JOIN USFTC intensifies investigation of Twitter’s privacy practices
The Federal Trade Commission is intensifying an investigation into Twitter’s data and privacy practices and is seeking testimony from Elon Musk, who has laid off the bulk of Twitter’s workforce since acquiring the company last year.
The investigation is focused on whether Twitter has adequate resources to protect its users’ privacy after the mass layoffs and budget cuts ordered by Musk, said five people familiar with the investigation who spoke on the condition of anonymity.
The agency, which currently has oversight over Twitter, investigated a former executive’s claims of security problems last summer and ramped up its inquiry after the abrupt resignations of three top executives responsible for privacy, security and compliance. They left Twitter in November shortly after Musk acquired the company.
The agency has requested a conversation with Musk, two of the people said. It has also sought to interview former Twitter employees who worked on privacy and security at the company.
The inquiry has been criticized by a subcommittee of the Republican-led House Judiciary Committee, which said Tuesday that the FTC was engaged in an “aggressive campaign to harass Twitter” and had issued more than 350 requests for information since Musk took over the company in October.
Musk’s takeover of Twitter has drawn scrutiny from several enforcement agencies. While the FTC has dug into whether Twitter has the resources to abide by its privacy promises to consumers, the European Union has pressured Twitter to release more data about how it fights disinformation. The Securities and Exchange Commission also probed whether Musk’s purchases of Twitter stock had been properly disclosed.
“Protecting consumers’ privacy is exactly what the FTC is supposed to do,” Douglas Farrar, an agency spokesperson, said in a statement. “It should come as no surprise that career staff at the commission are conducting a rigorous investigation into Twitter’s compliance with a consent order that came into effect long before Mr. Musk purchased the company.” The SEC declined to comment.
The FTC has pressed Twitter to explain its management structure and to define Musk’s precise role at the company. It has also questioned whether Twitter has the necessary staff and financial resources to keep up with its privacy obligations, as Musk continues to cut costs and lay off workers.
The agency has also asked for details about recent sales of Twitter’s office equipment, including whether computers had been wiped of user data, and about Twitter’s plan to sell verification check marks, House Republicans said in a report that was released Tuesday.
Under a consent decree it reached with the agency in 2011 and expanded in 2022, Twitter is required to conduct regular security audits and keep the FTC informed about how it handles sensitive data.
The arrangement began in March 2011, when the company settled charges that it had failed to safeguard users’ personal information after two data breaches in 2009. Last year, the FTC fined Twitter $150 million for misleading users about the fact that personal data collected for security purposes was actually being used for advertising, and it expanded its oversight of the company.
The compliance process is laborious, two former Twitter employees said, and once relied on supervision from hundreds of people in Twitter’s privacy, engineering, legal and security teams to run smoothly.
Twitter also used software made by a company called Collibra to keep track of its progress on compliance, but it stopped payments to Collibra as Musk sought to cut costs at Twitter, two people familiar with the arrangement said. Collibra did not respond to requests for comment.
The FTC has questioned whether Twitter still has the staff or the budget to keep up with its compliance obligations. The agency has also sought to understand whether Musk has the final say on privacy issues, and which other executives might be involved in those decisions.
“These demands have no basis in the FTC’s statutory mission and appear to be the result of partisan pressure to target Twitter and silence Musk,” the House Judiciary subcommittee said in its report, which called the FTC’s investigation into Musk “unusual.”
The subcommittee also criticized the FTC for asking Twitter about access to internal company files that it had provided to a group of journalists. An FTC spokesperson said the agency routinely sought information that companies under consent orders, such as Twitter, provided to third parties.
In November, three senior executives responsible for overseeing security, privacy and compliance resigned from Twitter, a day before a deadline for Twitter to submit a response to an FTC demand letter. The FTC, in an effort led by Reenah Kim, a longtime staff attorney who was involved in the agency’s earlier investigation of privacy issues at Facebook, has spoken with at least two of those executives, Damien Kieran and Lea Kissner, three people familiar with the matter said.
Musk’s mass layoffs have roiled the company’s legal department, which has drawn in support and lawyers from Musk’s other companies including electronic car manufacturer Tesla and rocket maker SpaceX. That has led to confusing directives and caused previously junior employees to take up new responsibilities for which they are not qualified, three current and former employees said.
Over the past several months, Twitter has asked the agency for more time to answer its questions about staffing and resources, saying that its corporate structure and the appointment of top leaders are still in flux. The FTC has the power to fine Twitter again, or to punish executives with criminal penalties if they mislead investigators about the state of the company’s privacy practices.
In addition to its investigation of Musk’s takeover, the agency is also scrutinizing claims raised by a former security executive, Peiter Zatko, who said in a whistleblower complaint that Twitter, under its previous management, made false and misleading statements about its security practices.
Lina Khan, chair of the FTC, said during a Senate Judiciary subcommittee hearing in November that she was “extremely disturbed” by Zatko’s claims, particularly his assertion that Twitter had misled the FTC about its compliance practices.
“There has absolutely been a problem with companies treating FTC orders as suggestions,” Khan said. “We have a program underway to really toughen that up.”
Musk’s Twitter also faces potential challenges abroad. In November, Thierry Breton, EU internal market commissioner, said in a statement that the company had “huge work ahead” to become compliant with the bloc’s Digital Services Act, a wide-ranging set of laws set to come into effect in 2024 that addresses disinformation, targeted advertising and content moderation on social media platforms.
Last month, a Twitter security manager wrote in internal messages seen by The New York Times that the company could have been violating EU privacy laws by saving some user data for two years, despite a requirement to delete that data after 13 months. The EU could fine the company up to 4 per cent of Twitter’s global revenue, which would amount to hundreds of millions of dollars, the manager warned.