Blumenthal questioned Zatko about Twitter’s data security practices, its potential misleading of federal regulators & necessary remedies
[WASHINGTON, D.C.] – Today, U.S. Senator Richard Blumenthal (D-CT) questioned Peiter “Mudge” Zatko, the Twitter whistleblower, during a Senate Judiciary Committee hearing to examine the claims brought forward by Zatko regarding Twitter’s data security practices, including potential breaches of a 2011 Federal Trade Commission (FTC) consent decree.
Blumenthal discussed with Zatko whether Twitter has put user information and national security at risk, who bears responsibility at the company, and what needs to be done to correct course.
Blumenthal: “Would you agree with me that Twitter has put its users’ health and safety severely at risk?”
Zatko: “Yes, sir.”
Blumenthal: “And it has put the national security severely at risk?”
Zatko: “Yes sir.”
Blumenthal: “Its management has misled its own board of directors?”
Zatko: “Yes sir.”
Blumenthal: “And in that event, the management ought to be certainly restructured, shifted, changed, correct?”
Zatko: “Yes, sir.”
Blumenthal also questioned Zatko about Twitter’s misrepresentation of facts to federal agencies and reforms necessary to improve enforcement. In August, Blumenthal sent a letter to the FTC regarding Zatko’s allegations.
Blumenthal: “The misleading of government agencies is one of the reasons why stronger action hasn’t been taken?”
Zatko: “That could very well be sir.”
Blumenthal: “But it also, in effect, is the result of a lack of vigor in law enforcement, whether because of inadequate resources or a failure of will.”
Zatko: “That could be as well, sir.”
Blumenthal: “In fact, the most recent settlement with Twitter which was a payment of $150 million earlier this year, the FTC and Department of Justice stated that Twitter violated the 2011 consent decree. That is no surprise, but the size of the penalty, a mere $150 million amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan, given that its profit in the second quarter this year was about $1.18 billion, correct?”
Zatko: “That is correct. While I was there, the concern only really was about a significantly higher amount, significantly higher, or if it would have been a more institutional restructuring risk but that amount would have been of little concern while I was there.”
Blumenthal: “To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming, and energizing our regulatory apparatus. Not only as to Twitter but also as to other internet companies and platforms, would you agree?”
Zatko: “Yes I would. The intent of the regulators I think is the right intent but it is not being followed or correctly adhered to.”
The full transcript of the exchange between Blumenthal and Zatko can be found below.
U.S. Senator Richard Blumenthal (D-CT): Thanks, Mr. Chairman. Thank you and Senator Grassley for holding this hearing. Thank you, Mr. Zatko, for being here, for your extraordinarily insightful and significant testimony here today at substantial professional and personal risk, which is the tradition of whistleblowers, and for your cooperation with me and my staff off the record in providing details that are important to our understanding; the more of it that’s made public, I think, the better.
Would you agree with me that Twitter has put its users’ health and safety severely at risk?
Peiter Zatko: Yes, sir.
Blumenthal: And it has put the national security severely at risk?
Zatko: Yes sir.
Blumenthal: Its management has misled its own board of directors?
Zatko: Yes sir.
Blumenthal: And in that event, the management ought to be certainly restructured, shifted, changed, correct?
Zatko: Yes, sir.
Blumenthal: That kind of structural reform is necessary to achieve changes within the company.
Zatko: That is my belief.
Blumenthal: You’ve also said that this company has misrepresented facts to government agencies, most especially the FTC, that’s correct, isn't it?
Zatko: Yes, that is correct.
Blumenthal: I think you shared in your complaint that Twitter management was intending to mislead as well French and Irish regulators about compliance with the consent decree, correct?
Zatko: Yes sir, that is correct.
Blumenthal: How high in the Twitter management would you say that intent to mislead and in effect deceive government agencies went?
Zatko: To the CEO. I do not know to what level inside of the board. They did not know because of misrepresentation or chose not to push.
Blumenthal: The misleading of government agencies is one of the reasons why stronger action hasn’t been taken?
Zatko: That could very well be sir.
Blumenthal: But it also, in effect, is the result of a lack of vigor in law enforcement, whether because of inadequate resources or a failure of will.
Zatko: That could be as well, sir.
Blumenthal: In fact, the most recent settlement with Twitter which was a payment of $150 million earlier this year, the FTC and Department of Justice stated that Twitter violated the 2011 consent decree. That is no surprise, but the size of the penalty, a mere $150 million amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan, given that its profit in the second quarter this year was about $1.18 billion, correct?
Zatko: That is correct. While I was there, the concern only really was about a significantly higher amount, significantly higher, or if it would have been a more institutional restructuring risk but that amount would have been of little concern while I was there.
Blumenthal: To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming, and energizing our regulatory apparatus. Not only as to Twitter but also as to other internet companies and platforms, would you agree?
Zatko: Yes I would. The intent of the regulators I think is the right intent but it is not being followed or correctly adhered to.
Blumenthal: All of what you're saying, everything in your complaint and a lot of what we have heard in this committee and other committees leads me to think we need a new agency. As reluctant as I am to suggest a new government bureaucracy, I don't think it needs to be a government bureaucracy with a lot of new people but it needs to be a new means of enforcement here to bring cases to the Department of Justice focusing on privacy, security and protecting users as well as our national security. Would you agree?
Zatko: I had not considered that. I will have to think about that. That is a very interesting approach.
Blumenthal: I'm not reaching any conclusions, but clearly what we are doing right now is not working. You would agree with that?
Zatko: Yes. What I've seen, the tools used out of the tool belt are not working. I do believe other tools in the tool belt do work but the regulators aren’t able to quantify and get measurements that would show them to switch to the other tools they have.
Blumenthal: What are the remedies that for example other countries have that enable them to better protect privacy?
Zatko: Some are simply much more aggressive and do not accept answers at face value, put very strict time constraints on requiring answers, require data to back up the answers, and threaten to preclude monetizing entire markets, such as “maybe you will not be allowed to monetize in France” or “maybe you won't be allowed to use a particular data source in France.” And a “you have a week to respond” sort of approach.
Blumenthal: Let me just finish on that note, to expand on the Upton Sinclair theory of the case here, essentially users and their information are Twitter's product. They are the means to monetize the eyeballs on the site to collect, use, and monetize that information is the Twitter business. And so their reckless disregard for their users' health and safety and for the national security is a product of that incentive, would you agree?
Zatko: Yes, sir. That is why I understand the M in MDAU to be monetizable daily average users.