Twitter privacy executives quit, sparking FTC alarm

SAN FRANCISCO - Several top privacy and security executives resigned from Twitter on Thursday, citing fears over the risks from Elon Musk's leadership, a stunning exodus that prompted federal regulators to warn they might step in.

Chief Information Security Officer Lea Kissner tweeted Thursday morning that they had made the "hard decision" to resign, and the company's chief privacy officer and chief compliance officer also quit, according to screenshots of an employee's internal Slack message shared with The Washington Post.

Subscribe to The Post Most newsletter for the most important and interesting stories from The Washington Post.

Also Thursday, Twitter's head of safety and integrity, Yoel Roth, left the company, according to Twitter employees who, like others, spoke on the condition of anonymity because they were not authorized to comment. Roth had become the public face of Twitter's content moderation policies in the days after Musk assumed ownership of the company.

One current Twitter employee said several other members of the site's privacy and security unit also had resigned, while another said those remaining were trying to stop a wave of abuse in the company's expanded paid service, Twitter Blue.

The privacy executives' departures prompted a rare warning from the Federal Trade Commission, which has emerged as the government's top Silicon Valley watchdog. It marked the second time in two days that a federal official has expressed concern about the chaotic developments at the company, coming less than 24 hours after President Biden said Musk's relationships with other countries deserved scrutiny.

The agency said that it was "tracking the developments at Twitter with deep concern" and that it was prepared to take action to ensure the company was complying with a settlement known as a consent order, which requires Twitter to comply with certain privacy and security requirements because of allegations of past data misuse.

Twitter was first put under a consent order in 2011, and it agreed to a new order earlier this year. If the FTC finds Twitter is not complying with that order, it could fine the company hundreds of millions of dollars, potentially damaging the company's already precarious financial state.

"No CEO or company is above the law, and companies must follow our consent decrees," said Douglas Farrar, the FTC's director of public affairs. "Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them."

The privacy staffers said they were most concerned by the rapid rollout of new features without the full security reviews that the FTC consent decree requires. They also objected to Musk's order in an email Wednesday night - his first to the staff since taking control of the company - that all employees had to begin working in the office 40 hours a week, effective Thursday.

Musk's email did not address Twitter's long tradition of flexible and remote work. Instead, it cited a dire need to earn money from Twitter Blue. "Without significant subscription revenue, there is a good chance Twitter will not survive the upcoming economic downturn," Musk warned. "We need roughly half our revenue to be subscriptions."

Musk held his first all-hands meeting with staffers on Thursday, taking questions on issues such as his new return-to-office policy and data privacy concerns raised by the departure of executives, according to a person who tuned in.

Musk said Twitter would accept the resignation of anyone who did not want to abide by the new policy, if they were physically able to do so. He also sought to quell concerns about Twitter's privacy practices. For that, he turned to a tactic increasingly used at the new Twitter - citing his experience running Tesla, the electric-vehicle maker that made him the world's richest person.

Tesla has extensive experience with privacy, he said, noting the cars have surround-view cameras that pose privacy issues of their own. But the company has gone to great lengths to protect user data, he said. The issue, he said, isn't new to him.

He noted how Tesla does not conduct market surveys - rather it focuses on making products people will love, he said, hinting at an ethos he seeks to bring to Twitter.

Asked how he could make Twitter more advertiser friendly, Musk said the increasing reliance on payments would lend itself to easy transactions for advertisers.

The meeting was roughly half an hour long, conducted on short notice. Musk showed up about 10 minutes late.

Some employees said his decisions did not inspire confidence at the company, and Slack was filled with questions about the return-to-office policy from outraged employees.

Questions included: "What's the motivation? Work hard or get fired?" and "How do you plan to restore totally destroyed trust?

"People are enraged, with very few expecting RTO would happen this soon," said one employee who had been retained in the layoffs but decided to leave. "I am ethically not okay with making the richest person in the world even richer. Also not okay with this alpha dog mentality - it's already trickling down."

Musk's tactics had led to sniping between remaining employees, the person said, as colleagues who used to collaborate took aim at one another in public channels.

The FTC is the only government agency that could act through its consent decrees as a check on Musk, whose first two weeks at the helm of Twitter have been chaotic. The federal government has only limited oversight of social media companies, but the FTC has used its oversight of consumer protection and competition to establish itself as the country's top data privacy regulator. The agency has used consent orders to hold some of the country's largest tech companies - including Google, Facebook and Snap - accountable for alleged privacy missteps. In 2019, the agency reached a $5 billion settlement with Facebook over its alleged violation of a prior order.

Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk's proposed changes to Twitter products, opened the company to serious regulatory peril.

In its settlement with the FTC, Twitter agreed to designate employees responsible for privacy and security, including a senior corporate manager who would be responsible for certifying that the company was in compliance. The departures raise questions about whether such a chain of command is still in place and whether the people still there have the authority and relationships to ensure that the order is being enforced.

"There's a lot of peril for the company if it doesn't have continuity," said a former FTC official who spoke on the condition of anonymity to candidly discuss the regulatory risks for the company.

David C. Vladeck, who was director of the FTC's Bureau of Consumer Protection at the time of Twitter's first settlement with the agency, said the departures and the chaos of Musk's first weeks of ownership raise questions about whether "compliance requirements are going to fall through the cracks."

Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to be in violation of its agreement with the FTC a second time. "There would be some very significant multiple of the last fine," he said, referring to the May penalty, which carried a $150 million fine. "You have to add a decimal point to that."

Twitter entered into the consent decree with the FTC after allegations that it used email and phone numbers it said it was collecting for security purposes to target users with advertising. The FTC alleged that this violated the 2011 consent decree.

The new decree required Twitter to start enhanced privacy and security programs, which were to be audited by a third party. Under that decree, Twitter is required to conduct a privacy assessment of any new products it launches.

It's unclear exactly what the FTC's deliberations could accomplish. Musk has shown little hesitation to make changes in his whirlwind takeover, slashing half its workforce and unveiling massive product changes. Musk has routinely scoffed at federal oversight and the financial watchdogs of the Securities and Exchange Commission. In 2018, after the agency fined him $20 million for misleading Tesla investors, he said in a "60 Minutes" interview, "I do not respect the SEC."

But the FTC has also shown increasing energy in wanting to hold even the country's biggest companies to account. Its chair, Lina Khan, said in a Senate subcommittee hearing in September that the agency intends to strictly enforce its rules against companies that treat its "orders as suggestions."

The executive departures Thursday also invited scrutiny in Europe, which unlike the United States has a general data protection law. Ireland's Data Protection Commission is seeking more details from the company about the departure of the company's chief privacy officer, Damien Kieran. Under the European rules, companies are required to have a data protection officer in place.

A spokesman for the Irish DPC said the agency had "not received any official notification from Twitter." Kieran did not respond to a request for comment. Former Twitter chief compliance officer Marianne Fogarty also did not respond to a request for comment but on Monday tweeted: "I don't watch Game of Thrones. I certainly don't want to play it at work."

Twitter on Wednesday began allowing any user who pays $8 a month to receive the same blue check mark that the platform has for years given only to verified politicians, companies and celebrities. But because the company performs no identity verification, a stream of fake accounts has proliferated across the site, including for Biden, Pope Francis and former prime minister Tony Blair of Britain.

One tweet by a blue-check account posing as the pharmaceutical giant Eli Lilly gained 1,500 retweets and more than 10,000 likes and remained online after three hours Thursday afternoon. An Eli Lilly spokesperson told The Post on Thursday they "are in communication with Twitter to address the issue."

Musk has said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of likes and retweets. Early Thursday, in a response to someone mentioning that a fake Biden was talking about performing a sex act, Musk responded with two cry-laughing emoji.

The employee Slack message said the quick release of products and changes without effective security reviews was "extremely dangerous" for users. It said engineers would have to take on the burden of certifying that the products complied with FTC agreements, putting them at substantial personal legal risk.

The meltdown of the security leadership is especially fraught because an FTC audit was expected by January, according to two people familiar with the schedule. One said that Kissner and other executives had been hiring, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.

"Desperately needed people," said one of them, who was among the roughly half of the company laid off last week and spoke on the condition of anonymity to discuss internal issues at Twitter.

The Slack message posted a link to Whistleblower Aid, a law firm that represented former security head Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC. The Washington Post previously reported that his complaint described inadequate logging of access to sensitive data and widespread use of out-of-date software.

The message warned that the FTC could fine Twitter "BILLIONS of dollars." The author claimed to have heard Alex Spiro, Musk's top lawyer, say Musk is "willing to take on a huge amount of risk in retaliation to this company and users, because 'Elon puts rockets into space, he's not afraid of the FTC.'" Spiro did not immediately respond to a request for comment.

Other employees said they were taking paid time off Thursday as a demonstration of disapproval. Kissner, who had been brought in by Zatko, was admired inside Twitter and seen as a crucial backstop amid the recent chaos.

"Twitter has had several major security incidents over the last several years due to poor internal controls and a permissive data architecture," said Alex Stamos, a former head of data security at Facebook and Yahoo. "The team led by Dr. Kissner made serious strides to closing these flaws, as Twitter is required to do by FTC consent decree."

Lourdes Turrecha, a cybersecurity and privacy lawyer in Silicon Valley, said the sudden resignations were a bombshell in privacy circles that had already been stunned by Zatko's whistleblower complaint and the company's mass layoffs.

"These executives do not want to put their lives on the line and go to jail" if the company breaks the law, she said. "It's a very hard time to be a chief information security officer or a chief privacy officer in tech right now, especially when your company doesn't seem to care about its privacy and security practices."


Zakrzewski reported from Washington.


Video Embed Code

Video: President Biden on Nov. 9 said that Elon Musk's joint acquisition of Twitter was "worth being looked at," considering the involvement of foreign governments.(The Washington Post)

Embed code:

Related Content

Where learning is against the law: A secret school for Afghan girls

Salty, yellow water disgusts residents and breaks pipes in war-torn Mykolaiv

In one Ukrainian village, occupation ended - and the feud began