
In 2006, the new social networking made its debut and Jack Dorsey posted a message, quote, "just setting up my twitter," and allowed them to share messages, and in the coming years it was an important source of news and social discourse as it gathered millions of users. Twitter played an outsized role in politics, culture and democracy. We want to take you te coverage to the hearing. He was terminated by Twitter. Last month, this individual had a number of alarming allegations about Twitter security practices. Without objection, his disclosure will be entered in the record. He is more commonly known as Mudge. You are here pursuant to a subpoena, not because you were opposed to appearing before the committee but the public can hear the details of your disclosure. You have alleged a number of flaws and weaknesses within Twitter, flaws that may be a direct threat to Twitter of users and America's national security. The story began in 2011 when the FTC concluded that Twitter was playing fast and loose with user data and found that Twitter deceived customers and failed to safeguard their personal information. The company was ordered by the FTC, to quote, protect the security, privacy and confidentiality and integrity of user data, but you have claimed those changes have never been made and you have alleged that compared to other technology companies, they remain woefully deficient and thousands of employees have extraordinary access to sensitive information and little oversight how that information is assessed. Some Twitter users may be asking, what's the big deal? When you sign up for Twitter you hand over email and phone information but you expect they will take precautions to protect the personal information. It is like depositing money at the bank. The vault is wide open and contains more information about you than you can imagine.
Twitter just doesn't have access to your tweets and email address but the data to directly access your device and pinpoint your exact location. And you are exercising your freedom at a political protest or a woman seeking reproductive health care, if you are a Twitter user, and someone else might be with you right there in your pocket or purse. Many of us are comfortable that our phones have. It's helpful, but when that data isn't secure, we are and even foreign agents. And final point. Politicians on both sides of the aisle have criticized Twitter. Twitter should be combatting hate speech and conspiracy theories. Republicans say that they are concerned with conservative speakers and I urge them to set these differences aside and find the common ground that we need that will be raised by our whistleblower. And I turn to Senator Grassley. We have learned that hunter has secured the countless other users. That was a blow or is here today so we welcome you. Take comes before the committee today not only expert in the field of cybersecurity but also as a whistleblower. I think all of my colleagues know I have a great deal of admiration for whistleblowers, who often sacrifice their own career as well as their own livelihoods to root out waste, fraud, and abuse. Thank you so much for being here. We have learned that personal data from Twitter users was potentially exposed to foreign intelligence agencies. For example indicates that India was able to place at least within Twitter. As the soldiers also note the FBI notified Twitter of at least one Chinese agency in the country. Company, I should say. Based on allegations Twitter was also suffering security. Thousands of Twitter employees can access user data. That data that they don't need access to in order to do their job yet they have access and if foreign assets work for Twitter that means these foreign assets can also access the data.
If to put a finer point on the allegations, Twitter has allegedly used the data it collects and the tools it has to deal locate individuals who made threats against board members. In the hands of a foreign agent embedded at Twitter, a foreign adversary can use the same technology to attract pro-democracy dissidents within the country but also to spy on Americans. This has actually happened in the past. In 2019 two Twitter employees used their position to access private user data and gave it to Saudi Arabia. These foreign agents were able to access and provide personal information on more than 6000 individuals of interest to the Saudi government. Simply put, the whistleblower disclosures paint a very disturbing picture of companies that solely focus on profit at any expense including the safety and security of its users. That has been alleged that Twitter knowingly violated a consent decree entered into with the Federal Trade Commission in 2011. It required Twitter to address their access however, instead of complying with the decree and fixing these security matters it alleged that Twitter CEO misled board of directors. So I'm concerned that for almost 10 years the Federal Trade Commission didn't know, didn't know, and didn't take strong enough action to ensure Twitter complied with the consent decree. Consent decree. This is a consent decree that was intended to protect Twitter users' personal information. As Congress considers federal data privacy legislation, I think it is important that we see these revelations of how Twitter views its obligations with federal regulators. Congress should also be mindful of the FTC's ability or lack thereof to successfully oversee these important issues. Twitter also needs to answer questions about its content moderation. It was revealed to this committee that Twitter outsources a great deal of that moderation to foreign countries. They have posted 2000 employees from other countries whose job it is to screen tweets by Americans.
They also lack the appropriate amount of translators to ensure that tweets in other languages are complying with Twitter's own rules. Mudge had limited visibility to content moderation, so these are questions that need to be answered in full by Twitter because we can't expect Mudge to respond to them. Unfortunately, this committee will not be able to get answers about content moderation because Twitter's CEO has refused to appear today. He rejected this committee's invitation to appear, claiming that it would jeopardize Twitter's ongoing litigations with Mr. Musk. Many of the allegations directed at , and he should be here to address them. So let me be very clear. This committee protecting America from foreign influence is more important than Twitter's civil litigation in Delaware. In conclusion, if these allegations are true, I don't see how he can maintain this position in Twitter. I will continue to conduct a thorough investigation in that process. You will have six minutes for an opening statement and six minutes of questioning to follow up. We start with the customary oath and I ask that you please stand for that purpose. Please raise your right hand. Do you affirm the testimony you are about to give will be the truth, the whole truth, and nothing but the truth, so help you God? Let the record reflect that the witness has answered in the affirmative. I appreciate your attendance here. I think your microphone may need thank you very much, sir. Chairman Durbin, Ranking Member Grassley, members of the committee, I appear before you today to answer questions about the submission in disclosures about cybersecurity concerns in my years while working at Twitter. My name is Peiter Zatko but I am more often referred to by my online handle. For 30 years, my mission has been to make the world better by making it more secure. From November 2020 until January 2022, I was a member of Twitter's executive team.
In my role, I was responsible for security, privacy, physical security, information technology, and Twitter Global Support. I am here today because Twitter's leadership is misleading the public, lawmakers, regulators, and even its own board of directors. What I discovered when I joined Twitter was that this enormously influential company was over a decade behind industry security standards. The company's cybersecurity failures make it vulnerable to exploitation, causing real harm to real people. And when an influential media platform can be compromised by teenagers and spies and the company repeatedly creates security problems on their own, this is a big deal for all of us. When I brought concrete evidence of these fundamental problems to the executive team, and repeated the alarm of the real risks associated with them, there were problems brought to me by the engineers and the company themselves. The executive team chose instead lawmakers in the public instead of addressing them. This leads to obvious questions. Why did they do that, and what were the problems and vulnerabilities identified? So that is what I'm here to talk about. First, why did they do that? To put it bluntly, Twitter leadership ignored its engineers because key leadership lacked the competency to understand the scope of the problem, but more importantly, their executive incentives led them to prioritize profits over security. Upton Sinclair famously said it is difficult to get a man to understand something when his salary depends on his not understanding it. This mentality is exactly what I saw at the executive level at Twitter. So what are the problems I discovered? Two basic issues. First, they don't know what data they have, where it lives, or where it came from. Unsurprisingly, they can't protect it. This leads to the second problem, which is that employees have to have too much access to too much data into too many systems.
You can think of it this way, which is it doesn't matter who has the keys if you don't have any locks on the doors. The vulnerability is not in the abstract. It is not farfetched to say an employee inside the company could take over the accounts of all of the senators in this room. Given the real harm the users to national security, I determined it was necessary to take on the personal and professional risk to myself and to my family of becoming a whistleblower. I did not make my disclosures despite or to harm Twitter. I continue to believe in the mission of the company and root for its success. But that can only happen if the privacy and security of Twitter users and the public are protected. Accepting an executive position at Twitter, I made a personal commitment to Mr. Dorsey, the board, the public, and myself that I would drive the changes needed at Twitter to protect the users, the platform, and democracy. That is what I am continuing to do here today. I stand by the statements I made in my disclosures and I am here to answer any questions you may have about them. Thank you. Thank you, Mr. Zatko. Each member will have six minutes to ask you questions. Those of us who are not experts but who rely on the internet every day for personal and professional reasons know that many times we are given disclosures, lengthy disclosures that scroll across the screen which are hardly ever read. They usually end up at the bottom box and that is as far as we go with a warning about what we are getting into. Can we get into the real world now and talk about whether or not consumers across America have a right to be warned if they are opening a Twitter account as to what is going to happen with their data? For example, if I disclose my name and my address and my email address, I expect that that may be vulnerable, somebody could use that at some future time. I hope not, but it could happen.
What I infer from your testimony and what we have read about your findings is that there is a lot more information being collected by Twitter beyond that basic information that is going to be used by a handful of different purposes, is that correct? Yes, I entirely concur. When you sign up for an account, I hope that the company is responsible. Not to say that they would like the data to be used correctly and safely, but that they are actually able to quantifiably, internally guarantee that is the case. As far as the type of data, I believe Senator Grassley referred to an incident. We had a user on Twitter that was some members of the executive team and the board. This person came to me and said this is a real, viable threat. Do I need to be worried? Who is this person? It took me maybe 30 minutes to reach out to an employee and say what do we know about this person? It took that person maybe 10 minutes to get back to me and say OK, here is who they are, this is the address where they live, this is where they are physically at this moment, they are on their phone, we know their phone number and all of the other accounts they have tried to set up on the system, and we know that they are on other social media platforms as well. So unbeknownst to a Twitter account user, there was access to information far beyond what you think you have disclosed that can be found. Should there be a warning? You say at one point Twitter has about 20% of its data registered and managed, meaning the company is incapable of securing this sensitive information it collects. Tell me, that is a pretty stark statement that suggests a warning to users, literally anything you disclose or use the account for could be used for bad purposes. Yes. In this case, my concern was more that Twitter didn't even know what it was collecting. This was one of the problems because I kept looking at why do they have so many security issues? The same amount year after year.
Why are the same percentages from the same systems problems? Why are to closing on this? What is fundamentally under the hood and broken? Where is the systemic failure? It turned out that the engineers on their own, they weren't given the time and the resources to do this part of their job. That only about 20% of the information that they had, that they were collecting, did they know why they got it, how it was given to them, how it was supposed to be used, when it was supposed to be deleted. The remaining 80%, I refer you to the disclosures, was we know that our systems are using some of this other data, but we don't know what it is. And a lot of the data, they just recognized we don't even know what these are. A huge amount of data. And that included personally identifying information, phone numbers, addresses. So for me, the concern is anybody with access inside Twitter who has access to the production environment that has it can get that information to use for their own purposes. So the data being managed, the one with the Twitter account is vulnerable in that regard. It wouldn't exactly get a passing grade to Twitter when it comes to the security of information. On the other side of the ledger, would you agree that there were agencies that had some responsibility to make sure that American consumers, privacy and security is protected? So that was something that came to mind as well. This is over a decade. However we been watching this, especially since there were at least for the exact same problem collected for security purposes? How can we keep making these same mistakes? What is the FCC missing, or what is it that we are telling the FTC that is incorrect? Honestly, I think the FTC is a little in over their head. Compared to the big tech companies and the challenge they have against them, they are left letting companies grade their own homework and I think that is one of the big challenges. I am running out of time.
I will just say that I think that the area of great concern as well is the access of foreign governments and foreign agencies to Americans signing up for Twitter at least vulnerable to that possibility. We know that the conviction of individuals in Saudi Arabia by the Saudi government is proof positive of that possibility. Thank you very much. I'm picking up where the chairman just left off. The comment is Chinese government bans Twitter. Companies based in China advertise on the platform. They have presumably been redirected to a website to go for the Chinese government to collect vast amounts of data. With respect to pro-democracy Chinese citizens, is Twitter endangering their life by allowing China to advertise on the platform? I think that is a very valid concern, sir. That was a concern raised to me by the employees inside Twitter who were disturbed that, in a country where the service was not allowed to be used and provide a voice to the public, that that money was being accepted from organizations that may or may not be associated with the Chinese government and I believe there was a news article just a day or so ago saying that they did identify that there were governments related to China advertising on the platform in violation of Twitter's own policy. The executive in charge of sales very shortly after I joined, there was this big internal conundrum. We are making too much money from these sales. We are not going to stop. We need something that will make the employees more comfortable with the fact that we are doing this. We need to figure out how to essentially thread this needle, which made me a bit uncomfortable. And they didn't know what people they were putting at risk or what information they were even giving to the government, which made me concerned that they had not thought through the problem in the first place, that they were putting their users at risk for.
And that was a very common problem where I saw that Twitter was a company that was managed by risk and by crises instead of one that manages risk and crises. It was very reactionary. It would react too late. I think you just answered this question, but I want to ask it and see if you have said all you wanted to on the subject. While at Twitter, you raised concerns about Chinese advertisement. What was Twitter's response? In a nutshell, it was we are already in bed, it would be problematic if we lost that revenue stream, so figure out a way to make people comfortable with it. According to your disclosure, thousands of Twitter employees have access to Twitter user data and internal systems. That includes over 4000 engineers which is half of Twitter's workforce. However, you stated that they don't need that kind of widespread access to perform their job duties. Based on Twitter's lack of data security, what kind of access would foreign agents have, and what kind of data would they be able to obtain. Please explain why this is a problem and how it could impact U.S. national security. Let me break that down into two parts of an answer. Twitter has engineers and non-engineers. Twitter does not have, at least when I was there in January of 2022, does not have a testing environment where it develops a staging environment. This is an oddity, this is an exception to the norm. Most companies have a place where you test yourself, you make sure that it is working the way you want it to. Think about somebody building an airplane and saying I am going to put in a wind tunnel, I am not going to put passengers on it or put it in the air. The running systems, the live data. When you become an engineer, and half of the company are engineers, you are by default given some access to this production environment. You are doing the testing, you are doing your work on live systems and live data, irrespective of where you are in the world as an engineer.
So if you are a foreign agent hired as an engineer, you've got access to all of that data that we talked about. The 80% that Twitter does not know, that engineers studied and realizes personally identifying information, other information where there is a lack of access because there is too much data and they just don't know where everything is, so they have to give access. But also recall that foreign agents can have multiple goals. Sometimes it is not just the engineers and the technical access that they want, but it might be information about the plans of Twitter. What plans Twitter has potentially to censor information on the government or concedes to a government request, or what plans they have for expansion in a particular environment. In most cases, that is what I saw with high confidence from India to stained negotiations and how well they were going with having difficulties with Twitter in India. In your disclosure, you mentioned that the FBI notified Twitter that one of their employees was suspected of being a Chinese foreign asset. Were you and others at Twitter at all surprised by that? This was made aware to me maybe a week before I was dismissed. I had been told because the physical security team had been contacted and there was at least one agent on the payroll inside Twitter. While it was disturbing to hear, I and many others are recognizing the state of the environment and Twitter for really thinking it is very difficult valuable tool for agents. Senator Feinstein. On August 10, 2022, a federal jury convicted a Florida Twitter employee of acting as an unregistered foreign agent for the Kingdom of Saudi Arabia. The individual accepted payments in exchange for accessing and conveying the private information of Twitter users to Saudi officials.
That individual is one of two former Twitter employees charged by the Department of Justice for their efforts to provide Saudi officials with the personal information of dissidents and activists critical of the Saudi regime, including sensitive data that can identify and locate these individual users. Another question. As head of security, can you describe the types of efforts you've seen by foreign governments to infiltrate, control, exploit, and convey on Twitter and share what steps Twitter and regulators should have taken to protect against these attacks? Yes, ma'am. One of the disturbing things that I saw based on the 10 years behind where I would expect a modern tech company to be was a lack of ability to internally look forward and identify inappropriate access within their own systems. Other than the person who I believe was a foreign agent placed in this position from India, it was only going to the to be from an outside agency or somebody alerting Twitter that somebody already existed that they would find the person. What I did notice when we did know of a person inside acting on behalf of a foreign interest as an unregistered agent, it was extremely difficult to track the people. There was a lack of logging and an ability to see what they were doing, what information is being accessed, or to contain their activities, let alone set steps for remediation and constitution of any damage. They certainly lacked the fundamental abilities to hunt for foreign intelligence agencies and expose them on their own. You said it was difficult to track. Explain exactly what you mean about that, and secondly, what could be done to curb that? One of the most senior engineers at the company came to me not long after I was there and said you should know that this company doesn't really have centralized logging. We don't log the activities of the systems. I was surprised by this.
Most tech companies, most companies I know of even not in tech have logs of what is happening in their systems, and this tells you who is doing what, where, when it happened. Later on in my tenure I learned that there were thousands of failed attempts to access internal systems that were happening per week, and nobody was noticing. And when they brought this up, people said who is it, what is it? I said that is what we're trying to find out. This fundamental lack of logging is a remnant of being so far behind on not being given the ability to put things in place, to modernize. I can give an example. Let's suppose you have five credit cards and you are receiving statements each month, but only two of those statements give you detailed transactions. First off, three of those credit cards, you're not going to be able to look at the transactions. Those remaining two, you kind of wing it and say I need all those credit cards to stay alive. That is kind of the analogy I have for the logging situation at Twitter. Trying to understand an adversary identified inside as doing it can be pretty challenging without logs. Have you thought about how one would design legislation which would maintain some basic, necessary rights, and yet cover this area? Well, I've been thinking a lot about the regulators because of course, I was very curious as to how was Twitter still operating like this aimed at addressing a fair amount of this. I noticed a few things. One, there were a lot of evaluations and examinations which were interview questions. Essentially, the organization was allowed to grade their own homework. There wasn't a lot of ground truth. There wasn't a lot of quantified measurements. And a fair amount of the came from companies that Twitter themselves were able to hire, so I think that is maybe a conflict of interest. I also noticed that of all of the regulators, some of the foreign regulators were much more feared than the FTC. For instance, the French version of the FTC.
Terrified of Twitter in comparison to the FTC. And when I looked at why, it was because there was more of the fear that it would not be a one time pry. Longtime funding did not bother Twitter at all. When I saw the reason, it was much less than we had been concerned about and each time in my discussions with the chief privacy officer, with privacy engineers, and the executives, they said OK, we will pay that and keep kicking the can down the road and maybe we will get another one-time fine. Wall Street did not seem to care because it wasn't a long-term problem that was ongoing. What did make these companies afraid was that there was a risk of, hey, you have mishandled the same type of data repeatedly. Maybe we are not going to let you to mishandled the data? Peiter: If Twitter mishandled email addresses repeatedly, the concern was if the FTC were to tell it that we are not allowed to monetize email addresses because of our continued inability to handle them correctly, well then we might not be on fair footing with our competitors, and that scared them and made them move. I believe something like that did happen to Facebook, which has been used as a sort of cautionary tale inside organizations. I think the regulators have tools that do work, but they are not able to see which tools in the toolbelt are the ones actually working. Thank you, Senator Feinstein. Thank you very much, Mr. Chairman. Thanks for being here. In your disclosures, you include information that Twitter has of privacy engineering and the chief privacy officer reported the following to the board of directors toward the end of 2021. This is a quote. Every new employee has access to data they do not need to have access to. It also added that until Twitter could reach the point of the system to manage and access the data, they were at risk of access or use of data.
They also reported that our inability to delete data compounds that risk, as we retain data that we should not have, and which is therefore accessible by people who do not need to have access to this data. Tell me, what action was taken by Twitter's board of directors in response to this rather shocking information? Peiter: This is not the first time the board of directors has been made aware of that. There was no change or mandate or charge before the board of directors. Sen. Lee: What do they mean when they refer to the inability to delete data? Why is that significant? Peiter: If you don't know where your data is as we talked about, these large amounts of data and somebody says I've left the system and maybe the FTC asks have you deleted all the user data? Have you deleted all the user data? You can't respond in the affirmative. Sen. Lee: If you deleted the account. Peiter: Correct, because you don't know where this data lives in the systems because you don't know what data you have access to. Sen. Lee: So are you saying that Twitter is actually unable to delete data, or just unwilling? Peiter: It is unable, because they do not know where it is. They are unable to comply. Sen. Lee: OK. But this has resulted from a deliberate decision at some point to adopt protocols that don't allow them to do that, right? Peiter: To choose other priorities rather than to correctly register and track where the data lives. Sen. Lee: But it is physically possible. You could have a database in which you could track that. Peiter: Absolutely. If you knew where everything was in your database, you could delete it if you chose to make that a priority. You could absolutely go delete it, but that has not been prioritized with projects such as increasing revenue or users. Sen. Lee: Now, I'm concerned, as I assume most or all Americans would be, those who have become aware of these concerns, that Twitter has seemingly turned a blind eye, rather deliberately, to some pretty significant security risks.
Essentially, compromising their own personal data and putting geolocation information both to hackers and to foreign government agents and to other people who, for whatever reason, whether for corporate espionage purposes or other commercial purposes or otherwise might want to gain access to this information. Based on your disclosures, it seems to me that Twitter CEO is more concerned with increasing influence and profits from foreign countries than with protecting user data from foreign spies or hackers. Now, you claim that Twitter has hired four government agents as sort of the cost of doing business in countries like India, Nigeria, and China. Related, Twitter has knowingly hired these government spies, so it cannot risk losing access to users and markets in those countries. Or in the case of China, to not lose access to out of building revenues. To these engineers who are suspected of being foreign agents, do they have access to all user data, or just a certain subset of user data? Peiter: To be very specific, the incident was not an engineer, and as I mentioned, I think that was put in place more to understand Twitter's intentional negotiations with the ministry of India, to have inside information. Sen. Lee: They work with other people who were, themselves, engineers? Peiter: Yes, sir, there were numerous engineers in the office. I'm sorry, I'm focused on that part of your question. Sen. Lee: Can I ask you this, is there any way to track what data they access, or the data that they share? Peiter: We found that to be very difficult. We had to set up a specific, small team individually to try to create a unique environment just to allow us to track and monitor one individual because of the lack of general logging and access control that we found to be unscalable and not reproducible should there be any other people like that. There was a lack of basic, fundamental access control. Sen.
Lee: I'm almost out of time, but I need to know this: why would Twitter not create a tracker or a logging system to follow this sort of thing, to make sure it was handled correctly? Particularly given that they know that many foreign governments like India and Nigeria and China, they specifically want to access and use that data to find and root out and punish dissidents? Why would they want to do that? Why would they subject their own users to this kind of harm with the great implications that it carries for those countries? Peiter: I think they would like to, but they are simply unwilling to put the effort in at the cost of other efforts such as driving revenue. I am reminded of one conversation with an executive where I said I am confident that we have a foreign agent and the response was well, since we already have one, what does it matter if we have more? Sen. Lee: Thank you. Senator Klobuchar. Sen. Klobuchar: Thank you. Following up on that point, I just returned from Ukraine, seeing the extent of the damage inflicted by the Russian invasion. I was troubled to learn of Twitter's leadership that recently considered agreeing to the Putin regime's request to censor and surveil Russian Twitter users. Twitter ultimately did not agree to the request as far as I understand. What can you tell us about requests made by foreign governments and the risks that those demands pose, and why would a company like Twitter consider agreeing? Peiter: I was very surprised and shocked by that one-on-one conversation which I had prior to his assuming the CEO role. I understand it out of a frustration of the inability to perform, and this kind of comes in the content moderation which was conversation that I had with Twitter. We don't really have the ability and tools to do this correctly. This is a lot of work, it is not driving our main executive goals. Is there a way that we can simply punt? Since they have elections, doesn't that make them a democracy? Peiter: Thank you. Sen.
Klobuchar: Thank you. I am a big believer that these companies, not just Twitter, have to invest more in protecting data and protecting the public. I've heard Senator Durbin talk to you about the agencies, and you agree with me that the agencies in the U.S. are underfunded when it comes to taking on these major cases. I'm going to put the mirror back on ourselves here in Congress. Do you think it would be helpful if we had some privacy legislation in Congress? I think one thing that would be very helpful is that the FTC and other regulators don't have laws or rules that would create whistleblower protection programs for people while they were still in these organizations. I think that is where a lot of information, and a lot of people share the information. When I came on board, they were excited that there was an executive that was listening and that was willing to ruffle feathers, that was willing to fight for some of these things.

Peiter:

Sen. Klobuchar: Are you aware that Senator Grassley and I actually passed a bill to change the fees that got through this committee unanimously, passed through the Senate, sitting somewhere in purgatory over in the House, that would allow us to maybe be as scary as France, or some other country, and that we have been unable to get that decisive, probably being the 50th hearing beside Commerce and Judiciary? We have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies. When it comes to the protection of kids. And so at some point, when we talk about the agencies, we had better be putting the mirror on ourselves, because I was listening to your quote and it is difficult to get someone to understand something when his salary depends on him not understanding it.
Could you talk about the lack of action in Congress and how that has actually created an environment where these companies feel like they can do anything from destroying our newspapers and public good to basically not taking correct actions when it comes to hacking?

Peiter: That is your world, not mine. I appreciate the effort you are doing. What I did see is that any laws or bills passed or actions in the past, if they are not able to be quantified and externally audited, by an independent viewer, has gained a lot by what I saw inside big tech in the ability to sort of answer in the affirmative without actually doing what the intention was of the regulation.

Sen. Klobuchar: From accountability to require digital platforms and researchers, the independent experts for addressing found serious problems, made recommendations how could independent groups help?

Peiter: Independent groups having independent eyes and providing ground truth on that, I think it should be clear first off, the engineers and the employees, much as changed. The culture, and I can speak primarily on Twitter because that is the company I have been involved with, it is a culture where they don't prioritize, they are only able to focus on one crisis at a time. And that crisis is not completed, it is simply replaced by another crisis. I think they would like to have all of these things fixed, but they are unwilling to bite the bullet and strategically say, hey, we are going to have to develop the time and money to get these basic things in place and do the legwork rather than just react to what is coming in that they hear from a hearing like this or from the news.

Sen. Klobuchar: Last thing, you talked about how Twitter is not enough focused on removing misinformation and hate speech, particularly within a language that employees didn't even speak. Obviously you cannot check whether or not a tweet violates rules if you don't speak the language.
I've had my own experience directly conveying the misinformation spread about me that resulted in having an effect death threats on a number of my family. And nothing ever changed. Exception finally, regular media reported that it was a lie. Those other kinds of things that happen to people in this building because of the misinformation that is rampant on social media. Could you comment about what you think they should be doing about that?

Peiter: I'm very sorry to hear about that. The lack of language was stunning to me. This was a situation where I brought in a world-class leader for Twitter global support who also identified this and they started saying we can't react to a language situation. But something was happening more and more. You can't wait until after it happens and then go, where are the native speakers? Those translators were already hired elsewhere. You have to understand, 80% of Twitter has to understand 80% of the users are outside of the United States. You can't create a healthy environment. You can't serve the public conversation if all you can do is look at it and say I hope that the translator is doing the job for me.

Sen. Klobuchar: Thank you. Thank you, Senator Klobuchar. Senator Kennedy.

Senator Kennedy: Thank you, Mr. Chairman. Mr. Zatko, give me 30 seconds. Strike that. Senator Grassley is an active user on Twitter. I will use him as an example. Give me 30 seconds on the type of information Twitter has on Senator Grassley. Or someone like him.

Peiter: If there was somebody that just came to me and said, hey, we've got a problem with this user

Sen. Kennedy: Just give me 30 seconds on the type of information Twitter has on the average user.

Peiter: Sure.
The phone number, the latest IP address they have connected from, is this the current email, how long have they been using that email account, what are their prior emails, former IP address, where do we think they live, where do we think they are connected right now, are they still connected or actively using the information, what type of device are they connected with, what type of web browser are they using, which computer, what language did they connect in? Those are some of the systems.

Sen. Kennedy: Thank you for that. And I want to understand: you are telling this committee that all of the engineers and half of the employees of Twitter have access to Senator Grassley's account?

Peiter: Half of the employees of Twitter are engineers. The engineers are by default given some access

Sen. Kennedy: Do they have access?

Peiter: From what I saw, if they wanted to root around in the data and find it, they could find it.

Sen. Kennedy: Let me understand. I'm not trying to trick you. From your testimony, I understand that half of all of the engineers and half of the employees at Twitter have access to Senator Grassley's account. Is that correct?

Peiter: Based upon what I saw, technically, yes.

Sen. Kennedy: And if they go into Senator Grassley's account, if an engineer does, for example, Twitter doesn't know that that engineer has done that? Is that correct?

Peiter: It would be difficult to find that, correct.

Sen. Kennedy: So you don't have a login and logout system.

Peiter: There was not the easy ability for me to find which engineers had logged into which systems and what data they had accessed.

Sen. Kennedy: OK. So this engineer who can secretly go into Senator Grassley's account and get all this information, Twitter has no idea what the hell he is going to do with that information, does it?

Peiter: No.

Sen. Kennedy: So that engineer, Twitter could sell it, for example, couldn't he?

Peiter: I'm sorry, what?

Sen. Kennedy: Could sell it.
Peiter: I've seen numerous accounts on underground forums offering such access. Whether those are valid or not, I have seen offers to access to delete accounts.

Sen. Kennedy: So that engineer could just call one of his buddies and say you don't like Senator Grassley, let me give you some information here that you may want to use against him. That engineer do that? Would Twitter know that the engineer had done that?

Peiter: Not necessarily.

Sen. Kennedy: Now, did Mr. Dorsey know all of this?

Peiter: I did explain this to Mr. Dorsey. My understanding is he did not understand this prior to me cluing him in.

Sen. Kennedy: Does he understand it now?

Peiter: I believe

Sen. Kennedy: How about your CEO?

Peiter: I believe so. He has been there for 10 years and rose up through the ranks in engineering and he has talked with engineers and they have told

Sen. Kennedy: Is that a yes?

Peiter: I believe yes.

Sen. Kennedy: How about Salesforce. Does he know about this?

Peiter: I do not know whether he understands.

Sen. Kennedy: You've got an executive from master collar. I'm going to probably mispronounce the last name. From Mastercard. Does this board member know about it?

Peiter: I do not know if she knows that.

Sen. Kennedy: Is this the kind of thing that a reasonable board member would inquire about?

Peiter: I would think so, but I've also seen what was presented to the board was not representative. Did the board ever ask? The board did not ask these directly. Even after these problems with foreign agents? Now when I was there during the meeting. They just sat there? They focused on other topics. Dr. Lee is a professor at Stanford, does he know all of this? Same response. I did not see questions on this specific topic. Someone that used to be with Google.

Peiter: Same response. Action, Patrick Shea was the one where I brought up this instance, he had the roof. He was very upset.

Sen. Kennedy: Did he fix it?

Peiter: No, he asked for follow-up information.

Sen.
Kennedy: Why hasn't Twitter fixed this?

Peiter: There were other priorities.

Sen. Kennedy: It is about the money, isn't it?

Peiter: It's about whatever crisis and the other priorities.

Sen. Kennedy: The fixes would cost them money, wouldn't it?

Peiter: It would take focus away from other aspects.

Sen. Kennedy: It would cost money, wouldn't it?

Peiter: Most likely, yes.

Sen. Kennedy: Twitter for a while was going to go into the porn business. Did they do that?

Peiter: I don't know that they did that. I did not know they were going to go into that business.

Sen. Kennedy: While they were. Do know why they decided not to?

Sen. Kennedy: I do know

Peiter: I do know there were discussions about eightrelated information and the discussions internally I heard were simply concerns about lack of tools to correctly regulate or constrain it.

Sen. Kennedy: So it wasn't a moral issue, it was why did they not go in the porn business?

Peiter: I do not know.

Sen. Kennedy: Lastly, who sets the standards for censorship at Twitter?

Peiter: I believe that comes out of counsel.

Sen. Kennedy: Your lawyer?

Peiter: I believe so.

Sen. Kennedy: Do they talk with the board about it?

Peiter: I have been advised out of an abundance of caution I should not comment on any Twitter counsel conversations for a superb twitter might have served.

Sen. Kennedy: Thank you. Thank you, Senator Kennedy. Thank you for you being here, your extraordinarily insightful and significant testimony here today, as a substantial professional and personal risk, and your cooperation with me and my staff off the record in providing details important to our understanding, and the more of it made public I think the better. Would you agree Twitter has put its users' health and safety severely at risk?

Peiter: Yes, sir. And up at the national security severely at risk?

Peiter: Yes, sir. That they have misled their own board of directors?

Peiter: Yes, sir.
In that event, the management ought to be certainly restructured, shipped, changed, correct?

Peiter: Yes, sir.

Sen. Blumenthal: That kind of structural reform is necessary to achieve changes within the company.

Peiter: That is my belief.

Sen. Blumenthal: You also said this company has misrepresented facts to government agencies, most especially the FTC, that is correct, isn't it?

Peiter: Yes, that is correct.

Sen. Blumenthal: I think you shared in your complaint that Twitter management was intending to mislead as well regulators about compliance with the consent decree, correct?

Peiter: That is correct.

Sen. Blumenthal: How high in the Twitter management would you say that intend to mislead in effect to see government agencies when?

Peiter: To the CEO, I do not know to what level inside of the board. They did not know because of misrepresentation or chose not to push.

Sen. Blumenthal: The misleading of government agencies is one of the reasons why stronger action has not been taken?

Peiter: I could very well be, sir.

Sen. Blumenthal: But it also, in effect, is the result of a lack of bigger and law enforcement, whether because of inadequate resources or a failure of will.

Peiter: That could be as well, sir.

Sen. Blumenthal: The most recent settlement with Twitter was a payment of 150 million earlier this year, the FTC and Department of Justice stated Twitter violated the 2011 consent decree, that is no surprise, but the size of the penalty, a mere 150 million, amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan. Given that its profit in the second quarter this year was about 1.18 billion, correct?

Peiter: That is correct. While I was there, the concern only really was about a significantly higher amount, significantly higher, or that would have been a more institutional restructuring risk, but that amount would have been of little concern while I was there.

Sen.
Blumenthal: To effectively address this problem, we need not only to insist on restructuring the company but also likely restructuring, reforming, and energizing our regulatory apparatus. Not only as to Twitter but also as to other internet companies and platforms, would you agree?

Peiter: I would. The intent of the regulators is the right intent but it is not being followed or correctly adhered to.

Sen. Blumenthal: All of what you're seeing, everything in your complaint and a lot of what we have heard in this committee and other committees lead me to think we need a new agency. As reluctant as I am to suggest a new government bureaucracy, I don't think it needs to be a government bureaucracy with a lot of new people, but it needs to be a new means of enforcement here to bring cases to the Department of Justice focusing on privacy security and protecting users as well as our national security. Would you agree?

Peiter: I had not considered that. I will have to think about that. That is an interesting approach.

Sen. Blumenthal: I'm not reaching any conclusions what what we are doing right now is not working. You would agree to that?

Peiter: Yes. What I've seen, the tools used out of the tool belt are not working and I do believe other tools in the tool belt do work, but the regulators are not able to quantify and get measurements that would show them to switch to the other tools they have.

Sen. Blumenthal: What are the remedies that, for example, other countries have that enable them to better protect privacy?

Peiter: Some are simply much more aggressive and do not accept answers at face value, put strict time constraints on requiring answers, requiring data to back of the answers, and threatened to preclude monetizing entire markets, such as maybe you will not be allowed to monetize in France or maybe you won't be allowed to use particular data sourcing in France. And you have a week to respond sort of approach.

Sen.
Blumenthal: Let me finish on that note, to expand on this and claire theory of the case, essentially users and their information are Twitter's product. They are the means to monetize the eyeballs on the site, to collect, use, and monetize that information is the Twitter business. So their reckless disregard for their users' health and safety and the national security is a product of that incentive, would you agree?

Peiter: Yes, sir. That is why I understand the m in manned out to be monetizing average daily users.

Sen. Durbin: Thank you. Thank you, Mr. Chairman, for joining us. I'm a grandmother and a mother. I want to talk with you about this process Twitter has gone through. They tried to start a new subscription-based adult entertainment section. Are you familiar with that?

Peiter: No, I'm not. While they had to scrap the plans because an internal team found they had too much child and nonconsensual pornography that was on their site already. Are you aware of that?

Peiter: Unfortunately, that does not surprise me. There's a federal court case against Twitter because the site repeatedly refused to take down tweets of children as young as 13 and 14 performing sex acts in photographs and videos. These were posted by sex traffickers who were impersonating a teenage female. So, my question is, why? For what reason would Twitter refuse to take down this sexually explicit content if it knew it was affecting underaged children? Why would they leave this up? Why would they refuse to take this down?

Peiter: From what I saw, and on the area of adult content, because that was brought up, their concern was certain advertisers did not want adult content to appear next to ads they were putting and that was a concern inside of the company, the lack of

Peiter: They had a monetary

Sen. Blackburn: They had a monetary concern but not moral concern?
Peiter: I can't speak to the morals of the people internally, but there was a concern whether or not they could even correctly identify and get ahead of this because they lacked the basic tools and resources in those teams and it would have to be in reaction after things were posted.

Sen. Blackburn: So what do they do to police this sexually explicit material, especially when it pertains to children?

Peiter: That was not under my area, so I do not have information to talk specifically to that.

Sen. Blackburn: OK. So there is not a standard operating procedure to block this, to down?

Peiter: I believe they have, or I was told they have, some voluntary self-tagging and self-reporting of whether you are an adult content account, but I'm not aware of the other processes or procedures in the company.

Sen. Blackburn: Let me ask you about the FTC. Senator Blumenthal was just asking you about that. Did you ever participate in calls or meetings with the FTC in which you heard specific misrepresentations made by Twitter?

Peiter: No, ma'am. I was not in the calls.

Sen. Blackburn: You had no direct knowledge?

Peiter: I got direct briefings from the people who were in the calls telling me what they did.

Sen. Blackburn: So it was all secondhand.

Peiter: Correct, from the people involved in the calls.

Sen. Blackburn: Did the FTC come to Twitter and identify specific conduct or representations that concern them?

Peiter: That would be a question you have to ask the chief privacy officer, who would have been the recipient of those outreach.

Sen. Blackburn: Let me ask you about the issue of click-through ads. I know many times our adversaries will, through a company in China, specifically, the CCP will be part owner of a company. So they use click-through ads to gain access to platform user data, including China, including other adversaries, and including places where Twitter is blocked, and they are finding ways to evade the tracking and to get into these networks.
In your experience, is this a typical black this typical practice that happens at the global platforms?

Peiter: Click-through ads do expose a risk non-click-through ads do not. If you can get a user to click through, you would get the information I was describing, IP address, browser, from the IP address you could determine their geolocation or whether they were using a VPN or not if that is allowed in your country, and you could interrogate that person's computer or get them to provide more information, maybe that they do not know they are providing directly to you, thinking it is there an ad on a service.

Sen. Blackburn: Could this be remedied in any way, and Senator Klobuchar talked about this, the national privacy standard. If we had a national privacy standard, would that help to secure an individual's information online and would help in any way in policing these click-through ads?

Peiter: I think addressing in general the difference of the information or making people aware and then providing a context around when a user knows they are providing information and what information they are providing no longer to the service they thought they were interacting with could definitely benefit a user.

Sen. Blackburn: I want to ask you one thing about censorship. During your time at Twitter, did you participate in any conversations or meetings where content moderation decisions were made based on a poster's political views?

Peiter: I never investigated or was or heard of decisions on that particular topic. I was focused on the crisis and fires in the area of my domain.

Sen. Durbin: Thank you, Senator Blackburn. Senator Coons.

Sen. Coons: Thank you much. Thank you for coming forward. This is yet another eye-opening moment for our public, nation, and for this committee.
We know social media and new communications technologies have empowered people across the world to connect and share information at an unprecedented scale, but we also know concentrating all this information and resources on a few hands comes with greater risks. So your whistleblower complaint contains really striking allegations, which shed light on several key realities, and I wanted to focus on those. The first, as you stated in a number of exchanges with my colleague, is the public lacks any credible way to assess whether major platforms and technology companies are protecting or prioritizing a user privacy. I wanted to talk a bit about a bill I have that Senator Klobuchar also mentioned that would help strengthen some of that transparency. And the second I will get to is these platforms are a target for foreign actors, something where the subcommittee I chair is having a dedicated hearing tomorrow afternoon. You commissioned an independent report regarding Twitter's platform integrity and their ability to combat misinformation, disinformation, and to that report found, Twitter is consistently behind the curve on acting on disinformation and misinformation threats. And that Twitter does not have the ability to measure the impact of its work to protect site integrity. What I've concluded from your testimony today is Twitter lacks the ability to measure the effects of interventions it implemented because of decisions by management, and because of the lack of a credible regulatory oversight agency and penalty. Is that correct? Do I understand your testimony correctly?

Peiter: Yes, sir. The inability internally came from 10 years of security and engineering that kept accruing.

Sen. Coons: Your complaint also details how Twitter's executive team was concerned the report you had commissioned would be damaging if it got out and they worked to intentionally remove or modify information that might be especially embarrassing for Twitter, is that correct?

Peiter: Yes, sir.
I found that disturbing. The company I hired, with the knowledge of the other executives in the head of site integrity, which did not report to me, but that this independent organization was going to analyze and do gap analysis, the company reached out to me and said, hey, Twitter is jumping in and making a separate contract and telling us not to provide you the results to your own work. This does not feel right to us, what is going on?

Peiter: So a lot of the

Sen. Coons: So a lot of the information regulators and Congress relies on on regulating social media companies comes from the companies themselves. As you put it, they are essentially grading their own homework. So the conclusion we ought to reach is the information we received is not trustworthy from some social media platforms.

Peiter: That is what I experienced.

Sen. Coons: I really stay bill was Senator Portman, Senator Klobuchar, where earlier we are looking for additional Republican cosponsors, called the Platform Accountability and Transparency Act. It would allow external researchers to look at these kinds of problems, to better understand and analyze the algorithms that drive social media and some of their practices. Would empowering researchers and mandating better disclosure help hold companies more accountable and cause them to invest more resources in site integrity?

Peiter: Yes, sir. One of the things we learn from the study and what I'm hopefully shedding light on in my disclosures is just how much a gap there is between Twitter and some of Twitter's peers. And even learning that sort of discrepancy would help understand and raise the level of hygiene for these organizations and their ability to perform their tasks and ability for us to accept what they are saying is whether it could be true or not.

Sen. Coons: This also opens up enormous national security risks. As you testified earlier, there is roughly half of Twitter's employees that had unnecessary access to vast amounts of sensitive user data.
Senator Kennedy was asking earlier to give us a quick sense of what information Twitter might have about any of us on this committee and it is deeper and broader, and I suspect if you had gone further it unlocks a whole profile that can give really dramatic insights into members of law enforcement, members of the military, of Congress, and their families, their travel, their preferences, their actions, their consumer activities, all of that has real consequences. You wrote in your complaint the Indian government forced Twitter to hire Indian government agents who then had direct and unsupervised access to data, and a former Twitter employee was convicted as working as an agent of the Saudi kingdom. How, do you think it is for foreign entities or hostile agencies to successfully install sympathetic actors at Twitter, and why might they do so?

Peiter: If there's any number, there are any number of reasons, many reasons why you would do so. In particular, to not just identify people of interest or track groups of interest but also maybe look at whether or not Twitter has identified your agents or your information operations, what other governments has Twitter possibly identified, and remember, outside of the ability to access large amount of data on the engineering side, you would want to know what Twitter's plan is as far as whether they will see to your demands for control of information within their environments were not in order to change different types of political pressures such as strong-arming. And as we saw, that country was even threatening to put Twitter employees in jail if Twitter did not change particular activities on the platform.

Sen. Coons: With 80% of Twitter's users outside of the United States and with Twitter having a deep access and resources to critical leaders in our country and other countries, I think this is generally concerning.
Tomorrow afternoon, the subcommittee I chair and subcommittee on Privacy Technology and the Law senator and I will be holding a hearing on how to further understand the depth to which hostile actors and adversaries are going to obtain American citizen data. That will expand on a lot of topics we pursue today. I hope members of the committee will attend. I want to thank you for your testimony and Mr. Chairman for the chance to participate in today's hearing.

Sen. Durbin: We will take a five-minute break after Senator Cotton asks his questions. Senator Cotton.

Sen. Cotton: Thank you for your very important testimony this morning. I want to start with questions about Twitter's censorship policies. I know you were not at Twitter for much of 2020, but I wanted to start with an example from June 2020, specifically May, as left-wing street militias were rioting and looting in our streets. I posted on the website the National Guard and active-duty military were used to stop the rioting in the past, most recently 1992 in the L.A. riots. Within hours, the low levels at Twitter office contacted my staff and said if I do not delete the tweet, my account would be permanently locked. My staff worked with a low-level employee, calling her on several occasions because she seemed reluctant to put anything in writing in an email, and document the accuracy of my comment and gave examples of how other elected officials have used similar language. The 30-minute window passed, my account was not locked. Ultimately she said that Twitter would not take any action about my account. I know it was before you began at Twitter, but from your experience, would a low-level Twitter employee typically have the authority to permanently lock the accounts of an elected member of Congress?

Peiter: From my experience, they should not have the authorization to do it, though it would probably be a low-level employee instructed to do it.

Sen.
Cotton: So she was likely taking direction from more senior officials at the company?

Peiter: Not knowing the situation, I cannot comment on the specific one, but that is the sort of activity I would see there. And I can confer that I did notice a reluctance to put a lot of things in writing on particular topics.

Sen. Cotton: I noticed in the emails that were sent to you, he seemed reluctant to put things in writing or made statement about what he was going to verbally express to the board yet did not express those things. Sticking with censorship, I know you weren't there in the lead-up to the 2020 election, but once you arrived, a couple days after the election, you selected an outside company to do an evaluation of Twitter's censorship policies, finding Twitter's content controls are ad hoc and informal, those are two direct quotes. And the policy decisions behind it are made mostly by Twitter staff at San Francisco frequently during a time of crisis. Is that accurate?

Peiter: I did not hire them to do a report on censorship, but that was the platform manipulation organization and yes, how you cite the report is what they found.

Sen. Cotton: When it says frequently in time of crisis, what kind of crisis was the report referring to?

Peiter: I believe this is from what I experienced, if something was brought up in the media, if a government brought it up and somehow it became public really publicly aware or there was an ongoing outage to the system or some active disruption.

Sen. Cotton: Thank you. The report does go on to say, according to Twitter employees interviewed, Twitter usually censors information only if it is flagged by reporters or news headlines partners, which it means to include academic organizations and other social media companies or political officials. Does Twitter have special channels of communication with fellow social media companies like Facebook?

Peiter: If they do, I believe they would be ad hoc.
I am not aware of official ones that would not have been within my organizations.

Sen. Cotton: What about other so-called partners like pharmaceutical companies or advocacy groups?

Peiter: I am not aware of those again. That would be out of counsel or other organizations.

Sen. Cotton: So saying ad hoc, you think these cases, you think an executive at a pharmaceutical company that does not act what is being posted on the website or left-wing activist at a Washington think tank would use preexisting relationships to contact someone at Twitter on an ad hoc basis?

Peiter: I do not know.

Sen. Cotton: How can they coordinate if they don't have some sort of channel of communication set up?

Peiter: In the report attached from the organization, they talked about this information, which I believe my understanding was the site integrity team spoke with other organizations and with other social media companies about ongoing disinformation or platform manipulation. I do not know anything beyond what was in the report for the topic.

Sen. Cotton: You said something earlier I want to come back to, this is not an exact quote but it was something along the lines of if you don't have a foreign intelligence officer inside of Twitter, you are probably not doing a good job as an intelligence agency. Is that close enough?

Peiter: That is close enough. I worked for the government, I held a high-level position, I worked running research and development in programs with the Department of Defense and intelligence communities and, from my interactions with these people, these organizations, Twitter would be a gold mine from my understanding from people in the community who focus on foreign intelligence organizations and assets. If you placed someone in Twitter, as I believe as we know has happened, it would be difficult to Twitter to find them.
They would probably be able to stay there for a long period of time and again significant amount of information to provide back on either targeting people or information as to Twitter's decisions and discussions and to the direction of the company.

Sen. Cotton: Does that include in Twitter's U.S. officers versus overseas or is that distinction immaterial given the way Twitter functions?

Peiter: I believe that is immaterial and both.

Sen. Cotton: Thank you.

Peiter: My pleasure.

Sen. Durbin: Thank you, Senator Cotton. We will take a five-minute break and return to Senator Whitehouse
