A current Twitter employee said several other members of the site’s privacy and security unit had also quit, while another said those remaining were trying to stem a wave of abuse in the paid service. extended company, Twitter Blue.
The departures prompted a rare warning from the Federal Trade Commission, which has become the government’s top watchdog in Silicon Valley. It was the second time in two days that Washington has expressed concern about the company’s chaotic developments, ahead less than 24 hours after President Biden said Musk’s dealings with other countries deserved scrutiny.
The agency said it was “following the developments on Twitter with deep concern” and was prepared to take action to ensure the company complied with a settlement known as the ordinance. consent, which requires Twitter to comply with certain privacy and security requirements. due to allegations of data misuse in the past. Twitter was first subject to a consent order in 2011, and it agreed to a new order earlier this year for allegedly misusing phone numbers and email addresses collected for security purposes for advertising. .
“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, director of public affairs for the FTC. “Our revised consent order gives us new tools to ensure compliance, and we’re ready to use them.”
Privacy staffers said they were most concerned about the rapid rollout of new features without the comprehensive security reviews required by the FTC’s consent decree. They also objected to Musk’s order in an email Wednesday night — his first to staff since he took over the company — that all employees must begin work in the office 40 hours a day. week, starting Thursday.
Musk’s email didn’t address Twitter’s long tradition of flexible, remote working. Instead, he cited an urgent need to make money with Twitter Blue. “Without significant subscription revenue, there’s a good chance Twitter won’t survive the coming economic downturn,” Musk warned. “We need about half of our revenue to be subscriptions.”
The developments pointed to how the FTC could be the government agency that acts as a check on Musk, who oversaw unprecedented chaos during his first two weeks at the helm of Twitter. The federal government exercises only limited oversight of social media companies, but the FTC has used its consumer protection and competition oversight to establish itself as the nation’s top data privacy regulator. . The agency has used consent orders to hold some of the nation’s biggest tech companies, including Google, Facebook, Snap and others, liable for alleged privacy missteps. In 2019, the agency reached a $5 billion settlement with Facebook for allegedly violating the terms of an earlier order.
Former FTC officials have warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, expose the company to serious regulatory risks.
Twitter agreed in its bylaws to designate employees responsible for privacy and security, including a senior executive who would be responsible for certifying that the company was in compliance. The departures raise questions about whether such a chain of command is still in place and whether those still in it have the authority and connections to ensure the order is carried out.
“There are a lot of perils for the business if it doesn’t have continuity,” said a former FTC official, who spoke on condition of anonymity to candidly discuss regulatory risks to the business.
David C. Vladeck, who was director of the FTC’s Consumer Protection Bureau at the time of Twitter’s first settlement with the agency, said the departures and chaos of Musk’s first few weeks of ownership raise questions about whether “compliance requirements will fall through the cracks.
Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to violate its agreement with the FTC a second time. “There would be a very significant multiple of the last fine,” he said, referring to the May penalty, which carried a $150 million fine. “You need to add a decimal point to that.”
Twitter entered into the consent decree with the FTC after allegations that it deceptively used emails and phone numbers it said it collects for security purposes to target users with advertising. The FTC alleged that this violated a 2011 consent decree it entered into with the company.
The new executive order required Twitter to launch enhanced privacy and security programs, which had to be audited by a third party. As part of this program, Twitter is required to conduct a privacy assessment of all new products it launches.
The departures also invited scrutiny in Europe, which, unlike the United States, has general data protection law. The Irish Data Protection Commission is seeking further details from the company on the departure of the company’s privacy officer, Damien Kieran. According to European rules, companies are required to set up a data protection officer.
A spokesperson for the Irish DPC said the agency had “not received any official notification from Twitter”. Kieran did not respond to a request for comment. Former Twitter compliance officer Marianne Fogarty also did not respond to a request for comment, but on Monday tweeted“I don’t watch Game of Thrones. I certainly don’t want to play it at work.
On Wednesday, Twitter began allowing any user who pays $8 to receive the same blue check mark the platform has only given to verified politicians, businesses and celebrities for years. But because the company does not perform any identity verification, a stream of fake accounts has proliferated on the site, including for President Biden, Pope Francis and former British Prime Minister Tony Blair, some of whom have posted sexual jokes or explicit messages. Musk said the company would suspend those accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of likes and retweets.
As Musk is on a collision course with the US government, bogus but verified accounts for George W. Bush, Tony Blair and Rudy Giuliani have proliferated on the site. One of Musk’s last tweets seven hours ago was a answer to someone mentioning that a fake President Biden was talking about performing a sex act, to which Musk responded with two crying laughing emoji.
The Slack employee’s post said rapidly releasing products and changes without an effective security review was “extremely dangerous” for users. He said engineers would have to bear the burden of certifying that products complied with FTC agreements, which would expose them to substantial personal legal risk.
The collapse of the security branch is particularly dire because an FTC audit was expected by January, according to two people familiar with the timeline. One said Kissner and other executives had hired, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.
“Desperately needed people,” said one, who was part of about half of the company laid off last week and spoke on condition of anonymity to discuss internal Twitter issues.
The Slack message posted a link to Whistleblower Aid, a law firm that represented former security chief Peiter Zatko when he filed a lawsuit this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC. The Washington Post previously reported his complaint described as inadequate logging of access to sensitive data and widespread use of outdated software.
The post warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say that Musk was “willing to take enormous risks in retaliation against this company and its users because ‘Elon puts rockets into space, he not afraid of the FTC.” Spiro did not immediately respond to a request for comment.
Other employees said they were taking paid time off on Thursday as a sign of disapproval. Kissner, who was brought in by Zatko, was admired on Twitter and seen as crucial support amid the recent chaos.
“Twitter has experienced several major security incidents over the past few years due to poor internal controls and a permissive data architecture,” said Alex Stamos, former chief data security officer at Facebook and Yahoo. “The team led by Dr. Kissner has made serious progress in closing these loopholes, as Twitter is required to do by the FTC’s consent decree.”
Lourdes Turrecha, a Silicon Valley cybersecurity and privacy lawyer, said the sudden resignations were a bombshell in privacy circles that had already been stunned by the whistleblower complaint of Zatko and the company’s massive layoffs.
“These executives don’t want to risk their lives and go to jail” if the company breaks the law, she said. “It’s a very difficult time to be an information security officer or a privacy officer in technology right now, especially when your company doesn’t seem to care about its privacy practices and of security.”
Zakrzewski reported from Washington, DC Drew Harwell contributed.