Twitter can’t protect users’ data, former CISO alleges


Twitter’s former chief information security officer (CISO) made a series of serious accusations against his former employer in testimony before the US Congress, including allegations that foreign agents from India and China were working for the company, and that Twitter executives misled the public and regulators about data security.

“First, they don’t know what data they have, where you live, or where it came from, so, unsurprisingly, they can’t protect it,” Peter Zatko told the Senate Judiciary Committee on Tuesday. “This leads to the second problem: employees need too much access to too much data on too many systems.”

He joined the company in November 2020. Twitter says he was fired in January for “ineffective leadership and poor performance”.

SC Media quotes Zatko as saying that Twitter’s data infrastructure is so decentralized that leadership does not know all the data the company collects or where it is stored. When he conveyed these concerns to Twitter’s leadership, he claimed that their incentive structure led them to prioritize “profits over security.”

News site The Record quoted him as saying that nearly half of Twitter’s employees are engineers with extensive hands-on access to the company’s systems. However, these systems often lack logging capabilities, so it can be difficult to track whether someone – such as an agent of a foreign government – is inappropriately accessing the information.

Several news outlets have indicated that Twitter has been subject to a consent decree with the US Federal Trade Commission since 2011 due to several data security incidents. Recently, in May, Twitter settled a civil complaint with the agency accusing the company of violating this order by collecting users’ phone numbers for account security purposes, and then using them to target ads. The company agreed to pay a fine of US$150 million.

In response to the allegations, Twitter said in a statement, as reported by AFP and others, that its hiring process is “independent of any foreign influence” and that access to data is managed through a range of measures, including background checks, access controls, and monitoring and detection systems and processes.

The Reuters news agency indicated that many of the allegations are unconfirmed and have little documentary support.

Zatko was certain. “It is not inconceivable to say that an employee of the company can take over the accounts of all the Senators in this room,” he was quoted as saying. “Given the real harm to users and national security, I have decided that it is necessary to take the professional and personal risks to myself and my family of becoming a whistleblower.”

The testimony comes as the US House of Representatives considers a bipartisan federal privacy bill.
