Does Twitter Have Any Employees Left Who Remember That The Company Is Under A Strict Consent Decree With The FTC?
from the something-to-look-into dept
Yesterday I tweeted out a question about whether or not there was anyone left at Twitter who remembered that the company was under a pretty strict FTC consent decree:
Apparently the answer was yes, but they didn’t include Elon Musk. Late last night, a few hours after that tweet, the Chief Information Security Officer, the Chief Privacy Officer, and the Chief Compliance Officer all quit, apparently citing potential FTC violations as the reason. Lea Kissner, the former CISO tweeted about it early this morning:
According to the Verge, Elon and his entourage have made it clear that he doesn’t give a fuck about the FTC. It details a note on an internal Twitter Slack from a company lawyer:
In a note posted to Twitter’s Slack and viewable to all staff that was obtained by The Verge, an attorney on the company’s privacy team wrote, “Elon has shown that his only priority with Twitter users is how to monetize them. I do not believe he cares about the human rights activists, the dissidents, our users in un-monetizable regions, and all the other users who have made Twitter the global town square you have all spent so long building, and we all love.”
The note goes on to say that its author, who The Verge knows the identity of but is choosing not to disclose, has “heard Alex Spiro (current head of Legal) say that Elon is willing to take on a huge amount of risk in relation to this company and its users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’”
So, here’s the thing. While Elon may think he’s not afraid of the FTC, he should be. The FTC is not the SEC and the FTC does not fuck around. Violating the FTC can lead to criminal penalties. I mean, it was just a month ago that Uber’s former Chief Security Officer was convicted on federal charges for obstruction against the FTC.
And you wonder why Twitter’s Chief Security Officer resigned?
The Verge article also notes the following:
Musk’s new legal department is now asking engineers to “self-certify” compliance with FTC rules and other privacy laws, according to the lawyer’s note and another employee familiar with the matter, who requested anonymity to speak without the company’s permission.
Anyone working in Twitter needs to know that “self-certifying” something that violates the FTC’s consent decree may be tied to a prison sentence and huge fines. This is not how any of this should be working.
Stanford’s Riana Pfefferkorn (who used to be outside counsel for Twitter) has a great Twitter thread explaining the many ways in which this is fucked up. That thread notes that… today Twitter violated the FTC’s consent decree as it was required to file a notice with the FTC about Elon’s takeover and how it relates to the compliance with the consent decrees.
As for the background on all this, some of you youngsters might not remember this, but back in 2011 Twitter signed a consent decree with the FTC over its failure to safeguard user info. Now, almost every big tech company these days has a consent decree with the FTC after they royally screwed up something and effectively leaked users’ private data. Most of the consent decrees last for 20 years. That might make you think such consent decrees are meaningless, but the opposite is true. While under these consent decrees, the FTC now has tremendous power to cause a world of hurt to the company for screwing up.
Indeed, remember three years ago when the FTC hit Facebook with a $5 billion fine? Most people remember that as being for the whole Cambridge Analytica thing, but it was actually for violating the consent decree that Facebook had signed years earlier (partly because of Cambridge Analytica, but also some other shoddy privacy practices). In other words, while you’re under the consent decree, if you screw up, you could be in deep trouble. Combined with the example of Uber’s Joe Sullivan, and you realize that fucking with the FTC doesn’t end well for anyone.
Anyway, Twitter’s 2011 consent decree was over misrepresenting how Twitter’s privacy controls worked — users believed they were choosing settings to keep info private, and Twitter wasn’t abiding by them, mainly because Twitter wasn’t very careful with its own security, allowing hackers to breach their systems and read content that users believed was private.
Given that much of the problem was around Twitter’s security practices, the consent decree was focused on making sure that Twitter shaped up its security practices. As you might recall, back in May, Twitter also got hit with a $150 million fine for violating the consent decree. In that case, it was because Twitter used phone numbers that were provided for two-factor authentication, but used them for marketing practices (this was also a big part of that $5 billion fine that hit Facebook, and notably, it looks like Twitter stopped the practice a month or two after the Facebook fine!).
All of this is kinda important right now, as Elon tries to roll out features in record speeds. Because… the consent decree has some requirements for rolling out new products and making sure they’re secure. The original consent decree says that any new product or service must be rolled out with a written plan including the following:
the identification of reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of nonpublic consumer information or in unauthorized administrative control of the Twitter system, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, account takeovers, or other systems failures
When I started writing this post last night, I wondered if anyone at the company still remembered that they needed to comply with this, and by this morning I knew the answer was yes — though they’ve now all left.
But, also, the order and fine from earlier this year included some modifications to the original consent decree with even more stringent requirements. There’s actually a lot of new stuff in the updated consent decree (which, again, went into effect just months ago). But one thing it requires is the following:
Design, implement, maintain, and document safeguards that control for the material internal and external risks Respondent identifies to the privacy, security, confidentiality, or integrity of Covered Information identified in response to Provision V.D. Each safeguard must be based on the volume and sensitivity of Covered Information that is at risk, and the likelihood that the risk could be realized and result in the: (1) unauthorized collection, maintenance, use, disclosure, alteration, or destruction of, or provision of access to Covered Information; or the (2) misuse, loss, theft, or other compromise of such information. Such safeguards must also include:
- Prior to implementing any new or modified product, service, or practice that collects, maintains, uses, discloses, or provides access to Covered Information, conducting an assessment of the risks to the privacy, security, confidentiality, or integrity of the Covered Information;
- For each new or modified product, service, or practice that does not pose a material risk to the privacy, security, confidentiality, or integrity of Covered Information, documenting a description of each reviewed product, service, or practice and why such product, service, or practice does not pose such a material risk;
- For each new or modified product, service, or practice that poses a material risk to the privacy, security, confidentiality, or integrity of Covered Information, conducting a privacy review and producing a written report (“Privacy Review”) for each such new or modified product, service, or practice. The Privacy Review must:
(a) Describe how the product, service, or practice will collect, maintain, use, disclose, or provide access to Covered Information, and for how long;
(b) Identify and describe the types of Covered Information the product, service, or practice will collect, maintain, use, disclose, or provide access to;
(c) If the Covered Information will be collected from a User, describe the context of the interaction in which Respondent will collect such Covered Information (e.g., under security settings, in pop-up messages in the timeline, or in response to a prompt reading, “Get Better Ads!”);
(d) Describe any notice that Respondent will provide Users about the collection, maintenance, use, disclosure, or provision of access to the Covered Information;
(e) State whether and how Respondent will obtain consent from Users for the collection, maintenance, use, disclosure, or provision of access to Covered Information;
(f) Identify any privacy controls that will be provided to Users relevant to the collection, maintenance, use, disclosure, or provision of access to the Covered Information;
(g) Identify any third parties to whom Respondent will disclose or provide access to the Covered Information;
(h) Assess and describe the material risks to the privacy, security, confidentiality, and integrity of Covered Information presented by the product, service, or practice;
(i) Assess and describe the safeguards to control for the identified risks, and whether any additional safeguards need to be implemented to control for such risks;
(j) Explain the reasons why Respondent deems the notice and consent mechanisms described in Provisions V.E.3(d) and V.E.3(e) sufficient;
(k) Identify and describe any limitations on the collection, maintenance, use, disclosure, or provision of access to Covered Information based on: (i) the context of the collection of such Covered Information; (ii) notice to Users; and (iii) any consent given by Users at the time of collection or through subsequent authorization;
(l) Identify and describe any changes in how privacy and security-related options will be presented to Users, and describe the means and results of any testing Respondent performed in considering such changes, including but not limited to A/B testing, engagement optimization, or other testing to evaluate a User’s movement through a privacy or security-related pathway;
(m) Include any other safeguards or other procedures that would mitigate the identified risks to the privacy, security, confidentiality, and integrity of Covered Information that were not implemented, and each reason that such alternatives were not implemented; and
(n) Include any decision or recommendation made as a result of the review (e.g., whether the practice was approved, approved contingent upon safeguards or other recommendations being implemented, or rejected);
Now, who knows. Perhaps Twitter will argue that its new verification system and the other features it’s rolling out with little to no testing don’t qualify for these requirements? Or perhaps along with the dwindling engineering team that is sleeping on the floor there remain a few lawyers who remember all this and have been putting together all of the documentation necessary to comply. But I do wonder how comprehensive such a report can be under these circumstances.
And the resignations last night clearly suggest that what needs to happen isn’t happening. I’m pretty damn sure the FTC is well aware of what’s happening. And while Elon may not give a shit about the FTC, the FTC can make his life absolutely fucking miserable.
Of course, here’s where having the two top legal execs who had been with the company through this whole process might have helped… rather than firing them seconds after taking control of the company.
Update: It appears the FTC is aware of what’s going on:
“We are tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
Comments on “Does Twitter Have Any Employees Left Who Remember That The Company Is Under A Strict Consent Decree With The FTC?”
'I wonder if they know something I don't...'
Yeah, when two top employees of the company quit because of potential violations of an agreement with the government and your boss wants you to put your name on documents telling the government that the company is super-duper compliant with that agreement, putting your own finances and/or freedom at risk… might be time to start looking really hard for another job if you weren’t already doing that.
Never mind the moderation learning curve, it’s like Musk is going for a world record for ‘How quickly and in how many ways can you utterly destroy a previously successful business?’
Re: new speedrun category?
destroy a company any% world record coming up?
It wasn’t just “two top employees.” It was the three top employees who deal with data governance.
It’s hard to express just how hard Elon screwed the pooch. Data breach incoming.
“…when two top employees of the company quit because of potential violations…”
Worse. The chiefs of Information Security, Privacy and Compliance were the ones quitting. Those who have in common that knowing when it’s time to yank the handbrake because the federales are about to hand out matching solid-steel bracelets is their literal job description.
From the OP; “…a few hours after that tweet, the Chief Information Security Officer, the Chief Privacy Officer, and the Chief Compliance Officer all quit, apparently citing potential FTC violations as the reason.”
THAT is like you telling your lawyer what you’ve done and the guy just gives you a long dead-eyed stare and tells you he quits.
Except the analogy doesn’t go far enough since, apparently, the first thing that happened was the actual lawyers telling Musk he couldn’t do what he intended to do were immediately fired.
There’s a real risk that beyond this flaming dumpster fire, actual jail time beckons for Musk.
Damn, Elon upgraded Twitter from being a dumpster fire to being a towering inferno. 🍿
In accord with rojcowles’ comment:
Elon puts rockets into space, he’s not afraid of copyright enforcement!
He will be. He will be…
I’m sure that most people will be happy if he decides to use one of those rockets to go somewhere that the SEC and FTC don’t have jurisdiction.
He’d probably need to make it quick, though. His space adventures are fairly dependent on government contracts from what I understand, and I don’t think that these agencies are above talking to each other.
It’s all of that lovely new hair of his adding fuel.
how could this get any worse?
Everyone out of the pool NOW! When the boss is so clueless he could get employees in legal trouble, it is time for everyone to skedaddle.
I’m just wondering about tomorrow’s news? Finding bodies in the dumpster out back of Twitter HQ?
Perhaps the overload crash at Mastodon the other day wasn’t just a flood of new users, but an overwhelming influx of applications from ex-Twits.
Fall on their sword
We don’t know, maybe his fanboy engineers are willing to fall on their swords for him.
Wee bit of a difference between defending someone when all that’s on the line is your reputation versus doing so when a hefty fine if not prison sentence are possible consequences.
Sadly not unlikely that at least a few may just do that.
At which point I’m fairly sure Musk will just quietly throw them under the bus.
How can it be that in libertarian america where “rugged individualism” is such a thing that people distrust the utility of unions so very many employees accept being utterly subjugated yes-men to the boss-man?
Because america is a nation of temporarily embarrassed millionaires who idolize the people who got there before them and fight tooth and nail against any restrictions on the rich because any day now that will be them.
Re: Re: Re:
…I hold out hope that ain’t the truth because a nation such as that will resemble every hopeful empire within the last three millennia to crash and burn within a measly few centuries solely on the basis of citizenry and ruler stupidity.
Re: Re: Re:2
So the US has a bit of history called “The Trump presidency” I suggest you check it out. Of course that’s only some similarities to historical empires. Hopefully there’s still some time to make some (notable) differences too.
Well, I suspect it will fill most sane people with some combination of horror, disbelief, and/or rage. AFAIK none of those are generally good for the health, so maybe looking at it too much is NOT a good idea. Though failing to learn anything from it can have a different set of negative consequences.
Nothing is going to happen. Twitter will continue on and none of you will stay gone for long.
Lame fan fiction. At least Mary Sue yourself into this absurd fantasy. Maybe write your Canadian girlfriend into it too.
A huge fine from the FTC wasn’t on my bingo card!
Twitter is already going to struggle with solvency, this is just what they need. How long til bankruptcy and musk gets pushed out by the bankruptcy court?
Just like MySpace. Everyone still uses MySpace, right? Right?!?
Re: Lol (Dorian)
“heard Alex Spiro (current head of Legal) say that Elon is willing to take on a huge amount of risk in relation to this company and its users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’”
“Musk’s new legal department is now asking engineers to “self-certify” compliance with FTC rules and other privacy laws, according to the lawyer’s note”
Yeah, I’m a software and hardware engineer. No, I am not an attorney. I don’t play one on TV or the internet. Yes, I own a copy of Black’s Law Dictionary. In it, it says many things I don’t logically understand with my $MANY years of university education in electronics, electrical, and software engineering. Therefore, I don’t understand anything about the law other than it will be up to me, with an imperfect understanding of how the law fucking works to keep my own ass out of jail. Let me give that some careful, considered adult rumination.
Ok, that’s done.
“Oh, Hell no!”
Self-certifying is a valid action only in one possible scenario: when you’re the guy who wrote the rules you’re certifying against and the only one likely to censure yourself for any mistakes.
Musk seems to think that’s the case for FTC regulations.
Aye, internet history has shown that mass exoduses due to mismanagement or policy changes due to new ownership never stick, just ask Flickr, Tumblr, Myspace, Livejournal, Yahoo Groups…
Yes, and the FTC dismantling Ma Bell didn’t happen.
Tell yourself that, Elon. Twitter has its uses, but between the checkmark fiasco, there being actual alternatives and the influx of MAGAts and trolls invited by a stoned manchild, I doubt the future looks bright.
Speedrunning the destruction of a ten billion dollar+ market cap company should not be a category at Awesome Games Done Quick, but here we are.
Wow, that consent decree seems like a thing every company should have to obey.
Has anybody checked Delaware’s business filings to see if anybody has incorporated Twitter Organization II there yet?
Please come back!
Welcome back to Twitter! BTW, please sign this document. What is it? Oh, never mind, just some routine paperwork. Definitely nothing that would expose you to criminal prosecution.
It was probably a three-way footrace to the FTC’s legal counsel to get a deal.
New Elon meme?
I feel that this statement
‘Elon puts rockets into space, he’s not afraid of … ‘
needs some alternate completions
‘Elon puts rockets into space, he’s not afraid of Virginia Wolfe’
‘Elon puts rockets into space, he’s not afraid of the FAA. Actually he’s terrified of the FAA as they could shut down SpaceX in a heartbeat. What was my point again?’
Elon puts rockets into space, he ain’t afraid of no ghosts.
Elon puts rockets into space, at first I was afraid, I was petrified.
Can I sue Elon for not performing his fiduciary duties at Tesla?
Only if you owned stock during one of his sporadic dips into the pool of insanity, thus causing your holdings to drop a significant percentage of value. (i.e., your stock went underwater at the same time Musk exhibited a case of constipation of the brain and diarrhea of the mouth.)
Re: Re: Suing Twitter...
Look at Tornetta vs Musk, arguing Elon is way overpaid for Tesla CEO. It’s coming up soon for trial in Delaware.
I personally think Tesla is overvalued … Full Self Driving isn’t real yet, and Elon is gonna have to dump a bunch of shares to pay for the Twitter implosion. He’s also abused his employees. These chickens are nearing the roost.
The Verge article has quite the closer
From the linked article:
He doesn’t need one at Tesla or SpaceX, so why does he need one at Twitter… after all, he’s his own Chief Twit!
(“twit” does have the same pejorative meaning in SA and USA English as it does in British English, doesn’t it?)
This apparent desire for those without a clue is why Musk transferred so many engineers from Tesla.
Some real gems in there
Reading the replies to that last link/twitter post is a real treat, with a nice split between ‘He’s upset who? Oh he is so screwed’, people dismissing the idea that he’ll face any punishment since he’s rich (not an unrealistic view sadly) and the law and order lot freaking out when someone on their side is on the receiving end of some law and order, like always seems to be the case.
This is why he asked people to vote Republican.
He thinks (probably correctly) that the Republicans will gut the FTC when they have the opportunity.
I don't need no damn due diligence!
Surely this poison pill would have come out in a pre-sale due diligence process that would make any (sane) potential buyer run for the hills and forget they ever considered making an offer?
Elon’s exploring the wonderful world of Twitter in a pair of Wellies, when he really needs a wet-suit.
Possibly a diving bell.
He needs an entire oceanic research fleet, not a shoddily kitbashed sub that supposedly could navigate caves.
More like a dry suit.
He wants NONE of this sticking to him and with a wet suit you still get wet.
I’m not a lawyer, I’m just a software engineer who’s been involved in a few legal matters with companies I’ve worked at. One of the things I do regularly, though, is parse complex technical specifications to determine exactly how to comply with them. The law’s just another such spec; my main issue is not having access to the full set of resources to get unambiguous definitions of a lot of terminology, or at least the expected outcome of applying an ambiguous rule to a particular type of input.
One thing that’s clear in my mind about those “self-certifications”: the questions are whether you’re willing to swear under oath in court as to the truth of what you’re certifying and whether you have the evidence in hand to back up your statements. If you have any doubts whatsoever about either one, you really need to consult with your own lawyer before signing because the fact you’re being asked this in a situation like this means the higher-ups are on the prowl for scapegoats.
“If you have any doubts whatsoever about either one, you really need to consult with your own lawyer before signing because the fact you’re being asked this in a situation like this means the higher-ups are on the prowl for scapegoats.”
I had been looking at it through the lens of Musk just not caring about the consent decree and trying to rush things through anyway but after reading this line I wonder if you stumbled upon the real reason, namely giving him someone to throw under the bus should the FTC come calling. Just have the engineers self-certify and then if the company gets called on it Musk can claim that the people below him told him everything was great so how could he know there were violations occurring?
Might not be Musk directly. I’d start with whatever senior attorney in Legal or Compliance would have to sign off on the documents filed with the FTC as being true and correct. They don’t have the time or the staff (thanks to Musk) to do sufficient “due diligence” and work out the weasel-wording so they technically give the FTC what’s required while not saying anything that can be proven to be untrue or incorrect. The other options are either currently not possible or will get them fired on the spot. So, getting the paperwork to be able to say “I have been told we comply by people I have a legal basis to believe” it is.
Re: Re: Re:
Is there such a person? Those top people all quit/got fired, and I haven’t heard about replacements (though I haven’t really been following it that closely).
Re: Re: Re:2
Even if they have, I think the problems are accelerating far beyond what one person could cope with anyway.
Let’s see what happens, but at the moment it’s almost as if Musk saw the destruction of Alex Jones and decided to try and speed run it.
When I buy something ...
When I, as a real person, buy something, I have to pay for it. If I borrow money to pay for it, it’s on me to pay it back. Somehow when you buy a company you can borrow money and make the company liable for the debt.
How does that work? Why does that work?
I think it’s like a house loan: the house is the collateral. If Musk defaults, the creditors own Twitter. For what it’s worth.
If the loan is structured that way. I did a little googling and couldn’t find details. They may not be public.
Twitter fired its documentation team
This is a comment about the third to last paragraph where it is asked who at Twitter is putting together the documentation to comply.
In an article from MIT (https://www.technologyreview.com/2022/11/08/1062886/heres-how-a-twitter-engineer-says-it-will-break-in-the-coming-weeks/) it was noted down at the bottom that Twitter apparently laid off its technical publications team. These custodians of procedure and tribal knowledge are there for a reason. Reasons like being able to answer:
You see, if lawyers, regulators or angry clients come knocking, you want to have these answers ready. Even if you screwed up, if you can show just cause and good faith in your documentation, that can do a lot to mitigate the situation.
Twitter consent decree
I think it’s obvious there has been at least one violation and in keeping the penalty adequate to the means of the company or individual and since Twitter is now a private company, a fine of 350 billion dollars seems sufficient but that could go up significantly as the violations pile up.
All changes are subject to the CO
According to the FTC consent order
For each new or modified product, service, or practice that does not pose a material risk to the privacy, security, confidentiality, or integrity of Covered Information, documenting a description of each reviewed product, service, or practice and why such product, service, or practice does not pose such a material risk
So even if EM claims a new feature (or even a new internal process) doesn’t pose a risk there still needs to be documentation explaining why it doesn’t pose a risk.
When you get rid of people based on how thick their code printouts are, what’s the betting you get rid of a lot of people who know how to write this documentation?
There once was a “genius” named Elon
Whose head mostly looked like a melon
He bought Twitter used
The rules he abused
The Fed’ll soon make him a felon
If, I don’t know what the rules are, the FTC has the ability to force old agreements on a company under completely new ownership and management…
Then the FTC has too much power.