Yesterday I tweeted out a question about whether or not there was anyone left at Twitter who remembered that the company was under a pretty strict FTC consent decree:
By the way, is there anyone left at Twitter who remembers that the company is still under a pretty stringent FTC consent decree that has, you know, some requirements about launching new products & services and having a written plan about their security? https://t.co/ZjytSLUq1W pic.twitter.com/Wc1iJKeEEZ
— Mike Masnick (@mmasnick) November 9, 2022
Apparently the answer was yes, but they didn’t include Elon Musk. Late last night, a few hours after that tweet, the Chief Information Security Officer, the Chief Privacy Officer, and the Chief Compliance Officer all quit, apparently citing potential FTC violations as the reason. Lea Kissner, the former CISO, tweeted about it early this morning:
According to the Verge, Elon and his entourage have made it clear that he doesn’t give a fuck about the FTC. It details a note on an internal Twitter Slack from a company lawyer:
In a note posted to Twitter’s Slack and viewable to all staff that was obtained by The Verge, an attorney on the company’s privacy team wrote, “Elon has shown that his only priority with Twitter users is how to monetize them. I do not believe he cares about the human rights activists, the dissidents, our users in un-monetizable regions, and all the other users who have made Twitter the global town square you have all spent so long building, and we all love.”
The note goes on to say that its author, who The Verge knows the identity of but is choosing not to disclose, has “heard Alex Spiro (current head of Legal) say that Elon is willing to take on a huge amount of risk in relation to this company and its users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’”
So, here’s the thing. While Elon may think he’s not afraid of the FTC, he should be. The FTC is not the SEC and the FTC does not fuck around. Violating the FTC can lead to criminal penalties. I mean, it was just a month ago that Uber’s former Chief Security Officer was convicted on federal charges for obstruction against the FTC.
And you wonder why Twitter’s Chief Security Officer resigned?
The Verge article also notes the following:
Musk’s new legal department is now asking engineers to “self-certify” compliance with FTC rules and other privacy laws, according to the lawyer’s note and another employee familiar with the matter, who requested anonymity to speak without the company’s permission.
Anyone working in Twitter needs to know that “self-certifying” something that violates the FTC’s consent decree may be tied to a prison sentence and huge fines. This is not how any of this should be working.
Stanford’s Riana Pfefferkorn (who used to be outside counsel for Twitter) has a great Twitter thread explaining the many ways in which this is fucked up. That thread notes that… today Twitter violated the FTC’s consent decree as it was required to file a notice with the FTC about Elon’s takeover and how it relates to the compliance with the consent decrees.
As for the background on all this, some of you youngsters might not remember this, but back in 2011 Twitter signed a consent decree with the FTC over its failure to safeguard user info. Now, almost every big tech company these days has a consent decree with the FTC after they royally screwed up something and effectively leaked users’ private data. Most of the consent decrees last for 20 years. That might make you think such consent decrees are meaningless, but the opposite is true. While under these consent decrees, the FTC now has tremendous power to cause a world of hurt to the company for screwing up.
Indeed, remember three years ago when the FTC hit Facebook with a $5 billion fine? Most people remember that as being for the whole Cambridge Analytica thing, but it was actually for violating the consent decree that Facebook had signed years earlier (partly because of Cambridge Analytica, but also some other shoddy privacy practices). In other words, while you’re under the consent decree, if you screw up, you could be in deep trouble. Combined with the example of Uber’s Joe Sullivan, and you realize that fucking with the FTC doesn’t end well for anyone.
Anyway, Twitter’s 2011 consent decree was over misrepresenting how Twitter’s privacy controls worked — users believed they were choosing settings to keep info private, and Twitter wasn’t abiding by them, mainly because Twitter wasn’t very careful with its own security, allowing hackers to breach their systems and read content that users believed was private.
Given that much of the problem was around Twitter’s security practices, the consent decree was focused on making sure that Twitter shaped up its security practices. As you might recall, back in May, Twitter also got hit with a $150 million fine for violating the consent decree. In that case, it was because Twitter took phone numbers that users had provided for two-factor authentication and used them for marketing (this was also a big part of that $5 billion fine that hit Facebook, and notably, it looks like Twitter stopped the practice a month or two after the Facebook fine!).
All of this is kinda important right now, as Elon tries to roll out features at record speed. Because… the consent decree has some requirements for rolling out new products and making sure they’re secure. The original consent decree says that any new product or service must be rolled out with a written plan including the following:
the identification of reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of nonpublic consumer information or in unauthorized administrative control of the Twitter system, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, account takeovers, or other systems failures
When I started writing this post last night, I wondered if anyone at the company still remembered that they needed to comply with this, and by this morning I knew the answer was yes — though they’ve now all left.
But, also, the order and fine from earlier this year included some modifications to the original consent decree with even more stringent requirements. There’s actually a lot of new stuff in the updated consent decree (which, again, went into effect just months ago). But one thing it requires is the following:
Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondent identifies to the privacy, security, confidentiality, or integrity of Covered Information identified in response to Provision V.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the: (1) unauthorized collection, maintenance, use, disclosure, alteration, or destruction of, or provision of access to Covered Information; or the (2) misuse, loss, theft, or other compromise of such information. Such safeguards must also include:
- Prior to implementing any new or modified product, service, or practice that collects, maintains, uses, discloses, or provides access to Covered Information, conducting an assessment of the risks to the privacy, security, confidentiality, or integrity of the Covered Information;
- For each new or modified product, service, or practice that does not pose a material risk to the privacy, security, confidentiality, or integrity of Covered Information, documenting a description of each reviewed product, service, or practice and why such product, service, or practice does not pose such a material risk;
- For each new or modified product, service, or practice that poses a material risk to the privacy, security, confidentiality, or integrity of Covered Information, conducting a privacy review and producing a written report (“Privacy Review”) for each such new or modified product, service, or practice. The Privacy Review must:
  (a) Describe how the product, service, or practice will collect, maintain, use, disclose, or provide access to Covered Information, and for how long;
  (b) Identify and describe the types of Covered Information the product, service, or practice will collect, maintain, use, disclose, or provide access to;
  (c) If the Covered Information will be collected from a User, describe the context of the interaction in which Respondent will collect such Covered Information (e.g., under security settings, in pop-up messages in the timeline, or in response to a prompt reading, “Get Better Ads!”);
  (d) Describe any notice that Respondent will provide Users about the collection, maintenance, use, disclosure, or provision of access to the Covered Information;
  (e) State whether and how Respondent will obtain consent from Users for the collection, maintenance, use, disclosure, or provision of access to Covered Information;
  (f) Identify any privacy controls that will be provided to Users relevant to the collection, maintenance, use, disclosure, or provision of access to the Covered Information;
  (g) Identify any third parties to whom Respondent will disclose or provide access to the Covered Information;
  (h) Assess and describe the material risks to the privacy, security, confidentiality, and integrity of Covered Information presented by the product, service, or practice;
  (i) Assess and describe the safeguards to control for the identified risks, and whether any additional safeguards need to be implemented to control for such risks;
  (j) Explain the reasons why Respondent deems the notice and consent mechanisms described in Provisions V.E.3(d) and V.E.3(e) sufficient;
  (k) Identify and describe any limitations on the collection, maintenance, use, disclosure, or provision of access to Covered Information based on: (i) the context of the collection of such Covered Information; (ii) notice to Users; and (iii) any consent given by Users at the time of collection or through subsequent authorization;
  (l) Identify and describe any changes in how privacy and security-related options will be presented to Users, and describe the means and results of any testing Respondent performed in considering such changes, including but not limited to A/B testing, engagement optimization, or other testing to evaluate a User’s movement through a privacy or security-related pathway;
  (m) Include any other safeguards or other procedures that would mitigate the identified risks to the privacy, security, confidentiality, and integrity of Covered Information that were not implemented, and each reason that such alternatives were not implemented; and
  (n) Include any decision or recommendation made as a result of the review (e.g., whether the practice was approved, approved contingent upon safeguards or other recommendations being implemented, or rejected);
Now, who knows. Perhaps Twitter will argue that its new verification system and the other features it’s rolling out with little to no testing don’t qualify for these requirements? Or perhaps, along with the dwindling engineering team that is sleeping on the floor, there remain a few lawyers who remember all this and have been putting together all of the documentation necessary to comply. But I do wonder how comprehensive such a report can be under these circumstances.
And the resignations last night clearly suggest that what needs to happen isn’t happening. And I’m pretty damn sure the FTC is well aware of what’s happening. And while Elon may not give a shit about the FTC, the FTC can make his life absolutely fucking miserable.
Of course, here’s where having the two top legal execs who had been with the company through this whole process might have helped… rather than firing them seconds after taking control of the company.
Update: It appears the FTC is aware of what’s going on:
“We are tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”