what we learned when twitter whistleblower mudge testified to congress

A ticking bomb of security vulnerabilities. Covering up security failures. Duping regulators and misleading lawmakers.

These are just some of the allegations when Twitter’s ex-security lead turned whistleblower, Peiter Zatko, testified to the Senate Judiciary Committee on Tuesday, less than a month after the release of his explosive whistleblower complaint filed with federal regulators. Zatko, better known as Mudge, made his first comments since the public release of his complaint.

Twitter did not respond to a request for comment.

These are the key takeaways from Mudge’s testimony to lawmakers and what we learned from Tuesday’s hearing.

FBI warned Twitter it had a Chinese spy on staff

Sen. Chuck Grassley, the ranking member of the Senate Judiciary Committee, said in his opening remarks that the FBI warned Twitter that it may have a Chinese spy on its payroll.

A redacted version of Mudge’s whistleblower complaint released last month said that Twitter received specific information from the U.S. government that “one or more particular company employees were working on behalf of another particular foreign intelligence agency.” The nationality of the foreign intelligence agents were not disclosed at the time.

But Mudge told the panel that the spy was an agent of China’s Ministry of State Security, or MSS, the country’s main intelligence agency. He added that because Twitter engineers — about 4,000 employees — have broad access to company data, a foreign agent hired as an engineer would have access to personal user information and potentially other sensitive company information, such as Twitter’s plans to censor information in a certain region or concede to demands of a government request. But because Twitter did not closely monitor or log employees’ access, according to his complaint, Mudge said it was “very difficult” to identify what specific data was taken by Twitter employees as foreign agents.

The Chinese spy wasn’t the only agent of a foreign government on Twitter’s payroll. Mudge said in his complaint that the Indian government “succeeded in placing agents on the company payroll” who were granted “direct unsupervised access to the company’s systems and user data.” In August, a former Twitter employee was found guilty of spying for the Saudi government and handing over user data of suspected dissidents.

Thousands of attempts to hack into Twitter weekly

A common theme in Mudge’s complaint is that Twitter did not have the visibility to know what data engineers had access to, or what user data or company information they were accessing. But one system that tracked logins for Twitter engineers found that it was registering “thousands” of failed attempts to log in to Twitter’s systems each week, Mudge told members of Congress.

Mudge said in his complaint that the company saw as many as 3,000 failed attempts each day, describing it as a “huge red flag.” Mudge said then-Twitter chief technology officer Parag Agrawal — now chief executive — did not assign anyone to diagnose or fix the issue, the complaint added.

“This fundamental lack of logging inside Twitter is a remnant of being so far behind on their infrastructure, the engineering, and the engineers not being given the ability to put things in place to modernize,” Mudge testified.

What Twitter knows about its users, and why spies want it

Given the focus of Twitter’s apparent lax access controls to users’ information, lawmakers asked Mudge what specific kind of data that Twitter collects from its users. Mudge said Twitter does not fully understand the scale of what data it collects.

He said among the data Twitter collects includes: a user’s phone number, the current and past IP addresses that the user is connecting from, current and past email addresses, the person’s approximate location based on IP addresses, and information about the person’s device or browser they are accessing Twitter from, such as the make and model, and user’s language.

Mudge said it was possible that engineers had access to this information and would be an attractive target for foreign intelligence agencies. One of the reasons he cited was that it would be helpful for governments to target particular groups and keep tabs on what Twitter knows about their agents or information operations.

Mudge also warned that Twitter user information could be used for harassment or targeting individuals as part of influence operations in the real-world, such as a family member or a colleague, and used as leverage to influence people close to them without their awareness. “It might be used with other data collection,” Mudge told lawmakers, citing previous breaches, including massive thefts of health data and U.S. government personnel files, such as the breach of 22 million records from the U.S. Office of Personnel Management in 2012. Mudge told lawmakers that his own OPM file was stolen in the breach from when he worked for the federal government.

U.S. government agencies let companies ‘grade their own homework’

Mudge’s complaint and subsequent testimony lands just months after Twitter paid $150 million in a settlement with the Federal Trade Commission for violating its 2011 privacy agreement, after the company used email and phone data for securing their accounts but then used that same information for targeted advertising.

Mudge told lawmakers that while government agencies have a responsibility to enforce the law and that they have the right intent, he accused the FTC of being a “little over its head” by allowing companies to “grade their own homework.” In response to a question by Sen. Richard Blumenthal, Mudge referenced the 2011 privacy agreement and asked, “How [has Twitter] been passing this?”

Speaking of the regulators and their enforcement powers, Mudge told lawmakers: “What I have seen, the tools in the toolbelt are not working.”

Keyword: What we learned when Twitter whistleblower Mudge testified to Congress

TECH'S NEWS RELATED

TripActions reportedly files to go public at $12 billion valuation

TripActions is said to have filed confidentially to go public in the third quarter of next year at a $12 billion valuation. Citing an unnamed source, Business Insider broke the news on Wednesday that the company had filed confidential paperwork with the U.S. Securities and Exchange Commission for an ...

View more: TripActions reportedly files to go public at $12 billion valuation

Roku will now work with Nielsen to track cross-media viewership

Today, Nielsen announced that Roku plans to enable four-screen measurement across desktop, mobile, connected TV, and traditional TV. This is the first time Roku will use the digital methodology, Nielsen One, the data measurement firm’s cross-media measurement tool, which launches in December. In the age of streaming, it’s becoming ...

View more: Roku will now work with Nielsen to track cross-media viewership

Stockholm-based Ripe helps product-led B2B companies find the ripest leads in their customer base

Product-led growth (PLG) is defined by VC firm OpenView as “a growth model where product usage drives customer acquisition, retention and expansion.” This is a major shift from growth driven by hands-on selling efforts, with broader implications than it may initially seem. A key difference is that the most successful ...

View more: Stockholm-based Ripe helps product-led B2B companies find the ripest leads in their customer base

Sky.Garden, Kenya’s Amazon-style marketplace, faces closure after funding fell through

The future of Kenya-based Sky.Garden — an Amazon-style marketplace for third-party merchants to sell electronics, home goods and more — is in the balance after the startup failed to close a round of financing, according to a memo the startup sent out to employees. An insider told TechCrunch that the startup’s ...

View more: Sky.Garden, Kenya’s Amazon-style marketplace, faces closure after funding fell through

Arcade scores $7.5M seed to make it simple to build a product demo

Software product marketers typically are charged with creating demos for potential customers. These let people who are interested in the product see how a function inside an application works as a way to whet the appetite of the potential buyer. Arcade, a startup launched by two former Atlassian employees, decided ...

View more: Arcade scores $7.5M seed to make it simple to build a product demo

Studio’s private group camcorder app lets friends create ‘episodes’ by combing 10-second videos

As younger consumers are shifting to social apps that focus on video and more personal forms of social networking, a new social app called Studio, launching today, is introducing a group camcorder experience that allows groups of friends to share videos with one another in private albums. These albums, or ...

View more: Studio’s private group camcorder app lets friends create ‘episodes’ by combing 10-second videos

As extreme weather events worsen, 7Analytics meshes AI and big data to predict flooding

Show me the data Startups to the rescue? Anyone who has followed global news events of late will have noticed the devastating floods that have engulfed pretty much every corner of the world, from the U.S. and Europe, to Africa, Australia, and Asia, where India and Pakistan have been ...

View more: As extreme weather events worsen, 7Analytics meshes AI and big data to predict flooding

YouTube will show personal stories of patients in search results for health-related queries

YouTube announced Wednesday that it will show a new section called “Personal Stories” in search results starting this week when users enter health-related queries. The company said when people search for videos of certain health conditions on YouTube, it will show a panel featuring videos from people who are ...

View more: YouTube will show personal stories of patients in search results for health-related queries

Airplane lands $32M in new cash to make it easier for companies to build internal dev tools

Group Payment App Collctiv Celebrates $20M Milestone

Lunio raises $15M to combat click fraud with algorithms

Fintech Without Frontiers joins Ukrainian Finance Associations to create united front

KOOS RECEIVES $4M IN FUNDING TO ACCELERATE A NEW ERA OF OWNERSHIP

Most common types of insurance for startups

Can companies issue stakes in their success without using shares or options? This startup thinks so

Price of three BYD models revealed for European customers

Former Revolut employees launch Solvo, an app that simplifies crypto investing

Inter-city food delivery built to be profitable, will break even much faster: Zomato

What are the new must-hit startup metrics?

Google updates the Play Store to make it easier to find non-phone apps

OTHER TECH NEWS

;