Twitter whistleblower summoned to Senate Judiciary Committee
Get the popcorn out for September 13
Updated Former head of security at Twitter and whistleblower Peiter "Mudge" Zatko is scheduled to appear before the US Senate Judiciary Committee on September 13 to discuss allegations that his former employer made serious failures in protecting user data.
Twitter has denied the allegations.
The Senate Judiciary Committee naturally took to the microblogging website to announce his subpoena.
The hearing will feature testimony by Peiter “Mudge” Zatko, who will appear pursuant to a subpoena and whose recent disclosure alleges serious privacy and security failures by the company.— Senate Judiciary Committee (@JudiciaryDems) August 24, 2022
Staffers with Senator Richard Blumenthal reportedly met with Zatko this week. The complaints were also discussed with non-specified staff and ranking members of the Senate Judiciary Committee, the House Energy and Commerce Committee, and the Senate Intelligence Committee, a spokesperson for Zatko told Reuters.
Zatko's 84 pages of disclosures [full PDF here, obtained by the Washington Post] include a treasure trove of alleged fraud, violations of financial rules, and security gross negligence.
Within the pages is an assertion that the microblogging site failed to comply with its 2011 FTC Consent Order, that more than half of the company's 500,000 datacenters are running non-compliant kernels or operating systems, and that roughly a third of employees have unsecured devices.
Some staff allegedly have access to personal user data, and others have purposefully installed foreign spyware. Furthermore, growth was allegedly encouraged over reducing spam to keep Monetizable Daily Active User numbers up.
- UK's largest water company investigates datacenters' use as drought hits
- Amazon has repackaged surveillance capitalism as reality TV
- Japan reverses course on post-Fukushima nuclear ban
- PanWriter: Cross-platform writing tool runs on anything and outputs to anything
- Python tops programming love list – but if you want a job, learn SQL
Interest has been piqued outside the US too, particularly as the disclosures allege European regulators were purposefully misled. Zatko expressed the belief that Twitter misled the Ireland Data Protection Commission (DPC) and France's similar org, CNIL, regarding datasets for training machine learning algorithms.
The well-known whistleblower also alleged Twitter misled CNIL regarding how it was deploying and using cookies, while using them for both ad tracking and security, in violation of international data requirements in some jurisdictions. Furthermore, Zatko also accused Twitter of delaying a fix for the entanglement of cookies, despite having a ready solution, in order to extract as much profit as possible.
In response, data protection authorities in Ireland and France have reportedly said they will investigate or take action on the allegations – the DPC by "meeting" with Twitter and CNIL by "investigating the complaint."
Twitter claimed the complaint presented a "false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context," and told The Register Zatko was fired from his role at Twitter in January 2022 for "ineffective leadership and poor performance."
Zatko's assertion comes at a convenient time for Elon Musk, who faces legal battles with the company after he backed out of a deal to purchase it. Musk responded to the information predictably, by vague-tweeting about it. ®
August 23, 2022
Updated to add
In a statement emailed to The Register after this story was filed, Zatko's legal team challenged Twitter's statements about his performance as false.