One Twitter employee now says several other members of the site’s privacy and security unit have also resigned, while another said those who remain are trying to stem the tide of abuse on the company’s paid service, Twitter Blue.
The Federal Trade Commission, which reached its latest consent decision with Twitter in May, said it was “tracking developments at Twitter with deep concern.”
“No CEO or company is above the law, and companies must follow our consent decisions,” said Douglas Farrar, the FTC’s director of public affairs. “Our revised consent order gives us new tools to ensure compliance, and we’re ready to use them.”
Privacy staff said they were most concerned by the rapid rollout of new features without the full security review required by the FTC’s consent decree. They also rejected Musk’s order in an email Wednesday night, the first to staff since taking over the company, that all employees must begin working in the office 40 hours a week, effective Thursday.
Musk’s email did not address Twitter’s long tradition of flexible and remote work. On the contrary, it is said to be very necessary to earn money from Twitter Blue. “Without significant subscription revenue, there’s a good chance Twitter won’t survive the coming economic downturn,” Musk warned. “We need about half of our revenue to be subscriptions.”
Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, opened the company to serious regulatory risks.
David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and uproar raised the question of whether “compliance requirements will fall through the cracks.”
Vladeck said the punishment could be exponentially higher for Twitter if it is suspected of violating its agreement with the FTC a second time. “There will be some significant fines from the last one,” he said, referring to the May penalty that had a fine of $150 million. “You have to add a decimal point to it.”
Twitter entered into a consent decree with the FTC after allegations that it deceptively used email and phone numbers it said it collected for security purposes to target users with ads. The FTC says this violates a 2011 consent decree it reached with the company.
The new ruling requires Twitter to begin an enhanced privacy and security program, which must be audited by a third party. Under the program, Twitter is required to conduct privacy assessments of new products it launches.
Employees’ Slack messages said that rapid releases of products and changes without effective security reviews are “extremely dangerous” for users.
It said that engineers must bear the burden of ensuring that their products comply with the FTC agreement, putting them at considerable personal legal risk.
The meltdown of the security leadership is especially fraught because an FTC audit is expected by January, according to two people familiar with the schedule.
One said Kissner and other executives had been hiring, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.
“People are in dire need,” said one of them, who made up about half of the company’s shutdown last week and spoke on condition of anonymity to discuss internal issues on Twitter.
The Slack message posted a link to Whistleblower Aid, the law firm that represented former security chief Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC, including what it described as inadequate logging of access. to sensitive data and widespread use of out-of-date software.
The letter warned that the FTC could fine Twitter “BILLIONS of dollars.” The writer claimed to have heard Alex Spiro, Musk’s top lawyer, said Musk is “willing to take on a large amount of risk in retaliation to this company and users, because ‘Elon put rockets into space, he is not afraid of the FTC.’ ” Spiro did not immediately respond to a request for comment on the memo.
Other employees said they were taking time off pay on Thursday as a demonstration of rejection.
Kissner, who has been brought in by Zatko, is admired inside Twitter and is seen as an important backstop amid the recent chaos.
“Twitter has experienced several major security incidents in the past few years due to poor internal controls and a permissive data architecture,” said Alex Stamos, former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner made serious strides to close these flaws, as Twitter is required to do by FTC consent decree.”