Note: This was originally published as the daily newsletter for the Columbia Journalism Review, where I am the chief digital writer.
On August 23rd, the Washington Post and CNN published stories about alleged security failures at Twitter, based on documents provided by Peiter Zatko, the company’s former head of security. Among Zatko’s more serious allegations were that Twitter executives, including Parag Agrawal, its CEO, deliberately misled both the company’s board of directors and federal regulators about Twitter’s security procedures, and that the company gave agents of foreign governments access to “sensitive user data.” The document that Zatko gave to the Post and CNN was also shared with several members of Congress as well as the Federal Trade Commission, the Securities and Exchange Commission, the Justice Department, and the Senate Intelligence Committee. On Tuesday, Zatko appeared before a hearing of the Senate Justice Committee to discuss the document, and spent more than two-and-a-half hours providing more detail on his accusations.
Some of the most serious allegations came during Zatko’s testimony about foreign agents he said were on Twitter’s payroll. Zatko told the committee that just a week before he was fired by Twitter, the FBI notified the company that “there was at least one agent” of China’s Ministry of State Security “on the payroll inside Twitter.” Zatko also alleged that Twitter was incapable of tracking when and where its own employees accessed its systems, and this made it impossible for Twitter to find foreign agents who might be gaining access to internal data. According to Zatko, the company was only able to find these agents when informed of their presence by external entities such as the FBI. In one case, Zatko said he told a Twitter executive he was “confident” there was a foreign agent inside the company. “Their response was: ‘Well, since we already have one, what does it matter if we have more. Let’s keep growing the office,’” Zatko told the committee.
In 2019, the New York Times reported that two former Twitter employees were charged with acting as agents of the government of Saudi Arabia and using their positions to get access to information about users who were critical of the Saudi government (one of the individuals was convicted last month by a court in California, and the other left the country before he could be arrested). Zatko also told the committee that the Chinese government could easily have gotten information about Twitter users who clicked on ads, including the locations of those users. “Twitter’s unsafe handling of the data of its users and its inability or unwillingness to truthfully represent issues to its board of directors and regulators have created real risk to tens of millions of Americans, the American democratic process, and America’s national security,” Zatko told the committee.
Zatko was fired in January, because of what Twitter said were performance issues. In a statement issued after the hearing, the company didn’t respond to any of his specific accusations, but said that Zatko’s allegations were “riddled with inconsistencies and inaccuracies.” Twitter maintains that its security processes and rules around network access are robust. A number of members of the Senate committee, however, seemed to see Zatko’s testimony as evidence that the government needs to step in to regulate what happens on social networks. Although Zatko didn’t provide an opinion on that idea, he did tell the committee that he believes lax regulation by the Federal Trade Commission allows platforms such as Twitter to “grade their own homework.” In his original document on Twitter’s failures, Zatko alleged that Twitter was in breach of an 11-year-old consent decree from the FTC related to the handling of user data.
Dick Durbin, a Democratic senator from Illinois and chairman of the judiciary committee, compared users trusting Twitter with their data to the way depositors trust a bank with their money, but said Zatko’s testimony shows that “at Twitter the vault is wide open.” Lindsey Graham, the Republican senator from South Carolina, said during his comments that the situation at Twitter reinforces the need for “a regulatory environment with teeth.” According to a report from Bloomberg, Graham is working on legislation to that end—a law that might require platforms such as Twitter and Facebook to be licensed by a federal regulator—and is trying to form alliances with others, including Elizabeth Warren, a Democratic senator from Massachusetts. Richard Blumenthal, a Democratic senator from Connecticut, said that he’s open to a new technology regulator that could help shift the balance of power between the platforms and their users.
Elon Musk has also continued to use Zatko’s allegations as ammunition for his ongoing attempt to cancel his agreement to acquire Twitter for $45 billion (a deal that Twitter’s shareholders voted to accept on Tuesday). Last week, Musk told Twitter that a $7 million severance payment it gave Zatko was a breach of the terms of the agreement, because Musk wasn’t notified of the payment first (not surprisingly, Twitter said it disagrees). The back-and-forth lawsuits between Twitter and Musk will eventually be ruled on by a judge in Delaware’s Chancery Court when the case begins next month. Despite Zatko’s testimony about Twitter’s alleged security lapses, his accusations are unlikely to have a significant impact on Musk’s legal battle, according to a number of financial experts who were surveyed by the Financial Times. “For this to affect the trial, it has to amount to a material adverse effect or fraud, which is a very high standard,” Anat Alon-Beck, assistant law professor at Case Western Reserve University, told the FT.
Here’s more on Twitter:
Ticking bomb: In his opening statement at the Senate judiciary committee hearing, Zatko said that he was not making his accusations out of spite or malice. When he first joined Twitter, he said, “I discovered that the company had 10 years of overdue critical security issues, and it was not making meaningful progress on them. This was a ticking bomb of security vulnerabilities. Staying true to my ethical disclosure philosophy, I repeatedly disclosed those security failures to the highest levels of the company. It was only after my reports went unheeded that I submitted my disclosures to government agencies.”
Oppo research: People who have worked with Zatko at Twitter or elsewhere have been contacted by sources looking for information about his credibility, Ronan Farrow reports for The New Yorker. “Hi Marty, Hope you’re having a great week!” one message read. “I’m currently working on a project regarding leadership in tech, and my client is hoping to speak to an experienced professional about a particular individual you may have worked with.” The message requested a “45-60 minute compensated phone consultation,” Farrow reported. The messages and emails appeared to be from research-and-advisory companies, Farrow said, “part of a burgeoning industry whose clients include investment firms and individuals jockeying for financial advantage.”
Data hoarding: Zatko listed the kinds of information that Twitter collects on its users, which includes their phone number; the last IP address a user has connected from, as well as past IP addresses; a user’s current email address, how long they’ve been using it and prior email addresses they’ve used; where the company thinks a user lives; the location the company thinks a user is currently accessing Twitter from; what type of device a person is using to access Twitter; the web browser they are using, and the language they are using Twitter in. Zatko told the Senate committee that any of the company’s engineers could easily access all of that user data if they wanted to.
Data hoarding II: Zatko said that one of the problems with Twitter’s data-handling practices is that the company doesn’t understand all the data it collects from users or why it collects it, CNN reported. “He cited an internal study conducted by engineers which allegedly found that for only about 20% of the data it collects does the company know why they got it, how it was supposed to be used, and when it was supposed to be deleted.” With the rest of the data, the company often “did not know what it was or why it was being collected, Zatko said.” Some of this data was personally identifying information, he said.
Other notable stories:
Ben Smith published a memo that he sent out on Wednesday listing the editorial staff for Semafor, the news startup he co-founded with Justin Smith, former head of Bloomberg Media. The list includes Prashant Rao, former international editor of The Atlantic; Joe Posner, who started Vox Media’s video unit in 2014; Gina Chon, a former columnist with Reuters Breakingviews; Tasneem Nashrulla, former deputy news director at BuzzFeed; Yinka Adegoke, a former editor with Rest of World; Alexis Akwagyiram, former digital editor at the Financial Times; Benjy Sarlin of NBC News; David Weigel, a former reporter with the Washington Post; and Shelby Talcott from The Daily Caller.
Brian Stelter, the former CNN media correspondent and former host of the network’s Reliable Sources show, is joining the Shorenstein Center on Media, Politics and Public Policy at Harvard’s Kennedy School as the Fall 2022 Walter Shorenstein Media and Democracy Fellow, the center announced this week. As part of his duties, Stelter will “convene a series of discussions about threats to democracy and the range of potential responses from the news media,” the center said. CNN cancelled Stelter’s show in mid-August, as part of a series of changes at the network.
Emily Ann Russell writes for CJR about “The Objectivity Wars,” a panel discussion on Tuesday co-hosted by Columbia University’s Lipman Center for Journalism and Civil and Human Rights and CJR, and moderated by Kyle Pope, CJR’s editor in chief. On the panel—which was held in person at the Columbia Journalism School and also streamed online—were Masha Gessen, staff writer at The New Yorker; David Greenberg, professor of journalism and media studies at Rutgers; Wesley Lowery, a Pulitzer Prize-winning journalist formerly with the Washington Post; Andie Tucher, a professor of journalism at Columbia; and Lewis Raven Wallace, co-director of Press On.
Kara Swisher, a veteran technology journalist who now hosts a New York Times podcast called “Sway,” wrote a Twitter thread about how much of the early work that she and Walt Mossberg did at All Things Digital, which they founded while they were both with the Wall Street Journal, has vanished. “This is a thread on the ephemeral nature of content, who owns your work & why creators need to own their IP,” Swisher wrote. “This hit home when I was doing research for my memoir on covering the rise of Silicon Valley. Why? Because most the work we did at All Things Digital has gone poof.” Swisher says she and Mossberg offered to buy the archives from the Journal when they left, but the offer was refused.
Twitter is still the place where media publishers collectively have the largest audiences, followed by Facebook and Instagram, according to an Axios analysis of 82 major news, entertainment and sports publishers. “National Geographic, by far, has the largest social following across its main accounts, with more than 340 million followers over six major platforms (not taking into account duplication),” Sara Fischer and Kerry Flynn reported. The next closest publisher, the BBC, has more than 150 million followers across its main accounts on those platforms, followed by CNN and ESPN.
NYT Cooking, the subscription recipe site from the New York Times, is launching a new sideline, according to the Hollywood Reporter: $95 at-home cooking kits curated by guest chefs. “Beginning on Wednesday, readers can visit the New York Times online store to be notified when the kits are available for purchase,” the Hollywood Reporter wrote. “At launch, NYT Cooking will offer three different kits created by the chefs Nina Compton, Chintan Pandya and Naoko Takei Moore, in partnership with Times cooking journalists.”
Teen Vogue profiled Jack Corbett, a 25-year-old producer on NPR’s Planet Money podcast that the magazine calls “a TikTok wunderkind.” Corbett claims he is just “a guy from Ohio,” but to the hundreds of thousands of fans who follow the Planet Money TikTok account, Teen Vogue says Corbett is “a wacky-professor figure, a talented TikTok comedian, and most importantly, a guide through the largely inaccessible world of economics.” Corbett often expresses gratitude and even confusion that NPR lets him make his oddball videos in the first place, Teen Vogue writes, “but, in all likelihood, it is exactly that affable, down-to-earth nature that makes Corbett such a good front man.”