Mudge currently testifying before Senate Judiciary Committee on his whistleblower claims against Twitter. judiciary.senate.gov/meetings/data-…
Apparently Senator Grassley "loves using Twitter."
Emphasis on the national security risks thus far and foreign agents. Social media companies, including Twitter, will testify tomorrow before the Senate Homeland Security Committee.
Grassley noting that Twitter is outsourcing moderation to other countries, and the moderators lack tools and translators in some cases.
Grassley says that the threat of foreign influence is more important than Twitter's civil litigation in Delaware, and if allegations are true, he doesn't see how Agrawal can stay CEO.
Mudge leads off by saying Twitter is a decade behind competitors when it comes to security standards. Says company is misleading everyone from lawmakers to board of directors.
Mudge: "To put it bluntly, Twitter leadership ignored its engineers, because key parts of leadership lacked competency to understand the scope of the problem. But more importantly, their executive incentives led them to prioritize profits over security."
"This kind of vulnerability is not in the abstract. It's not far fetched to say that employees inside the company could take over the accounts of all of the senators in this room."
"I did not make my whistleblower disclosures out of spite or to harm Twitter. Far from that I continue to believe in the mission of the company and for its success."
"But that success can only happen if the privacy and security of Twitter's users and the public are protected."
Durbin getting at Twitter collecting more data than they publicly say.
Mudge: "In this case, my concern was more that Twitter didn't even know what it was collecting."
Durbin keeps asking whether users should "see a warning" about what data is being collected. To be clear, that's a terms of service agreement, and the issues with those extend way beyond Twitter.
Now talking through the FTC consent decree. Here is a reminder of what that was: justice.gov/opa/pr/twitter….
Mudge wondered how Twitter continued to be in compliance with the consent decree despite ongoing security issues.
Mudge: "I think honestly, I think the FTC is a little over their head... They're left letting companies grade their own homework. And I think that's one of the big challenges."
Grassley kicking off questions about China and risk to people there.
Mudge: "Twitter was a company that was managed by risk, and by crises, instead of one that manages risk and crises. It was very reactive, it would react to problems too late."
Grassley asking what access foreign agents would have to data and what they could use it for.
Mudge walking through Twitter's construction - they only have live production environment, no test environment.
Mudge: "If you are a foreign agent, and you are hired and you are an engineer, you've got access to all of that data that we talked about - the 80% that Twitter doesn't know what's in it," but when studied it's personally identifying information.
Mudge alleges one Chinese security agent was on the payroll.
Feinstein raising the case of Saudi agent. justice.gov/usao-ndca/pr/f…
Feinstein: "Can you describe the types of efforts you've seen by foreign governments to infiltrate, control, exploit or surveil Twitter and its users and share what steps Twitter and regulators should have taken to protect against these attacks."
Mudge: "One of the disturbing things that I saw based upon being 10 years behind, where I would expect a modern tech company to be was a lack of an ability to internally look for and identify inappropriate access within their own systems."
Mudge continues: "There was a lack of logging and an ability to see what they were doing, what information was being accessed, or to contain their activities, let alone set steps for remediation and possible reconstitution of any damage."
"...They simply lacked the fundamental abilities to hunt for foreign intelligence agencies and expelled them on their own."
Mudge says there were thousands of failed attempts to access internal systems that were happening per week, and nobody was noticing. Who was doing it? Mudge says no one knew.
Feinstein asking Mudge about legislative fixes for these issues...which seems odd. That's more their job than his.
Just take a look at the fed gov's failure to set mandatory security standards that have teeth or effective privacy legislation.
"I also noticed that of all of the regulators, some of the foreign regulators were much more feared than the FTC," says Mudge. Points to FTC only charging one time fines.
What would be effective? If the FTC were to come in and tell Twitter that they weren't allowed to monetize email addresses because of inability to handle them correctly. "Well, then we might not be on fair footings with our competitors and that would make them move."
"It [Twitter] is unable (to delete data) because they do not know where it is so they are unable to comply," said Mudge.
We've not YET gotten into "censorship" thankfully...but I'm just waiting.
Mudge says it was incredibly difficult to track what data was accessed or shared by foreign agents.

Access control, or lack thereof, is a huge issue Mudge keeps hitting on.
"I'm reminded of one conversation with an executive. when I said, 'I am confident that we have a foreign agent' and their response was, 'Well, since we already have one, What does it matter if we have more, let's keep growing the office'"
Klobuchar up now. Asks about demands by foreign govs re censoring and surveilling users, like Russia.
Mudge basically says he was surprised and frustrated by the company's willingness to punt on these issues.
Klobuchar: "Do you think it would be helpful if we pass some privacy legislation in Congress?"
Klobuchar going on about the bill she worked on re privacy.
"Could you talk about the lack of action in Congress and how that has actually created an environment where these companies feel like they can do everything from destroying our newspapers and our public good, to basically not taking correct actions when it comes to hacking."
Mudge: "So that's your world, not mine. I appreciate the efforts and the work that you're doing."
"What I did see is that any laws or bills passed or actions in the past, if they are not able to be quantified and externally audited by an independent viewer, gained a lot by what I saw inside big tech in their ability to sort of answer in an affirmative..."
"...without actually doing what the intention was of the rule of law or regulation," says Mudge.
Klobuchar asks about language issues with misinformation and content moderation.
Mudge: "Twitter has to understand 80% of their users are outside of the United States. You can't create a healthy environment, you can't serve the public conversation if all you can do is look at it and say I hope Google translate is doing the right job for me."
Oh man Kennedy is up now. He didn't read the whistleblower report.
Kennedy's line of questioning is...interesting? Trying to get Mudge to talk about what data employees have access to. Brings up selling data on Grassley if an employee doesn't like him.
"Censorship against conservatives" is coming...I can feel it.
Kennedy asking about whether multiple board members knew about these issues.
Kennedy: "it's about the money isn't it"
Mudge basically responds it's about Twitter being too reactionary and yes it costs money, among focusing on other priorities.
Weird back and forth with Kennedy asking about Twitter getting into porn. He's talking about this investigation, which is unrelated to Mudge. theverge.com/23327809/twitt…
That was messy. On to Blumenthal now.
Blumenthal: "Would you agree with me that Twitter has put its users health and safety severely at risk?"
Mudge: "Yes, sir."
Blumenthal: "And it's put the national security severely at risk."
Mudge: "Yes, sir."
Blumenthal: "To effectively address this problem, we need not only to insist on restructuring, the company, also likely restructuring reforming and energizing our regulatory apparatus, not only as to Twitter, but also as to other internet companies and platforms. Would you agree?"
Mudge: "Yes. I would. The intent of the regulators, I think is the right intent, but it is not being followed or correctly adhere to all of what you're saying."
Blumenthal hinting at need for another agency beyond the current ones to address the issues Mudge identifies.
Blackburn up. Going back to adult entertainment. "I want to talk with you about this process Twitter has gone through they tried to start a new subscription based adult entertainment section. Are you familiar with that?"
Mudge is not. But Blackburn is now going into CSAM and NCP issues on the site. Twitter "had too much child and non consensual pornography that was on their site already." Mudge says he was not aware but sadly it does not surprise him.
Blackburn: "So my question is, why, what for what reason would Twitter refuse to take down this sexually explicit content? If it knew that it was affecting underage children? Why would they leave this up? And why would they refuse to take this down?"
Mudge: "From what I saw, and on the area of adult content because that was brought up and our concern was certain advertisers didn't want adult content to appear next to ads they were putting in that was a concern inside the company."
Blackburn talking about "click through ads" being used to access user data by countries like China, where CCP owns parts of companies.
Mudge: "Click through ads do expose a risk that non click through ads do not."
Mudge: "If you can get a user to click through, you get the information that I was describing before - the IP address...you can determine the IP geolocation or whether they're using a VPN or not if that is allowed in your country."
Blackburn asking about censorship based on political views.
Mudge: "I never investigated or was or heard of decisions on that particular topic. I was focused on the crisis and fires in the areas of my domain."
Coons is speaking now.
Coons: "Your complaint also details how Twitter's executive team was concerned that the report that you'd commissioned would be damaged if it got out and that they worked to intentionally remove or modify information that might be especially embarrassing for Twitter, correct?"
Mudge: "Yes sir. I found that very disturbing the company that I hired with the knowledge of the other executives and the head of site integrity, which did not report to me but that this independent organization was going to analyze and do gap analysis..."
"The company reached out to me and said, 'Hey, Mudge, Twitter is jumping in and making us open a separate contract and telling us not to provide you the results to your own work.'"
Coons: "How common do you think it is for foreign entities for hostile agencies to successfully install sympathetic actors at Twitter and why might they do so?"
Mudge: "Any number of reasons.. in particular to not just identify people of interest or track groups of interest, but also to maybe look at whether or not Twitter has identified your agents or your information operations. What other governments has Twitter possibly identified?"
Cotton is up and we are back to censorship policies. Cotton using himself as an example of being censored.
Cotton: "From your experience, would a low level Twitter employee typically have the authority to permanently lock the account of an elected member of Congress?"
Mudge: "From my experience, they should not have the authorization to do it. Although it would probably be a low level employee that would be instructed to do it. So she was likely taking direction from more senior officials at the company."
Cotton: "Does Twitter have special channels of communication with fellow social media companies like Facebook, to discuss misinformation?"
Mudge: "If they do I believe that they would be ad hoc I am not aware of official ones.."
The adult entertainment story and political censorship of accounts are two themes that have been raised a few times. Mudge has done a good job being clear these were not his domains.
5 min break now.
And we're back! Whitehouse up next.
Mudge and Whitehouse currently talking about the ways that Twitter data, used in combination with other data, could be used to lean on people of influence and push them towards certain decisions, re how a security agency could leverage Twitter data.
Cornyn is up and asks if Mudge is aware of ubiquitous technical surveillance.

Mudge: "I can understand those words together and get the general context I believe, sir, yes."
Cornyn revisiting logging issues.
Last couple of senators have been doing more speaking than asking questions and rehashing issues that have already been discussed.
Now we have mentions of TikTok and Instagram. They "have 13 year old age restrictions in terms of their Terms of Use. There's no, there's no limitation on people's ability to pretend to be an adult to pretend to be somebody that they're not and gain access to social media accounts."
Mudge: "I can't speak to TikTok or Facebook. I'm not familiar with their internal technology for age gating. I do know that that was a challenge at Twitter. And from what I was told the majority of age gating was voluntary - self reporting of what your age was."
Hirono up next. Hitting again on the FTC and how the size of fines relative to company size and revenue is fairly ineffective.
Hirono: "What is it going to take to force Twitter to change its ways?"
Mudge: "Well, this starts at the top in Twitter and you need an executive team that is willing to go in and say the executive team themselves acknowledged and I heard them say we have 10 years of unpaid debt here, that at some point, we really need to get ahead of that"
"And to my understanding, you know, a board's primary role is to make sure the right executive executives are in charge of the company, the CEO in particular, to make sure they were they are you know, sending the company in the right direction."
"This needs to be a long term incentive rather than short term incentives for the companies, because the short term incentives just mean that they're going to tactically run from fire to fire and not actually pay down debt for a long lived valuable company."
Hirono asks whether people need to go to prison, regarding holding people accountable.
And what would that look like, given Twitter can't even identify foreign agents.
Mudge: "Yes, ma'am. And to be blunt, some foreign agents will probably be pretty good and difficult to identify. But some were in this case, not and they're only to my awareness being identified when they're brought to them. They're not even attempting to."
Graham is up now. "Thank you very much for coming to the committee and giving us your insight. Something good will come from this do you believe that?"
Mudge: "I hope so. I'm basically risking my career and reputation. And if something good comes from this 5, 10 years down the road, it will have been worth it."
Graham asks whether Mudge is comfortable with us all still using Twitter.
Mudge: "I think people should look at the information they're getting off of it differently. And I think people should put pressure on Twitter and ask questions from the public as well as from the government and regulators."
Graham asks if Mudge would buy Twitter given what he knows (hinting at Musk). Mudge says "I guess that depends on the price."
Mudge says with "big tech I think they're absolutely outgunned" re regulatory agencies.
Graham re social media companies: "They're not licensed. You can't sue them, and to be shocked that we have a problem is kind of naive on our part."
Graham: "If you're going to be in this space, you have to harden your sites against foreign interference. You have to protect your sites against criminality. And if somebody takes your content down, you'll have an appeal process outside the group who did it."
"Does that sound kind of like where we need to be going?"
Mudge: "Those all sound good to me."
Graham: "Your testimony today has legitimized what most of us feel is a process out of control, that the regulatory environment is insufficient to the task is time to up our game in this country."
Ossoff now speaking re incentives. Why were the financial incentives and security incentives at odds basically.
Mudge relates an interesting story. "We did a media day from the executives...it was the first one that Twitter had done in a very long time. It set very ambitious goals for growth for revenue growth - goals that I was concerned that the company would not be able to hit."
"Not too many months after that there was an internal value creation award presented to me offering $10 million if we tripled these growth goals, growth goals, and I raised concern saying, 'I don't know how we can do that unless we entirely cut corners everywhere.'"
"'I do not like this incentive structure. How are we going to be able to devote resources to the basics such as fixing security patching, getting the systems up to date, and building a development and testing environment?'"
Ossoff: "Can you please talk about what you observed and what you viewed to be the risks associated with the advertising model of the capability of enterprise clients? Of Twitter's ability to target ads and links to specific users?"
Mudge: "I did see that data sets internally to the organization when I first joined. Thousands of users [I think he meant employees here] had access to the advertisers information, including their bank accounts and routing numbers."
"And when I first joined, people could change that information and you could understand why changing the bank account information of a company such as Apple or Nike might be problematic."
Hawley up now and asking about data access.
Mudge: "I have seen numerous situations where Twitter engineers had to patch a problem and I said 'what was the problem?' And they said, 'Oh, engineers could tweet as anybody.'"
Mudge: "I did see basic policies such as, hey, you're not supposed to access inappropriate systems, but I also saw policies saying that your work laptops should only run in the following setups. I don't believe any of the laptops were in compliance with those policies."
Hawley: "Are you aware of any communications regarding content moderation with Twitter staff, and the United States government in your time at the company?"
Mudge: "I'm familiar of the conversations that happen through the Department of Homeland Security at the traffic light protocol, whether a message is sent out to organizations about threats that maybe the FBI or other organizations had insight into."
Hawley raising failed disinformation board. "Why do you suppose that the disinformation board had Twitter first on the list of entities to come to to talk about coordinating monitoring American speech?"
Mudge: "I can't opine on that. But I can say that Twitter is a tremendously influential platform, and we do know that there are information operations being run on Twitter."
Hawley bringing up Hunter Biden, caving to Russia on moderation issues, etc.
Mudge: "I wasn't there when the Hunter Biden issue happened and I don't have any information on that. I wasn't briefed into it or involved in the investigations."
And we are done! Thanks for tuning in folks! Going to be very interesting to see how the hearing goes tomorrow re social media companies and national security. Lots to unpack.
