Twitter security chiefs resign amid fears Musk violates FTC rules

Some of Twitter’s top privacy and security officials resigned this week as Elon Musk’s rapid changes could lead to violations of the company’s recent agreement with the Federal Trade Commission.

“Privacy staff members said they were most concerned about the rapid rollout of new features without the comprehensive security reviews required by the FTC’s consent decree,” The Washington Post reported in an article on departures today.

Information Security Manager Lea Kissner confirmed his departure from the company in a tweet. Privacy officer Damien Kieran and compliance officer Marianne Fogarty have also resigned, according to reports.

The FTC said it was monitoring what was happening on Twitter. “We are following recent developments on Twitter with deep concern,” an FTC spokesperson said in a statement to The Hill and other news outlets. “No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent decree gives us new tools to ensure compliance, and we are ready to use them.”

Recent FTC order puts Twitter at risk of non-compliance

Twitter reached a new settlement with the FTC in May 2022, agreeing to pay a $150 million fine for targeting ads to users with phone numbers and email addresses collected from those users when they have enabled two-factor authentication. The FTC said the ad targeting violated the terms of Twitter’s 2011 settlement with the FTC, which “explicitly prohibited the company from misrepresenting its privacy and security practices.”

The FTC also said it required “substantial new compliance measures” to “help prevent new deceptive tactics that threaten user privacy.” The settlement requires privacy, security, and confidentiality risk assessments before Twitter launches new or modified products and services.

Another requirement is that Twitter must submit a compliance notice within 14 days of a merger. That means the company must give the FTC a notice of compliance triggered by Musk’s purchase today if it hasn’t already.

Musk’s quick changes risk violating Twitter’s agreement with the FTC, a company attorney reportedly warned in an internal Slack post visible to all Twitter staff. The Verge published the Slack post, saying it was posted by an attorney from the company’s privacy team.

“Musk’s new legal department is now asking engineers to ‘self-certify’ compliance with FTC rules and other privacy laws, according to the memo from the attorney and another employee familiar with the matter, who requested anonymity to speak without the company’s permission,” The Verge wrote.

Musk last week laid off about 3,700 employees, or about half of Twitter’s staff.

Lawyer warns Twitter engineers of legal risk

Submissions to the FTC required by the May 2022 Consent Decree are made under penalty of perjury. As Mike Masnick pointed out on TechDirt, “Anyone who works on Twitter Needs knowing that something “self-certifying” that violates the FTC’s consent decree can be tied to jail time and huge fines. That’s not how it should all work.”

The Twitter lawyer’s internal message reads in part:

This will pose enormous personal, professional and legal risks to engineers: I anticipate that you will all [b]We are pushed by management to implement changes that could lead to major incidents.

All of this is extremely dangerous for our users. Additionally, since the FTC can (and will!) fine Twitter BILLIONS of dollars pursuant to the FTC’s consent order, which is extremely detrimental to Twitter’s longevity as a platform. form. Our users deserve so much better than this.

The Verge also paraphrased another anonymous employee by saying that this week’s launch of the revamped Twitter Blue subscription “did not take into account the normal corporate privacy and security review” in which a “team red” examines the potential risks before the launch. “None of the Red Team’s recommendations were implemented prior to Twitter Blue’s relaunch, the employee said,” according to The Verge report.

The Twitter Blue changes pay $8 per month for blue checkmarks that were previously reserved for accounts that Twitter has verified as real and notable.

The Washington Post quoted former FTC official David Vladeck as saying the executive departures and general chaos on Twitter raise questions about whether “compliance requirements are going to fall through the cracks.” Vladeck, who was director of the FTC’s Consumer Protection Bureau when the 2011 settlement was reached, said another violation would result in much larger fines than the $150 million from earlier this year.

“There would be a very significant multiple of the last fine,” the Post quoted Vladeck as saying.

Go to chat…