Twitter has long been under the watchful eye of the US Federal Trade Commission (FTC) for misusing users’ data.
In 2011, Twitter entered a consent decree with the FTC that Twitter’s data security lapses led hackers to obtain sensitive user information. In May, the FTC charged Twitter with new violations for using phone numbers and email addresses provided for two-factor authentication for targeted advertising. The FTC fined Twitter $150 million and imposed strict rules on how Twitter must handle user data.
Mere weeks into Elon Musk’s already-tumultuous tenure as owner and CEO of Twitter, which he bought for $44 billion, Musk appears to be violating its consent decree with the FTC. After the resignations of three company executives responsible for privacy, information security, and compliance this week, Musk reportedly urged software engineers to “self-certify” legal compliance of products and features they are deploying, according to one Twitter lawyer’s internal message to staff, obtained by The Verge. (Quartz has not independently verified the communications.)
This puts Twitter in the FTC’s crosshairs just six months after the company signed its second consent decree agreeing to rigorous compliance and oversight. If Musk is already rolling out new products without proper compliance checks, Twitter could face many millions of dollars worth of civil fines and even stricter limitations on how the company handles data and deploys new products.
“This should have been a warning to Twitter”
Twitter’s latest consent decree isn’t just a slap on the wrist, but a detailed list of steps that Twitter must comply with to stay on the right side of the law. In the settlement, Twitter agreed to:
- Institute new methods for two-factor authentication that don’t include collecting personal data
- Implement a “comprehensive privacy and information security program” that “examine and address the potential privacy and security risks of new products”
- Limit employee access to user information and provide adequate training for any employees working directly with user data
- Designate specific executives “to be responsible for any decision to collect, maintain, use, disclose, or provide access” to sensitive user data
- Undergo a third-party audit every six months.
“This should have been a warning to Twitter that it had to be on its best behavior,” said John Davisson, director of litigation at the Electronic Privacy Information Center, in an interview. “It doesn’t look like that’s how the company is carrying itself right now. There’s just so much upheaval it’s hard to imagine they’re really honoring the terms of this consent decree scrupulously.” Davisson added that the reported mandate to have engineers “self-certify” their own products is “pretty alarming.”
“The idea that even a talented software engineer is going to be well positioned to evaluate systemic privacy and security risks and can self-certify on the fly is absurd,” he said. “It’s not how these processes work and there’s a reason companies hire third parties to do this and have dedicated staff who have expertise in privacy and security to do these evaluations.”
It’s not just about the money
There are steep civil penalties for violating this consent decree. Twitter could be liable for a $46,517 fine per violation. Let’s say Twitter rolled out a modified product like Twitter Blue without doing the proper checks. That implies millions of affected users, and potentially millions or even billions of dollars in fines for Twitter. The company, already saddled with $1 billion in annual interest payments from $12.5 billion in bank loans financing Musk’s acquisition, can ill afford such penalties. Musk has told employees this week that a Twitter bankruptcy is a distinct possibility.
But fines shouldn’t be Musk’s only concern, according to Kathleen McGee, a partner at the law firm Lowenstein Sandler. “It is not just about risking punitive financial damages,” she said. “It is about setting precedent and giving a powerful regulator—and frankly legislators—ammunition to further pursue legal action that restricts a company’s ability to innovate or come up with new applications.” Musk wants to move fast and break things, but Twitter’s disregard for FTC rules will limit his ability to do that. “The more one tries to fight against court-ordered consent decrees,” says McGee, “the more one will find oneself constrained.”