Skip to content
The Morning Dispatch: Is Twitter Secure?
Go to my account

The Morning Dispatch: Is Twitter Secure?

Congress examines a high-profile hacker's whistleblower complaint about the social media giant's privacy and data security practices.

Happy Wednesday! And happy seventh birthday to one of the dumbest news cycles in recent memory.

Quick Hits: Today’s Top Stories

  • The Bureau of Labor Statistics reported Tuesday that, as measured by the Consumer Price Index, the annual rate of inflation decreased in August for a second consecutive month, from 8.5 percent to 8.3 percent. That figure was driven largely by falling gas prices, however, which obscured alarming rates of inflation in other areas of the economy, like food, shelter, medical care, furniture, and cars and trucks. Core inflation—which excludes the 5-percent drop in energy prices and 0.8-percent jump in food prices—increased at a 6.8-percent annual rate in August. The news all but ensured the Federal Reserve will continue aggressively hiking interest rates in the coming months, sending stocks tumbling. The Dow Jones Industrial Average fell 3.94 percent on Tuesday—the index’s worst day since June 2020—and the S&P 500 dropped 4.32 percent.

  • The primary season is officially over after Democratic and Republican voters in New Hampshire, Delaware, and Rhode Island went to polls yesterday. Some key takeaways:

    • In New Hampshire’s GOP Senate primary, retired Brig. Gen. Donald Bolduc—a MAGA candidate who denies the legitimacy of the 2020 election—narrowly edged out state Sen. Chuck Morse, who conceded around 2 a.m. Wednesday morning. Bolduc will face incumbent Democrat Sen. Maggie Hassan in the general election.

    • New Hampshire’s incumbent Gov. Chris Sununu, a Republican, easily fended off a handful of primary challengers and will face Democrat Tom Sherman in November as he looks to win a fourth term.

  • Democrats’ majority in the House is back up to 221-212 after three recent special election winners—Mary Peltola of Alaska, Pat Ryan of New York, and Joe Sempolinski of New York—were sworn in on Tuesday. Two seats remain vacant: That of the late Rep. Jackie Walorski of Indiana, a Republican, who died in a car accident last month, and that of former Rep. Charlie Crist of Florida, a Democrat, who resigned two weeks ago to campaign for governor.

  • Armenia and Azerbaijan—neighbors and longtime geopolitical opponents—reported a combined 99 troop deaths in border clashes Tuesday. Armenia’s defense ministry said the fighting started shortly after midnight when Azerbaijan began artillery and drone attacks in several areas, while Azerbaijan’s foreign ministry said it was responding to a “large-scale provocation” by Armenian troops planting mines and firing on military positions. Russian officials claim to have brokered another ceasefire in the conflict—it mediated a truce after a six-week war in 2020—and Armenia said it has requested aid from Moscow.

  • A senior U.S. official told reporters Tuesday that Russia has covertly funneled as much as $300 million to political parties and candidates in an effort to influence elections in more than 24 countries over the past eight years. The Russians reportedly pay these sums in cash, cryptocurrency, and non-monetary contributions, relying on FSB agents, oligarchs, and foundations/think tanks as intermediaries.

  • GOP Sen. Lindsey Graham introduced legislation on Tuesday that would institute a federal ban on doctors performing abortions after 15 weeks of gestation—leaving in place state laws that are more restrictive—but Senate Minority Leader Mitch McConnell indicated he wouldn’t bring the legislation up for a vote if Republicans retake the Senate, telling reporters he thinks most Republicans “prefer that this be dealt with at the state level.” 

  • West Virginia’s legislature passed a bill restricting abortion access on Tuesday, with the state Senate and House voting 22-7 and 77-17 in favor, respectively. The legislation, which Gov. Jim Justice is expected to sign, would prohibit doctors in the state from performing abortions at any point during a pregnancy, with exceptions for rape, incest, and the life or health of the mother. 

  • The House of Representatives on Tuesday approved by voice vote legislation eliminating the statute of limitations for victims of child sex abuse to file civil claims, sending the bill—which passed the Senate unanimously in March—to the White House for President Biden’s signature. There is currently no statute of limitations for criminal child sex abuse charges, but minors who suffer must file federal civil claims before they turn 28 years old or before 10 years have passed since the abuse occurred.

  • The Justice Department announced Tuesday it had arrested eight people in Texas, Louisiana, Alabama, and Mississippi for their alleged involvement in a human smuggling network near the U.S.-Mexico border. According to an indictment unsealed yesterday, the individuals made millions of dollars transporting migrants from Mexico, Guatemala, and Colombia to and within the United States, often in “deplorable conditions.”

  • Los Angeles County’s Department of Public Health reported Tuesday a resident’s recent death has been attributed to monkeypox, the first such death in California—and possibly the United States. (A person in Texas died with monkeypox last month, but it’s unclear whether the virus was responsible for the death.) A Centers for Disease Control report released Tuesday found monkeypox had led to brain inflammation and neurological issues in at least two “previously healthy” men in their thirties.

Twitter’s Data Security and Privacy Under the Microscope

Peiter “Mudge” Zatko, former head of security at Twitter, testifies before the Senate Judiciary Committee. (Photo by Kevin Dietsch / Getty Images)

Tuesday wasn’t Peiter Zatko’s first time testifying before Congress. The “ethical hacker” better known as “Mudge” was rocking a lot of hair during his 1998 testimony, when he pleaded with lawmakers to put his cybersecurity skills to use. Now missing his luscious locks and with a few more decades of experience—including stints at Google, Stripe, and the Pentagon’s Defense Advanced Research Projects Agency—Zatko returned to Capitol Hill yesterday to warn about yet another cyber threat: Lax security standards at Twitter that alarmed him during his brief time with the company.

In a whistleblower complaint made public in August, Zatko described Twitter’s data management as featuring “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.” And on Tuesday, he brought the problem home for his audience: “It’s not far-fetched to say a Twitter employee could take over the accounts of all the senators in this room.”

Now, a few lawmakers would certainly benefit from having their Twitter accounts taken away—but that should be the doing of apprehensive staffers, not foreign agents or tech employees with a political ax to grind. Zatko alleges that about half of Twitter’s some-10,000 employees have broad access to user data—including phone numbers and email addresses—and that the company has no system for logging which employees access what data, when, and why. Its shoddy data storage also means it can’t guarantee it’s deleted a user’s information, per Zatko.

“They don’t know what data they have, where it lives, or where it came from, and so unsurprisingly they can’t protect it,” Zatko told lawmakers. “It doesn’t matter who has keys if you don’t have any locks on the doors.”

That’s a situation ripe for abuse not only by disgruntled employees or outside hackers, but foreign actors. Zatko’s complaint alleged that the Indian government successfully pressured Twitter to hire government agents, and he claimed Tuesday the FBI had warned Twitter that a Chinese intelligence agent was working at the company. The social media platform has no effective process in place to catch such agents on its own, Zatko said, and executives have shown little interest in addressing the vulnerability. When Zatko raised the alarm internally, he claimed an executive told him, “Well, since we already have one, what is the problem if we have more? Let’s keep growing the office.” 

The whistleblower also claims that Twitter’s new CEO, Parag Agrawal, asked about letting Russia manage some content moderation in the runup to its invasion of Ukraine, reasoning that, “Since they have elections, doesn’t that make them a democracy?” Zatko didn’t provide details of Agrawal’s alleged suggestion, but Russia last year passed a law pushing big tech companies to open in-country offices or face advertising bans—a move security experts said seemed designed to increase Russian leverage over the platforms.

Zatko further alleges that Twitter executives discouraged his fact-finding efforts, cherry-picked security data they presented to the company’s board, and misled federal regulators about security advances. He says he was fired two weeks after clashing with Agrawal and Omid Kordestani, a Twitter board member, over the problems. Twitter disputes that account, claiming Zatko was fired for poor performance and describing his whistleblower complaint as “riddled with inconsistencies” and “lacking important context.” (Twitter reportedly paid Zatko about $7 million in a June settlement after his termination, but before he filed his whistleblower complaint.)

The company hasn’t exactly rushed to add the context it claims is missing—senators said Agrawal turned down an invitation to testify alongside Zatko, and its public comments on the matter have been relatively perfunctory—and Twitter’s history doesn’t suggest a sparkling security record. 

Zatko was initially hired in 2020 in response to a Tampa Bay teenager hacking prominent Twitter users like former President Barack Obama, Amazon founder Jeff Bezos, and Microsoft founder Bill Gates as part of a cryptocurrency scam. In 2013, a hacked Associated Press account sent the stock market tumbling when it falsely posted there had been an explosion at the White House. Just last month, a former Twitter employee was convicted of spying for Saudi Arabia, turning over the personal information of Saudi dissidents using the platform anonymously.

The Federal Trade Commission filed a complaint against Twitter more than a decade ago for mishandling users’ private data and giving too many employees access to central controls, and the agency fined the company $150 million in May for violating the terms of the 2011 order

Though Republican senators also pushed Zatko on whether the platform censors users for political beliefs—he pleaded ignorance of moderation decisions—lawmakers were largely united in their alarm at the allegations and frustration over Congress’ seeming inability to get legislation targeting Twitter—and other tech companies—across the finish line. “Despite this probably being our 50th hearing,” Sen. Amy Klobuchar said, “we have not passed one bill out of the U.S. Senate when it comes to competition, when it comes to privacy, when it comes to better funding the agencies, when it comes to the protection of kids.”

The 50th hearing probably isn’t going to move the needle either. “I don’t think this hearing fundamentally changes the likelihood that Congress moves forward foundational privacy or anti-trust legislation this session,” Rose Jackson, director of the Atlantic Council’s Democracy and Tech Initiative, told The Dispatch. But, she added, “that Democratic and Republican members seemed to be aligned in their alarm around the implications of foreign intelligence service access in particular may help build bipartisan momentum and urgency around calls for action on privacy.”

Whether Congress acts or not, the FTC will investigate Zatko’s claims. He has thus far offered little documentation publicly to back up his allegations, but is adamant Twitter misled the regulator about its compliance with the 2011 order. “The FTC won’t act until it gives Twitter a fair opportunity to respond,” David Vladeck, former director of the FTC’s Bureau of Consumer Protection, told The Dispatch. But if the FTC buys Zatko’s account after a thorough investigation, Vladeck said, the agency can punish Twitter again for violating its previous security promise—or bring a new action for wrongdoing not covered under the previous settlement.

Twitter itself is not a money-making machine, but those punishments are typically a drop in the bucket for most big tech companies. “The regulators have tools that do work,” Zatko said, such as recurring fines. “[But] they’re using the one-time fines that the companies aren’t really afraid of.”

Meanwhile, Zatko’s account has become a central piece of another Twitter imbroglio—Elon Musk’s attempt to wriggle out of buying Twitter, claiming the company doesn’t have a handle on bot accounts on its platform. Zatko’s been subpoenaed to testify in the case, which heads to court in October, and some of his claims support Musk’s arguments. The whistleblower says Twitter doesn’t have effective ways of tracking and managing bots because it isn’t financially incentivized to develop them.

A similar perverse incentive, Zatko argued, is at the root of many of the company’s security problems: a constant prioritization of profit over costly investment in data security and privacy. “I think they would like to wave a magic wand and have all of these things fixed,” Zatko said. “But they’re unwilling to bite the bullet.”

Worth Your Time

  • Are Americans actually growing more polarized, or are we converging around different versions of the same, bad ideas? “[What’s most broken in our politics is] not the ways left and right are further apart than ever; it’s the ways they’re closer together, with powerful elements on each side having jettisoned the longstanding liberal ideal of respecting the rights of even those with whom you strongly disagree,” Stephanie Slade writes in a cover story for Reason. “The two camps, of course, have different substantive moral visions for the society they wish to construct. But each views a broad conception of individual liberty as a barrier to achieving that vision. Economic liberty, including international trade and private property rights, stands in the way of progressives’ desire for an egalitarian and democratic order in which no one is ever again expected to work for someone else—and in the way of natcons’ desire for a revivified American manufacturing sector in which male breadwinners can support a large family on a single income. Speech protections prevent both sides from controlling the conversation as they wish. Religious freedom is seen as either a cover for rank bigotry or a rationalization for excluding God from the public square. And liberal toleration, with its norms of fair play and civility, is at odds with the reigning conception of politics as total war.”

  • Despite some movement on the issue earlier this year, Congress has yet to vote on any legislation preventing lawmakers and their spouses from actively buying and selling individual stocks. On Tuesday, the New York Times published an analysis that found that, from 2019 to 2021, 97 members of Congress reported trades—made either by themselves or close family members—in companies that were influenced by committees on which they sat. “In some cases, the transactions appear to be routine or to have only a tangential connection to any influence the lawmaker might have had on an issue,” Alicia Parlapiano, Adam Playford, and Kate Kelly write. “In others, the trades were conducted by trusts or brokers who, the lawmakers say, were operating without any instructions or input from them. But many instances show how legislative work and investment decisions can overlap in ways that at a minimum can leave the appearance of a conflict and that sometimes form a troubling pattern—even if they technically fall within the rules.”

Presented Without Comment

Also Presented Without Comment

Also Also Presented Without Comment

Toeing the Company Line

  • With David still on his Alaskan cruise, Sarah invited Wiley Rein LLP partner Megan Brown to join her on Tuesday’s episode of Advisory Opinions and provide listeners with some free career advice. What factors should aspiring lawyers consider when deciding which law firms to apply to? And how do you actually get hired once you settle on a firm?

  • In Tuesday’s jam-packed edition of The Sweep (🔒): Can Donald Bolduc flip New Hampshire red in the general election? Has the polling industry learned from the mistakes its made over the last few cycles? Is it “idiotic” for Republicans to wait for Donald Trump’s decision before jumping into the 2024 presidential race? And can Herschel Walker get over the goal line?

  • Haley’s latest Uphill focuses on the Senate’s upcoming debate over U.S. policy towards Taiwan. “Senators from both parties have advocated legislation this year to upgrade Taiwan’s defenses—and its relationship with the United States—and they remain largely unified in pursuing it,” she writes. “[But] some Democrats fear the symbolic elements of Sen. Bob Menendez’s Taiwan Policy Act could be inflammatory at a time when Taiwan isn’t prepared to defend itself from a Chinese invasion.”

  • The New Right’s objections shouldn’t distract U.S. policymakers from Ukrainian military aid’s incredibly high return on investment thus far. “I would also be reluctant to pour weapons into a losing war, prolonging suffering only to delay the inevitable,” David writes in Tuesday’s French Press (🔒). “But this is not a losing war, and the billions of dollars we’re spending to sustain the Ukrainian war effort may represent one of the more cost-effective allocations of American resources in recent history.”

  • On Tuesday’s episode of Dispatch Live (🔒), Jonah, David, Klon, and Adam discussed the latest news out of Ukraine. Dispatch members who missed the conversation can catch a rerun—either video or audio-only—by clicking here.

  • On the site today, Harvest writes about how D.C. groups have been dealing with Texas Gov. Greg Abbott’s ongoing program of bussing migrants to the Capitol, and Scott Winship criticizes a new study on the causes of falling child poverty.

Let Us Know

On a scale of 1-10, how screwed would you be if China or Iran hypothetically had access to all your private message history and decided one day to leak it online for all the world to see?

Declan Garvey is the executive editor at the Dispatch and is based in Washington, D.C. Prior to joining the company in 2019, he worked in public affairs at Hamilton Place Strategies and market research at Echelon Insights. When Declan is not assigning and editing pieces, he is probably watching a Cubs game, listening to podcasts on 3x speed, or trying a new recipe with his wife.

Esther Eaton is a former deputy editor of The Morning Dispatch.