September 13, 2022

Durbin Questions Twitter Whistleblower Peiter "Mudge" Zatko During Senate Judiciary Committee Hearing

This hearing focused on Mudge’s allegations of data security failures, foreign infiltration, and misrepresentations to regulatory agencies by Twitter

WASHINGTON – U.S. Senate Majority Whip Dick Durbin (D-IL), Chair of the Senate Judiciary Committee, questioned Twitter whistleblower Peiter “Mudge” Zatko during today’s hearing entitled “Data Security at Risk: Testimony from a Twitter Whistleblower.” Durbin began by questioning Mr. Zatko about the type of information that Twitter collects from its users.

“Can we get into the real world now and talk about whether or not consumers across America have a right to be warned if they are opening a Twitter account as to what is going to happen with their data? For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable, somebody could use that at some future time. I hope not, but it could happen. What I infer from your testimony and what we have read about your findings is that there is a lot more information being collected by Twitter beyond that basic information that is going to be used by a handful of different purposes, is that correct?” Durbin asked.

Mr. Zatko responded that a Twitter account user may not know how much personal information they are providing to Twitter. In one example, citing a Twitter user who was a potential threat, an employee at Twitter was able to identify specific information about this person, including their home address and where they physically were in that moment.  Mr. Zatko explained, “there is access to information far beyond what you think you have disclosed that can be found.” He also stated that a major concern of his is that Twitter “doesn’t know what it was collecting,” and that, “anybody with access inside Twitter and has access to the production environment, can go find this information and use for their own purposes.”

Durbin shifted his questions to other agencies and how they have been monitoring privacy.

“Would you agree government agencies had some responsibility to make sure that American consumers’ privacy and security is protected?” Durbin asked.

In 2011, the Federal Trade Commission (FTC) issued a consent order with Twitter following charges that the company “deceived consumers and put their privacy at risk by failing to safeguard their personal information.”  Under this agreement, Twitter was prohibited from misrepresenting its privacy and security practices and ordered to “establish and implement” a comprehensive information security program to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information.” While the FTC did step in in 2011, Mr. Zatko still said the FTC is “a little in over their head compared to the big tech companies and the challenge they have against them.”

According to Mr. Zatko, Twitter only has about 20 percent of its vast trove of data registered and managed, meaning that the company is incapable of adequately tracking and securing the sensitive information it collects. About half of Twitter’s 10,000 employees have privileged access to sensitive live production systems.

Video of Durbin’s questions in Committee is available here.

Audio of Durbin’s questions in Committee is available here.

Footage of Durbin’s questions in Committee is available here for TV Stations. 

-30-