FTC tracking developments at Twitter with ‘deep concern’ after CISO resigns
Jonathan Greig November 10, 2022

The Federal Trade Commission (FTC) said it is monitoring the recent fracas around Twitter just hours after the company’s chief information security officer announced their resignation. 

Twitter was fined $150 million in May after it was caught by the Justice Department and FTC covertly using account security data for targeted advertising. Alongside the fine, the company agreed to a slate of other rules related to its security and advertising practices.

All of that has been thrown into limbo by the recent purchase of the company by Tesla CEO Elon Musk — who completed his acquisition of the social media giant two weeks ago in a $44 billion deal — and high-profile departures at the company. 

Since taking over, Musk has fired half of Twitter’s employees and pushed through several changes to how the site functions in an effort to increase its profitability. 

On Thursday, Twitter Chief Information Security Officer Lea Kissner, Chief Privacy Officer Damien Kieran, and Chief Compliance Officer Marianne Fogarty all resigned. 

The three quit the day before Twitter is required to send the FTC a report on its compliance with the order from May. 

The New York Times and Verge reported that one employee shared a lengthy message in Twitter’s public Slack channel critical of Musk’s efforts to further monetize the company. The employee allegedly claimed Musk was not afraid of the ramifications of potential FTC violations, and the company’s legal department was planning to “shift the burden to engineers to self-certify compliance with FTC requirements and other laws.”

“This will put a huge amount of personal, professional and legal risk onto engineers. I anticipate that all of you will be pressured by management into pushing out changes that will likely lead to major incidents,” the employee is quoted as saying. 

“All of this is extremely dangerous for our users. Also, given that the FTC can (and will!) fine Twitter BILLIONS of dollars pursuant to the FTC Consent Order, extremely detrimental to Twitter’s longevity as a platform. Our users deserve so much better than this.” 

The fines issued by the FTC in May were part of a 20-year consent order over Twitter’s data privacy practices. The FTC can monitor Twitter’s compliance with the order and conduct periodic audits.

The three senior executives who quit on Thursday were in charge of making privacy and security decisions that would keep the company in compliance with FTC rules, which are legally binding. 

An FTC spokesperson told The Record that they are “tracking recent developments at Twitter with deep concern.”

“No CEO or company is above the law, and companies must follow our consent decrees,” the spokesperson said. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

Riana Pfefferkorn, a lawyer who has worked with Twitter, said any changes to the platform’s technology have to be reported to the FTC, meaning Twitter may have already violated the consent order, given the changes Musk has pushed through since taking over.

Twitter did not respond to requests for comment.

The company’s rollout of the Twitter Blue subscription service, in which verification can be purchased by subscription, was quickly abused by thousands of people who used the feature to spoof public figures and businesses.

Even before the fiasco around Musk, Twitter was facing significant security and privacy headwinds. Former Twitter security chief Peiter “Mudge” Zatko testified before the Senate Judiciary Committee in September and spoke of alleged infiltration of Twitter by foreign agents, widespread lack of data controls and ineffective U.S. regulation.

Tom Kellermann, senior vice president of cyber strategy at Contrast Security, warned the resignations of privacy and security leaders at the company “will create a vacuum.”

“Lack of investment in cybersecurity and content moderation will allow for cyberspies and cartels to launch targeted cyberattacks from the platform,” he said.

“Confusion over security policies and new management of the platform will be used by attackers to drop payloads and attacks, not just disinformation.” 

Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.