WASHINGTON – U.S. lawmakers are anxious to hear from Twitter’s former security chief, who has alarmed Washington with allegations that the influential social network misled regulators about its cyber defenses and efforts to control fake accounts.
Leaders of several congressional panels are poring over the disclosures by respected cybersecurity expert Peiter Zatko, and calls on Capitol Hill for investigations are mounting. Zatko is due to testify next month at a Senate hearing.
In addition to informing Congress, Zatko filed a complaint last month with the Justice Department, the Federal Trade Commission and the Securities and Exchange Commission. Among Zatko’s most serious accusations is that Twitter violated the terms of a 2011 FTC settlement by falsely claiming that it had put stronger measures in place to protect the security and privacy of its users.
Sen. Richard Blumenthal, D-Conn., called on the FTC to investigate.
“These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public,” Blumenthal wrote to FTC Chair Lina Khan.
Twitter has said Zatko’s complaint is “riddled with inconsistencies and inaccuracies and lacks important context.”
Zatko also accused the San Francisco-based company of deceptions involving its handling of “spam,” or fake, accounts, an allegation that is at the core of billionaire tycoon Elon Musk’s attempt to back out of his $44 billion deal to buy Twitter.
The Senate Judiciary Committee announced Wednesday that Zatko will testify at a hearing on Sept. 13 — the same day Twitter’s shareholders are scheduled to vote on the company’s pending buyout by Musk. The Twitter board is recommending approval of the buyout.
A trial on Twitter’s lawsuit against Musk to force him to go through with the acquisition is scheduled for October.
The Judiciary Committee’s chairman, Sen. Dick Durbin, D-Ill., and its senior Republican, Sen. Chuck Grassley, R-Iowa, said in a joint statement Wednesday that if Zatko’s claims are accurate, “they may show dangerous data-privacy and security risks for Twitter users around the world.”
They said the panel “will investigate this issue further with a full committee hearing ... and take further steps as needed to get to the bottom of these alarming allegations.”
The SEC is questioning Twitter about how it counts fake accounts on its platform. In June, the securities regulators asked the company about its methodology for calculating the number of false or spam accounts and “the underlying judgments and assumptions used by management.” The numbers are key to Twitter’s business because it uses them to attract advertisers, whose payments make up a little more than 90% of its revenue.
Twitter, with an estimated 238 million daily active users, said last month that it removes 1 million spam accounts daily.
Senior members of the Senate Intelligence and Commerce committees, as well as the House Energy and Commerce panel, also have publicly signaled their engagement on the issue. The Senate Intelligence Committee is planning a meeting with Zatko to discuss his allegations, a spokeswoman said, adding, “We take this matter seriously.”
With the midterm elections looming in early November, many lawmakers may wish to appear before TV cameras expressing concern about online privacy, an issue that resonates with consumers. That means camera lights glaring and outrage thundering from elected representatives as a lone whistleblower stands and takes the oath behind a table ringed by a photographers’ mosh pit — a scene that would mirror former Facebook product manager Frances Haugen’s testimony late last year.
“If Twitter whistleblower (and head of security) Peiter Zatko left you asking, ‘How could it possibly be this bad???,’ you’re not alone,” Haugen tweeted Thursday. “Twitter’s problems aren’t unique, and we should worry.”
Haugen’s far-reaching condemnation of Facebook and her allegation that it prioritized profits over safety of the platform were buttressed by a trove of internal Facebook documents. Zatko’s complaint, by contrast, appears to stand alone, though there may be references to other documents in the unredacted version of the complaint. The Associated Press has been able to view only a redacted version.
Other possible witnesses at congressional hearings could include former Twitter CEO Jack Dorsey and current CEO Parag Agrawal.
Zatko’s attorneys have said that in late 2021, after Twitter’s board was given “whitewashed” information about security problems, Zatko escalated his concerns, “clashed” with Agrawal and board member Omid Kordestani, and was fired two weeks later.
The Twitter debacle has raised hopes among some lawmakers that it could give a boost to comprehensive data-privacy legislation, which has been stalled for years but recently cleared a key House committee — bringing it closer than ever to final passage. It has been held up in the Senate, however.
Rep. Frank Pallone, chairman of the House Energy and Commerce Committee, and its senior Republican, Rep. Cathy McMorris Rodgers, issued a joint statement saying the panel “is actively reviewing the Twitter whistleblower disclosure and assessing next steps.”
“There are still a lot of unknowns and questions that need to be answered,” they said. “Many of these allegations, if true, are alarming and reaffirm the need for Congress to pass comprehensive national consumer privacy legislation to protect Americans’ online data.”
Follow Marcy Gordon at https://twitter.com/mgordonap