Twitter security staff kept firm in compliance by disobeying Musk, FTC says


Elon Musk sits on stage while being interviewed during a conference.
Enlarge / Elon Musk at the New York Times DealBook Summit on November 29, 2023, in New York City.

Getty Images | Michael Santiago

Twitter employees prevented Elon Musk from violating the company’s privacy settlement with the US government, according to Federal Trade Commission Chair Lina Khan.

After Musk bought Twitter in late 2022, he gave Bari Weiss and other journalists access to company documents in the so-called “Twitter Files” incident. The access given to outside individuals raised concerns that Twitter (which is currently named X) violated a 2022 settlement with the FTC, which has requirements designed to prevent repeats of previous security failures.

Some of Twitter’s top privacy and security executives also resigned shortly after Musk’s purchase, citing concerns that Musk’s rapid changes could cause violations of the settlement.

FTC staff deposed former Twitter employees and “learned that the access provided to the third-party individuals turned out to be more limited than the individuals’ tweets and other public reporting had indicated,” Khan wrote in a letter sent today to US Rep. Jim Jordan (R-Ohio). Khan’s letter said the access was limited because employees refused to comply with Musk’s demands:

The deposition testimony revealed that in early December 2022, Elon Musk had reportedly directed staff to grant an outside third-party individual “full access to everything at Twitter… No limits at all.” Consistent with Musk’s direction, the individual was initially assigned a company laptop and internal account, with the intent that the third-party individual be given “elevated privileges” beyond what an average company employee might have.

However, based on a concern that such an arrangement would risk exposing nonpublic user information in potential violation of the FTC’s Order, longtime information security employees at Twitter intervened and implemented safeguards to mitigate the risks. Ultimately the third-party individuals did not receive direct access to Twitter’s systems, but instead worked with other company employees who accessed the systems on the individuals’ behalf.

Khan: FTC “was right to be concerned”

Jordan is chair of the House Judiciary Committee and has criticized the investigation, claiming that “the FTC harassed Twitter in the wake of Mr. Musk’s acquisition.” Khan’s letter to Jordan today argues that the FTC investigation was justified.

“The FTC’s investigation confirmed that staff was right to be concerned, given that Twitter’s new CEO had directed employees to take actions that would have violated the FTC’s Order,” Khan wrote. “Once staff learned that the FTC’s Order had worked to ensure that Twitter employees took appropriate measures to protect consumers’ private information, compliance staff made no further inquiries to Twitter or anyone else concerning this issue.”

Khan also wrote that deep staff cuts following the Musk acquisition, and resignations of Twitter’s top privacy and compliance officials, meant that “there was no one left at the company responsible for interpreting and modifying data policies and practices to ensure Twitter was complying with the FTC’s Order to safeguard Americans’ personal data.” The letter continued:

During staff’s evaluation of the workforce reductions, one of the company’s recently departed lead privacy and security experts testified that Twitter Blue was being implemented too quickly so that the proper “security and privacy review was not conducted in accordance with the company’s process for software development.” Another expert testified that he had concerns about Mr. Musk’s “commitment to overall security and privacy of the organization.” Twitter, meanwhile, filed a motion seeking to eliminate the FTC Order that protected the privacy and security of Americans’ data. Fortunately for Twitter’s millions of users, that effort failed in court.

FTC still trying to depose Musk

While no violation was found in this case, the FTC isn’t done investigating. When contacted by Ars, an FTC spokesperson said the agency cannot rule out bringing lawsuits against Musk’s social network for violations of the settlement or US law.

“When we heard credible public reports of potential violations of protections for Twitter users’ data, we moved swiftly to investigate,” the FTC said in a statement today. “The order remains in place and the FTC continues to deploy the order’s tools to protect Twitter users’ data and ensure the company remains in compliance.”

The FTC also said it is continuing attempts to depose Musk. In July 2023, Musk’s X Corp. asked a federal court for an order that would terminate the settlement and prevent the FTC from deposing Musk. The court denied both requests in November. In a filing, US government lawyers said the FTC investigation had “revealed a chaotic environment at the company that raised serious questions about whether and how Musk and other leaders were ensuring X Corp.’s compliance with the 2022 Administrative Order.

We contacted X today, but an auto-reply informed us that the company was busy and asked that we check back later.



Source link

About The Author

Scroll to Top