Testimony from Twitter’s former security chief to US senators on Tuesday was undoubtedly bruising for the social media company. But it is unlikely to have a significant impact on Elon Musk’s legal battle to terminate his $44bn takeover deal, according to experts.
Over the course of a two-and-a-half-hour Senate judiciary committee hearing, former Twitter executive turned whistleblower Peiter “Mudge” Zatko painted a portrait of a company with woefully inept security practices to the point that national security was threatened, and no desire to address those flaws.
Instead, Zatko argued, Twitter’s leadership chose to prioritise “profits over security”, fostering “a culture of ‘only report good and positive results up’”.
But the allegations, coming as shareholders on Tuesday voted in favour of the takeover ahead of the October trial, are unlikely to have an impact on the case, experts said.
“It’s definitely serious for any social media company to face privacy issues,” said Anat Alon-Beck, assistant law professor at Case Western Reserve University.
“But for this to affect the trial, it has to amount to a material adverse effect or fraud, which is a very high standard. I’m not sure it will amount to that unless more egregious violations come out of the investigation.”
Appearing before the Senate judiciary committee, Zatko made two big accusations to largely sympathetic lawmakers. The first was that thousands of employees at the company had unbridled access to reams of sensitive user data, raising grave privacy concerns. He also alleged that Twitter struggled to monitor how employees used that data, which left it vulnerable to infiltration by foreign spies.
Zatko said the FBI had told the company there was at least one Chinese intelligence agent working “on the payroll” inside Twitter. He also said that when he raised concerns with another executive that there was a foreign agent in the company, the person replied: “Well, since we already have one, what does it matter if we have more?”
Beyond unwittingly allowing infiltration, Zatko also said that India had successfully pressured Twitter to allow Indian government operatives to work inside the company.
Zatko placed the blame squarely with Twitter’s leadership. “This starts at the top,” he said, adding that he believed chief executive Parag Agrawal was aware of the issues.
The hearing thrust the unlikely — and polarising — figure of Zatko into the unfolding Twitter-Musk legal saga. Last week, Musk’s lawyers noted Zatko’s decorated career — as part of an elite hacking group and later in senior cyber security positions at Google, Stripe and the US Department of Defence. Zatko had testified before the Senate in 1998 on internet security.
David Kennedy, chief executive of cyber security consultancy TrustedSec and a former National Security Agency hacker, described Zatko as having a reputation “second to none” in the cyber security world.
“He showed Twitter was in firefight mode all the time and . . . tucking all that information under the rug,” he said, adding that it appeared from the testimony that Twitter failed to have in place even the most “foundational 101” security practices.
But in the wake of the hearing, several former senior staffers at Twitter took to the platform to complain that Zatko had never bothered to communicate with them during his tenure, and rubbished his claims.
Twitter, which fired Zatko in January citing poor performance before paying him a $7.75mn severance package, said his allegations were “riddled with inconsistencies and inaccuracies”.
Musk has already jumped on the allegations Zatko filed in his initial whistleblower complaint to bolster his attempts to back out of the deal. He has successfully requested that they be added to the case alongside his argument that the company misrepresented the number of bots on its platform — an issue that was not addressed during the hearing.
His lawyers also argue that Zatko’s $7.75mn severance package constitutes fresh grounds to terminate the merger agreement, because it was “out of the ordinary course of business” and not signed off by Musk.
But experts noted that Zatko did not appear to provide concrete evidence during the hearing to prove Twitter’s leadership was deliberately fraudulent.
“Twitter might be breathing a small sigh of relief right now,” said Jasmine Enberg, principal analyst at Insider Intelligence. “Zatko doesn’t provide hard evidence that Twitter knowingly misrepresented user numbers — rather that they were disinterested in removing bots. It’s mostly his characterisations of the company culture and prioritising growth over everything else.”
She added: “It’s hard to imagine that this will be a real nail in the coffin. A likely scenario is that he will be able to use some of this information to negotiate a deal.”
Either way, the allegations mark just the latest crisis for Agrawal, who declined to attend the hearing on the basis that it might jeopardise the ongoing litigation with Musk, irking some senators.
“The business of this committee and protecting Americans from foreign influence is more important than Twitter’s civil litigation in Delaware,” Senator Charles Grassley said, adding that Agrawal would have to step down if the allegations were accurate.
Musk aside, the hearing also has wider implications for the company — and the social media sector — reinvigorating debate around privacy and security regulation.
In his testimony, Zatko said that Twitter had misled the Federal Trade Commission about its security controls, in violation of a 2011 consent order requiring it to improve practices. But he also laid blame on the FTC, claiming that the agency was in “a little over their head” and “letting companies grade their own homework”.
In response, Senator Richard Blumenthal suggested there needed to be a new agency to enforce privacy and national security issues, while other senators called for further regulation.