‘Foreign agents’ went undetected till flagged by someone outside: Zatko
Twitter’s lack of internal security controls meant that, due to inadequate logging activity, the social media company could not track employees who may have been acting as government agents, Twitter ex-security lead turned whistleblower Peiter Zatko said.
He had previously claimed that he believed “with high confidence” that the Indian government had placed its agents within the company. During a hearing at the US Senate Judiciary Committee Tuesday night, Zatko also said that Twitter had a Chinese agent working for the country’s Ministry of State Security on its payroll.
“Other than the person who I believe with high confidence, to be a foreign agent placed in a position from India, it was only going to be from an outside agency or somebody alerting Twitter that somebody already existed that they would find the person,” Zatko said, responding to a question by Senator Dianne Feinstein.
He said that when Twitter learnt of a person inside acting on behalf of a foreign interest as a government agent, “it was extremely difficult to track the people”. “There was a lack of logging and an ability to see what they were doing, what information was being accessed, let alone set steps for remediation and possible reconstitution of any damage,” Zatko told the Committee.
His deposition comes less than a month after Zatko filed a whistleblower complaint with the US Securities and Exchange Commission (SEC) where he had claimed that the Indian government “forced” the social media company to hire one or more individuals who were “government agents” and had unsupervised access to vast amounts of the platform’s user data, among other things.
In August, a former Twitter employee was also found guilty of spying for the Saudi government and handing over user data of suspected dissidents.
During Tuesday’s hearing that lasted for more than two hours, another senator asked Zatko how having an agent could possibly help that government. In a potential reference to India, Zatko said that an agent could get access to people’s phone numbers and email addresses and could potentially know about people and their networks that might have been involved in the farmers’ protest, for instance.
He said the data Twitter collects includes a user’s phone number, the current and past IP addresses that the user is connecting from, current and past email addresses, and the person’s approximate location based on IP addresses, among other things. Aside from collecting this wide trove of data, Zatko claimed that Twitter had access to data of users who have quit the platform since it did not delete their accounts, but merely deactivated them.
Twitter did not respond to an immediate request for comment.
Following Zatko’s revelations, Twitter officials in India were summoned by the Shashi Tharoor-led Parliamentary Standing Committee on Information Technology last month.