Twitter privacy executives quit, sparking FTC alarm
From the Washington Post
Several top privacy and security executives resigned from Twitter on Thursday, citing fears over the risks from Elon Musk’s leadership, in a stunning exodus that prompted federal regulators to warn they might step in.
Chief Information Security Officer Lea Kissner tweeted that they had made the “hard decision” to resign, and the company’s chief privacy officer and chief compliance officer also quit, according to screenshots of an employee’s internal Slack message shared with The Washington Post.
One current Twitter employee said several other members of the site’s privacy and security unit also had resigned, while another said those remaining were trying to stop a wave of abuse in the company’s expanded paid service, Twitter Blue.
The departures prompted a rare warning from the Federal Trade Commission, which has emerged as the government’s top Silicon Valley watchdog. It marked the second time in two days that Washington had expressed concern about the chaotic developments at the company, coming less than 24 hours after President Biden said Musk’s relationships with other countries deserved scrutiny.
The agency said that it was “tracking the developments at Twitter with deep concern” and that it was prepared to take action to ensure the company was complying with a settlement known as a consent order, which requires Twitter to comply with certain privacy and security requirements because of allegations of past data misuse. Twitter was first put under a consent order in 2011, and it agreed to a new order earlier this year for allegedly misusing phone numbers and email addresses collected for security for advertising.
“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
The privacy staffers said they were most concerned by the rapid rollout of new features without the full security reviews that the FTC consent decree requires. They also objected to Musk’s order in an email Wednesday night — his first to the staff since taking control of the company — that all employees had to begin working in the office 40 hours a week, effective Thursday.
Musk’s email did not address Twitter’s long tradition of flexible and remote work. Instead, it cited a dire need to earn money from Twitter Blue. “Without significant subscription revenue, there is a good chance Twitter will not survive the upcoming economic downturn,” Musk warned. “We need roughly half our revenue to be subscriptions.”
The developments signaled how the FTC could be the government agency that acts as a check on Musk, who has overseen unprecedented chaos during his first two weeks at the helm of Twitter. The federal government has only limited oversight of social media companies, but the FTC has used its oversight over consumer protection and competition to establish itself as the country’s top data privacy regulator. The agency has been using consent orders to hold some of the country’s largest tech companies, including Google, Facebook, Snap and others accountable for alleged privacy missteps. In 2019, the agency reached a $5 billion settlement with Facebook for allegedly violating the terms of a prior order.
Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, opened the company to serious regulatory peril.
Twitter agreed in its settlement to designate employees responsible for privacy and security, including a senior corporate manager who would be responsible for certifying that the company was in compliance. The departures raise questions about whether such a chain of command is still in place, and whether the people still there have the authority and relationships to ensure that the order is being enforced.
“There’s a lot of peril for the company if it doesn’t have continuity,” said a former FTC official, who spoke on the condition of anonymity to candidly discuss the regulatory risks for the company.
David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and the chaos of Musk’s first weeks of ownership raise questions about whether “compliance requirements are going to fall through the cracks.”
Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to be in violation of its agreement with the FTC a second time. “There would be some very significant multiple of the last fine,” he said, referring to the May penalty, which carried a $150 million fine. “You have to add a decimal point to that.”
Twitter entered into the consent decree with the FTC after allegations that it deceptively used email and phone numbers it said it was collecting for security purposes to target users with advertising. The FTC alleged that this violated a 2011 consent decree it had reached with the company.
The new decree required Twitter to start enhanced privacy and security programs, which were to be audited by a third party. Under that program, Twitter is required to conduct a privacy assessment of any new products it launches.
The departures also invited scrutiny in Europe, which unlike the United States, has a general data protection law. Ireland’s Data Protection Commission is seeking more details from the company about the departure of the company’s chief privacy officer, Damien Kieran. Under the European rules, companies are required to have a data protection officer in place.
A spokesman for the Irish DPC said the agency had “not received any official notification from Twitter.” Kieran did not respond to a request for comment. Former Twitter chief compliance officer Marianne Fogarty also did not respond to a request for comment but on Monday tweeted, “I don’t watch Game of Thrones. I certainly don’t want to play it at work.”
Twitter on Wednesday began allowing any user who paid $8 to receive the same blue checkmark that the platform has for years given only to verified politicians, companies and celebrities. But because the company performs no identity verification, a stream of fake accounts has proliferated across the site, including for President Biden, Pope Francis and former British prime minister Tony Blair, some of whom posted sexual jokes or explicit messages. Musk has said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of ‘likes’ and retweets.
The departures also invited scrutiny in Europe, which unlike the United States, has a general data protection law. Ireland’s Data Protection Commission is seeking more details from the company about the departure of the company’s chief privacy officer, Damien Kieran. Under the European rules, companies are required to have a data protection officer in place.
A spokesman for the Irish DPC said the agency had “not received any official notification from Twitter.” Kieran did not respond to a request for comment. Former Twitter chief compliance officer Marianne Fogarty also did not respond to a request for comment but on Monday tweeted, “I don’t watch Game of Thrones. I certainly don’t want to play it at work.”
Twitter on Wednesday began allowing any user who paid $8 to receive the same blue checkmark that the platform has for years given only to verified politicians, companies and celebrities. But because the company performs no identity verification, a stream of fake accounts has proliferated across the site, including for President Biden, Pope Francis and former British prime minister Tony Blair, some of whom posted sexual jokes or explicit messages. Musk has said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of ‘likes’ and retweets.
The employee Slack message said the quick release of products and changes without effective security reviews was “extremely dangerous” for users. It said engineers would have to take on the burden of certifying that the products complied with FTC agreements, putting them at substantial personal legal risk.
The meltdown of the security leadership is especially fraught because an FTC audit was expected by January, according to two people familiar with the schedule. One said that Kissner and other executives had been hiring, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.
“Desperately needed people,” said one of them, who was among the roughly half of the company laid off last week and spoke on the condition of anonymity to discuss internal issues at Twitter.
The Slack message posted a link to Whistleblower Aid, a law firm that represented former security head Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC. The Washington Post previously reported his complaint described as inadequate logging of access to sensitive data and widespread use of out-of-date software.
The message warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say Musk is “willing to take on a huge amount of risk in retaliation to this company and users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’” Spiro did not immediately respond to a request for comment.
Other employees said they were taking paid time off Thursday as a demonstration of disapproval. Kissner, who had been brought in by Zatko, was admired inside Twitter and seen as a crucial backstop amid the recent chaos.
“Twitter has had several major security incidents over the last several years due to poor internal controls and a permissive data architecture,” said Alex Stamos, a former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner made serious strides to closing these flaws, as Twitter is required to do by FTC consent decree.”
Lourdes Turrecha, a cybersecurity and privacy lawyer in Silicon Valley, said the sudden resignations were a bombshell in privacy circles that had already been stunned by Zatko’s whistleblower complaint and the company’s mass layoffs.
“These executives do not want to put their lives on the line and go to jail” if the company breaks the law, she said. “It’s a very hard time to be a chief information security officer or a chief privacy officer in tech right now, especially when your company doesn’t seem to care about its privacy and security practices.”
Several top privacy and security executives resigned from Twitter on Thursday, citing fears over the risks from Elon Musk’s leadership, in a stunning exodus that prompted federal regulators to warn they might step in.
Chief Information Security Officer Lea Kissner tweeted that they had made the “hard decision” to resign, and the company’s chief privacy officer and chief compliance officer also quit, according to screenshots of an employee’s internal Slack message shared with The Washington Post.
One current Twitter employee said several other members of the site’s privacy and security unit also had resigned, while another said those remaining were trying to stop a wave of abuse in the company’s expanded paid service, Twitter Blue.
The departures prompted a rare warning from the Federal Trade Commission, which has emerged as the government’s top Silicon Valley watchdog. It marked the second time in two days that Washington had expressed concern about the chaotic developments at the company, coming less than 24 hours after President Biden said Musk’s relationships with other countries deserved scrutiny.
The agency said that it was “tracking the developments at Twitter with deep concern” and that it was prepared to take action to ensure the company was complying with a settlement known as a consent order, which requires Twitter to comply with certain privacy and security requirements because of allegations of past data misuse. Twitter was first put under a consent order in 2011, and it agreed to a new order earlier this year for allegedly misusing phone numbers and email addresses collected for security for advertising.
“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
The privacy staffers said they were most concerned by the rapid rollout of new features without the full security reviews that the FTC consent decree requires. They also objected to Musk’s order in an email Wednesday night — his first to the staff since taking control of the company — that all employees had to begin working in the office 40 hours a week, effective Thursday.
Musk’s email did not address Twitter’s long tradition of flexible and remote work. Instead, it cited a dire need to earn money from Twitter Blue. “Without significant subscription revenue, there is a good chance Twitter will not survive the upcoming economic downturn,” Musk warned. “We need roughly half our revenue to be subscriptions.”
The developments signaled how the FTC could be the government agency that acts as a check on Musk, who has overseen unprecedented chaos during his first two weeks at the helm of Twitter. The federal government has only limited oversight of social media companies, but the FTC has used its oversight over consumer protection and competition to establish itself as the country’s top data privacy regulator. The agency has been using consent orders to hold some of the country’s largest tech companies, including Google, Facebook, Snap and others accountable for alleged privacy missteps. In 2019, the agency reached a $5 billion settlement with Facebook for allegedly violating the terms of a prior order.
Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, opened the company to serious regulatory peril.
Twitter agreed in its settlement to designate employees responsible for privacy and security, including a senior corporate manager who would be responsible for certifying that the company was in compliance. The departures raise questions about whether such a chain of command is still in place, and whether the people still there have the authority and relationships to ensure that the order is being enforced.
“There’s a lot of peril for the company if it doesn’t have continuity,” said a former FTC official, who spoke on the condition of anonymity to candidly discuss the regulatory risks for the company.
David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and the chaos of Musk’s first weeks of ownership raise questions about whether “compliance requirements are going to fall through the cracks.”
Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to be in violation of its agreement with the FTC a second time. “There would be some very significant multiple of the last fine,” he said, referring to the May penalty, which carried a $150 million fine. “You have to add a decimal point to that.”
Twitter entered into the consent decree with the FTC after allegations that it deceptively used email and phone numbers it said it was collecting for security purposes to target users with advertising. The FTC alleged that this violated a 2011 consent decree it had reached with the company.
The new decree required Twitter to start enhanced privacy and security programs, which were to be audited by a third party. Under that program, Twitter is required to conduct a privacy assessment of any new products it launches.
The departures also invited scrutiny in Europe, which unlike the United States, has a general data protection law. Ireland’s Data Protection Commission is seeking more details from the company about the departure of the company’s chief privacy officer, Damien Kieran. Under the European rules, companies are required to have a data protection officer in place.
A spokesman for the Irish DPC said the agency had “not received any official notification from Twitter.” Kieran did not respond to a request for comment. Former Twitter chief compliance officer Marianne Fogarty also did not respond to a request for comment but on Monday tweeted, “I don’t watch Game of Thrones. I certainly don’t want to play it at work.”
Twitter on Wednesday began allowing any user who paid $8 to receive the same blue checkmark that the platform has for years given only to verified politicians, companies and celebrities. But because the company performs no identity verification, a stream of fake accounts has proliferated across the site, including for President Biden, Pope Francis and former British prime minister Tony Blair, some of whom posted sexual jokes or explicit messages. Musk has said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of ‘likes’ and retweets.
The departures also invited scrutiny in Europe, which unlike the United States, has a general data protection law. Ireland’s Data Protection Commission is seeking more details from the company about the departure of the company’s chief privacy officer, Damien Kieran. Under the European rules, companies are required to have a data protection officer in place.
A spokesman for the Irish DPC said the agency had “not received any official notification from Twitter.” Kieran did not respond to a request for comment. Former Twitter chief compliance officer Marianne Fogarty also did not respond to a request for comment but on Monday tweeted, “I don’t watch Game of Thrones. I certainly don’t want to play it at work.”
Twitter on Wednesday began allowing any user who paid $8 to receive the same blue checkmark that the platform has for years given only to verified politicians, companies and celebrities. But because the company performs no identity verification, a stream of fake accounts has proliferated across the site, including for President Biden, Pope Francis and former British prime minister Tony Blair, some of whom posted sexual jokes or explicit messages. Musk has said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of ‘likes’ and retweets.
The employee Slack message said the quick release of products and changes without effective security reviews was “extremely dangerous” for users. It said engineers would have to take on the burden of certifying that the products complied with FTC agreements, putting them at substantial personal legal risk.
The meltdown of the security leadership is especially fraught because an FTC audit was expected by January, according to two people familiar with the schedule. One said that Kissner and other executives had been hiring, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.
“Desperately needed people,” said one of them, who was among the roughly half of the company laid off last week and spoke on the condition of anonymity to discuss internal issues at Twitter.
The Slack message posted a link to Whistleblower Aid, a law firm that represented former security head Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC. The Washington Post previously reported his complaint described as inadequate logging of access to sensitive data and widespread use of out-of-date software.
The message warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say Musk is “willing to take on a huge amount of risk in retaliation to this company and users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’” Spiro did not immediately respond to a request for comment.
Other employees said they were taking paid time off Thursday as a demonstration of disapproval. Kissner, who had been brought in by Zatko, was admired inside Twitter and seen as a crucial backstop amid the recent chaos.
“Twitter has had several major security incidents over the last several years due to poor internal controls and a permissive data architecture,” said Alex Stamos, a former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner made serious strides to closing these flaws, as Twitter is required to do by FTC consent decree.”
Lourdes Turrecha, a cybersecurity and privacy lawyer in Silicon Valley, said the sudden resignations were a bombshell in privacy circles that had already been stunned by Zatko’s whistleblower complaint and the company’s mass layoffs.
“These executives do not want to put their lives on the line and go to jail” if the company breaks the law, she said. “It’s a very hard time to be a chief information security officer or a chief privacy officer in tech right now, especially when your company doesn’t seem to care about its privacy and security practices.”
