Twitter whistleblower unlikely to spur congressional action

EU is setting the pace in legislation for tech platforms

Peiter Zatko, a former Twitter employee who revealed data security issues at the social media company, is scheduled to testify to the Senate Judiciary Committee on Tuesday. (Matt McClain/The Washington Post via Getty Images)

The Senate Judiciary Committee hearing Tuesday featuring former Twitter security chief turned whistleblower Peiter Zatko is likely to showcase lawmakers’ concerns about his wide-ranging allegations of security lapses and content moderation failures at the company.

But those alarms are unlikely to spur immediate action from Congress to address the behavior that is endemic in many tech companies, and social media platforms in particular.

“I have to say that I’m not overly optimistic that hearings will lead to either any new important insights or to action, to new legislation or new regulatory measures,” said Rebekah Tromble, director of the Institute for Data, Democracy and Politics at George Washington University.

“We’ve seen a number of these hearings occur already,” Tromble said in an interview. “They become a sort of locus in the moment for attention and concern, even anger, and then don’t translate into concrete action by lawmakers.”

Senate Judiciary Chairman Richard J. Durbin, D-Ill., and ranking member Charles E. Grassley, R-Iowa, announced the hearing with Zatko after The Washington Post first reported his allegations last month.

The committee said Zatko would appear pursuant to a subpoena, adding that his allegations “of widespread security failures and foreign state actor interference at Twitter raise serious concerns. If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world.”

Zatko, a well-known tech expert hired by Twitter in 2020, sent complaints to the Federal Trade Commission, the Securities and Exchange Commission, and the Justice Department in July and provided redacted filings to congressional committees, according to the Post.

He alleged that Twitter violated the terms of an 11-year-old settlement with the FTC by claiming it had an adequate security plan to protect users when it did not. He also alleged that the company’s computer servers were out of date, executives withheld details of hacks and breaches from the board, and foreign governments had likely infiltrated Twitter to place agents on the company’s payroll.

Zatko was fired by Twitter in January, and the company told the Post that his allegations were “riddled with inaccuracies.”

Zatko is only the latest in a line of insiders exposing the murky workings of the tech industry and its associated companies.

Christopher Wylie, who worked for the U.K.-based Cambridge Analytica, was one of the first to blow the whistle on how that company used data from Facebook users and other online sources to help Donald Trump’s campaign target voters with disinformation during the 2016 U.S. presidential election.

The FTC imposed a $5 billion fine on Facebook in 2019, and the U.K. government slapped a 500,000 pound fine. But the penalties were widely criticized for being paltry compared with Facebook’s revenue that ran to more than $21 billion in one quarter of 2019.

Last October, Frances Haugen, a former Facebook employee turned whistleblower, told the Senate Commerce consumer protection subcommittee that the company repeatedly prioritized profits over user safety as it pressed forward with a version of Instagram, which it owns, for children under 13 despite internal research showing harm to teenage users.

The Senate Commerce Committee in July approved two bills that would address data privacy for children and minors up to the age of 17 that lawmakers said stemmed from Haugen’s revelations. But the measures have yet to receive a floor vote.

A broader federal data privacy measure has been approved by the House Energy and Commerce Committee but faces obstacles gaining support in the House and in the Senate because it would preempt state privacy laws.

Although Congress hasn’t passed any measures to address various aspects of social media and tech platform deficiencies revealed by whistleblowers, the hearings have helped lawmakers and their staff better understand the complexities behind tech platforms, said Rose Jackson, director of the democracy and tech initiative at the Atlantic Council’s Digital Forensic Research Lab.

Beyond Section 230

“We have moved from an obsession with Section 230 into a slightly more nuanced conversation on how platforms operate,” Jackson said in an interview. “That gets short-handed into frustration or confusion around algorithms, with questions around what they do to advance or drive mis- and disinformation.”

Section 230 refers to the portion of a 1996 communications law that gives social media companies protection from liability for content posted by users.

Republicans have wanted to water down the protection, saying that companies use it to silence conservative voices, and Democrats have said the law allows tech companies to keep hate speech and violent content online.

“So I think we’re widening the aperture, with lawmakers trying to understand how tech platforms work with each new revelation,” Jackson said. “The fact that these hearings are increasingly more sophisticated and better informed is a good sign.”

Nevertheless, with legislative measures to address privacy, data access and antitrust stalled in Congress, “I’m not bullish on any of those passing right now,” Jackson said.

By not acting, the U.S. has ceded ground and power to the European Union and to countries that are passing laws to address the dangers and weaknesses of tech platforms exposed by whistleblowers, Jackson and Tromble said.

The European Union agreed in April on the Digital Services Act, which would require tech platforms including Meta, Google, Twitter and others to police illegal content online. The rules would also stop the platforms from targeting users with algorithms that draw on data based on their gender, race or religion.

The EU rules also would require tech platforms to be more transparent about their algorithms. After review and adoption by member nations, the EU law would go into effect in January 2024.

After the EU agreement, Facebook whistleblower Haugen wrote in The New York Times that Europe has succeeded in passing new rules while Congress is still debating the issues because tech giants including Meta employ an army of lobbyists to put pressure on U.S. lawmakers.

The details of how the Digital Services Act is “going to work are still being worked out right now,” Jackson said. “And I think the United States has significant interest in not only paying close attention to how that goes, but shaping how that goes, because unquestionably those rules will bind our companies.”

In the absence of federal legislation, the FTC can use the framework of consumer rights to regulate the tech companies and that’s “within the remit” of the agency, Tromble said.

“But that’s never going to be perfect. … The FTC can only go so far,” Tromble said. “We need federal legislation.”
