This article was first featured in Yahoo Finance Tech, a weekly newsletter highlighting our original content on the industry. Get it sent directly to your inbox every Wednesday by 4 p.m. ET. Subscribe
Wednesday, Sept. 14, 2022
Whistleblower described a company lacking even the most basic security measures
Twitter (TWTR) whistleblower Peiter “Mudge” Zatko testified before the Senate Judiciary Committee on Tuesday, portraying the company as incapable or unwilling to provide even the most basic data security assurances to its millions of users.
“[Twitter executives] don't know what data they have, where it lives, or where it came from. And so, unsurprisingly, they can't protect it,” Zatko told the committee. “And this leads to the second problem, which is the employees then have to have too much access to too much data and too many systems.”
Zatko, who served as Twitter’s security chief until he was fired in January for what the company says was poor leadership, certainly left Twitter with a black eye. But it’s not entirely unheard of. We’ve seen this same story before from tech company after tech company. Heck, Twitter’s rival Meta (META) has its own history of data leaks.
What Zatko’s testimony shows though is that if companies like Twitter and its cohorts are unwilling to protect user data, the federal government finally needs to step in and pass national data privacy legislation.
CORRECTS SPELLING FROM PETER TO PEITER - Twitter whistleblower Peiter Zatko testifies to a Senate Judiciary hearing examining data security at risk, Tuesday, Sept. 13, 2022, in Washington. (AP Photo/Jacquelyn Martin) ·ASSOCIATED PRESS
“Do we have a regulatory agency that focuses on digital platforms? We don't,” Carnegie Mellon University Heinz School of Business professor Ari Lightman said. “We need one.”
Without that, there is little stopping companies like Twitter from continuing to abuse user data with near impunity. For its part, Twitter said that Zatko’s testimony was riddled with inconsistencies and inaccuracies.
A familiar refrain
Zatko’s allegations are the latest in a long line of data security scandals at major tech companies. It seems any company dealing with user information has lost it or exposed it to the public somehow. Facebook parent Meta is, with good reason, the first to come to mind. Its 2018 Cambridge Analytica leak, which saw a political operation dedicated to electing Donald Trump to snatch the data of millions of users, sparked controversy both in the U.S. and abroad.
“None of this stuff should be surprising,” NYU Stern School of Business Professor Vasant Dhar told Yahoo Finance. “For the longest time, people weren't aware of the importance of data governance, people didn't seem to care, there wasn't enough attention paid to it. And so it's not completely surprising that all of these companies are generally relaxed with respect to data governance.”
And while experts have repeatedly called on Congress to pass some form of national privacy legislation to protect consumers across the country better, nothing has managed to move forward. Senator Amy Klobuchar (D-Minn.) specifically pointed to several pieces of bipartisan legislation aimed at taking on tech companies, including privacy regulations, that are languishing in Congress. And with the midterm elections nearing, it’s becoming less likely those bills will ever pass, as members of Congress focus on other last-minute bills or check out entirely.
In the absence of federal privacy regulation, states, most notably California, have begun passing their own legislation. But without a national law in place, there’s no guarantee that tech companies will safeguard all users’ data regardless of where they live.
Growth and profit over data security
Throughout Tuesday’s roughly two-and-a-half-hour meeting, Zatko pointed to security failure after failure. The whistleblower said that too many employees had access to user data that didn’t need it, and that some 30% of employee devices didn’t have security software installed on them.
While Zatko said he brought these issues to management’s attention, executives at the company were incentivized to pursue profits rather than deal with security shortfalls. What’s more, Zatko claims executives hid the security lapses from the company’s board, regulators, shareholders, and the public.
U.S. Senator Amy Klobuchar (D-MN) has repeatedly called for new regulations to reign in tech companies. REUTERS/Hannah McKay/Pool ·Hannah Mckay / reuters
“What we're looking at is a modern-day digital online platform that grew up, but didn't put adult supervision into play because they were running it so fast,” Lightman said. “That's no excuse. But it's not unique to Twitter.”
Twitter is no stranger to controversy related to user privacy and security. In 2011, the company entered into a consent agreement with the Federal Trade Commission over accusations that the social network’s poor security posture left user data at risk and allowed hackers to gain access to Twitter’s networks.
Zatko, however, claimed that the company still hasn’t met the requirements laid out in the agreement, ordering Twitter to have robust security capabilities to protect user data.
With national legislation still a pipe dream at this point, how can users ensure their data is safe? It comes down to whether they trust the companies they do business with. Outside of that, whistleblowers like Zatko offer the best chance for naming and shaming companies into improving their data security practices.
“Twitter really needs to kind of tighten up its data governance,” Dhar said. “They've got to get the data governance policy together and then show the public that they know exactly what they're doing. It certainly has a black eye on a knockout punch.”
