The ex-security chief of Twitter testified before the US Congress that the bird app is plagued with weak cyber defences that leave it open to exploitation by “teenagers, thieves, and spies” and jeopardize the privacy of its users.
Peiter “Mudge” Zatko, a respected cybersecurity expert, appeared before the US Senate Judiciary Committee to lay out his allegations.
“I am here today because Twitter leadership is misleading the public, lawmakers, regulators and even its own board of directors,” Zatko said as he began his sworn testimony.
“They don’t know what data they have, where it lives and where it came from and so, unsurprisingly, they can’t protect it,” Zatko said.
“It doesn’t matter who has keys if there are no locks.”
Zatko said “Twitter leadership ignored its engineers” in part because “their executive incentives led them to prioritise profit over security”.
His message echoed one brought to Congress against another social media giant last year but unlike that Facebook whistleblower, Frances Haugen, Zatko has not brought troves of internal documents to back up his claims.
Zatko was the head of security for the influential platform until he was fired early this year.
He filed a whistleblower complaint in July with Congress, the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission.
Among his most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
Related: Twitter employees in dark over future with Musk
Senator Dick Durbin, an Illinois Democrat who heads the Judiciary Committee, said Zatko has detailed flaws “that may pose a direct threat to Twitter’s hundreds of millions of users as well as to American democracy”.
“Twitter is an immensely powerful platform and can’t afford gaping vulnerabilities,” he said.
Unknown to Twitter users, there is far more personal information disclosed than they -or sometimes even Twitter itself – realise, Zatko testified.
He said “basic systemic failures” that were brought forward by company engineers were not addressed.
The FTC has been “a little over its head” and far behind European counterparts, in policing the sort of privacy violations that have occurred at Twitter, Zatko said.
Zatko’s claims could also affect Tesla billionaire Elon Musk’s attempt to back out of his $US44 billion ($A65 billion) deal to acquire the social platform.
Musk claims that Twitter has long under-reported spam bots on its platform and cites that as a reason to nix the deal he struck in April.
Many of Zatko’s claims are uncorroborated and appear to have little documentary support.
Twitter has called Zatko’s description of events “a false narrative… riddled with inconsistencies and inaccuracies” and lacking important context.
Among the assertions from Zatko that drew attention from lawmakers Tuesday was that Twitter knowingly allowed the government of India to place its agents on the company payroll, where they had access to highly sensitive data on users.
Twitter’s lack of ability to log how employees accessed user accounts made it hard for the company to detect when employees were abusing their access, Zatko said.
Zatko also accuses the company of deception in its handling of automated “spam bots” or fake accounts.
That allegation is at the core of Musk’s attempt to back out of his deal to buy Twitter.
Musk and Twitter are locked in a bitter legal battle, with Twitter having sued Musk to force him to complete the deal.
The Delaware judge overseeing the case ruled last week that Musk can include new evidence related to Zatko’s allegations in the high-stakes trial, which is set to start on October 17.
This article was first published on Commsroom.