A government investigation of Elon Musk’s tenure as leader of Twitter has determined that there may be violations of a 2022 FTC order that required certain privacy and security measures be implemented. Newly published court documents indicate the FTC believes Musk has fostered a “chaotic environment” at the company now known as X, making it excessively difficult for investigators to do their job by laying off a large amount of key privacy personnel and improperly handling server transfers.
While the FTC is full of criticism for Musk’s general handling of the business and response to its investigation, the one hard violation it seems to focus on is failure to conduct a required privacy and security review before rolling out the premium “Twitter Blue” subscription service, which rolled out in December 2022 shortly after Musk took over. The court records also indicate the FTC order may have been violated in Musk’s handling of the “Twitter Files” release of internal information to journalists.
Long-running investigation finds one likely violation of FTC order, possibly more
Musk and the FTC have been going back and forth since the investigation kicked off earlier in the year, with contentious exchanges in the media and during Congressional hearings in which Musk has accused the FTC of harassing the company and engaging in a biased politically-driven campaign against it. House Republicans have backed up Musk’s claim of political bias, pointing to FTC attempts to influence the independent auditor brought in to confirm compliance with the FTC order and its new privacy and security terms. Members of that law firm, Ernst & Young, have countered with claims that Musk has failed to pay required invoices and have been stymied in some aspects of their work by “constant turnover” at the company and refusals to allow it to access the property.
The FTC order stems from a long history of privacy and security issues at Twitter that came before Musk’s tenure, culminating in the 2022 agreement to settle charges of deceptive use of targeted advertising during that time. That settlement also required privacy and security changes to take place, which the FTC says that Musk is generally not keeping pace with.
The most solid charge to date seems to be that Twitter Blue, a brainchild of Musk that launched very quickly after his late 2022 takeover of the company, was not subject to a required privacy and security review before it went public. The court documents indicate Twitter executives have testified to the Department of Justice that this did not happen.
The court documents also outline a collection of other concerns that might turn into violations of the FTC order, pending further investigation. As part of the Twitter Files document dump, Musk reportedly was about to allow at least one of the journalists “unfettered” access to the company’s internal systems. Security staff reportedly had to intervene and control the reporter’s access to specific files and systems.
The FTC has been attempting to depose Musk since he took over Twitter, without much success as of yet. Investigators cite his “granular” control of the company since taking over, and Musk will likely be subject to questioning at some point.
Privacy and security concerns hound Twitter during rapid transformation
With less than a year at the helm thus far, Musk has made rapid and significant changes to what is now gradually becoming his long-desired “everything app” X. Former employees believe that privacy and security have become a secondary concern during this process. Former Chief Information Security Officer Lea Kissner testified that Musk’s decisions made it excessively difficult to protect user data and comply with the terms of the FTC orders the company has been laboring under since a 2011 settlement, and former Chief Privacy Officer Damien Kieran estimates that Musk slashed the privacy and compliance staff to such a degree that 37% of privacy program controls were left without employee coverage.
Former Director of Security Engineering Andrew Sayler piqued the interest of investigators by testifying that he observed privacy and security violations in the movement of servers from one data center to another. Musk reportedly did not give employees enough time to wipe the servers in compliance with company policy, so they were physically moved with personal and sensitive data still on them.
The DOJ has rejected Musk’s request to dismiss the more recent FTC order and release the company from its associated privacy and security obligations. The 2022 order subjects Twitter to independent assessments for 10 years and forbids it from misleading consumers about privacy and security practices for 20 years, under threat of heavy fines. This overlaps with the terms of the 2011 settlement, which had previously established independent assessments for 10 years and similar restrictions on communications with and marketing to consumers for 20 years.