Twitter's Zatko to testify for Senate, aid in evidence for Musk trial
The whistleblower's upcoming testimony is already raising concern over his findings on the platform's security lapses, which may in turn help Musk's case against the company.
The infamous Twitter whistleblower, Peiter “Mudge” Zatko, will take his case to Congress on Tuesday, warning of security flaws, privacy threats, and lax controls on the social platform and alarming the Senate Judiciary Committee at a time of heightened concern over the safety of powerful tech platforms.
It is Zatko’s second Capitol Hill appearance and a flashback to his first: in 1998, he testified before a Senate panel alongside a team of hackers who warned about the security dangers of the then-emerging internet era.
Zatko, a cybersecurity expert, served as Twitter’s head of security until he was fired early this year before bringing the allegations to Congress and federal regulators and asserting that the platform misled regulators about cyber defenses and efforts to control millions of fake accounts. This comes after Twitter Inc. agreed, in June, to pay a $7 million settlement to Zatko.
Senator Dick Durbin, the Illinois Democrat who heads the panel, called Zatko’s allegations “serious business,” adding, “If it’s anywhere along the lines that (he) suggested, I think it’s a matter of grave personal-privacy concern; the question is whether information gathered by Twitter has been used for purposes which we’re not aware of.”
Zatko’s claims also feed into Tesla CEO Elon Musk’s battle with Twitter: Musk made a $44 billion bid to buy the company and then moved to withdraw, prompting Twitter to sue to force him to complete the deal. The judge overseeing the case ruled last week that Musk can use Zatko’s allegations about fake accounts as new evidence in the high-stakes trial set to start October 17. One of Zatko’s attorneys said, “He’s never met Elon Musk. Doesn’t know Elon Musk. They know people in common.”
Twitter’s shareholders are due on Tuesday to vote on the company’s pending buyout by Musk. The vote is considered a formality, given that the deal is on hold while the court case plays out, but if the measure passes as expected, it would clear the way for a Musk takeover should Twitter prevail in court.
Zatko also filed complaints with the Justice Department, the Federal Trade Commission (FTC), and the Securities and Exchange Commission (SEC), alleging among other things that Twitter breached the terms of a 2011 FTC settlement by falsely stating that it had put in place stronger measures to protect user security and privacy.
The SEC is questioning Twitter about how it counts fake accounts on its platform, as it uses counts of its presumably real users to attract advertisers, whose payments comprise about 90% of its revenue.
Twitter reports an estimated 238 million daily active users worldwide and says it removes 1 million spam accounts daily; these accounts, also known as "spam bots", have no value to advertisers because there is no person behind them.
Zatko’s 84-page complaint on the matter discloses that he found “extreme, egregious deficiencies” on the platform, including issues with “user privacy, digital and physical security, and platform integrity/content moderation.” It accuses CEO Parag Agrawal and other senior executives of making “false and misleading statements to users and the FTC.” Twitter denied the claims, saying Zatko was fired in January for “ineffective leadership and poor performance,” a justification Zatko's attorneys disputed.
Twitter also hinted that Zatko’s complaint might be designed to bolster Musk’s legal fight with the company. Twitter called Zatko’s complaint “a false narrative” that is “riddled with inconsistencies and inaccuracies and lacks important context,” saying it has significantly tightened security since 2020.
Among Zatko’s specific allegations is that Twitter deliberately allowed the government of India to place its agents on the company payroll, where they had “direct unsupervised access” to highly sensitive user data, and that Twitter took funding from unidentified Chinese entities that may have been given access to the identities and sensitive data of Chinese users who secretly use Twitter, which is officially banned in China.
Zatko made a name for himself in the 1990s as the best-known member of the Boston-based collective "L0pht", which pioneered "ethical hacking" by exposing poor security at companies including Microsoft, raising awareness across the computing world and forcing major companies to take security seriously. He co-founded the consultancy "@Stake", which was later acquired by Symantec.
Zatko later worked in senior positions at the Pentagon’s Defense Advanced Research Projects Agency and Google before joining Twitter at former CEO Jack Dorsey’s request in late 2020. That same year the company suffered a security breach in which hackers broke into the Twitter accounts of world leaders, celebrities, and tech moguls, including Musk, in an attempt to scam their followers out of bitcoin.