As her congressional colleagues questioned former Twitter security head Peiter “Mudge” Zatko about cybersecurity vulnerabilities and other issues at the social media giant, Sen. Mazie Hirono, D-Hawaii, focused her questioning on what happens to user data once the user quits the platform.
In an expansive whistleblower report made public last month, Zatko described Twitter’s lax security, improper use and storage of user data and vulnerability to foreign infiltration. At Tuesday’s Senate Judiciary Committee hearing, he confirmed that Twitter did not delete user data when users closed their accounts, contrary to what many users assumed.
“You discovered that Twitter compromises its user data long after its users close their accounts,” Hirono told Zatko. “In fact, you stated the accounts are simply deactivated while the data is not fully deleted. At the time of your departure from Twitter, was that the company’s continuing general practice?”
Zatko replied that Twitter’s chief privacy officer told him that the Federal Trade Commission and other regulators had previously asked what Twitter did with user data once users left the platform. He said the company’s response was intentionally evasive.
“Instead of answering whether we delete user data, we intentionally have replied, ‘We deactivate users,’ and try to sidestep the program because we know we do not delete user data and cannot comply with that if they demand us to,” Zatko said.
Zatko told Hirono that Twitter would need to manage and organize the data it collects about its users in order to be able to properly delete it once a customer closes their account.
“[Twitter] would need to know what data they have, where it is, and why they got it, and who it’s attached to in order to [delete the data],” said Zatko. “If they did that, which should be a fundamental expectation that I would have as a user, yes, at that point they could absolutely delete the information.”
Zatko worked for Twitter from 2020 until January of this year.
During the two-hour hearing, Zatko accused Twitter of misleading the public, lawmakers, regulators and even its own board of directors about its shortcomings in security and data management. He said its vulnerabilities enabled foreign agents to infiltrate the organization, and that its unwillingness to invest the resources needed to prevent such infiltration meant it was not aware of these situations until notified by an outside agency.
“Your testimony and all of your responses to the various questions we’ve asked you says to me that the situation regarding data security and national security issues with regard to Twitter is massive and that Twitter is not doing very much to be helpful at all,” Hirono said to Zatko. “In fact, there are major disincentives to Twitter doing anything — to spending the time or the resources to address the concerns that you raise.”
Zatko said the lack of accountability at Twitter is rooted in ambiguity about its goals and a lack of specific measures by which to quantify results.
“I think holding people accountable is a good start,” said Zatko. “But you can only hold people accountable if you can measure and quantify what their targets are, and what changes need to happen. And if you say, ‘Twitter needs to have a mature software security program,’ that’s a very ambiguous and qualitative term. So, holding accountability and setting quantitative goals and standards that can be measured and audited independently, I believe, is what’s going to be required to change management structures and drive change in companies when it’s needed, such as this.”