[VIDEO] Senator Coons Questions Twitter Whistleblower about Social Media Security Failures at Judiciary Committee

Source: United States Senator for Delaware Christopher Coons

WASHINGTON — U.S. Senator Chris Coons (D-Del.) questioned data security expert and former head of security at Twitter, Peiter “Mudge” Zatko, at a full Senate Judiciary Committee hearing to assess allegations of widespread security failures at Twitter. Senator Coons questioned Zatko on his disclosures about Twitter’s security vulnerabilities, foreign infiltration, and misrepresentations to regulatory agencies. Senator Coons also highlighted his bill, the Platform Accountability and Transparency Act, which would provide researchers with access to internal platform data to conduct research on the impact that major social media platforms have on our lives. Senator Coons is the Chairman of the Committee’s Subcommittee on Privacy, Technology, and the Law, and he will hold a subcommittee hearing tomorrow on protecting Americans’ private data and information from hostile foreign powers.

Video and transcript of Senator Coons’ opening remarks and questioning are available below:


Senator Coons: Thank you Chairman Durbin, Ranking Member Grassley. And thank you, Mr. Zatko, thank you Mudge, for coming forward. This is yet another eye-opening moment for our public, for our nation, and for this committee. We know that social media and new communications technologies have empowered people across the world to connect and share information at an unprecedented scale, but we also know that concentrating all this information, all these resources, in just a few hands, comes with great risks. So your whistleblower complaint contains really striking allegations, which shed light on several key realities, and I wanted to focus on those. The first, as you’ve stated in a number of exchanges with my colleagues, is that the public lacks any credible way to assess whether and how major platforms and technology companies are protecting or prioritizing user privacy. And I want to talk for a bit about a bill that I’ve got, that Senator Klobuchar also mentioned, that would help strengthen some of that transparency. And then the second, which I’ll get to later, is that these platforms are a target for foreign actors, something where a subcommittee I chair is having a dedicated hearing tomorrow afternoon. You commissioned an independent report regarding Twitter’s platform integrity, and their ability to combat misinformation, disinformation, and that report found, and I’m quoting, “Twitter’s consistently behind the curve in acting against disinformation and misinformation threats, and that Twitter doesn’t have the ability to measure the impact of its work to protect site integrity.” What I’ve concluded from your testimony today is that Twitter lacked the ability to measure the effects of interventions it implemented because of decisions by management and because of the lack of a credible regulatory oversight agency and penalties. Is that correct? Do I understand your testimony correctly?

Mudge: Yes, sir. The inability internally came from 10 years of security and engineering debt that just kept accruing.

Senator Coons: Your complaint also details how Twitter’s executive team was concerned that the report that you’ve commissioned would be damaging if it got out and that they worked to intentionally remove or modify information that might be especially embarrassing for Twitter. Is that correct?

Mudge: Yes, sir. I found that very disturbing. The company that I hired with the knowledge of the other executives and the head of site integrity, which did not report to me, that this independent organization was going to analyze and do gap analysis. The company reached out to me and said, “Hey, Mudge, Twitter is jumping in and making us open a separate contract, and telling us not to provide you the results to your own work. This does not feel right to us. What’s going on?”

Senator Coons: So, a lot of the information that both regulators and Congress rely on when considering how to regulate social media companies comes from the companies themselves; as I think you’ve put it before, they’re essentially grading their own homework. So the conclusion we ought to reach is the information we receive isn’t trustworthy from some social media platforms?

Mudge: Yes, sir. That’s what I experienced.

Senator Coons: So, I’ve released a bill with Senator Portman. Senator Klobuchar referenced it earlier; we are looking for additional Republican co-sponsors. It’s called the Platform Accountability and Transparency Act; it would allow external researchers to look at exactly these kinds of problems to better understand and analyze the algorithms that drive social media and some of their practices. Would empowering researchers and mandating better disclosure help hold companies more accountable and cause them to invest more resources in site integrity?

Mudge: Yes, sir. In fact, I think one of the things that we learned from that study, and what I am hopefully shedding light on in my lawful disclosures, is just how much of a gap there is between Twitter and some of Twitter’s peers, and even learning that sort of discrepancy would help understand and raise the level of hygiene for these organizations in their ability to perform their tasks, and the ability for us to accept what they’re saying as to whether it could possibly be true or not.

Senator Coons: This also opens up enormous national security risks. As you testified earlier, there’s roughly half of Twitter’s employees that had unnecessary access to vast amounts of sensitive user data. As Senator Kennedy was asking you earlier, [you] just gave us a quick sense of what information Twitter might have about Senator Grassley, or about any of us on this committee. It is deeper and broader, and I suspect if you’d gone further, it then unlocks a whole profile that can give really dramatic insight into members of law enforcement, members of the military, Members of Congress and their families, their travel, their preferences, their actions, their consumer activities, and all of that has some real consequences. You wrote in your complaint, the Indian government “forced” Twitter to hire Indian government agents, who then had direct and unsupervised access to data and a former Twitter employee was convicted last August of working as an agent of the Saudi kingdom. How common do you think it is for foreign entities, for hostile agencies, to successfully install sympathetic actors at Twitter, and why might they do so?

Mudge: Well, there’s any number of reasons, you know, there are many reasons why you would do so. In particular, not just to identify people of interest or track groups of interest, but also to maybe look at whether or not Twitter has identified your agents or your information operations — what other governments has Twitter possibly identified. And remember, you know, outside of the ability to access large amounts of data on the engineering side, you would want to know what Twitter’s plan is, as far as whether they will cede to your demands for control of information within their environments or not, in order to change different types of political pressures such as strong arming, and as we saw, that that country was even threatening to put Twitter employees in jail if Twitter didn’t change particular activities on the platform.

Senator Coons: With 80% of Twitter’s users outside the United States and with Twitter having a deep access and resources to critical leaders in our country and other countries, I think this is genuinely concerning. Tomorrow afternoon, the subcommittee I chair, the Subcommittee on Privacy, Technology, and the Law, Senator Sasse and I will be holding a hearing on how to further understand the depth to which hostile actors and adversaries are going to obtain American citizens’ data and that’ll expand on a lot of the topics we’ve pursued today. I hope members of the committee will attend. I want to thank you for your testimony, and Mr. Chairman, for the chance to participate in today’s hearing.
