Whistleblower Explains How Twitter Easily Skirted FTC’s Data Security Enforcement

Congressional testimony from Peiter Zatko—a storied progenitor of vulnerability disclosure programs for cybersecurity—provided insight into how Twitter maneuvered through the Federal Trade Commission’s enforcement process, evading accountability for its management of user data, which he said was woefully neglected in favor of increasing profits.

“I was told straight out by the chief privacy officer that the FTC had come and asked, ‘does Twitter delete user information when they leave the platform?’,” Zatko said, “And the reason this person told me this, [is] he said, ‘I need you to know this because other regulators are asking us and this ruse is not going to hold up.’ So instead of answering whether we delete user data, we intentionally have replied ‘we deactivate users.’”

Zatko testified before the Senate Judiciary Committee Tuesday on disclosures he made about Twitter’s practices to the Department of Justice, the Securities and Exchange Commission and the Federal Trade Commission in July, just as Elon Musk was trying to back out of a planned acquisition of the company.

The reason Twitter isn’t able to affirm to the FTC that they delete user data is because they only have knowledge of about 20% of the data they amass from users, Zatko said. He detailed an environment with no controls or basic logging in place to responsibly manage or protect a vast majority of user data and activity, which he said thousands of employees–about half the company—were able to access as a result. That, and other poor security practices, place Twitter in violation of several laws and regulations and a 2011 consent decree from the FTC, Zatko said in his disclosure.

After first drawing attention to security vulnerabilities at companies like Microsoft in the 1990’s, Zatko went on to work on developing cybersecurity tools for the Defense Advanced Research Projects Agency and was also at Google before being hired by Twitter in November 2020, as the company reeled from a major security scandal. Teenagers were able to post from the accounts of Musk, former President Barack Obama and others, luring victims into a Bitcoin-related scam.

Referencing his government experience, Zatko laid out the national security implications for lawmakers who focused on reports that Twitter was being accessed by a Chinese intelligence service. Such agents wouldn’t be doing their job if they aren’t inside Twitter, which is a gold mine for spies, he said. 

During the hearing, Zatko, who is more well known as “Mudge,” said Twitter executives are way more afraid of the French government—which he said uses auditable, quantifiable mechanisms in their enforcement—than they are of the FTC, which he said essentially allows companies to “grade their own homework.” 

“There were a lot of evaluations and examinations, which were interview questions,” he said of the FTC’s process for enforcing the 2011 order that Twitter improve its security after earlier compromises. “‘Did you make things better? Yes, we did, okay, check.’ There wasn't a lot of ground truth. There wasn't a lot of quantified measurements.”

Zatko said even when the FTC does exercise its enforcement authorities, its one-time fines are not as effective as institutional changes and practices European counterparts rely on. He also raised issues with third-party security certifiers. “A fair amount of the interviews came from companies—auditors—that Twitter themselves were able to hire. I think that's a little bit of maybe a conflict of interest,” he said.

Lawmakers on both sides of the aisle took advantage of the opportunity to question the FTC’s ability to enforce a privacy and data security regime under emerging legislation on the issue. They seemed baffled by the prospect that Twitter would deliberately neglect such serious national security issues. Mudge assured them that it is possible to responsibly secure user data and track intrusion attempts, but said the company, and others in the tech industry, were focused on other priorities, such as increasing their revenues.

One outcome from Zatko’s testimony could be legislation crafted by Sens. Lindsey Graham, R-S.C., and Elizabeth Warren, D-Mass.

Warren is a known firebrand on consumer data protection. She blasted Equifax and pushed for regulations after its infamous breach, for example. But she is also a national security hawk, and has teamed up with Intelligence Chairman Mark Warner on data security legislation in the past. Her alliance with Republicans like Graham, who said during the hearing that it’s time to follow the lead of European counterparts, would be significant.

“I’m working with Elizabeth Warren of all people,” Graham said, to establish “a regulatory environment with teeth.” He said Sen. Josh Hawley, R-Mo., was also part of the unlikely coalition. Sen. John Cornyn, R-Texas, a senior member of the Intelligence Committee, also expressed interest in Zatko’s ideas for how the federal government should intercede to protect national security.

“If Elizabeth Warren and Lindsey Graham can come together around that concept, I think we're off to the races as a body,” Graham said.