September 13, 2022

Grassley: Twitter has a Responsibility to Safeguard User Data

Prepared Statement by U.S. Senator Chuck Grassley (R-Iowa)
Ranking Member, Senate Judiciary Committee
Hearing on “Data Security at Risk: Testimony from a Twitter Whistleblower”
September 13, 2022
 
Big tech companies, such as Twitter, collect vast amounts of data on American citizens. In the hands of a foreign adversary, this data is a gold mine of information that could be used against American interests. Twitter has a responsibility to ensure that the data is protected and doesn’t fall into the hands of foreign powers.
 
Americans rightfully expect that Twitter will protect that information. Thanks to a whistleblower that’s come forward, we’ve learned that Twitter hasn’t secured the data of tens of millions of Americans and countless other users.
 
That whistleblower is here today. I’d like to welcome Peiter Zatko to this hearing. And I know you prefer to go by your handle, “Mudge.” He comes before this Committee today, not only as an expert in the field of cybersecurity, but also a whistleblower.
 
As you all know, I have a great deal of admiration for whistleblowers. I’ve always said whistleblowers are patriotic individuals, who often sacrifice their own career and livelihood to root out waste, fraud, and abuse.
 
Thank you for being here.
 
Because of his disclosures, we’ve learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies. For example, his disclosures indicate that India was able to place at least two suspected foreign assets within Twitter. His disclosures also note that the FBI notified Twitter of at least one Chinese agent in the company.
 
Based on allegations, Twitter also suffers from a lack of data security. Due to that failure, thousands of Twitter employees can access user data – data that they don’t need access to in order to do their job. And if foreign assets work for Twitter, that means they can access it, too.
 
To put a finer point on the allegations, Twitter has allegedly used data it collects and the tools it has to geo-locate individuals who made threats against board members.
 
In the hands of a foreign agent embedded at Twitter, a foreign adversary could use the same technology to track down pro-democracy dissidents within their country or spy on Americans. This has actually happened in the past. In 2019, two Twitter employees were indicted by the DOJ. They used their position at Twitter to access private user data and give it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6,000 individuals of interest to the Saudi government.
 
Simply put, the whistleblower disclosures paint a disturbing picture of a company that’s solely focused on profits at any expense, including at the expense of the safety and security of its users.
 
Additionally, it’s been alleged that Twitter knowingly violated a consent decree that it entered into with the Federal Trade Commission in 2011. That consent decree required Twitter to address their access control failures. However, instead of complying with the consent decree and fixing serious security issues, it’s alleged that Twitter executives, specifically the CEO, intentionally misled Twitter’s Board of Directors.
 
I’m concerned that for almost ten years the Federal Trade Commission didn’t know or didn’t take strong enough action to ensure Twitter complied with the consent decree. This is a consent decree that was intended to protect Twitter users’ personal information.
 
As Congress considers federal data privacy legislation, I think it’s important that we draw on these revelations about how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC’s ability, or lack thereof, to successfully oversee these important issues.
 
Twitter also needs to answer questions about its content moderation. It was revealed to this Committee that Twitter outsources a great deal of content moderation to foreign countries. They have close to 2,000 employees in other countries whose job it is to screen tweets by Americans. They also lack the appropriate amount of translators to ensure that tweets in other languages are complying with Twitter’s own rules. Mudge had limited visibility in content moderation while at Twitter, so these are questions that need to be answered in full by Twitter.
 
Unfortunately, this Committee will not be able to get answers about content moderation because Twitter’s CEO has refused to appear today. He rejected this Committee’s invitation to appear by claiming that it could jeopardize Twitter’s ongoing litigation with Elon Musk. Many of the allegations directly implicate Mr. Agrawal, and he should be here to address them.
 
So let me be clear, the business of this Committee, and protecting Americans from foreign influence, is more important than Twitter’s civil litigation in Delaware. In conclusion, if these allegations are true, I don’t see how Mr. Agrawal can maintain his position at Twitter.
 

Going forward, Chairman Durbin and I will continue conducting a thorough and in-depth investigation. Today’s hearing is part of that process.