” on “just how much of a gap there is between Twitter and some of Twitter’s peers.”
“Even learning that sort of discrepancy would help understand and raise the level of hygiene for these organizations and their ability to perform their tasks,” Zatko said. “And the ability for us to accept what they’re saying as to whether it could possibly be true or not.”
Twitter executives were more afraid of other nations’ regulators — such as those in France — than those in the U.S., per Zatko, suggesting that it was easier to pay one-time fines to the Federal Trade Commission. When asked about the need for regulation, Zatko said the FTC’s current regulatory approach is “not working,” adding that the agency is “a little over their head” while letting major tech companies “grade their own homework.”
When asked what other nations’ regulators do differently than the U.S., Zatko said federal agencies should be more aggressive with their investigations, “not accept answers at face value,” be stricter with deadlines for receiving answers back and threaten real penalties, such as banning the ability to monetize until answers are sufficient.
“The regulators have tools that do work,” Zatko said. “But they’re not able to see which tools in their tool belt are the ones actually working. And they’re using the ones — the one-time fines — that the companies aren’t really afraid of.”