Twitter security execs quit amid worries that Musk will violate FTC settlement


Some of Twitter’s top privacy and security executives resigned this week amid worries that Elon Musk’s rapid changes may cause violations of the company’s recent settlement with the Federal Trade Commission.

“The privacy staffers said they were most concerned by the rapid rollout of new features without the full security reviews that the FTC consent decree requires,” The Washington Post reported in a story about the departures today.

Chief Information Security Officer Lea Kissner confirmed leaving the company in a tweet. Chief Privacy Officer Damien Kieran and Chief Compliance Officer Marianne Fogarty also resigned, according to news reports.

The FTC said it’s keeping track of what’s going on at Twitter. “We are tracking recent developments at Twitter with deep concern,” an FTC spokesperson said in a statement to The Hill and other news outlets. “No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

Recent FTC order opens Twitter to compliance risk

Twitter reached a new settlement with the FTC in May 2022, agreeing to pay a $150 million penalty for targeting ads at users with phone numbers and email addresses collected from those users when they enabled two-factor authentication. The FTC said the ad-targeting violated the terms of Twitter’s 2011 settlement with the FTC, which “explicitly prohibited the company from misrepresenting its privacy and security practices.”

The FTC also said it was requiring “substantial new compliance measures” to “help prevent further misleading tactics that threaten users’ privacy.” The settlement requires assessments of risks to privacy, security, and confidentiality before Twitter launches new or modified products and services.

Another requirement is that Twitter must submit a compliance notice within 14 days after a merger. That means the company has to give the FTC a compliance notice triggered by the Musk purchase today if it hasn’t already done so.

Musk’s quick changes risk violating Twitter’s deal with the FTC, a company lawyer reportedly warned in an internal Slack message that was viewable by Twitter’s entire staff. The Verge published the Slack message, saying it was posted by an attorney on the company’s privacy team.

“Musk’s new legal department is now asking engineers to ‘self-certify’ compliance with FTC rules and other privacy laws, according to the lawyer’s note and another employee familiar with the matter, who requested anonymity to speak without the company’s permission,” The Verge wrote.

Musk last week laid off about 3,700 employees, about half of Twitter’s staff.

Attorney warns Twitter engineers of legal risk

Submissions to the FTC required by the May 2022 consent decree are made under penalty of perjury. As Mike Masnick pointed out on TechDirt, “Anyone working in Twitter needs to know that ‘self-certifying’ something that violates the FTC’s consent decree may be tied to a prison sentence and huge fines. This is not how any of this should be working.”

The Twitter lawyer’s internal message reads in part:

This will put huge amount of personal, professional and legal risk onto engineers: I anticipate that all of you will [b]e pressured by management into pushing out changes that will likely lead to major incidents.

All of this is extremely dangerous for our users. Also, given that the FTC can (and will!) fine Twitter BILLIONS of dollars pursuant to the FTC Consent Order, extremely detrimental to Twitter’s longevity as a platform. Our users deserve so much better than this.

The Verge also paraphrased another anonymous employee as saying that this week’s launch of the revamped Twitter Blue subscription “disregarded the company’s normal privacy and security review” in which a “red team” reviews potential risks before launch. “None of the red team’s recommendations were implemented before Twitter Blue’s relaunch, the employee said,” according to The Verge report.

The Twitter Blue changes make it possible to pay $8 a month for the blue checkmarks that were previously reserved for accounts that Twitter verified as being real and notable.

The Washington Post quoted former FTC official David Vladeck as saying the executive departures and general chaos at Twitter raise questions about whether “compliance requirements are going to fall through the cracks.” Vladeck, who was director of the FTC Bureau of Consumer Protection when the 2011 settlement was reached, said another violation would trigger much bigger fines than the $150 million one from earlier this year.

“There would be some very significant multiple of the last fine,” the Post quoted Vladeck as saying.


https://arstechnica.com/?p=1896722