WATCH: Lawmakers investigate Twitter security chief's whistle-blower allegations

In this photo illustration, a Twitter logo is seen displayed on a smartphone screen and a laptop screen in the background. (Photo by Onur Dogman / SOPA Images/Sipa USA)

Published Aug 24, 2022

Washington - Top Democrats and Republicans in Congress are investigating a former Twitter security chief's explosive new whistle-blower complaint, instigating new political scrutiny of the social network's data security practices and defences against foreign influence.

Leaders of three influential congressional committees say they are reviewing disclosures, in which famed hacker Peiter Zatko alleges the company has "extreme, egregious deficiencies" in its cybersecurity defences, as well as weak efforts to fight spam.

The allegations are prompting a new round of Washington head winds for the company, adding to the controversies it has faced on Capitol Hill over its influential role in democracy and elections, especially since the company's decision to permanently ban former president Donald Trump.

Meanwhile, the company is embroiled in litigation with Elon Musk over its future.

Lawmakers from both parties appeared united in response to the allegations, saying they raise national security and privacy concerns that need closer examination.

Reps. Frank Pallone Jr., D-N.J., and Cathy McMorris Rodgers of Washington, the chair and top Republican on the House Energy and Commerce Committee, said that if the whistle-blower's allegations were true, they reaffirmed the need for Congress to pass consumer privacy legislation to safeguard Americans' data. The committee was "assessing next steps", they said.

On Tuesday, Sen. Richard Blumenthal, D-Conn., the head of the Senate Commerce panel focused on consumer protection, wrote a letter to the Federal Trade Commission, calling for the agency to investigate Zatko's claims and bring "enforcement actions", including fines, against Twitter where appropriate.

"These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritised profits over the safety of its users and its responsibility to the public, as Twitter executives appeared to ignore or hinder efforts to address threats to user security and privacy," he wrote.

Sen. Edward Markey, D-Mass., sent a similar letter to the FTC and Department of Justice, saying the whistle-blower allegations suggested the company violated the terms of a 2011 consent order with the FTC.

The offices of the top lawmakers on the Senate Judiciary Committee, Sen. Richard Durbin, D-Ill., and Sen. Charles Grassley, R-Iowa, said they have had early discussions with the whistle-blower.

"If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world," Durbin said.

The Senate Intelligence Committee also received the complaint and is working to set up a meeting with Zatko, spokesperson Rachel Cohen said.

Twitter has pushed back on Zatko's allegations. Spokesperson Anna Hughes said the complaint appeared to have "inconsistencies and inaccuracies and lacks important context," and that security and privacy are "company-wide priorities" at the company.

"Mr. Zatko's allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders," she said.

The documents that Zatko provided could inject new urgency into efforts to create new federal privacy safeguards and other accountability measures, despite years of attempts and failures in Congress to regulate the tech industry. It's also the second time in less than a year that a former employee at a major tech company publicly provided disclosures to members of Congress, signalling tech whistle-blowers could play a larger role in efforts to craft new tech policies.

The political fallout could be exacerbated by Twitter's long-running tension with lawmakers over content moderation, especially Republicans who say the company has unfairly suppressed their political speech.

"Twitter has a long track record of making really bad decisions on everything from censorship to security practices," said Sen. Marco Rubio, the top Republican on the Intelligence Committee. "That's a huge concern given the company's ability to influence the national discourse and global events."

Twitter has had run-ins with Washington regulators over its security practices for more than a decade, dating back to a pair of 2009 incidents when hackers gained unauthorised access to the platform.

Following the hacks, the company entered into a settlement with the Federal Trade Commission that required it to establish a comprehensive security programme that was subject to external audits.

The company more recently faced political blowback for a 2020 hack, during which hackers gained access to the accounts of influential people including then-presidential candidate Joe Biden and Musk.

Zatko alleges that Twitter violated the terms of that 2011 FTC order by falsely claiming it had a security plan. A former FTC official who worked on the Twitter case said the agency was understaffed at the time of its initial settlement, and that the enforcement division had failed to keep a close eye on multiple companies after reaching privacy settlements, including the one with Twitter.

Blumenthal said the disclosures "appear to demonstrate Twitter's disregard for FTC's consumer data requirements".

"Big Tech has been allowed to ignore the terms of the FTC's orders for too long - despite significant breaches, spying scandals, and hijacking of high-profile accounts," he said in a statement.

"The FTC must vigorously oversee and enforce its orders or those requirements become dead letter law while our national security and consumer privacy are undermined."

Twitter participated in biannual audits of its security practices, in compliance with the order, according to the company.

Rep. Jan Schakowsky, D-Ill., said that the allegations show that the FTC "absolutely needs more resources".

Democrats proposed boosting the FTC's budget last year by $1 billion to create a new digital-focused division to police privacy violations and cybersecurity incidents, but it was ultimately not included in its recent spending package.

"The status quo has once again failed American consumers, from coast to coast and here in the heartland," she said.

The Washington Post