Musk Almost Violated FTC Privacy Order Before Staff Stopped Him

Elon Musk almost violated a federal privacy order when he took over the site formerly known as Twitter in 2022, but the company’s data security employees prevented a breach from occurring, the US Federal Trade Commission concluded.

The FTC’s determination was contained in a letter FTC Chair Lina Khan sent to House Republicans Wednesday, though the agency’s probe remains ongoing.

“FTC staff efforts to ensure Twitter was in compliance with the order were appropriate and necessary, especially considering Twitter’s history of privacy and security lapses,” Khan wrote in the letter.

The FTC chair and House Republicans have sparred over Musk for the last year, with the GOP alleging the agency has been “attempting to harass” the company since his takeover. The Republican-led House Judiciary Committee was particularly incensed by the FTC’s questions regarding “Twitter Files,” a series of stories by selected journalists documenting how employees discussed the removal of former President Donald Trump from the platform following the Jan. 6 riot and how to handle accounts that spread misinformation.

Musk has alleged the Twitter Files revealed the platform’s bias against conservative viewpoints.

The FTC will continue to monitor Twitter over its compliance with the consent order and is still pursuing litigation to depose Musk, FTC spokesman Douglas Farrar said

Musk took over Twitter — since renamed X — in October 2022, vowing to champion free speech on the site. He quickly set about imposing new procedures and firing staff, leading to an exodus of about two-thirds of the company’s employees.

Those changes alarmed the company’s former top privacy officials, according to sworn interviews they gave the FTC, who feared Musk’s orders might lead to breaches of a May 2022 federal privacy settlement. Violations of the settlement could lead to millions of dollars in fines or even charges against individuals, as in the case of Uber Technologies Inc.’s former security chief, who was convicted of covering up a 2016 hack at the ride-hailing app.

The FTC had already opened a new inquiry into Twitter after the company’s former chief cybersecurity officer, Peiter Zatko, filed a whistleblower complaint in September 2022. Zatko testified before Congress that the platform was a “ticking bomb of security vulnerabilities.” The agency subsequently expanded the probe to look into Musk’s changes.

The agency’s letter Wednesday didn’t name the employees interviewed as part of the probe, but excerpts from their sworn interviews were filed in federal court proceedings. The agency has been seeking to depose Musk since last June, which led the company to sue in an unsuccessful effort to bar the agency’s interview.

Andrew Sayler, the company’s former director of security engineering, told FTC investigators that Musk’s orders to give journalists complete access to Twitter’s systems showed a “disregard for the overall sensitivity and security” of the company’s systems. Musk originally asked Sayler and other security employees to provide unrestricted access to some journalists, including Bari Weiss, for the “Twitter Files.”

Sayler and Seth Wilson, another former senior cybersecurity official, said they declined to provide Weiss with direct access to Twitter’s systems, which could have violated the FTC consent order. Instead, they created a “safer alternative” for the journalists to get details for their stories without accessing any user information, Wilson said.

Sayler, who left the company in December 2022, also said that Musk ignored warnings from the security team that paid verification would likely lead to impersonations.

“Various issues that we had raised as risks came to fruition,” he said in an April 2023 interview. “All of the abuse that one would predict going along with that largely occurred.”

Damien Kieran, the company’s former chief privacy officer, told FTC lawyers in a December 2022 interview that Twitter Blue was implemented without the normal privacy and security review required of most product updates. Kieran resigned in November 2022, along with Lea Kissner, the most senior cybersecurity officer, and Twitter’s head of compliance.

The Washington Post earlier reported on the FTC letter.

To contact the reporter on this story:
Leah Nylen in Washington at lnylen2@bloomberg.net

To contact the editors responsible for this story:
Sara Forden at sforden@bloomberg.net

Elizabeth Wasserman

© 2024 Bloomberg L.P. All rights reserved. Used with permission.