Lawmakers from both parties appeared united in response to the allegations, saying they raise national security and privacy concerns that need closer examination.

Reps. Frank Pallone Jr. (D-N.J.) and Cathy McMorris Rodgers (R-Wash.), the chair and top Republican on the House Energy and Commerce Committee, said if the whistleblower’s allegations are true, they “reaffirm” the need for Congress to pass consumer privacy legislation to safeguard Americans’ data. The committee is “assessing next steps,” they said in a joint statement.

Former security chief claims Twitter buried ‘egregious deficiencies’

Sen. Richard Blumenthal (D-Conn.), head of the Senate Commerce panel focused on consumer protection, on Tuesday wrote a letter to the Federal Trade Commission, calling for the agency to investigate Zatko’s claims and bring “enforcement actions,” including fines, against Twitter where appropriate.

“These troubling disclosures paint the picture of a company that has consistently and repeatedly prioritized profits over the safety of its users and its responsibility to the public, as Twitter executives appeared to ignore or hinder efforts to address threats to user security and privacy,” he wrote.

Sen. Edward J. Markey (D-Mass.) sent a similar letter to both the FTC and the Department of Justice, saying the whistleblower allegations “suggest” the company violated the terms of a 2011 consent order with the FTC.

The offices of the top lawmakers on the Senate Judiciary Committee, Sens. Richard J. Durbin (D-Ill.) and Charles E. Grassley (R-Iowa), said they have had early discussions with the whistleblower.

“If these claims are accurate, they may show dangerous data privacy and security risks for Twitter users around the world,” Durbin said in a statement.

The Senate Intelligence Committee also received the complaint and is working to set up a meeting with Zatko, spokeswoman Rachel Cohen said.

Twitter has pushed back on Zatko’s allegations. Spokeswoman Anna Hughes said in a statement that the complaint appeared to have “inconsistencies and inaccuracies and lacks important context,” and that security and privacy are “company-wide priorities” at Twitter.

“Mr. Zatko’s allegations and opportunistic timing appear designed to capture attention and inflict harm on Twitter, its customers and its shareholders,” she said.

New whistleblower allegations could factor into Twitter vs. Musk trial

The documents that Zatko provided could inject new urgency into efforts to create new federal privacy safeguards and other accountability measures, despite years of attempts and failures in Congress to regulate the tech industry. It’s also the second time in less than a year that a former employee at a major tech company publicly provided disclosures to members of Congress, signaling tech whistleblowers could play a larger role in efforts to craft new tech policies.

The political fallout could be exacerbated by Twitter’s long-running tensions with lawmakers over content moderation, especially Republicans who claim that the company has unfairly suppressed their political speech.

“Twitter has a long track record of making really bad decisions on everything from censorship to security practices,” said Sen. Marco Rubio, the top Republican on the Intelligence Committee. “That’s a huge concern given the company’s ability to influence the national discourse and global events.”

Sinking FTC workplace rankings threaten Chair Lina Khan’s agenda

Twitter has had run-ins with Washington regulators over its security practices for more than a decade, dating back to a pair of 2009 incidents when hackers gained unauthorized access to the platform. Following those hacks, the company entered into a settlement with the FTC that required it to establish a comprehensive security program that was subject to external audits. The company more recently faced political blowback for a 2020 hack, during which hackers gained access to the accounts of influential people including then-presidential candidate Joe Biden and Musk.

Zatko alleges that Twitter violated the terms of that 2011 FTC order by falsely claiming it had a security plan. A former FTC official, who worked on the Twitter case and spoke on the condition of anonymity to discuss sensitive information, said the agency was understaffed at the time of its initial settlement, and that the enforcement division had failed to keep a close eye on multiple companies after reaching privacy settlements, including the one with Twitter.

Blumenthal said the disclosures “appear to demonstrate Twitter’s disregard for FTC’s consumer data requirements.”

“Big Tech has been allowed to ignore the terms of the FTC’s orders for too long — despite significant breaches, spying scandals, and hijacking of high-profile accounts,” he said in a statement. “The FTC must vigorously oversee and enforce its orders or those requirements become dead letter law while our national security and consumer privacy are undermined.”

Twitter participated in biannual audits of its security practices, in compliance with the order, according to the company.

Rep. Jan Schakowsky (D-Ill.) said that the allegations show that the FTC “absolutely needs more resources.” Democrats proposed boosting the FTC’s budget last year by $1 billion to create a new digital-focused division that would police privacy violations and cybersecurity incidents, but it was ultimately not included in their recent spending package.

“The status quo has once again failed American consumers, from coast to coast and here in the heartland,” she said.