Prepared Statement by U.S. Senator Chuck Grassley (R-Iowa)
Ranking Member, Senate Judiciary Committee
Hearing on “Data Security at Risk:
Testimony from a Twitter Whistleblower”
September 13, 2022
Big tech companies, such as Twitter, collect vast amounts of data
on American citizens. In the hands of a foreign adversary, this data is a gold
mine of information that could be used against American interests. Twitter has
a responsibility to ensure that the data is protected and doesn’t fall into the
hands of foreign powers.
Americans rightfully expect that Twitter will protect that
information. Thanks to a whistleblower that’s come forward, we’ve learned that
Twitter hasn’t secured the data of tens of millions of Americans and countless
That whistleblower is here today. I’d like to welcome Peiter Zatko
to this hearing. And I know you prefer to go by your handle, “Mudge.” He comes
before this Committee today, not only as an expert in the field of
cybersecurity, but also a whistleblower.
As you all know, I have a great deal of admiration for
whistleblowers. I’ve always said whistleblowers are patriotic individuals, who
often sacrifice their own career and livelihood to root out waste, fraud, and
Thank you for being here.
Because of his disclosures, we’ve learned that personal data from
Twitter users was potentially exposed to foreign intelligence agencies. For
example, his disclosures indicate that India was able to place at least two
suspected foreign assets within Twitter. His disclosures also note that the FBI
notified Twitter of at least one Chinese agent in the company.
Based on allegations, Twitter also suffers from a lack of data
security. Due to that failure, thousands of Twitter employees can access user
data – data that they don’t need access to in order to do their job. And if
foreign assets work for Twitter, that means they can access it, too.
To put a finer point on the allegations, Twitter has allegedly
used data it collects and the tools it has to geo-locate individuals who made
threats against board members.
In the hands of a foreign agent embedded at Twitter, a foreign
adversary could use the same technology to track down pro-democracy dissidents
within their country or spy on Americans. This has actually happened in the
past. In 2019, two Twitter employees were indicted by the DOJ. They used their
position at Twitter to access private user data and give it to Saudi Arabia.
These foreign agents were able to access and provide personal information on
more than 6,000 individuals of interest to the Saudi government.
Simply put, the whistleblower disclosures paint a disturbing
picture of a company that’s solely focused on profits at any expense, including
at the expense of the safety and security of its users.
Additionally, it’s been alleged that Twitter knowingly violated a
consent decree that it entered into with the Federal Trade Commission in 2011.
That consent decree required Twitter to address their access control failures.
However, instead of complying with the consent decree and fixing serious
security issues, it’s alleged that Twitter executives, specifically the CEO,
intentionally misled Twitter’s Board of Directors.
I’m concerned that for almost ten years the Federal Trade
Commission didn’t know or didn’t take strong enough action to ensure Twitter
complied with the consent decree. This is a consent decree that was intended to
protect Twitter users’ personal information.
As Congress considers federal data privacy legislation, I think
it’s important that we draw on these revelations about how Twitter views its
obligations with federal regulators. Congress should also be mindful of the
FTC’s ability, or lack thereof, to successfully oversee these important issues.
Twitter also needs to answer questions about its content
moderation. It was revealed to this Committee that Twitter outsources a great
deal of content moderation to foreign countries. They have close to 2,000
employees in other countries whose job it is to screen tweets by Americans.
They also lack the appropriate amount of translators to ensure that tweets in
other languages are complying with Twitter’s own rules. Mudge had limited
visibility in content moderation while at Twitter so these are questions that
need to be answered in full by Twitter.
Unfortunately, this Committee will not be able to get answers
about content moderation because Twitter’s CEO has refused to appear today. He
rejected this Committee’s invitation to appear by claiming that it could
jeopardize Twitter’s ongoing litigation with Elon Musk. Many of the allegations
directly implicate Mr. Agrawal, and he should be here to address them.
So let me be clear, the business of this Committee, and protecting
Americans from foreign influence, is more important than Twitter’s civil
litigation in Delaware. In conclusion, if these allegations are true, I don’t
see how Mr. Agrawal can maintain his position at Twitter.
Going forward, Chairman Durbin and I will continue conducting a thorough
and in-depth investigation. Today’s hearing is part of that process.