[Senate Hearing 117-976]
[From the U.S. Government Publishing Office]





                                                        S. Hrg. 117-976

                    DATA SECURITY AT RISK: TESTIMONY
                      FROM A TWITTER WHISTLEBLOWER

=======================================================================

                                HEARING

                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 13, 2022

                               __________

                          Serial No. J-117-75

                               __________

         Printed for the use of the Committee on the Judiciary









    [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]











                        www.judiciary.senate.gov
                            www.govinfo.gov
                                   _______
                                   
                 U.S. GOVERNMENT PUBLISHING OFFICE 
                 
60-055                   WASHINGTON : 2025 
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                            
                       COMMITTEE ON THE JUDICIARY

                   RICHARD J. DURBIN, Illinois, Chair
PATRICK J. LEAHY, Vermont            CHARLES E. GRASSLEY, Iowa, Ranking 
DIANNE FEINSTEIN, California             Member
SHELDON WHITEHOUSE, Rhode Island     LINDSEY O. GRAHAM, South Carolina
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
CHRISTOPHER A. COONS, Delaware       MICHAEL S. LEE, Utah
RICHARD BLUMENTHAL, Connecticut      TED CRUZ, Texas
MAZIE K. HIRONO, Hawaii              BEN SASSE, Nebraska
CORY A. BOOKER, New Jersey           JOSH HAWLEY, Missouri
ALEX PADILLA, California             TOM COTTON, Arkansas
JON OSSOFF, Georgia                  JOHN KENNEDY, Louisiana
                                     THOM TILLIS, North Carolina
                                     MARSHA BLACKBURN, Tennessee
             Joseph Zogby, Chief Counsel and Staff Director
      Kolan L. Davis, Republican Chief Counsel and Staff Director
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
      
                            C O N T E N T S

                              ----------                              

                           OPENING STATEMENTS

                                                                   Page

Durbin, Hon. Richard J...........................................     1
Grassley, Hon. Charles E.........................................     3

                               WITNESSES

Zatko, Peiter....................................................     5
    Prepared statement...........................................    42
    Responses to written questions...............................    45

                                APPENDIX

Items submitted for the record...................................    41

 
                    DATA SECURITY AT RISK: TESTIMONY 
                      FROM A TWITTER WHISTLEBLOWER 

                              ----------                              


                      TUESDAY, SEPTEMBER 13, 2022

                              United States Senate,
                                Committee on the Judiciary,
                                                    Washington, DC.
    The Committee met, pursuant to notice at 10 a.m., in Room 
216, Hart Senate Office Building, Hon. Richard J. Durbin, Chair 
of the Committee, presiding.
    Present: Senators Durbin [presiding], Feinstein, 
Whitehouse, Klobuchar, Coons, Blumenthal, Hirono, Ossoff, 
Grassley, Graham, Cornyn, Lee, Hawley, Cotton, Kennedy, and 
Blackburn.

          OPENING STATEMENT OF HON. RICHARD J. DURBIN,

           A U.S. SENATOR FROM THE STATE OF ILLINOIS

    Chair Durbin. This meeting of the Senate Judiciary 
Committee will come to order. In 2006, the new social 
networking platform marked its debut when Jack Dorsey posted a 
message that he was, quote, ``Just setting up my Twitter.'' At 
the time, Dorsey's startup, which allowed users to share short 
messages with their followers was a novelty. But in the coming 
years it would become increasingly source--an important source 
of news and social discourse, as it gathered millions of users 
around the world.
    Twitter now plays an outsized role in politics, culture, 
and even in democracy itself. As Twitter has grown, so have the 
risks posed by bad actors looking to exploit its opportunities, 
and the data it holds. In July 2020, two teenagers hacked into 
the accounts of Twitter employees, gaining access to a number 
of high-profile accounts, including now President Biden and 
former President Obama. Those two teenagers then sent a series 
of tweets from the accounts and scammed Twitter users out of 
more than $100,000 in Bitcoin.
    In response, then CEO of Twitter, Dorsey, turned to a 
trusted name in the world of cybersecurity to lead an overhaul 
of Twitter's security practices. And for more than a year, 
that's what this individual tried to do, until he was 
terminated by Twitter and their new CEO this past January. Last 
month, this individual released a whistleblower disclosure, 
detailing a number of alarming allegations about Twitter's 
security practices. Without objection, his disclosure will be 
entered into the record.
    [The information appears as a submission for the record.]
    That whistleblower's name is Peiter Zatko, or as he's more 
commonly known, Mudge. Mudge, thank you for joining us. You are 
here pursuant to a subpoena, not because you were opposed to 
appearing before the Committee, but so the public can hear the 
details of your disclosure. You've alleged a number of security 
flaws and weaknesses within Twitter, flaws that may pose a 
direct threat to the safety and privacy of Twitter's hundreds 
of millions of users, as well as America's national security.
    The story actually began in 2011, when the FTC, the Federal 
Trade Commission, first concluded that Twitter was playing fast 
and loose with user data. They found that Twitter had, quote, 
``deceived customers and put their privacy at risk by failing 
to safeguard their personal information.'' The company was 
ordered by the FTC to, quote, ``protect the security, privacy, 
confidentiality, and integrity of user data.'' But you've 
claimed those changes have never been made, and more broadly, 
you allege that compared to other technology companies, 
Twitter's security standards remain woefully deficient. You 
allege that thousands of employees within the company have 
extraordinary access to sensitive information of Twitter's 
users, and that there is little oversight over how that 
information is assessed.
    Some Twitter users tuning in this morning may be asking, 
``Well, what's the big deal?'' When you sign up for Twitter, 
you knowingly hand over your email, your phone number, other 
information. That's how it is with most social media companies. 
But you expect--do we not--that these companies will take 
precautions to protect the personal information that you give 
them. It's like depositing money at the bank. When you hand 
your money to the teller, they take it behind the counter and 
put it in a vault, but at Twitter, according to our witness 
today, the door of that vault is wide open. And that vault 
contains a lot more information about you than you can imagine.
    Twitter doesn't just have access to your tweets and mail--
email address, they also have access to all of the data 
necessary to directly access your device, and even pinpoint 
your exact location. Say you're an American citizen. You're 
exercising your First Amendment freedom at a political protest. 
Or maybe you're a woman seeking reproductive health care. If 
you're a Twitter user, it may not just be you at the protest or 
in that health care facility. Unbeknownst to you, someone else 
may be right there with you in your pocket, or purse.
    Of course, many of us are comfortable with some of the 
programs on our phones having location data. It's helpful, but 
when that data isn't secure, we become vulnerable to bad 
actors, scam artists, stalkers, even foreign agents. To give an 
example, earlier this year, a Saudi national who worked for 
Twitter was convicted by a Federal jury for stealing the 
personal data of dissidents who criticized the Saudi regime and 
handed the data over to the Saudi government. This is a matter 
of life and death, as we know, for these dissidents, as the 
butchering of Jamal Khashoggi made clear.
    There's also the matter of Twitter's reach. It was one of 
the largest megaphones that world leaders ever had at their 
disposal. We've already seen what can happen when small-time 
actors break into Twitter accounts, belonging to Government 
officials. But what if--what if next time it isn't two 
teenagers trying to pull a crypto scam? Imagine if it's a 
malicious hacker, or a hostile foreign government, breaking 
into President--the President's Twitter account, or sending out 
false information, claiming there was a terrorist attack on one 
of our cities? We can see widespread panic. The bottom line is 
this: Twitter is an immensely powerful platform that cannot 
afford gaping security vulnerabilities. Today we have a chance 
to engage in a good-faith, bipartisan discussion to ask what 
needs to be done.
    A final point, politicians on both sides of the aisle have 
criticized Twitter. I have, for one, believed that Twitter 
should be doing far more to combat the proliferation of hate 
speech and conspiracy theories. Republicans, on the other hand, 
claim that Twitter censors their conservative speakers. I urge 
my colleagues to set some of the partisan differences aside and 
try to find the common ground that we need to establish 
security standards that will be raised today by our 
whistleblower. With that, I turn to our Ranking Member, Senator 
Grassley.

             STATEMENT OF HON. CHARLES E. GRASSLEY,

             A U.S. SENATOR FROM THE STATE OF IOWA

    Senator Grassley. Thank you, Chairman Durbin. A very 
important issue that you have brought before this Committee, 
and I thank you for doing it. I, for one, want people to know 
that I love using Twitter. But we also know that Big Tech 
companies, such as Twitter, collect vast amounts of data on 
Americans. In the hands of foreign adversaries, this data is a 
goldmine of information that could be used against America's 
interest.
    Twitter has a responsibility to ensure that the data is 
protected and doesn't fall into the hands of foreign powers. 
Americans rightly expect that Twitter will protect that 
information. Thanks to a whistleblower that comes forward, 
we've learned that Twitter hasn't secured the data of tens of 
millions of Americans and countless other users. That 
whistleblower is here today. So, we welcome you, Mudge.
    He comes before the Committee today, not only as a expert 
in the field of cybersecurity, but also as a whistleblower. I 
think all of my colleagues know that I have a great deal of 
admiration for whistleblowers. I've always said that 
whistleblowers are patriotic individuals, who often sacrifice 
their own career, as well as their livelihood, to root out 
waste, fraud, and abuse. Thank you very much for being here.
    Because of Mudge's disclosures, we've learned that personal 
data from Twitter users was potentially exposed to foreign 
intelligence agencies. For example, his disclosure indicates 
that India was able to place at least two suspect foreign 
assets within Twitter. His disclosures also note that the FBI 
notified Twitter of at least one Chinese agency--agent in the 
company--company, I should say. Based on allegations, Twitter 
also suffers from a lack of data security. Due to that failure, 
thousands of Twitter employees can access user data, that data 
that they don't need access to in order to do their job. Yet 
they have access. And if foreign assets work for Twitter, that 
means these foreign assets can also access the data.
    To put a finer point on the allegations, Twitter has 
allegedly used the data it collects and the tools it has to 
geolocate individuals who made threats against board members. 
In the hands of a foreign agent embedded at Twitter, a foreign 
adversary could use the same technology to track down pro-
democracy dissidents within their country, but also to spy on 
Americans. This has actually happened in the past.
    In 2019, two Twitter employees were indicted by the FBI. 
They used their position at Twitter to access private user 
data, and then gave it to Saudi Arabia. These foreign agents 
were able to access and provide personal information on more 
than 6,000 individuals of interest to the Saudi government.
    Simply put, the whistleblower disclosures paint a very 
disturbing picture of a company that's solely focused on profit 
at any expense, including at the expense of safety and security 
of its users. Additionally, it's been alleged that Twitter 
knowingly violated a consent decree that it entered into with 
the Federal Trade Commission, 2011. That consent decree 
required Twitter to address their access control failures. 
However, instead of complying with the consent decree, and 
fixing these very serious security matters, it alleged that 
Twitter executives, specifically CEO Parag Agrawal, 
intentionally misled Twitter's board of directors.
    So, I'm concerned that for almost 10 years the Federal 
Trade Commission didn't know or didn't take strong enough 
action to ensure Twitter complied with the consent decree. This 
is a consent decree that was intended--intended to protect 
Twitter users' personal information. As Congress considers 
Federal data privacy legislation, I think it's very important 
that we draw on these revelations about how Twitter views its 
obligations with Federal regulators.
    Congress should also be mindful of the FTC's ability, or 
lack thereof, to successfully oversee these important issues. 
Twitter also needs to answer questions about its content 
moderation. It was revealed to this Committee that Twitter 
outsources a great deal of consent moderation to foreign 
countries. They have close to 2,000 employees in other 
countries, whose job is to screen tweets by Americans. They 
also lack the appropriate amount of translators to ensure that 
tweets in other languages are complying with Twitter's own 
rules.
    Mudge had limited visibility to content moderation while at 
Twitter, so these are questions that need to be answered in 
full by Twitter, because we can't expect Mudge to respond to 
them. Unfortunately, this Committee will not be able to get 
answers about content moderation because Twitter's CEO has 
refused to appear today. He rejected this Committee's 
invitation to appear by claiming that it would jeopardize 
Twitter's ongoing litigations with Mr. Musk. Many of the 
allegations directly implicate Mr. Agrawal, and he should be 
here to address them.
    So, let me be very clear. The business of this Committee 
and protecting Americans from foreign influence is more 
important than Twitter's civil litigation in Delaware. In 
conclusion, if these allegations are true, I don't see how Mr. 
Agrawal can maintain his position at Twitter. Going forward, 
Chairman Durbin and I will continue to conduct a thorough and 
in-depth investigation. Today's hearing is a part of that 
process. Thank you.
    Chair Durbin. Thank you, Senator Grassley. Mr. Zatko, you 
will have 6 minutes for an opening statement, and then each 
Member will be given 6 minutes questioning to follow up. We 
start with a customary oath, and I ask you to please stand for 
that purpose. Please raise your right hand.
    [Witness is sworn in.]
    Let the record reflect that the witness has answered in the 
affirmative, and I appreciate your attendance here, and the 
floor is yours. I think your microphone may need----

              STATEMENT OF PEITER ``MUDGE'' ZATKO,

                INDEPENDENT SECURITY CONSULTANT,

                   NEW YORK METROPOLITAN AREA

    Mr. Zatko. Thank you very much, sir. Chairman Durbin, 
Ranking Member Grassley, Members of the Committee, I appear 
before you today to answer questions about information I 
submitted in written disclosures about cybersecurity concerns I 
observed while working at Twitter. My name is Peiter Zatko, but 
I'm more often referred to by my online handle as Mudge. For 30 
years, my mission has been to make the world better by making 
it more secure. From November 2020 to January 2022, I was a 
member of Twitter's executive team. In my role, I was 
responsible for Information Security, Privacy Engineering, 
Physical Security, Information Technology, and Twitter Global 
Support.
    I'm here today because Twitter's leadership is misleading 
the public, lawmakers, regulators, and even its own board of 
directors. What I discovered when I joined Twitter was that 
this enormously influential company was over a decade behind 
industry security standards. The company's cyber security 
failures make it vulnerable to exploitation, causing real harm 
to real people. And when an influential media platform can be 
compromised by teenagers, thieves, and spies, and the company 
repeatedly creates security problems on their own, this is a 
big deal for all of us.
    When I brought concrete evidence of these fundamental 
problems to the executive team and repeatedly sounded the alarm 
of the real risks associated with them--and these were problems 
brought to me by the engineers and employees of the company 
themselves--the executive team chose, instead, to mislead its 
board, shareholders, lawmakers, and the public, instead of 
addressing them.
    This leads to two obvious questions. Why did they do that, 
and what were the problems and vulnerabilities identified? And 
that's what I'm here to talk about. So, first, why did they do 
that? To put it bluntly, Twitter leadership ignored--ignored 
its engineers, because key parts of leadership lacked the 
competency to understand the scope of the problem, but more 
importantly their executive incentives led them to prioritize 
profits over security. Upton Sinclair famously said, ``It is 
difficult to get a man to understand something, when his salary 
depends on his not understanding it.'' This mentality is 
exactly what I saw at the executive level at Twitter.
    So, what are the problems I discovered? Two basic issues. 
First, they don't know what data they have, where it lives, or 
where it came from, and so, unsurprisingly, they can't protect 
it. And this leads to the second problem, which is, the 
employees then have to have too much access to too much data 
and to too many systems. You can think of it this way, which 
is, it doesn't matter who has keys if you don't have any locks 
on the doors. And this kind of vulnerability is not in the 
abstract. It's not farfetched to say that an employee inside 
the company could take over the accounts of all of the Senators 
in this room. Giving to the real harm--given the real harm to 
users and national security, I determined it was necessary to 
take on the personal and professional risk to myself and to my 
family of becoming a whistleblower.
    I did not make my whistleblower disclosures out of spite or 
to harm Twitter, far from that. I continue to believe in the 
mission of the company and root for its success. But that 
success can only happen if the privacy and security of 
Twitter's users and the public are protected. In accepting an 
executive position at Twitter, I made a personal commitment to 
Mr. Dorsey, the board, the greater public, and myself, that I 
would drive the changes needed at Twitter to protect the users, 
the platform, and democracy. That's what I'm continuing to do 
here today. I stand by the statements I made in my lawful 
disclosures, and I am here to answer any questions you may have 
about them. Thank you.
    [The prepared statement of Mr. Zatko appears as a 
submission for the record.]
    Chair Durbin. Thank you, Mr. Zatko. I'll start the 
questioning, and as I mentioned, each Member will have 6 
minutes to ask you questions. Those of us who are not expert 
but rely on the internet everyday for personal and professional 
reasons, know that many times we are given disclosures, lengthy 
disclosures, that scroll across the screen, which are hardly 
ever read, in my estimation, and usually end up with a bottom 
box that said approve. And that is as far as we go warning 
about what we're getting into. Can we get into the real world 
now and talk about whether or not consumers across America have 
a right to be warned if they are opening or using a Twitter 
account, as to what's going to happen with their data?
    For example, if I disclose my name and my address and my 
email address, I expect that that may be vulnerable. Somebody 
could use that in some future time. You hope not, but it could 
happen. But what I infer from your testimony and what we've 
read about your findings is that there's a lot more information 
being collected by Twitter, beyond that basic information that 
is going to be used by them for different purposes. Is that a 
fact?
    Mr. Zatko. Yes. I entirely concur. I mean, when we sign up 
for an account, I hope that the company is being responsible 
and not just saying that they are, you know, would like the 
data to be used correctly and safely, but that they're actually 
able to quantifiably, internally, you know, guarantee that that 
is the case. As far as the type of data, I believe Senator 
Grassley, you know, referred to an incident. We had a user on 
Twitter that was harassing some members of the executive team, 
and some members of the board.
    And as an example, this person, the CTO, came to me and 
said, ``Mudge, you know, is this a real viable threat? Do I 
need to be worried? You know, who is this person?'' And it took 
me maybe 30 minutes to reach out to an employee and say, ``What 
do we know about this person?'' And it only took that person 
maybe 10 minutes to get back to me and said, ``Okay, here's who 
they are. This is the address where they live. This is where 
they are physically at this moment. They're on their phone. We 
know their phone number. We also know all of the other accounts 
that they've tried to set up on the system and hide. And we 
know who they are on the other social media platforms as 
well.''
    Chair Durbin. So, unbeknownst to a Twitter account user, 
there is access to information far beyond what you think you've 
disclosed that can be found. Should there be a warning? You say 
at one point, Twitter has about 20 percent of its vast trove of 
data registered and managed, meaning the company is incapable 
of securing the sensitive information it collects. Tell me--
that is a pretty stark statement and suggests that a warning to 
users is that literally anything that you disclose or use the 
account for is traceable and could be used for bad purpose.
    Mr. Zatko. Yes. In this case, my concern was more that 
Twitter didn't even know what it was collecting. And this was 
one of the problems, because I kept looking at why do they keep 
having so many security incidents? The same amount, you know, 
each year after year? Why are the same percentages, you know, 
from the same systemic problems? Why aren't we closing on this? 
What is fundamentally under the hood broken? Where is the 
systemic failure? And then it turned out from an internal study 
that the engineers did on their own, because they weren't 
given, you know, the cover and the time and the resources to do 
this as part of their job, that only about 20 percent of the 
information that they had--that they were collecting did they 
know why they got it, you know, why the person had given it to 
them, how it was supposed to be used. You know, when it was 
supposed to be deleted, you know, and the remaining--I think it 
was 80 percent--I refer you to the disclosures for the specific 
numbers--was, ``Hey, we know that our systems are using some of 
this other data, but we don't know what it is.'' And then a lot 
of the data they just recognized, ``We don't even know what 
these are.'' Petabytes, huge amounts of data. And they did a 
sampling that included personally identifying information, 
phone numbers, addresses. So, for me, the concern there is 
anybody with access inside Twitter, and half the company has 
access to the production environment that has this, could go 
rooting through and find this information and use it for their 
own purposes.
    Chair Durbin. So, if 80 percent of the data that is being 
collected is, in fact, not registered and managed, and the one 
with the Twitter account person is vulnerable in that regard, I 
wouldn't exactly give a passing grade to Twitter when it comes 
to the security of information that they've gathered. Now, let 
me ask you, on the other side of the ledger, would you grade as 
well, the Government agencies that have some responsibility to 
make sure that the American consumer's privacy and security is 
protected? For example, Federal Trade Commission, Security and 
Exchange Commission, and others.
    Mr. Zatko. So, that was something that I was--what came to 
mind as well is that we had a 2011 consent decree. This is over 
a decade. How have we been passing this, especially since there 
were at least two more times where there were violations for 
the same exact problem, the misuse of email data that was 
collected for security purposes, but then turned around and 
used for marketing. Which was a violation of the assumption of 
why you were providing them the data. How come we keep making 
these same mistakes? You know, what is the FTC missing, or what 
is it that we are telling the FTC, as Twitter, that is 
incorrect? And I think--I think, honestly, I think the FTC is a 
little, you know, over their head. Compared to the size of the 
Big Tech companies and the challenge they have against them, 
they're left letting companies grade their own homework. And I 
think that's one of the big challenges.
    Chair Durbin. I'm running out of time, and I'll just say 
that I think that the area of great concern, as well, is the 
access of foreign governments and foreign agencies to the same 
data. Americans signing up for Twitter have no idea that they 
are at least vulnerable to that possibility, and we know that 
the conviction of individuals in Saudi Arabia, or for dealing 
with the Saudi government, is proof positive of that 
possibility. Thank you very much. Senator Grassley.
    Senator Grassley. I'm going to take off where the Chairman 
just left off. The Communist Chinese government bans Twitter, 
yet companies based in China advertise on the platform. When a 
user clicks on such an advertisement, they've presumably 
redirected to a website controlled by the Chinese government, 
which can collect vast amounts of data and track their 
location. With respect to pro-democracy Chinese citizens, is 
Twitter endangering their lives by allowing China to advertise 
on the platform?
    Mr. Zatko. I think that's a very valid concern, sir. And 
that was a concern that was raised to me by the employees 
inside Twitter, who were disturbed that in a country where the 
service was not allowed to be used and provide the--a voice to 
the public, but that money was being accepted from 
organizations that may or may not be associated with the 
Chinese government. And I believe that there was a Reuters 
article just a day or say ago, saying that they did identify 
that there were governments related to China advertising on the 
platform, possibly in violation of Twitter's own policies.
    The executive in charge of sales, very shortly after I 
joined, said, ``Mudge, this is a big internal conundrum. 
Because we're making too much money from these sales, we're not 
going to stop. We need something that will make the employees 
more comfortable with the fact that we're doing this.'' Figure 
out how we essentially thread this needle or frame it, which 
made me a bit uncomfortable. And they didn't know what people 
they were putting at risk, or what information they were even 
giving to the government, which made me concerned that they 
hadn't thought through the problem in the first place, that 
they were putting their users at risk for. And that was a very 
common problem, where I saw that Twitter was a company that was 
managed by risk and by crises, instead of one that manages risk 
and crises. It was reacting--it would react to problems too 
late.
    Senator Grassley. I think you just answered this question, 
but I want to ask it and see if you've said all you wanted to 
on the subject. While at Twitter, you raised concerns with 
their policy allowing Chinese advertisement. What was Twitter's 
response?
    Mr. Zatko. In a nutshell, it was, ``We're already in bed. 
It would be problematic if we lost that revenue stream. So, 
figure out a way to make people comfortable with it.''
    Senator Grassley. Okay. According to your disclosure, 
thousands of Twitter employees have access to Twitter user data 
and internal systems. That includes nearly 4,000 engineers, 
which is half of Twitter's workforce. However, you stated that 
they don't need that kind of widespread access to perform their 
job duties. Based on Twitter's reported lack of data security, 
what kind of access would foreign agents have and what kind of 
data would they be able to obtain? In your answer, please 
explain why this is a problem, and how it could impact U.S. 
national security.
    Mr. Zatko. Yes, sir. Let me break that down into two parts 
of an answer. So, Twitter has engineers and non-engineers. 
Twitter does not have--at least when I was there, which was up 
until January 2022--does not have a testing environment, or a 
developing or staging environment. This is--this is an oddity. 
This is an exception to the norm. Most companies will have a 
place where you test your software, where you build it, where 
you make sure it's working the way you want it to. Think about 
somebody building an airplane. And saying like, ``I'm going to 
put it in a wind tunnel. I'm going to build it in an 
environment--I'm not going to put passengers on it, put it in 
the air, and then figure out how to build it or tweak the 
engines at that point.''
    Twitter just has the production environment, the running 
systems, the live data. When you become an engineer, which is 
half the company are engineers, you are by default given some 
access to this live production environment. You are doing your 
testing. You are doing your work on live systems and live data, 
irrespective of where you are in the world as an engineer. So, 
if you are a foreign agent and you are hired, and you are an 
engineer, you've got access to all of that data that we've 
talked about, the 80 percent that Twitter doesn't know what's 
in. Yet the engineers studied and realized this personally 
identifying information, other sensitive information, where 
there's a lack of access controls because they have too much 
data and they just didn't know where everything is, so they 
have to give everybody access. And the systems can access the 
information.
    But also recall that foreign agents can have multiple 
goals. And sometimes it's not just the engineers or the 
technical access that they want, but it might be information 
about the plans of Twitter, what plans Twitter has to 
potentially censor information in the government or concede to 
a government's request, or what plans they have for expansion 
in a particular environment. And in those cases, that's where I 
saw, with high confidence, a foreign agent placed from India to 
understand the negotiations and how well they were going for or 
against India's party who was having difficulties with Twitter 
in India.
    Senator Grassley. In your disclosure you mentioned that the 
FBI notified Twitter that one of their employees was suspected 
of being a Chinese foreign asset. Were you and others at 
Twitter at all surprised by that?
    Mr. Zatko. This was made aware to me maybe a week before I 
was surprised and summarily dismissed. I had been told because 
the Corporate Security/Physical Security team had been 
contacted and told that there was at least one agent of the 
MSS, which is one of China's intelligence services, on the 
payroll inside Twitter. While it was disturbing to hear, I and 
many others, recognizing the state of the environment at 
Twitter, were really thinking if you were not placing foreign 
agents inside Twitter--because it's very difficult to detect 
them--it is very valuable to a foreign agent to be inside there 
as a foreign intelligence company--you're most likely not doing 
your job.
    Chair Durbin. Thank you, Senator Grassley. Senator 
Feinstein.
    Senator Feinstein. Thanks, Mr. Chairman. On August 10, 
2022, a Federal jury convicted a former Twitter employee of 
acting as an unregistered foreign agent for the Kingdom of 
Saudi Arabia. While employed by Twitter, the individual 
accepted payments in exchange for accessing and conveying the 
private information of Twitter users to Saudi officials. That 
individual is one of two former Twitter employees charged by 
the Department of Justice for their efforts to provide Saudi 
officials with the personal information of dissidents and 
activists critical of the Saudi regime, including sensitive 
data that could identify and locate these individual users.
    Now, the question. As head of security, Mr. Zatko, can you 
describe the types of efforts you've seen by foreign 
governments to infiltrate, control, exploit, or surveil Twitter 
and its users, and share what steps Twitter and regulators 
should have taken to protect against these attacks?
    Mr. Zatko. Yes, ma'am.
    Senator Feinstein. Thank you.
    Mr. Zatko. One of the disturbing things that I saw based 
upon being 10 years behind where I would expect a modern tech 
company to be, was a lack of an ability to internally look for 
and identify inappropriate access within their own systems. 
Other than the person who I believe, with high confidence, to 
be a foreign agent placed in a position from India. And from--
it was only going to be from an outside agency or somebody 
alerting Twitter that somebody already existed, that they would 
find the person. What I did notice when we did know of a person 
inside, acting on behalf of a foreign interest as an 
unregistered agent, it was extremely difficult to track the 
people. There was a lack of logging and an ability to see what 
they were doing, what information was being accessed, or to 
contain their activities, let alone set steps for remediation 
and possible reconstitution of any damage. It simply lacked the 
fundamental abilities to hunt for foreign intelligence agencies 
and expel them on their own.
    Senator Feinstein. You said it was difficult to track. 
Explain exactly what you mean about that--what you mean, and 
second, what could be done to correct that.
    Mr. Zatko. One of the most senior engineers in the company 
came to me not long after I was there and said, ``Mudge, you 
should know that this company doesn't really have centralized 
logging. We don't log the activities of the systems.'' I was 
surprised by this. Most tech companies--most companies I know 
of, even not in tech, you know, have logs about what's 
happening on their systems, and this tells you who tried to log 
in, who was doing what, where, when it happened.
    Later on in my tenure, I learned that there were thousands 
of failed attempts to access internal systems that were 
happening per week, and nobody was noticing. And when we 
brought this up, people said, ``Well, who is it? What is it?'' 
And I said, ``That's what we're trying to find out. Why 
wasn't--why weren't we even being aware of this?'' This 
fundamental lack of logging inside Twitter is, you know, a 
remnant of being so far behind on their infrastructure and the 
engineering, and the engineer is not being given the ability to 
put things in place, to modernize.
    I can give an example. Let's suppose you have five credit 
cards, and you're receiving statements each month, but only two 
of those statements gives you detailed transactions. And you 
want to see if there's fraud on your credit cards. Well, first 
off, three of those credit cards, you're not going to be able 
to look at the transactions. You just know the total bill. And 
those remaining two, you don't have time to go through the 
transactions and look for it. So, you kind of wing it and say, 
``I need all those credit cards to stay alive,'' so you just 
keep paying off the bills. That's kind of the analogy I have 
for the production environment and the logging situation at 
Twitter. So, you can understand that trying to understand what 
an adversary inside identified is doing can be pretty 
challenging, without logs.
    Senator Feinstein. Have you thought about how one would 
design legislation, which would maintain some basic, necessary 
rights, and yet cover this area?
    Mr. Zatko. Well, I've been thinking a lot about the 
regulators. Because, of course, I was very curious as to, you 
know, how was Twitter still operating like this since there was 
a 2011 consent decree that was aimed at addressing a fair 
amount of this? I noticed a few things. One, there were a lot 
of evaluations and examinations, which were interview 
questions. So, essentially, the organization was allowed to 
grade their own homework. Did you make things better? Yes, we 
did. Okay, check. There wasn't a lot of ground--ground truth. 
There wasn't a lot of quantified measurements. And a fair 
amount of the interviews came from companies' auditors, that 
Twitter themselves were able to hire. So, I think that's a 
little bit of--maybe a little bit of a conflict of interest.
    I also noticed that of all the regulators, some of the 
foreign regulators were more feared that the FTC. For instance, 
the French CNIL, the CNIL--the French version of the FTC--
terrified Twitter in comparison to the FTC. And when I looked 
at why, it was because there was more of the fear that it 
wouldn't be a one-time fine. One-time fines are priced in. One-
time fines didn't bother Twitter at all. When I saw the recent 
amount of the fine that was much less than we had been 
concerned about--and each time it was a one-time fine, in my 
discussions with the chief privacy officer, with the privacy 
engineer head, that was a--and the executives, the thought was, 
``Okay, we'll pay that and we can keep kicking the can down the 
road and hope, you know, maybe we'll get another one-time 
fine.'' Wall Street didn't seem to care because it wasn't a 
long-term problem that was ongoing. What did make these 
companies afraid, was if there was a risk of, ``Hey, you've 
mishandled the same type of data repeatedly. Maybe we're not 
going to let you monetize that type of data----
    Senator Feinstein. I'm sorry. Who mishandled the data?
    Mr. Zatko. Oh, so, if Twitter, for example, Twitter 
mishandled email addresses repeatedly, and a concern was, ``If 
the FTC were to come in and tell us that we're not allowed to 
monetize email addresses because of our continued inability to 
handle them correctly, well then we might not be on fair 
footings with our competitors.'' And that scared them and made 
them move. I believe something like that did happen to 
Facebook, which has been used as a sort of cautionary tale 
inside organizations. So, I think the regulators have tools 
that do work, but they're not able to see which tools in their 
toolbelt are the ones actually working and they're using the 
ones, the one-time fines, that the companies aren't really 
afraid of.
    Chair Durbin. Thank you, Senator Feinstein. Senator Lee.
    Senator Lee. Thank you very much, Mr. Chairman. Mr. Zatko, 
thanks for being here. In your disclosures, you include 
information that Twitter's head of privacy engineering and the 
chief privacy officer reported the following to the board of 
directors, toward the end of 2021. This is a quote. ``Every new 
employee has access to data they do not need to have access to, 
for the purpose of their role.'' And also added that until 
Twitter could reach the point where it could implement a system 
to manage access to data, they were, quote, ``at risk of 
inappropriate access or use of data.'' They also reported that, 
``Our inability to delete data compounds that risk, as we 
retain data that we should not have, and which is therefore 
accessible by people who do not need to have access to this 
data.''
    Tell me, Mr. Zatko, what action was taken by Twitter's 
board of directors in response to this rather shocking 
information?
    Mr. Zatko. This is not the first time the board of 
directors had been made aware of that or told this. And there 
was no change or mandate or charge afforded by the board of 
directors.
    Senator Lee. What do they mean when they refer to the 
inability to delete data? Why is that significant?
    Mr. Zatko. If you don't know where your data is--as we 
talked about, these large amounts of data--and somebody comes 
in and says, ``I've left the system, you know,'' and maybe the 
FTC asks, ``Well, you know, have you deleted all the user 
data?'' You can't respond in the affirmative, because----
    Senator Lee. Even if you deleted the account?
    Mr. Zatko. Correct, because you don't know where else this 
data lives in systems, because you don't know what data you 
have and where it is. That's correct.
    Senator Lee. So, does this mean that Twitter is actually 
unable to delete data, or is it just unwilling?
    Mr. Zatko. It is unable because they do not know where it 
is, so they are unable to comply.
    Senator Lee. Okay. But this has resulted from a deliberate 
decision at some point, to adopt protocols that don't allow 
them to do that, right?
    Mr. Zatko. To choose other priorities rather than to 
correctly register and track and understand where their data 
lives.
    Senator Lee. Because it is physically possible. I mean, you 
can have a data base in which----
    Mr. Zatko. Yes, absolutely, if you knew where everything 
was in your data base, you could go delete it. If you chose to 
make that a priority, to make sure that the new data coming in 
was correctly registered, and to go back and figure out what 
data you have and where it is. You could absolutely go delete 
it, but that hasn't been prioritized over other projects, such 
as increasing revenue or users.
    Senator Lee. Now, I'm concerned, as I assume most or all 
Americans would be, those who become aware of these concerns, 
that Twitter has seemingly turned a blind eye, rather 
deliberately, to some pretty significant security risks. 
Potentially compromising their own personal data, including 
geolocation information, both to hackers and to foreign 
government agents, and to other people who for whatever reason, 
whether for corporate espionage purposes or other commercial 
purposes, or otherwise might want to gain access to this 
information.
    Based on your disclosures, it seems to me that Twitter's 
CEO is more concerned with increasing influence and profits 
from foreign countries than with protecting user data from 
foreign spies or hackers. Now, you claim that Twitter has hired 
foreign government agents as cost--sort of the cost of doing 
business in countries like India, Nigeria, and China. And as 
you've related, Twitter has knowingly hired these government 
spies so as to not risk losing access to users and markets in 
those countries. Or in the case of China, to not lose access to 
advertising revenues. Do these engineers who are suspected of 
being foreign agents, do they have access to all user data, or 
just a certain subset of the user data?
    Mr. Zatko. To be very specific, the India incident was not 
an engineer, and as I mentioned to the other Senator, I think 
that was more put in place more to understand Twitter's intent 
in negotiations with the court and the ministry of India before 
Twitter--you know, to have an inside information to 
understand----
    Senator Lee. He worked with other people who were 
themselves engineers?
    Mr. Zatko. Yes, sir.
    Senator Lee. He had access to them.
    Mr. Zatko. Yes, sir. There were numerous engineers in the 
India office--I'm sorry--I focused on that, and I lost the 
other part of your question.
    Senator Lee. So, let me ask you this. Is there anyway to 
track what data they access, or the data that they share?
    Mr. Zatko. We found that to be very difficult. We had to 
set up a specific small team, individually, to try and create a 
unique environment, just to allow us to track and monitor and 
log one individual. Because of the lack of general logging and 
access control, that we found would be unscalable and not 
reproducible, should there be any other people like that. It 
was a lack of basic, fundamental tools and access control.
    Senator Lee. Okay, so I'm almost out of time, but I need to 
know this. Why would Twitter not create a tracking or a logging 
system to follow this sort of thing, to make sure that it was 
handled correctly? Particularly given that they know that many 
foreign governments like India and Nigeria and China 
specifically want to access and use that data to find and root 
out and punish dissidents. Why would they want to do that? Why 
would they want to subject their own users to this kind of 
harm, with the grave implications that it carries, especially 
in those countries?
    Mr. Zatko. I think they would like to, but they're simply 
unwilling to put the effort in at the cost of other efforts 
such as driving revenue. I'm reminded of one conversation with 
an executive when I said, ``I am confident that we have a 
foreign agent.'' And their response was, ``Well, since we 
already have one, what does it matter if we have more? Let's 
keep growing the office.''
    Senator Lee. Right.
    Chairman Durbin. Thank you, Senator Lee. Senator Klobuchar.
    Senator Klobuchar. Thank you very much, Chairman. Thank 
you, Mr. Zatko. Following up on that point, I just returned 
from Ukraine, where Senator Portman and I saw first-hand the 
extent of the damage inflicted by the Russian invasion. I was 
troubled to learn that according to your written disclosures, 
Twitter's leadership recently considered agreeing to the Putin 
regime's request to censor and surveil Russian Twitter users. 
Twitter ultimately did not agree to Putin's request, as far as 
I understand. What can you tell us about requests made by 
foreign governments and the risk that those demands pose? And 
why would a company like Twitter consider agreeing to requests 
to censor and surveil users?
    Mr. Zatko. I was very surprised and shocked by that one-on-
one conversation with which I had with Mr. Agrawal. This was 
prior to his assuming the CEO role. I understand--be it out of 
a frustration of the inability to perform--and this kind of 
goes into content moderation which we talked about before, and 
why all that wasn't my main bailiwick, and I've been informed I 
shouldn't go into details about conversations that I've had 
with Twitter counsel. There was a--we don't really have the 
ability and tools to do things correctly. This a lot of work. 
It's not, you know, driving our main executive incentive goals. 
Is there a way that we can simply punt? And since they have 
elections, doesn't that make them a democracy?
    Senator Klobuchar. Thank you. I am a big believer that 
these companies, and not just Twitter, have to invest more in 
protecting data and protecting the public, and I heard Senator 
Durbin talk to you about the agencies, right? And you, I think, 
agree with me that the agencies in the U.S. are underfunded 
when it comes to taking on these major cases. But I want to 
turn to ourselves and put the mirror back on ourselves here in 
Congress. Do you think it would be helpful if we passed some 
privacy legislation in Congress?
    Mr. Zatko. I think one thing that would be very helpful is 
that the FTC and other regulators don't have laws or rules that 
would create whistleblower protection programs for people while 
they were still in these organizations. And I think that's 
where--I mean, I learned a lot of information, a lot of people 
wanted to share the information. When I came on board, they 
were excited that there was an executive that was listening and 
that was willing to ruffle feathers, that was willing to fight 
for some of these things because they had tried to raise them--
--
    Senator Klobuchar. Yes. I understand.
    Mr. Zatko. Yes.
    Senator Klobuchar. Okay, are you aware that Senator 
Grassley and I actually passed a bill to change the merger fees 
that passed through this Committee unanimously, passed through 
the Senate--it's now sitting somewhere in purgatory over in the 
House--that would allow us to fund the FTC. So, maybe they 
would be as scary as France or some other country in that we 
have been unable to pass that. Or actually, despite this 
probably being our 50th hearing between--and I'm looking at 
Senator Blackburn--between Commerce and Judiciary, we have not 
passed one bill out of the U.S. Senate when it comes to 
competition, when it comes to privacy, when it comes to better 
funding the agencies, when it comes to the protection of kids 
that Senator Blumenthal and Senator Blackburn have worked on. 
And so, at some point, when we talk about the agencies, I think 
we better be putting a mirror on ourselves, because I was 
listening to your quote from Sinclair Lewis. ``It is difficult 
to get someone to understand something when his salary depends 
on him not understanding it.'' Could you talk about the lack of 
action in Congress and how that has actually created an 
environment where these companies feel like they can do 
everything from destroying our newspapers and our public good, 
to basically not taking correct actions when it comes to 
hacking?
    Mr. Zatko. So, that's your world, not mine. I appreciate 
the efforts and the work that you're doing. What I did see, is 
that any laws or bills passed, or actions in the past, if they 
are not able to be quantified and externally audited by an 
independent viewer, get gamed a lot by what I saw inside Big 
Tech, in their ability to sort of answer in an affirmative 
without actually doing what the intention was of the rule of 
law or regulation.
    Senator Klobuchar. One other bill I want to mention and 
teamed up here with Senator Coons and Portman on this Platform 
Accountability and Transparency Act, to require digital 
platforms to give researchers access to data. And the 
independent experts that you hired to audit Twitter's processes 
for addressing disinformation found serious problems, made 
recommendations. However, I think Twitter's leadership didn't 
listen. In your view, why do you think Twitter failed to act on 
the recommendations made related to the disinformation, and how 
could independent groups help?
    Mr. Zatko. Yes, I'm a big fan of independent groups having 
independent eyes and providing ground truth on that. I think 
this is--I should be clear, you know, first off, the engineers 
and the employees want this change. The culture, and I can 
speak primarily about Twitter, because that's what I'm here to 
talk about, the most recent Big Tech company I've been involved 
with. It's a culture where they don't prioritize. They're only 
able to focus on one crisis at a time. And that crisis isn't 
completed. It's simply replaced by another crisis.
    Senator Klobuchar. Correct.
    Mr. Zatko. So, I think they would like to wave a magic wand 
and have all of these things fixed, but they're unwilling to 
bite the bullet and look strategically and say, ``Hey, we're 
going to have to devote some time and money to get these basic 
things in place.'' And to be honest with their investors, the 
public, their board, themselves, and do the legwork rather than 
just react to what's coming in that they hear from a hearing 
like this or from the news, just until the next crisis comes 
along.
    Senator Klobuchar. Exactly, as opposed to us putting some 
long-term rules in place. Last thing, you talked about in your 
disclosures that Twitter does not have enough resources focused 
on removing misinformation and hate speech. In particular, you 
noted that half of the content flagged for review in Twitter's 
Spaces features, was in a language that employees didn't even 
speak. Obviously, you can't check whether a tweet violates 
Twitter's rules if you don't speak the language.
    I have had my own experience directly conveying a 
misinformation that was put out on me, that resulted in an 
attack on a member of my family. I don't know if you knew that, 
because I told Jack Dorsey about it, and nothing ever changed, 
except when finally, regular media reported that it was a lie. 
But those are the kinds of things that happen to people in this 
building, because of the misinformation that is rampant on 
social media. Could you comment about what you think they 
should be doing about that?
    Mr. Zatko. I'm very sorry to hear about that. The lack of 
language was stunning to me. This was a situation where I 
brought in a world class leader for Twitter Global Support, who 
also identified this. And we started saying, ``You can't react 
to a language situation.'' When something was happening in 
Myanmar, you can't wait until after it happens and then go, 
``Where are the Burmese speakers? Let's see who we can hire.'' 
Those translators are already hired elsewhere. You have to 
understand 80 percent--Twitter has to understand, 80 percent of 
their users are outside of the United States. You can't create, 
you know, a healthy environment. You can't serve the public 
conversation if all you can do is look at it and say, ``I hope 
Google Translate is doing the right job for me.''
    Senator Klobuchar. Thank you.
    Chair Durbin. Thank you, Senator Klobuchar. Senator 
Kennedy.
    Senator Kennedy. Thank you, Mr. Chairman. Mr. Zatko, give 
me 30 seconds. Well, strike that. Senator Grassley is an active 
user on Twitter. I'll use him as an example. Give me 30 seconds 
on the type of information Twitter has on Senator Grassley, or 
someone like him.
    Mr. Zatko. If I was--if there was somebody just like what 
the CTO came to me and said, ``Hey, we've got a problem with 
this user. Is this user----
    Senator Kennedy. Just give me 30 seconds on the type of 
information----
    Mr. Zatko. Sure.
    Senator Kennedy [continuing]. That Twitter has on the 
average Twitter user.
    Mr. Zatko. Sure. What's the phone number? What's the latest 
IP address they've connected from? Are there other IP addresses 
that they've connected from? Is this the current email? How 
long have they been using that email with the account? What are 
the prior emails for it? From the IP address, where do we think 
they live? Where do we think they're connected to right now? 
Are they still connected, even if they're not actively using 
the information? What type of device are they connected with? 
What type of web browser are they using? Which brand is it 
possibly? Which computer? What language did they connect in it? 
Those are some of the front-end systems----
    Senator Kennedy. Thank you. Thank you for that. And I want 
to be sure I understand that you're telling this Committee that 
all of the engineers and half the employees of Twitter have 
access to Senator Grassley's account.
    Mr. Zatko. Half of the employees of Twitter are engineers. 
The engineers are, by default, given some access due to the 
production environment----
    Senator Kennedy. Do they have access?
    Mr. Zatko. From what I saw, if they wanted to root around 
in the data and find it, they could find it, and----
    Senator Kennedy. Okay, let me try this again. I want to be 
sure I understand, okay? I'm not trying to trick you. From your 
testimony, I understand that half of all of the engineers and 
half of the employees at Twitter have access to Senator 
Grassley's account. Is that correct?
    Mr. Zatko. Based upon what I saw, technically, yes.
    Senator Kennedy. Okay, and if they go into Senator 
Grassley's account, if an engineer does, for example, Twitter 
doesn't know that that engineer has done that. Is that correct?
    Mr. Zatko. It would be difficult to find the logs showing 
that is my understanding. Correct.
    Senator Kennedy. Okay, so you don't have a log in and log 
out system?
    Mr. Zatko. There was not an easy ability for me to find 
which engineers had logged into which systems, and what data 
that they had accessed.
    Senator Kennedy. Okay, so this engineer who can secretly go 
into Senator Grassley's account and get all this information--
Twitter has no idea what the hell that engineer's going to do 
with that information, does it?
    Mr. Zatko. Under the hood, no.
    Senator Kennedy. Okay. So, that engineer at Twitter could 
sell it, for example, couldn't he?
    Mr. Zatko. I'm sorry. Could what?
    Senator Kennedy. Could sell it?
    Mr. Zatko. Could sell access? I've seen numerous accounts 
on underground forums offering to sell such access. Whether 
those are valid or not--but I have seen the offers to sell 
access to accounts, to delete accounts, to unban accounts.
    Senator Kennedy. Well, that engineer could just call one of 
their buddies and say, ``Hey, you don't like Senator Grassley. 
Let me give you some information here and you may want to use 
it against him.'' Could that engineer do that?
    Mr. Zatko. With the access they have to----
    Senator Kennedy. Would Twitter know that the engineer had 
done that?
    Mr. Zatko. Not necessarily.
    Senator Kennedy. Okay. Now, did Mr. Dorsey know all this?
    Mr. Zatko. I did explain this to Mr. Dorsey. My 
understanding is he did not understand this prior to bringing 
me in, and that was one of the reasons that he wanted----
    Senator Kennedy. Does he understand it now?
    Mr. Zatko. I believe after seeing this hearing----
    Senator Kennedy. How about your CEO, does he understand 
this?
    Mr. Zatko. I believe since he has been there for 10 years 
and rose up through the ranks in engineering, and he has talked 
to the engineers, and they have told him----
    Senator Kennedy. Is that a yes?
    Mr. Zatko. I believe yes. I believe yes.
    Senator Kennedy. How about Mr. Bret Taylor, from 
Salesforce? He's the chairman of your board. Does he know all 
this?
    Mr. Zatko. He knows what I put in my reports. I do not know 
whether he understands it.
    Senator Kennedy. All right, you've got an executive from 
Mastercard, Mimi--I'm going to probably mispronounce the last 
name--Alemayehou, from Mastercard. Does this board member know 
that?
    Mr. Zatko. I do not know if she knows that.
    Senator Kennedy. Well, is this the kind of thing that a 
reasonable board member would inquire about?
    Mr. Zatko. I would think so, but I've also seen that what 
was presented to the board was not representative----
    Senator Kennedy. Did they--during your time there, did the 
board ever ask?
    Mr. Zatko. The board did not ask these directly, no.
    Senator Kennedy. Even after all these problems with foreign 
agents?
    Mr. Zatko. Not when I was there during the board meetings--
--
    Senator Kennedy. They just sat there?
    Mr. Zatko. They focused on other topics and other 
priorities.
    Senator Kennedy. Yes, right. Dr. Li, he's a professor at 
Stanford. Does he know all this?
    Mr. Zatko. Same response. I did not see any questions on 
this specific topic while I was there----
    Senator Kennedy. Patrick Pichette, who used to be with 
Google.
    Mr. Zatko. Same response, sir.
    Senator Kennedy. All right.
    Mr. Zatko. Oh, Patrick Pichette? Sorry----
    Senator Kennedy. Pichette.
    Mr. Zatko. Yes, Patrick Pichette was the one who when I 
brought up this instance, he hit the roof. He was very upset, 
said, ``This is----
    Senator Kennedy. Did he fix it?
    Mr. Zatko. No, he asked for follow-up information----
    Senator Kennedy. Any why hasn't Google--and why hasn't 
Twitter fixed this?
    Mr. Zatko. There were other priorities.
    Senator Kennedy. It's about the money, isn't it?
    Mr. Zatko. It's about whatever crisis and the other 
priorities, correct.
    Senator Kennedy. To fix this would cost them money, 
wouldn't it?
    Mr. Zatko. It would take away focus on other projects----
    Senator Kennedy. It would cost them money, wouldn't it?
    Mr. Zatko. Most likely, yes.
    Senator Kennedy. Yes. Okay, Twitter, for a while, was going 
to go into the porn business. Did they do that?
    Mr. Zatko. I don't know that they did that. I didn't know 
that they were going to go into the porn business.
    Senator Kennedy. Oh, okay. Well, they were. You don't know 
why they decided not to?
    Mr. Zatko. I do know that there were discussions about age 
related information, and the discussions internally that I 
heard were simply concerns about lack of tools to correctly 
regulate or constrain it.
    Senator Kennedy. So, it wasn't a moral issue. It was they 
didn't--why didn't they go in the porn business?
    Mr. Zatko. I do not know.
    Senator Kennedy. Okay, sounded like you knew a little bit 
about it. Last question, I'll ask it quickly, Mr. Chairman. Who 
sets the standards for censorship at Twitter?
    Mr. Zatko. I believe that comes out of counsel.
    Senator Kennedy. Your lawyers?
    Mr. Zatko. I believe so, sir.
    Senator Kennedy. And do they talk with the board about it?
    Mr. Zatko. I have been advised out of an abundance of 
caution that I shouldn't comment on any Twitter counsel 
conversations for A-C Priv that Twitter might assert.
    Senator Kennedy. Thank you, Mr. Chairman.
    Chairman Durbin. Thank you, Senator Kennedy. Senator 
Blumenthal.
    Senator Blumenthal. Thank you, Mr. Chairman. Thank you and 
Senator Grassley for holding this hearing, and thank you, Mr. 
Zatko, for your being here. You are an extraordinarily 
insightful and significant testimony here today, at substantial 
professional and personal risk--which is the tradition of 
whistleblowers--and your cooperation with me and my staff off 
the record in providing details that are important to our 
understanding. And the more of it that's made public, I think, 
the better. Would you agree with me that Twitter has put its 
users' health and safety severely at risk?
    Mr. Zatko. Yes, sir.
    Senator Blumenthal. And it's put the national security 
severely at risk.
    Mr. Zatko. Yes, sir. That was part of my disclosure.
    Senator Blumenthal. Its management has misled its own board 
of directors.
    Mr. Zatko. Yes, sir.
    Senator Blumenthal. And in that event, the management ought 
to be certainly restructured, shifted, changed. Correct?
    Mr. Zatko. Yes, sir.
    Senator Blumenthal. That kind of structural reform is 
necessary to achieve changes within the company.
    Mr. Zatko. That is my belief.
    Senator Blumenthal. You've also said that this company has 
misrepresented facts to Government agencies, especially the 
FTC. That's correct, isn't it?
    Mr. Zatko. Yes, that is correct, sir.
    Senator Blumenthal. And I think you shared in your 
complaint that Twitter management was intending to mislead as 
well French and Irish regulators about compliance with the 
consent decree. Correct?
    Mr. Zatko. Yes, sir. That's correct.
    Senator Blumenthal. How high in the Twitter management 
would you say that intent to mislead, and, in effect, deceive 
Government agencies went?
    Mr. Zatko. To the CEO. I do not know to what level inside 
the board. They did not know because of misrepresentation or 
chose not to push.
    Senator Blumenthal. The misleading of Government agencies 
is one of the reasons why stronger action hasn't been taken?
    Mr. Zatko. That could very well be, sir.
    Senator Blumenthal. But is also, in effect, is the result 
of a lack of vigor in law enforcement, whether because of 
inadequate resources or a failure of will.
    Mr. Zatko. That could be as well, sir.
    Senator Blumenthal. In fact, the most recent settlement 
with Twitter, which was a payment of $150 million earlier this 
year. The FTC and Department of Justice stated that Twitter 
violated the 2011 consent decree. That's no surprise. But the 
size of the penalty, a mere $150 million amounts to the kind of 
burden on us average drivers when we pay the toll to go into 
Manhattan, given that its profit in the second quarter this 
year was about $1.18 billion. Correct?
    Mr. Zatko. That is correct. While I was there, the concern 
only really was about a significantly higher amount, 
significantly higher, or if it would have been a more 
institutional restructuring risk. But that amount would have 
been of very little concern while I was there.
    Senator Blumenthal. To effectively address this problem, we 
need not only to insist on restructuring the company, but also, 
likely restructuring, reforming, and energizing our regulatory 
apparatus. Not only as to Twitter, but also as to other 
internet companies and platforms. Would you agree?
    Mr. Zatko. Yes, I would. The intent of the regulators, I 
think, is the right intent, but it is not being followed or 
correctly adhered to.
    Senator Blumenthal. All of what you're saying--everything 
in your complaint, and a lot of what we've heard in this 
Committee and in other committees leads me to think that we 
need a new agency. As reluctant as I am to suggest a new 
Government bureaucracy, I don't think it needs to be a 
Government bureaucracy with a lot of new people. But it needs 
to be a new means of enforcement here to bring cases to the 
Department of Justice, focusing on privacy, security, and 
protecting users, as well as our national security. Would you 
agree?
    Mr. Zatko. I had not considered that. I will have to think 
about that. It is a very interesting approach.
    Senator Blumenthal. I'm not reaching any conclusions, but 
clearly what we're doing right now is not working. You would 
agree with that?
    Mr. Zatko. Yes, what I have seen, the tools that are used 
out of the toolbelt are not working. I do believe other tools 
in the toolbelt do work, but the regulators aren't able to 
quantify and get measurements that would show them to switch to 
the other tools they have.
    Senator Blumenthal. What are the remedies that, for 
example, other countries have that enable them to better 
protect privacy?
    Mr. Zatko. Some are simply much more aggressive and do not 
accept answers at face value, put very strict time constraints 
on requiring answers, require data to back up the answers, and 
threaten to preclude monetizing entire markets, such as maybe 
you won't be allowed to monetize in France or maybe you won't 
be allowed to use particular data source in France. You know, 
and you have a week to respond, sort of approach.
    Senator Blumenthal. And let me just finish on that note. To 
expand on the Upton Sinclair theory of the case here, 
essentially users and their information are Twitter's product. 
They are the means to monetize the eyeballs on the site; to 
collect, use, and monetize that information is the Twitter 
business. And so, their reckless disregard for their users' 
health and safety and for the national security is a product of 
that incentive. Would you agree?
    Mr. Zatko. Yes, sir, and that's why I understand the M in 
mDAU to be monetizable daily average users.
    Chair Durbin. Thank you, Senator Blumenthal. Senator 
Blackburn.
    Senator Blackburn. Thank you, Mr. Chairman. Thank you for 
joining us today. I'm a mother, and a grandmother, and I want 
to talk with you about this process Twitter has gone through. 
They tried to start a new subscription based adult 
entertainment section. Are you familiar with that?
    Mr. Zatko. No, ma'am, I'm not.
    Senator Blackburn. You're not, okay. Well, they had to 
scrap the plans because an internal team found that they had 
too much child and nonconsensual pornography that was on their 
site already. Are you aware of that?
    Mr. Zatko. No, ma'am. Unfortunately, it does not surprise 
me.
    Senator Blackburn. Okay, well, there's a Federal court case 
right now against Twitter because the site repeatedly refused 
to take down tweets of children as young as 13 and 14 
performing sex acts in photographs and in videos. And these 
were posted by sex-traffickers who were impersonating a teenage 
female. So, my question is why, what--for what reason would 
Twitter refuse to take down this sexually explicit content, if 
it knew that it was affecting underage children, why would they 
leave this up? And why would they refuse to take this down?
    Mr. Zatko. From what I saw on the area of adult content, 
because that was brought up, and our concern was certain 
advertisers didn't want adult content to appear next to ads 
they were putting. And that was a concern inside the company. 
The lack of----
    Senator Blackburn. They had a monetary concern, but not a 
moral concern?
    Mr. Zatko. They had--there was a--I can't speak to the 
morals of the people internally, but there was a concern 
whether or not they could even correctly identify and get ahead 
of this, because they lacked the basic tools and the resources 
in those teams, and it would have to be in a reaction after 
things were posted and maybe brought to their attention----
    Senator Blackburn. All right, so, what do they do to police 
this sexually explicit material, especially when it pertains to 
children?
    Mr. Zatko. Unfortunately, that was not under my area, so I 
don't have information to talk specifically to that.
    Senator Blackburn. So, there's not a standard operating 
procedure to block this, to pull it down?
    Mr. Zatko. I believe they do have--or I was told that they 
have some voluntary self-tagging and self-reporting of whether 
you were an adult content account, but I'm not aware of any of 
the other processes or procedures in the company.
    Senator Blackburn. Let me ask you about the FTC. Senator 
Blumenthal was just asking you about that. Did you ever 
participate in calls or meeting with the FTC, in which you 
heard specific misrepresentations made by Twitter?
    Mr. Zatko. No, ma'am. I was not in the calls. I got 
briefings----
    Senator Blackburn. So, you had no direct knowledge?
    Mr. Zatko. Well, I got direct briefings from the people who 
were in the calls telling me what they did.
    Senator Blackburn. All right. So, it was all second-hand.
    Mr. Zatko. Correct, from the people involved in the calls.
    Senator Blackburn. Okay, did the FTC come to Twitter and 
identify specific conduct or representations that concerned 
them?
    Mr. Zatko. That would be a question that you would have to 
ask the chief privacy officer, who would have been the 
recipient of those outreach.
    Senator Blackburn. Okay, let me ask you about the issue of 
click-through ads, because I know that many times that our 
adversaries will, through a company in China, specifically, the 
CCP will be part owner of a company. So, they use click-through 
ads to gain access to platform user data, including China, 
including other adversaries, and including places where Twitter 
is blocked. And they are finding ways to evade the tracking and 
to get into these networks. In your experience, is this a 
typical practice that happens at the global tech platforms?
    Mr. Zatko. Click-through ads do expose a risk that non-
click-through ads do not. If you can get a user to click 
through, you get the information that I was describing before, 
the IP address, the browser. From the IP address you can 
determine the IP geolocation or if they're using a VPN or not, 
if that is allowed in your country. And then you can further 
interrogate that person's computer or get them to provide more 
information maybe that they don't know that they're providing 
directly to you, thinking that it's an ad on a service.
    Senator Blackburn. Could this be remedied in anyway? And 
Senator Klobuchar talked to you about this, a national privacy 
standard. If we had a national privacy standard, would that 
help to secure an individual's information online and would it 
help in any way, in policing these click-through ads?
    Mr. Zatko. I think addressing, in general, the difference 
of the information, or making people aware, and then providing 
a context around when a user knows if they are providing 
information and what information they are providing no longer 
to the service they thought they were interacting with could 
definitely benefit a user.
    Senator Blackburn. I want to ask you one thing about 
censorship. And during your time at Twitter, did you 
participate in any conversations or meetings where content 
moderation decisions were made based on a poster's political 
views?
    Mr. Zatko. I never investigated or heard of decisions on 
that particular topic. I was focused on the crisis and fires in 
the areas of my domain.
    Chair Durbin. Thank you, Senator Blackburn.
    Senator Blackburn. Thank you.
    Chair Durbin. Senator Coons.
    Senator Coons. Thank you, Chairman Durbin, Ranking Member 
Grassley, and thank you, Mr. Zatko. Thank you, Mudge, for 
coming forward. This is yet another eye-opening moment for our 
public, for our Nation, and for this Committee. We know that 
social media and new communications technologies have empowered 
people across the world to connect and share information at an 
unprecedented scale. But we also know that concentrating all 
this information, all these resources, in just a few hands 
comes with great risks. So, your whistleblower complaint 
contains really striking allegations, which shed light on 
several key realities, and I wanted to focus on those. The 
first, as you've stated in a number exchanges with my 
colleagues, is that the public lacks any credible way to assess 
whether and how major platforms and technology companies are 
protecting or prioritizing user privacy. And I want to talk for 
a bit about a bill that I've got that Senator Klobuchar also 
mentioned would help strengthen some of that transparency. And 
then the second, which I'll get to later, is that these 
platforms are a target for foreign actors, something where a 
Subcommittee I chair is having a dedicated hearing tomorrow 
afternoon.
    You commissioned an independent report regarding Twitter's 
platform integrity, and their ability to combat misinformation, 
disinformation, and that report found, and I'm quoting, 
``Twitter's consistently behind the curve in acting against 
disinformation and misinformation threads,'' and that, 
``Twitter doesn't have the ability to measure the impact of its 
work to protect site integrity.'' What I've concluded from your 
testimony today is that Twitter lacked the ability to measure 
the effects of interventions it implemented because of 
decisions by management, and because of the lack of a credible, 
regulatory oversight agency and penalties. Is that correct? Do 
I understand your testimony correctly?
    Mr. Zatko. Yes, sir. The inability internally came from 10 
years of security and engineering that just kept accruing.
    Senator Coons. And your complaint also details how 
Twitter's executive team was concerned that the report that 
you'd commissioned would be damaging if it got out, and that 
they worked to intentionally remove or modify information that 
might be especially embarrassing for Twitter. Is that correct?
    Mr. Zatko. Yes, sir. I found that very disturbing. The 
company that I hired, with the knowledge of the other 
executives and the head of site integrity, which did not report 
to me, but that this independent organization was going to 
analyze and do gap analysis. The company reached out to me and 
said, ``Hey, Mudge, Twitter is jumping in and making us open a 
separate contract and telling us not to provide you the results 
to your own work--to your own work. This does not feel right to 
us. What's going on?''
    Senator Coons. So, a lot of the information that both 
regulators and Congress relies on when considering how to 
regulate social media companies comes from the companies 
themselves. As I think you put it before, they're essentially 
grading their own homework. So, the conclusion that we ought to 
reach is that the information that we receive isn't 
trustworthy, from some social media platforms.
    Mr. Zatko. Yes, sir. That's what I experienced.
    Senator Coons. So, I've released a bill with Senator 
Portman, Senator Klobuchar, referenced earlier. We are looking 
for additional Republican cosponsors. It's called the Platform 
Accountability and Transparency Act. It would allow external 
researchers to look at exactly these kinds of problems, to 
better understand and analyze the algorithms that drive social 
media and some of their practices. Would empowering researchers 
and mandating better disclosure help hold companies more 
accountable and cause them to invest more resources in site 
integrity?
    Mr. Zatko. Yes, sir. In fact, I think one of the things we 
learned from that study, and what I am hopefully shedding light 
on in my lawful disclosures is just how much a gap there is 
between Twitter and some of Twitter's peers. And even learning 
that sort of discrepancy would help understand and raise the 
level of hygiene for these organizations and their ability to 
perform their tasks, and the ability for us to accept what 
they're saying, as to whether it could possibly be true or not.
    Senator Coons. This also opens up enormous national 
security risks, as you testified earlier. There's roughly half 
of Twitter's employees that had unnecessary access to vast 
amounts of sensitive user datas. Senator Kennedy was asking you 
earlier, just give us a quick sense of what information Twitter 
might have about Senator Grassley, or about any of us on this 
Committee. And it is deeper and broader, and I suspect if you'd 
gone further, it then unlocks a whole profile that can give 
really dramatic insight into members of law enforcement, 
members of military, Members of Congress, and their families, 
their travel, their preferences, their actions, their consumer 
activities. All of that has some real consequences. You wrote 
in your complaint, the India government forced Twitter to hire 
India government agents, who then had direct and unsupervised 
access to data. And a former Twitter employee was convicted 
last August of working as an agent of the Saudi Kingdom. How 
common do you think it is for foreign entities, for hostile 
agencies to successfully install sympathetic actors at Twitter 
and why might they do so?
    Mr. Zatko. Well, there's any number of reasons. You know, 
there were many of reasons why you would do so, in particular, 
to not just to identify people of interest, or track groups of 
interest, but also to look at whether or not Twitter has 
identified your agents, or your information operations. What 
other governments has Twitter possibly identified? And 
remember, you know, outside of the ability to access large 
amounts of data on the engineering side, you would want to know 
what Twitter's plan is, as far as whether they will cede to 
your demands for control of information within their 
environments or not, in order to change different types of 
political pressure, such as strong-arming. And as we saw, that 
country was even threatening to put Twitter employees in jail 
if Twitter didn't change particular activities on the platform.
    Senator Coons. With 80 percent of Twitter users outside the 
United States and with Twitter having a deep access in 
resources to critical leaders in our country and other 
countries, I think this is genuinely concerning. Tomorrow 
afternoon, the Subcommittee I chair, Subcommittee on Privacy, 
Technology and the Law, Senator Sasse and I will be holding a 
hearing on how to further understand the depth to which hostile 
actors and adversaries are going to obtain American citizens' 
data, and that will expand on a lot of the topics we've pursued 
today. I hope Members of the Committee will attend. I want to 
thank you for your testimony and Mr. Chairman, for the chance 
to participate in today's hearing.
    Chair Durbin. Thank you, Senator Coons. We're going to take 
a 5-minute break after Senator Cotton asks his questions. 
Senator Cotton.
    Senator Cotton. Thank you, Mr. Zatko, for your very 
informative testimony this morning. I want to start with some 
questions about Twitter's censorship policies. I know you 
weren't at Twitter for most of 2020, but I want to start with 
an example from June 2020, specifically, me. As left-wing 
street militias were rioting and looting in our streets, I 
posted on the website that the National Guard and even the 
active-duty military have been used to stop such rioting in the 
past, most recently in 1992 in the LA riots. Within a couple of 
hours, a low-level employee at Twitter's national office 
contacted my staff and said that if I did not delete that tweet 
that my account would be permanently locked. My staff worked 
with this low-level employee, calling her on several occasions, 
because she seemed very reluctant to put anything in writing in 
an email.
    They documented the accuracy of my comment and gave 
examples of how other elected officials have used similar 
language. The 30-minute window passed. My account was not 
locked. Ultimately, she said that Twitter would not take any 
action about my account. As I said, I know it was before you 
began at Twitter, but from your experience, would a low-level 
Twitter employee typically have the authority to permanently 
lock the account of an elected Member of Congress?
    Mr. Zatko. From my experience, they should not have the 
authorization to do it, although it would probably be a low-
level employee that would be instructed to do it.
    Senator Cotton. So, she was likely taking direction from 
more senior officials at the company.
    Mr. Zatko. Not knowing the situation, I can't comment on 
this specific one, but that is the sort of activity that I 
would see there. And I can concur that I did notice some 
reluctance to put a lot of things in writing on particular 
topics.
    Senator Cotton. I noticed that in the emails that Mr. 
Agrawal sent to you, he seemed very reluctant to put things in 
writing, or made statements about what he was going to verbally 
express to the board, and yet he apparently did not express 
those things.
    Sticking with the censorship, again like I said, I know you 
weren't there in the lead up to the 2020 election, but once you 
arrived, just a couple days after the election, you selected an 
outside company to do an evaluation of Twitter's censorship 
policies. The report that you commissioned found that Twitter's 
content controls are ``ad hoc'' and ``informal.'' Those are two 
direct quotes. And the policy decisions behind it are made 
mostly by a small group of Twitter staff at San Francisco, 
quote, ``frequently during a time of crisis.'' Is that 
accurate?
    Mr. Zatko. I didn't hire them to do a report on censorship, 
but that was the Platform Manipulation Organization, and yes, 
how you cite the report as what they found on that team is 
correct.
    Senator Cotton. When it says frequently in time of crisis, 
what type of crisis was the report referring to?
    Mr. Zatko. I believe the report also said--and this is from 
what I experienced--if something was brought up in the media, 
if the Government brought it up, if somehow it became publicly 
aware, or if there was, you know, an ongoing outage to the 
system or some active disruption or crisis.
    Senator Cotton. Thank you for that. Because the report does 
go on to say that according to Twitter employees interviewed, 
Twitter usually censors information, quote, ``only if it is 
flagged by reporters or news headlines, partners--which it 
means to include--academic organizations and other social media 
companies or political officials,'' end quote. So, does Twitter 
have special channels of communication with fellow social media 
companies like Facebook to discuss so-called misinformation?
    Mr. Zatko. If they do, I believe that they would be ad hoc. 
I am not aware of official ones. That would not have been 
within my organizations.
    Senator Cotton. Okay, what about other so-called partners, 
like pharmaceutical companies or advocacy groups?
    Mr. Zatko. I am not aware of those. Again, that would be 
out of counsel or other organizations.
    Senator Cotton. So, saying ad hoc, you think in these 
cases, say an executive at a pharmaceutical company that 
doesn't like what's being posted on the website or a left-wing 
activist at a Washington think tank would just use pre-existing 
relationships to contact someone at Twitter on an ad hoc basis?
    Mr. Zatko. I do not know.
    Senator Cotton. Well, how can they-- how can they 
coordinate if they don't have some kind of channel of 
communication set up?
    Mr. Zatko. In the report that was an attachment from the 
organization, they talked about disinformation operations, 
which I do believe my understanding was that the site integrity 
team spoke with other organizations and with other social media 
companies about ongoing disinformation or platform 
manipulation. I do not know anything beyond what was in the 
report for that topic.
    Senator Cotton. You said something earlier. I just want to 
come back to it. This isn't an exact quote, but I want to give 
you a chance to elaborate a little bit. It was something along 
the lines of, ``If you don't have a foreign intelligence 
officer inside Twitter, you probably aren't doing a very good 
job as an intelligence agency.'' Is that close enough?
    Mr. Zatko. Yes, that's close enough, sir. I worked for the 
Government. I held a high-level position. I worked running 
research and development and programs for the Department of 
Defense and Intelligence Communities. And from my interactions 
with these people in these organizations, Twitter would be a 
gold mine from my understanding, from the people in the 
community who focus on foreign intelligence organizations and 
assets. If you placed somebody in Twitter, as I believe--as we 
know has happened, it would be very difficult for Twitter to 
find them. They would probably be able to stay there for a long 
period of time and gain a significant amount of information to 
provide back on either targeting people, or on information as 
to Twitter's decisions and discussions and to the direction of 
the company.
    Senator Cotton. Does that include in Twitter's U.S. offices 
versus overseas or is that distinction immaterial given the way 
Twitter functions?
    Mr. Zatko. I believe that's immaterial into both.
    Senator Cotton. Thank you.
    Mr. Zatko. My pleasure, sir.
    Chair Durbin. Thank you, Senator Cotton. We're going to 
take a 5-minute break and return to Senator Whitehouse.
    [Whereupon the Committee was recessed and reconvened.]
    Chair Durbin. Resuming the hearing. Senator Whitehouse for 
questions.
    Senator Whitehouse. Thank you very much. Mr. Zatko, I just 
wanted to follow up a little bit on the repeated suggestions 
that you've made in your testimony that the cybersecurity 
vulnerabilities will expose the United States to risks and to 
attacks and that Twitter security failures threaten the 
country's national security. Good with that?
    Mr. Zatko. Yes, sir.
    Senator Whitehouse. Okay, so, I get hidden ad buyers. We 
saw the same thing with Facebook when they were taking ads with 
the payments denominated in rubles and not bothering to figure 
out that there might have been Russians behind those ads. And 
you've mentioned concerns about hidden Chinese ad buyers. But 
if we could talk a little bit more about the national security 
risk associated with, for instance, the unregistered Saudi 
foreign agent who worked at Twitter, or the pressure to hire 
Indian government agents. Walk us through a scenario of how an 
individual planted in Twitter like that could create a national 
security risk for the United States. And if you would, make 
particular reference to the fact that--at least when I use 
Twitter, I'm sending stuff out. It's intended to be public. So 
how, in that environment, can a foreign agent create national 
security risk of any significant nature?
    Mr. Zatko. Yes, sir. There are several aspects to that. 
There's the nonpublic information that we've spoken about 
earlier today, your location, your phone number, your email 
address, things that aren't advertised to the world. In fact, I 
believe 200 million--if you want to say regular users, not 
necessarily from a national security standpoint--Twitter in 
2020 internally assessed that they lost information on 200 
million users for email addresses, phone numbers, other 
information like that. This is the information that you need in 
order to start taking over other people's accounts. With your 
phone number and an email address, I can hijack your phone 
number. I can then change your Gmail, your Coinbase, your 
Ameritrade, your other accounts. I can cause financial harm 
that way. I can then assume your identity.
    But more importantly, I probably want to be able to 
understand your whereabouts, your network, and understand--
well, I'll give you an example in foreign governments, a 
concern, and then we can apply that to the United States. There 
were requests for information about members in the farmers'--at 
the farmers' protest. There might be organizations or groups in 
the United States where once I know your home address and your 
home phone number, I can approach you in real life. I can put 
pressure on you. I could possibly recruit you. You can be a 
witting or unwitting accomplice, and then I could influence you 
or target you for influence operations in the real world.
    Senator Whitehouse. Let me just offer the thought that my 
home address, phone number, and email address are pretty widely 
known, and indeed in the public domain. So, how does Twitter 
access to that information--is there more or what's the 
difference between being able to look me up in the phonebook 
and having Twitter access to that information?
    Mr. Zatko. Having been in the public sector myself, yes, a 
lot of my information became known. There's also a lot of 
people who are in particular roles where that information is 
not known. And the targeting of them, perhaps staffers, perhaps 
aides, perhaps people around you influencing to build that 
network, which we have seen within, not Twitter, but which the 
U.S. and the Intelligence Communities have seen as part of the 
great game in the Intelligence Communities and world.
    Senator Whitehouse. Okay, so just play that out for me a 
little bit more, given that so much of this information is 
available through other channels. What would the end game be 
for let's say a foreign government seeking to put that kind of 
pressure on somebody who could make presumably make a 
difference or a decision to the benefit of the foreign country?
    Mr. Zatko. Perhaps identifying a relative, a family member, 
a colleague, who is in financial issues or has other elements 
that can be leveraged against them to help them influence you 
in a particular fashion, without your awareness.
    Senator Whitehouse. So, somebody would be able to create a 
sort of a family or personal network around an individual 
Twitter user and extract information about folks in that 
network?
    Mr. Zatko. That is one particular aspect that Intelligence 
Communities are----
    Senator Whitehouse. How would that--how would that take 
place through the--if somebody's gotten into the Twitter 
system, how do they find that out?
    Mr. Zatko. Well, it might be used in combination with other 
data collection sources. For instance, one of the concerns of 
U.S. people traveling to other countries is was their 
information in the OPM data base and can that information be 
cross-indexed against the health care industry data bases that 
have been lost. Do we know that this person has a particular 
political bias on Twitter and start to tie all of these things 
together for people of influence or access within governments 
or within sensitive positions?
    Senator Whitehouse. Thanks very much. My time is up.
    Chair Durbin. Thank you, Senator Whitehouse. Senator 
Graham. I'm sorry. Senator Cornyn.
    Senator Cornyn. Mr. Zatko, I want to explore just in the 
next 6 minutes the kind of data that is available on American 
citizens that can be used for appropriate or inappropriate 
purposes. You're familiar with the concept of ubiquitous 
technical surveillance, aren't you?
    Mr. Zatko. I can understand those words together and get 
the general context I believe, sir. Yes.
    Senator Cornyn. Basically, all of the cameras that are 
publicly posted, data on your smart phone, you've already 
talked about geolocation data, the type of transactions you 
engage in. Where your home is, how much you paid for it, even 
Google Earth may have taken a picture of your home or your 
place of business. So, there's already huge volumes of data 
available for whatever purposes. Even above and beyond what 
social media collects, correct?
    Mr. Zatko. Yes, sir. There is a lot of information about a 
lot of us in many different ways available through technology 
right now.
    Senator Cornyn. And I dare say, I bet most Americans just 
can't fathom the volume of data, and that's without even 
getting to things like social media. For example, in 2015 I 
think it was, there was a hack of the Office of Personnel 
Management records. I think it was 22 million records of 
Government employees, including their applications for security 
clearances was hacked, reportedly by the People's Republic of 
China. And then if people decide that they want to figure out 
their family ancestry, and use one of the DNA testing 
companies, my understanding is many of the testing--much of the 
testing is outsourced to places like China, where obviously 
it's not secure from Chinese government access. And so, when 
we're talking about the privacy concerns of Americans, this 
is--this is not just limited to platforms like Twitter and 
social media. Correct?
    Mr. Zatko. That is correct, sir. I was informed that I was 
in that OPM data base and that my information and my security 
clearance information was collected as well.
    Senator Cornyn. And turning to Twitter, you've already 
talked about the lack of what I would call protection from 
insider threats in the Intelligence Community. If you're 
working in the Intelligence Community, they have logging 
protocols that will determine who accesses what information, 
correct, so that it can be audited later on to determine 
whether there had been inappropriate access. That's the sort of 
protocols or mechanisms that were not available at places like 
Twitter when you worked there. Correct?
    Mr. Zatko. Yes, sir. Correct.
    Senator Cornyn. And so, anyone who could get access to that 
information, could on top of all the information that I asked 
you about earlier, outside of social media, if you look at the 
cumulative data picture, is that the kind of information that 
foreign governments like the People's Republic of China are 
regularly accessing for their purposes?
    Mr. Zatko. I can't say whether they are regularly 
accessing. I don't have that direct information. I have been--I 
am aware that some people in organizations have gotten very 
good at cross-indexing across very large amounts of data 
collected on numerous people from various sources, OPM, 
medical, etc. Twitter would be a very decent contribution to 
that multi-source collection.
    Senator Cornyn. And that's where things like artificial 
intelligence can come in to comb or mine vast sources of data 
for more targeted or narrow purpose. Is that right?
    Mr. Zatko. The ability to collect and mine, yes, has been 
augmented by modern AI techniques.
    Senator Cornyn. So, there are what I would call defensive 
concerns about people or individuals or government's access to 
your personal data, but there are also offensive concerns as 
well, and that's where the issue of disinformation, or a term 
that became popular--popularized during the 2016 aftermath was 
active measures. These are efforts by foreign governments, 
perhaps foreign intelligence services to actively create a 
narrative or a message that is essentially propaganda by this 
foreign government that can be used to try to influence 
American public opinion. Is that accurate?
    Mr. Zatko. Yes, sir. Not just America, that has happened 
worldwide, such as Myanmar and in 2018, Facebook acknowledging 
that the disinformation campaigns on their platform contributed 
to genocide.
    Senator Cornyn. And as you pointed out earlier, it is not--
when you're looking at the data that is available on each one 
of us as American citizens for whatever purposes, for good or 
ill, there's also a lot of information about who we interact 
with, right? Something--in the Intelligence Community sometimes 
they talk about pattern of life. Maybe you'd want to talk about 
a network of friends and associates, family members and the 
like, from which inquiring minds could obtain additional data 
about us.
    Mr. Zatko. Yes, and to your point, information operations 
are of a concern. Twitter acknowledges that they do happen on 
their platform. They have disclosed numerous ones, and they are 
aware of others that are ongoing.
    Senator Cornyn. I'm aware that TikTok, which is a Chinese 
company, I believe, and even Instagram, which is owned by 
Facebook, have 13-year-old age restrictions in terms of their 
terms of use. But there's no limitation on people's ability to 
pretend to be an adult, to pretend to be somebody that they're 
not and gain access to social media accounts, and to use it for 
whatever purpose that they wish.
    Mr. Zatko. I can't speak to TikTok or Facebook. I'm not 
familiar with their internal technology for age gating. I do 
know that that was a challenge at Twitter, and from what I was 
told, the majority of age gating was voluntary, self-reporting 
of what your age was.
    Senator Cornyn. And finally, can you tell me--do you have 
recommendations based on your 30 years of experience in terms 
of data security and what sort of regulations or laws that 
Congress and the Federal Government should consider passing? We 
don't have time to talk about all those here today, but we'd 
certainly welcome any of your recommendations and insights. Do 
you think this needs to be an area where the Federal Government 
needs to be actively engaged?
    Mr. Zatko. Yes, sir, I do. I'd be happy to supplement my--
my written report.
    Senator Cornyn. Thank you.
    Chair Durbin. Thank you, Senator Cornyn. Senator Hirono.
    Senator Hirono. Thank you, Mr. Chairman. Thank you for 
coming to testify, Mr. Zatko. Your testimony and all of your 
responses to the various questions we have asked you says to me 
that this situation regarding data security and national 
security issues with regard to Twitter is massive and that 
Twitter is not doing very much to be helpful at all. In fact, 
there are major disincentives to Twitter doing anything to 
spend the time or the resources to address the concerns that 
you raise.
    So, for example, the FTC, very out resourced with regard to 
try to keep Twitter under any kind of even a consent decree 
that was entered into back in 2011. And more recently, they're 
contemplating making Twitter pay $150 million for some misuse 
of information. One hundred fifty million dollar fine for a 
multi-billion dollar company is nothing, to provide any kind of 
incentives for them to change what they're doing. And yes, 
there is information out there from so many different sources, 
including our appliances and cars and everything else. However, 
Twitter is a huge, single platform where one can access 
information. So, who is going to force Twitter really to do 
anything? If we were to adopt some of the legislation that's 
contemplated, if we don't have an agency that can implement and 
enforce that law, then we are back where we started from. So, 
what is it going to take to force Twitter to change its ways?
    Mr. Zatko. Well, this starts at the top of Twitter, and you 
need an executive team that is willing to go in and say--you 
know, the executive teams themselves acknowledged, and I heard 
them say, ``We have 10 years of unpaid debt here, that at some 
point we really need to get ahead of.'' They need to prioritize 
that. And to my understanding, a board's primary role is to 
make sure the right executives--executives are in charge of the 
company, the CEO in particular, to make sure they are, you 
know, sending the company in the right direction. This needs to 
be a long-term incentive rather than short-term incentives for 
the companies, because the short-term incentives just mean that 
they're going to tactically run from fire to fire and not 
actually pay down debt for a long-lived valuable company.
    Senator Hirono. So, your description of Twitter though, is 
they're mainly focused on the short-term monetary incentives. 
Who's going to force them to look at the long-term? Do people 
need to go to prison? I mean, what do we need to do to get 
Twitter to--from what you're telling me, they cannot even 
identify foreign agents in their midst.
    Mr. Zatko. Yes, ma'am. And you know, to be blunt, some 
foreign agents would probably be pretty good and difficult to 
identify, but some were, in this case, not. And they're only, 
to my awareness, being identified when they are brought to 
them. They're not even attempting to--I think--I think holding 
people accountable is a good start. I think that is something 
that people are concerned of. But what--you can only hold 
people accountable if you can measure and quantify what their 
targets are and what changes need to happen. And if you say, 
such as what I saw, you know, Twitter needs to have a mature 
software security program, or security program. That's a very 
ambiguous and qualitative term. So, holding accountability and 
setting quantitative goals and standards that can be measured 
and audited independently, I believe, is what's going to be 
required to change management structures and drive change in 
companies when it's needed, such as this.
    Senator Hirono. So, we don't even have the kind of 
standards to which we can hold Twitter accountable to. Is that 
right?
    Mr. Zatko. From what I saw, they were able to be answered 
in the affirmative without actually meaningfully making--the 
intent of the regulators was correct. But you could then say, 
``Yes, I've done this,'' hold up an isolated example, and allow 
somebody to assume that that example was the whole environment, 
knowing that you're misleading----
    Senator Hirono. Excuse me. So, do French regulators have 
better standards to which to hold Twitter accountable to?
    Mr. Zatko. My understanding is that one of the reasons that 
the French CNIL is more feared is that they dig in technically 
and go toward more quantitative results that are less easy for 
organizations to sort of wordsmith around in their response and 
answers.
    Senator Hirono. Yes. I think that's something we can learn 
a lesson from. More specifically, are you sure that you 
discovered Twitter compromises its user data long after the 
users close their accounts? In fact, you stated that the 
accounts are simply deactivated while the data is not fully 
deleted. At the time of your departure from Twitter, was the 
company--was that the company's continuing general practice? 
They don't really eliminate the data?
    Mr. Zatko. Yes, I was told straight out by the chief 
privacy officer that the FTC had come and asked, ``Does Twitter 
delete user information when they leave the platform?'' And the 
reason this person told me this is he said, ``I need you to 
know this, because other regulators are asking us, and this 
ruse is not going to hold up. So, instead of answering whether 
we delete user data, we intentionally have replied, ``We 
deactivate users and try to side-step the program, because we 
know we do not delete user data and cannot comply with that if 
they demand us to.''
    Senator Hirono. You would think that that would be 
something that they could do technically, to be able to delete 
data, because for the users, to deactivate your account means 
that there should be nothing there of your account information, 
so, isn't there something technically that they could do?
    Mr. Zatko. This goes to one of the fundamental root 
problems I mentioned in my opening oral statement, which is 
they would need to know what data they have, where it is, and 
why they got it, and who it's attached to in order to do that. 
If they did that, which should be a fundamental expectation 
that I would have as a user, yes, at that point they could 
absolutely delete the information.
    Senator Hirono. Thank you.
    Senator Ossoff. [Presiding.] Senator Graham is recognized 
for 6 minutes.
    Senator Graham. Thank you very much for coming to the 
Committee and giving us your insight. Something good will come 
from this. Do you believe that?
    Mr. Zatko. I hope so. I'm basically risking my career, and 
reputation, and if something good comes from this 5, 10 years 
down the road, it will have been worth it as a sacrifice.
    Senator Graham. And you're willing to take that risk 
because it's that important to you?
    Mr. Zatko. Yes, I've been doing this for 30 years. People 
who know me in the industry know that, you know, I'm willing to 
put it all on the line, hoping that we can improve things.
    Senator Graham. Well, I'm going to work with my Democratic 
colleagues to make sure this is not in vain. Let me ask you a 
question. Do you still use Twitter?
    Mr. Zatko. I still have an account on Twitter. I still read 
it occasionally. I have not tweeted since I've left.
    Senator Graham. Given what you know, would you recommend 
that all of us continue to use Twitter, or should we take a 
time out?
    Mr. Zatko. I think Twitter is a hugely valuable service. It 
really shapes people's----
    Senator Graham. So, no matter what you've said today you're 
okay with the rest of us still tweeting?
    Mr. Zatko. I think people should look at the information 
they're getting off of it differently, and I think people 
should put pressure on Twitter and ask questions from the 
public and from the Government and regulators----
    Senator Graham. You're not asking to shut them down. You're 
asking them to get better.
    Mr. Zatko. Absolutely, sir.
    Senator Graham. Okay, would you buy Twitter, given what you 
know, if you had the money?
    Mr. Zatko. Well, I guess that depends on the price.
    Senator Graham. That's fair enough, but I guess the reason 
I asked that, you know, for the rest of us, we take what you 
say seriously. It's pretty unnerving. I'm going to go ahead and 
use Twitter, but I'll use it differently. And if nothing good 
comes out of this, shame on us all.
    So, let me just tell you where I'm headed. There's no way 
to deal with this without bipartisanship, from my point of 
view. So, I'm working with Elizabeth Warren of all people. We 
have different perspectives on most everything. But Elizabeth 
and I have come to believe that it's now time to look at social 
media platforms anew. And we have this general understanding 
among ourselves that the regulatory system regarding social 
media is not working effectively. Do you agree with that?
    Mr. Zatko. Based upon what I saw, a lot of things are not 
working effectively. Yes, sir.
    Senator Graham. Okay. The Federal Trade Commission, that's 
the primary regulator for Twitter, as far as we know?
    Mr. Zatko. I do not believe that Twitter should be able to 
be viewed as in compliance----
    Senator Graham. Well, my point is, do you know when the 
Federal Trade Commission was founded?
    Mr. Zatko. No, sir, I do not.
    Senator Graham. 1914. A lot has happened since 1914, World 
War I, World War II, and an explosion of social media. Would 
you say, given what you know, it seems like the regulatory 
bodies are sort of outgunned here?
    Mr. Zatko. In Big Tech, I think they are absolutely 
outgunned.
    Senator Graham. Yes, they're like big time outgunned, and I 
want people to understand paying a $150 million fine seems to 
be of little consequence. Is that your testimony?
    Mr. Zatko. In this case, absolutely.
    Senator Graham. Okay, so just imagine what I just said, Mr. 
Chairman. A company doesn't mind paying $150 million and just 
getting back on to doing what they're doing. So, one of the 
things I'm trying to do with Senator Warren and others, is 
create a consequence for these organizations to give them an 
incentive to do better. Don't you think that's where we should 
be headed?
    Mr. Zatko. Yes, sir. I do.
    Senator Graham. One thing. Do you have a car?
    Mr. Zatko. Yes, sir. I do.
    Senator Graham. Do you have a driver's license?
    Mr. Zatko. Yes, sir.
    Senator Graham. Okay, if you drive a car, you need a 
license. If you sell real estate, you need a license. If you 
practice law, you need a license. If you're involved in the 
securities business, you need to get licensed. Is there any 
licensing requirement to run a social media company?
    Mr. Zatko. Not to the best of my knowledge, sir.
    Senator Graham. Okay, can you sue a social media company 
when they do you wrong?
    Mr. Zatko. I do not know.
    Senator Graham. Well, the answer is no. So, they're not 
licensed. You can't sue them. And to be shocked that we have a 
problem is kind of naive on our part. So, here is what I 
promise to you. That we're going to take your testimony, that 
we're going to learn from it, we're going to create a system 
more like Europe, a regulatory environment with teeth, an 
agency that came about after 1914, with the power to deal with 
privacy issues, content moderation. If you're going to be in 
this space, you have to harden your sights against foreign 
interference. You have to protect your sites against 
criminality. And if somebody takes your content down, you'll 
have an appeal process outside the group who did it. Does that 
sound kind of like where we need to be going?
    Mr. Zatko. Those all sound good to me, and I would hope 
measurable and transparent, and thank you, sir.
    Senator Graham. Well, we're headed that way with my good 
friend, Senator Hawley, who is going to join the Graham/Warren 
team. We're going to come up with a regulatory system to make 
sure that people in this space pay better attention, they have 
consequences if they don't change their behavior. It's long 
past due.
    Would you say that the companies that we're talking about 
are some of the most powerful in the history of the world?
    Mr. Zatko. I don't know, sir.
    Senator Graham. Well, I'll say that. I will say that these 
companies make massive amounts of money. They're virtually 
unregulated. They're regulatory body was founded in 1914. 
They're completely outgunned. And under our law, you can't sue 
them when you're wronged. Having said all that, there's much 
value to these companies, Facebook, Twitter, Google. They add 
value to life. But there's a dark side. And we're going to 
address the dark side.
    So, I will just close with this. Your testimony today has 
legitimized what most of us feel is a process out of control. 
That the regulatory environment is insufficient to the task. 
It's time to up our game in this country. I'm not about putting 
these people out of business. I'm about making them do business 
in a normal way and take their job more seriously. And if 
Elizabeth Warren and Lindsey Graham can come together around 
that concept, I think we're off to the races as a body. Thank 
you very much. What you did today will not be in vain.
    Mr. Zatko. Thank you very much, sir. If what I've done can 
contribute to positive change, it will be worth it. Thank you.
    Senator Ossoff. Thank you, Senator Graham. Mr. Zatko, thank 
you for joining us. Mudge, thank you for joining us. I'd like 
to ask you about what you encountered in terms of the corporate 
incentives at the top of the company. Something like pushing 
patches in security updates to employee devices. Cyber hygiene 
is not easy, but that's a relatively low-cost way to mitigate a 
lot of risks. And there is significant risk here, reputational 
risk, financial risk, so, why based upon your experience 
working within Twitter's corporate leadership, would the 
company not have elected to take that step, to mitigate risk in 
that relatively low-cost way, or other steps like that?
    Mr. Zatko. I didn't see any financial incentives at the top 
levels that would then give prioritization to such efforts. In 
fact, I saw incentives counter to that, and combined with a 
culture where the company needs a crisis to operate and is 
driven by crises. Those didn't afford time or focus from what I 
saw, to do the basic security hygiene.
    Senator Ossoff. What are the basic incentives against 
something like patching?
    Mr. Zatko. So, it was just--so, I'll give you an example. 
One of the things that I was surprised while I was there, we 
did a media day from the executives for the street. It was the 
first one that Twitter had done in a very long time. It set 
very ambitious goals for revenue growth, goals that I was 
concerned that the company would not be able to hit. Not too 
many months after that, there was an internal value creation 
award presented to me, offering $10 million if we tripled these 
growth goals. And I raised concerns saying, I don't know how we 
can do that unless we entirely cut corners everywhere. I do not 
like this incentive structure. How are we going to be able to 
devote resources to the basics, such as fixing security 
patching, getting the systems up to date, building a 
development and testing environment for all of the different 
functions----
    Senator Ossoff. Okay, but how is the growth incentive 
hostile to something like pushing software updates to employee 
devices? And given that that is a, as I understand it, a 
fundamental security practice, a basic cyber hygiene practice, 
why were you unable to implement a change like that. That sort 
of baseline hygiene practice where you'd want all employee 
devices to be updated to the latest version?
    Mr. Zatko. Yes, I brought that up numerous times. I was 
repeatedly told that, you know, 92 percent of the systems had 
security software. And I kept asking what is the security 
software reporting? It took me a month plus to get the truth 
that 30 percent of the systems were not--they had turned off 
software updates. There was a culture of not reporting bad 
results up, only reporting good results up, because that was 
the internal incentive structure. You were rewarded based upon 
relationships and how you performed in an emergency, not for 
identifying existing errors and doing the groundwork for 
keeping the lights on and running the business. My inability to 
find such basic information was disturbing.
    Senator Ossoff. So, you couldn't get the authorization, for 
example, to implement an MBM system, or some system to push 
patches out to user devices, or you just couldn't work the 
bureaucracy to make it happen?
    Mr. Zatko. I had the authorization. I couldn't get the real 
information, because people were misrepresenting to the 
executive team and the executive team was then further 
misrepresenting only good news and incorrect news to the board. 
So, it took me several months to start going and getting ground 
truth, and to find out that this had been a culture of only 
present good and positive reports up. And that's how you move 
forward in the company.
    Senator Ossoff. Okay, let's talk about the data, much of 
it, no doubt sensitive, within Twitter's possession, and some 
of the most alarming aspects of your disclosure and testimony 
is that the extent to which Twitter may not know what it has. 
What would--and, of course, you don't know what you don't know, 
but what would be an example of the kinds of data sets that 
Twitter might possess, but not fully understand it possesses, 
and what would be the mechanisms, other than monitoring user 
activity, by which it would have accumulated such data?
    Mr. Zatko. Sure. One example, I was surprised to see that 
in an internal incident review in 2020, 50 million Twitter 
employees' information had been exposed. And that number 
confused me because Twitter doesn't have 50 million employees. 
Twitter has all of the information of all past employees, 
contractors, and other users, because they haven't deleted that 
data. They've kept that data in that system, and those systems 
when they are exposed, expose that information. That was 
surprising to me. I'm sorry, what was the second part of your 
question, sir?
    Senator Ossoff. No, that's helpful, and I'm running low on 
time, so I want to get to this next point. And I know some of 
my colleagues have covered it, but the risks associated with 
targeted advertising, whether for the purpose of inducing 
targeted users to click on links that could then harvest data 
about their devices or their web use or their location. Or 
possibly inject malware or for targeted influence campaigns. 
Can you please talk about what you observed and what you view 
to be the risks associated with the advertising model and the 
capability of enterprise clients of Twitter's to target ads and 
links to specific users?
    Mr. Zatko. Yes, so that area wasn't specifically my domain. 
That was under the executive of sales engineering. The parts 
that I believe are relevant were not only the additional report 
that we talked about earlier with the information operations, 
but I did see that data sets internally to the organization 
when I first joined, thousands of users had access to the 
advertisers' information, including their bank accounts and 
routing numbers. And when I first joined, people could change 
that information, and you could understand why changing the 
banking account information of a company such as Apple or Nike 
might be problematic.
    Senator Ossoff. Final question, and then I'll yield to 
Senator Hawley, and I'm going to follow up with you on this one 
for the record as well, to get as much detail as possible. But 
what records, documents, or technical information, with as much 
specificity as you can muster right now, would you suggest that 
the Congress should seek from Twitter, to understand the extent 
of the alleged lack of security practices, but also what data 
may have been exfiltrated when and by whom, what the level of 
national security risk might be? What should we be seeking from 
this company so that we can assess the level of risk and the 
threat and make policy accordingly?
    Mr. Zatko. Yes, sir. I submitted, I believe, 100 plus pages 
in my disclosure, with data, talking about the sources of that 
data and providing a road map for investigators. I will do it a 
disservice trying to summarize the large numbers of sources and 
locations of that data. But hopefully, my lawful disclosures 
provide that road map, and I am happy to follow up----
    Senator Ossoff. Okay, we'll review it, in full, and send 
you any follow-ups.
    [The information appears as a submission for the record.]
    Mr. Zatko. Yes, sir.
    Senator Ossoff. Thanks for your testimony. Senator Hawley, 
for 6 minutes.
    Senator Hawley. Thank you very much, Mr. Chairman. Mr. 
Zatko, thank you for being here. Thanks for your testimony.
    Mr. Zatko. Thank you.
    Senator Hawley. I want to just make sure I get this 
straight. You stated today, and in your report, that about 
4,000 Twitter employees are classified as engineers. Is that 
right?
    Mr. Zatko. Yes, sir. At the time, half of the employees--I 
believe there was 7,000 plus full-time employees.
    Senator Hawley. Got it, and that means that these 4,000-ish 
employees would have had access to live user data all over 
Twitter. They could access users' personal information, 
including their live data. Have I got that right?
    Mr. Zatko. Yes, sir. So, they would have access to the 
production environment. If they spent the time to meander 
around and look around, they would find that they could access 
these large troves of data.
    Senator Hawley. Including geolocation data? Did you testify 
to that earlier today?
    Mr. Zatko. I know that Twitter has IP locations, and that 
they do use geolocation services based upon IP addresses.
    Senator Hawley. Wow, 4,000 employees with access to that 
data. That's extraordinary. So, those employees would be in a 
position then, if they wanted to, to get this information and 
dox Twitter users. Is that fair to say?
    Mr. Zatko. That is a concern of mine. Yes.
    Senator Hawley. Wow. That's a significant concern. 4,000 
people with the ability to dox individual users who pick up the 
phone and use Twitter. That's extraordinary. Have you ever seen 
it happen?
    Mr. Zatko. I have seen numerous situations where Twitter 
engineers had to patch a problem and I said, ``What was the 
problem?'' And they said, ``Oh, engineers could tweet as 
anybody.'' The data was exposed in this part, and it was always 
reactionary--and finding these wounds left and right and 
putting band aids on them because the systemic underlying 
problems were not addressed, the broad access to too much 
information and too many systems.
    Senator Hawley. When you say Twitter engineers could tweet 
as anybody, tell me what that means.
    Mr. Zatko. That meant a Twitter engineer, understanding how 
the running systems and the data flows were operating, could 
then access and inject, or put forward information as--as I 
mentioned in my oral statement--any of the Senators sitting 
here today.
    Senator Hawley. And have you ever seen that happen?
    Mr. Zatko. Not with the--no, not directly.
    Senator Hawley. Not directly. Are you concerned it has 
happened? Do you have some reason to believe it may have 
happened?
    Mr. Zatko. The number of cases that were reported to me by 
individual engineers saying, ``Hey, we found this. I'm going to 
try and have somebody fix it,'' where that was the exact 
problem, and we wouldn't know if it had happened in this past? 
Yes, I am concerned.
    Senator Hawley. Wow. I think that's pretty significant 
testimony. Let me--let me make sure that I understand also just 
this point. A Facebook whistleblower came forward a couple of 
years ago now, came to me, to my office, and told us that at 
Facebook they at least had some policies on the books that 
restricted backend developers from using--from accessing user 
data. Now, whether or not those policies were ever followed, 
who really knows? But is it your testimony to me that Twitter 
had no similar policies in place that would have restricted 
these 4,000 engineers from accessing user data in this way?
    Mr. Zatko. Not technical enforced--not technical policies 
that were enforced. I did see basic policies, such as ``Hey, 
you're not supposed to access inappropriate systems.'' But I 
also saw policies saying that, ``Your work laptops should only 
run in the following setups,'' and I was aware that I don't 
believe any of the laptops were in compliance with those 
policies.
    Senator Hawley. None of the laptops?
    Mr. Zatko. Based upon the policy that I read, I do not 
believe that any of the laptops were in compliance with that 
security policy.
    Senator Hawley. Zero. Zero in compliance with their policy. 
That's extraordinary. Let me ask you about this. That same 
Facebook whistleblower told us a couple of years ago now, that 
Twitter's content moderation staff routinely collaborated with 
content moderators at Facebook and Google. Is that true to your 
knowledge? Do you have any information about that?
    Mr. Zatko. That would be in a team under counsel, and I 
wouldn't have first-hand knowledge of that.
    Senator Hawley. Are you aware of any Twitter policies that 
would have prohibited coordination on content moderation 
between Facebook, Google, and Twitter?
    Mr. Zatko. Not to the best of my knowledge. I am not aware.
    Senator Hawley. Okay, so it's immanently possible is what 
you're saying?
    Mr. Zatko. Yes, sir.
    Senator Hawley. Let me ask you about this. Are you aware of 
any communications regarding content moderation with Twitter 
staff and the U.S. Government in your time at the company?
    Mr. Zatko. I am familiar with the conversations that 
happened through Department of Homeland Security, the Traffic 
Light Protocol, where there are messages sent out to 
organizations about threats that maybe the FBI or other 
organizations had insight into.
    Senator Hawley. So, earlier this year, documents that we 
obtained from a different whistleblower at the Department of 
Homeland Security exposed that the Disinformation Board that 
the Department of Homeland Security set up, that first on the 
Disinformation Board's list of companies to meet with was 
Twitter. And they had an extensive memo, which by the way is 
public information now. We've released it. You can go and look 
at it. But they had a memo prepared with notes for this meeting 
with Twitter, talking about cooperation and content moderation 
and frankly in monitoring Americans' speech. And now we know 
thousands of Twitter employees have access to that. This was 
all in these documents. I guess my question to you is--and I 
know that you weren't in those meetings--but why do you suppose 
that the Disinformation Board had Twitter first on the list of 
entities to come to, to talk about coordinating and monitoring 
Americans' speech?
    Mr. Zatko. I can't opine on that, but I can say that 
Twitter is a tremendously influential platform, and we do know 
that there are information operations being run on Twitter.
    Senator Hawley. Do you think it's maybe because Twitter has 
proved so pliant to government pressure, to censorship and 
monitor people? I'm thinking of, you know, first of all the 
Hunter Biden story. We now know that Twitter killed the Hunter 
Biden reporting. We know Mark Zuckerberg has said that the FBI 
pushed Facebook to do so. Facebook throttled it down. Twitter 
killed it completely, you know, locked up accounts that were 
trying to report what we now know was a true story. Or how 
about in your own report, you claimed that the Twitter CEO 
proposed caving to the Russian government's demands to censor 
content on Twitter and spy on its users. And you noted that 
this occurred even as you were directing employees to prepare 
for the Russian invasion of Ukraine. That sounds like an 
executive team that's pretty darn pliant to the demands of 
governments to weaponize, effectively, their platform to 
control information, to spy on its users. What's your view?
    Mr. Zatko. I wasn't there when the Hunter Biden issue 
happened, and I don't have any information on that. I wasn't 
briefed into it or involved in any of the investigations. The 
CEO was the CTO at the time, when he proposed to me that, 
``Hey, what do you think about, you know, why don't we just let 
Russia perform their own moderation? They're a democracy. So, 
why shouldn't we let them do it?'' I didn't know what to think 
at the time. I'm sure I was a little flabbergasted.
    Senator Hawley. Well, I think I know what to think, which 
is that Twitter has been all too eager to take private 
information from its users without telling them, to sell it and 
monetize it without their permission, to expose them to the 
worst kind of security threats, to censor them, to spy on them. 
I mean, you have painted a picture of a company that is not 
only out of control, but is truly, in many ways a malign actor. 
And I thank you for being willing to be here and testify. Thank 
you, Mr. Chairman.
    Senator Ossoff. Thank you, Senator Hawley. Thank you for 
appearing before the Committee today. The hearing record will 
remain open for 1 week for submission of materials for the 
record, and with that, this hearing is adjourned.
    [Whereupon, at 12:25 p.m., the hearing was adjourned.]
    [Additional material submitted for the record follows.]

                            A P P E N D I X

Miscellaneous submissions:

 Whistleblower Aid................................................    60

 Alpha Combined Files

  https://www.govinfo.gov/content/pkg/CHRG-117shrg60055/pdf/CHRG-
    117shrg
    6055-add1.pdf

 Bravo Combined Files

  https://www.govinfo.gov/content/pkg/CHRG-117shrg60055/pdf/CHRG-
    117shrg
    60055-add2.pdf
    
    
    
       [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
   
    
                                 [all]