In August, a complaint by Twitter’s former Chief Security Officer Peiter “Mudge” Zatko came to light alleging numerous security problems with the company, including employees who were working for foreign governments and a lack of encryption and software updates. As I wrote at the time, the complaint was a big deal not because most of the things Mudge accused Twitter of doing were illegal, but rather because the company was already subject to a consent decree with the Federal Trade Commission for previous security and privacy problems, and if it violated the terms of that consent order, it could be subject to very significant fines (see, for instance, the FTC’s $5 billion Facebook fine in 2019 when that company violated a previous FTC order).
So the obvious thing for Twitter to have done would have been to get its act together and make sure it was scrupulously attending to every single provision of its 2010 settlement and its 2022 settlement with the government. Instead, perhaps unsurprisingly, under Elon Musk Twitter seems to have gone hard in the opposite direction, with the departures of three of its top security and privacy executives on Thursday: chief information security officer Lea Kissner, chief privacy officer Damien Kieran, and chief compliance officer Marianne Fogarty. The three Twitter employees all resigned voluntarily, following a large round of layoffs at Twitter last week. Later on Thursday, reports surfaced on Twitter that Yoel Roth, the company’s head of Trust & Safety, would also be leaving.
These departures are terrible news for Twitter on two fronts. One is simply that they leave the company more vulnerable than ever to breaches, account compromises, insider threats, and all the other risks that Mudge warned the company was already not adequately defending itself against. With the people responsible for overseeing security and privacy on their way out, it’s not clear who, if anyone, is responsible for actually implementing security protections for the company, reviewing potential alerts, and responding to intrusions.
On top of that, users whose accounts are compromised—for instance, if their credentials are stolen or intruders are able to reset passwords using access to employee tools—may have a harder time fixing the problem if the Trust & Safety team, which is typically responsible for addressing these types of issues, no longer has a leader.
Those are major risks to Twitter users. But perhaps the bigger risk for Twitter right now is that it is still in the midst of a very delicate and high-stakes investigation by the FTC, and just about everyone who was responsible for navigating that process, or who understood how to steer it, has now left the company.
In what should be a warning sign for Twitter, the FTC’s director of public affairs, Douglas Farrar, told Reuters that the FTC is “tracking recent developments at Twitter with deep concern.” He added, “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.” That order, for instance, requires Twitter to produce a written “Privacy Review” report for each “new or modified product, service, or practice that poses a material risk to the privacy, security, confidentiality, or integrity” of users’ personal information. It also requires Twitter to submit a written report to the FTC about any data breach affecting more than 250 Twitter users within 30 days of discovering it. There are also fairly onerous requirements for compliance monitoring, third-party audits, and mandatory security and privacy programs.
It’s simply not clear who’s going to oversee any of these processes without people leading the security, privacy, and compliance teams. According to reporting in The Verge, the Twitter legal team has instructed engineers to “self-certify” that their products and services comply with the FTC orders, even as the new Twitter Blue service released this week apparently bypassed the standard security and privacy checks in place at the company. The notion that engineers will self-certify the privacy and security of their services is sheer nonsense. The reason companies have dedicated privacy and security teams is that these are specialized areas that require particular expertise to assess.
Moreover, most Twitter engineers probably don’t even know the specific terms of the company’s consent orders with the government (and why should they?). How are they going to certify that the work they’ve done is in compliance with the rules laid out in orders most of them have probably never read? And why would they want to be in that position, especially after Uber’s former chief security officer was convicted, earlier this year, of obstruction of FTC proceedings because he deceived the government about Uber’s 2016 breach?
It’s also not clear who’s going to be in communication with the FTC about how the company is complying with these orders. Perhaps this is because the company simply isn’t planning to cooperate with FTC investigations or requirements anymore. That was, a little bit, the impression left by remarks attributed to Elon Musk’s lawyer Alex Spiro, who has been heavily involved in the takeover of Twitter. Reuters reports that an attorney on Twitter’s privacy team posted a note on Slack saying that Spiro had said Musk is willing to take on a “huge amount of risk” because “Elon puts rockets into space, he’s not afraid of the FTC.”
But Musk should be afraid of the FTC, if for no other reason than that the agency can fine Twitter literally billions of dollars—and Musk’s own message to employees this week suggests that the company is already in significant financial trouble. So rockets notwithstanding, Musk should tread cautiously with the FTC. The rest of us should tread cautiously about turning over sensitive information (like, say, credit card numbers or bank account information) to Twitter at a moment when the company seems more insecure than ever.