A current Twitter employee said several other members of the site’s privacy and security unit had also quit, while another said those remaining were trying to stem a wave of abuse in the paid service. extended company, Twitter Blue.
The Federal Trade Commission, which entered into its latest consent decree with Twitter in May, said it was “following developments on Twitter with grave concern.”
“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, director of public affairs for the FTC. “Our revised consent order gives us new tools to ensure compliance, and we’re ready to use them.”
Privacy staffers said they were most concerned about the rapid rollout of new features without the comprehensive security reviews required by the FTC’s consent decree. They also objected to Musk’s order in an email late Wednesday, his first to staff since taking over the company, that all employees must start working in the office 40 hours a week, at from Thursday.
Musk’s email didn’t address Twitter’s long tradition of flexible, remote working. Instead, he cited an urgent need to make money with Twitter Blue. “Without significant subscription revenue, there’s a good chance Twitter won’t survive the coming economic downturn,” Musk warned. “We need about half of our revenue to be subscriptions.”
Former FTC officials have warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, put the company at serious regulatory peril.
David C. Vladeck, who was director of the FTC’s Consumer Protection Bureau at the time of Twitter’s first deal with the agency, said the departures and chaos raise questions about whether “compliance requirements will fall through the cracks.”
Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to violate its agreement with the FTC a second time. “There would be a very significant multiple of the last fine,” he said, referring to the May penalty which carried a $150 million fine. “You need to add a decimal point to that.”
Twitter entered into the consent decree with the FTC after allegations that it deceptively used emails and phone numbers it said it collects for security purposes to target users with advertising. The FTC alleged that this violated a 2011 consent decree it entered into with the company.
The new executive order required Twitter to launch enhanced privacy and security programs, which had to be audited by a third party. As part of this program, Twitter is required to conduct a privacy assessment of all new products it launches.
The Slack employee’s post said rapidly releasing products and changes without an effective security review was “extremely dangerous” for users.
He said engineers would have to bear the burden of certifying that products complied with FTC agreements, which would expose them to substantial personal legal risk.
The collapse of the security branch is particularly dire because an FTC audit was expected by January, according to two people familiar with the timeline.
One said Kissner and other executives had hired, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.
“Desperately needed people,” said one, who was part of about half of the company laid off last week and spoke on condition of anonymity to discuss internal Twitter issues.
The Slack message posted a link to Whistleblower Aid, a law firm that represented former security chief Peiter Zatko when he filed a lawsuit this year with the Securities and Exchange Commission and other federal officials citing alleged FTC-related violations, including what he described as inadequate logging of access to sensitive data and widespread use of outdated software.
The post warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say that Musk was “willing to take enormous risks in retaliation against this company and its users because ‘Elon puts rockets into space, he not afraid of the FTC.” Spiro did not immediately respond to a request for comment on the memo.
Other employees said they were taking paid time off on Thursday as a sign of disapproval.
Kissner, who was brought in by Zatko, was admired on Twitter and seen as crucial support amid the recent chaos.
“Twitter has experienced several major security incidents over the past few years due to poor internal controls and a permissive data architecture,” said Alex Stamos, former chief data security officer at Facebook and Yahoo. “The team led by Dr. Kissner has made serious progress in closing these loopholes, as Twitter is required to do by the FTC’s consent decree.”