Twitter’s Potential Violations of the FTC Consent Decree
Letter to the Federal Trade Commission and the Justice Department
Federal Trade Commission
400 7th St., SW
Washington, D.C. 20024
U.S. Department of Justice
950 Pennsylvania Ave. NW
Washington, D.C. 20530
Dear Chair Khan and Attorney General Garland,
This letter is to commend the Federal Trade Commission (FTC) for its investigation into Twitter’s potential violations of its consent decree with the FTC regarding data privacy and security practices and to urge the FTC and/or the U.S. Department of Justice (DOJ) to act with urgency in bringing any and all warranted enforcement actions against the company.
In 2011, Twitter and the FTC entered into a consent decree to resolve agency allegations that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. The consent decree remains in place for 20 years and imposes a series of obligations on Twitter to prevent it from deceiving consumers or risking their privacy.
In 2022, the FTC alleged that Twitter had violated the terms of the consent decree. Twitter settled the dispute by paying a $150 million fine and agreeing to an updated consent decree, imposing new obligations and remaining in effect for an additional 20 years, through 2042. The obligations in the current consent decree include:
- A duty to file a sworn compliance notice with the FTC within 14 days of the company experiencing a change in structure, including mergers and sales. (2022 consent decree, Section XI.B)
- Creation and maintenance of a “comprehensive privacy and security program” overseen by a designated senior official. (2022 consent decree, Section V)
- Prior to implementing any new or modified product, “conducting an assessment of the risks to the privacy, security, confidentiality, or integrity” of users’ personal information. (2022 consent decree, Section V.E.1)
- Reporting to the FTC within 30 days of any “covered incident,” where personal information of 250 or more users “was, or is reasonably believed to have been, accessed, acquired, or publicly exposed without authorization.” (2022 consent decree, Section IX)
In October 2022, Elon Musk purchased Twitter. Since that time, there have been numerous, sudden shifts in personnel and corporate policy that raise significant questions about Twitter’s compliance with the FTC consent decree.
We appreciate the FTC’s assertion that the agency is “tracking recent developments at Twitter with deep concern” and we are supportive of all actions to hold the company accountable for any failures to meet their obligations under the consent decree. In particular, we urge the DOJ and FTC to investigate expeditiously whether the company has violated its obligations under the consent decree. Specifically:
- Following the October change in ownership of Twitter, did the company file the sworn compliance notice with the FTC?
- Following the ownership change, the company’s heads of security, privacy and compliance quit. Then Musk fired roughly half of all staff. Still others left soon afterwards, refusing an ultimatum from Musk to be “hard core.” This mass exodus, by itself, raises questions about whether the company is maintaining a “comprehensive privacy and security program.” More specifically, a data governance team that monitored the company’s compliance with the FTC consent decree reportedly fell apart after members were fired and quit. Does Twitter still maintain a “comprehensive privacy and security program” in compliance with the very specific obligations stipulated in the consent decree?
- The consent decree provisions impose a requirement on Twitter to follow a series of measures to protect privacy and security. Following the departure of the heads of security, privacy and compliance, HuffPost reported that engineers have been instructed to “self-certify” compliance with the consent decree. Is it possible for a self-certification system to comply with the consent decree? Have engineers in fact followed the requirements of the consent decree, and are any self-certifications compliant with the consent decree?
- In November, Twitter launched Twitter Blue as a subscription service for verification. The new service led to a rash of fake accounts and was quickly suspended. An employee told The Verge that the launch of Twitter Blue “disregarded the company’s normal privacy and security review, with a ‘red team’ reviewing potential risks the night before the launch. ‘The people normally tasked with this stuff were given little notice, little time, and unreasonable to think it [the privacy review] was comprehensive.’ None of the red team’s recommendations were implemented before Twitter Blue’s relaunch, the employee said.” Are these allegations true, and if so, do they constitute violations of the consent decree?
- In February, Twitter announced it was ending text message two-factor authentication for users who are not subscribed to Twitter Blue. Text message two-factor authentication will remain available only for those paying $8 to participate in the reinstated Twitter Blue service. Twitter will offer app-based authentication at no charge, but there is good reason to believe many users will end up with no two-factor authentication at all, leaving their accounts vulnerable to breach and other security threats. This shift plainly implicates both the process and the substantive obligations of the FTC consent decree. Did Twitter conduct the required assessment of this change’s effect on users’ privacy and security? Did any such assessment conclude, based on evidence, that the service modification would adequately protect users?
- In the fall, Musk reportedly ordered engineers to grant reporter Bari Weiss full access to all their systems. “Please give Bari full access to everything at Twitter,” Musk wrote a subordinate in a message viewed by the Washington Post. “No limits at all.” Calling the move “highly inappropriate” and “super unprecedented,” a former employee explained that Twitter’s previous policies would not have allowed such access to be given to an outside party, who could potentially access private messages. Weiss was one of several reporters given access to what Musk labeled the “Twitter files.” It is possible that other reporters were given access to internal information comparable to what was made available to her. Did the access provided to Weiss and possibly others constitute a “covered incident”? If so, did Twitter comply with its reporting and other obligations regarding covered incidents?
Underscoring the concern about these and other incidents is Elon Musk’s apparent disregard for the importance of the FTC consent decree and the duties it imposes on Twitter to protect users’ privacy and security. News reports regarding Musk’s statements may suggest to a knowledgeable observer that he does not appreciate the limits imposed by the terms of the consent decree. Such a sentiment could be compounded by reports that his short-term designee to run Twitter’s legal department said Musk was willing to take risks regarding user privacy and compliance with the consent decree because Musk “puts rockets into space, he’s not afraid of the FTC.”
In an internal correspondence, a lawyer on the company’s privacy team wrote, “Elon has shown that his only priority with Twitter users is how to monetize them. I do not believe he cares about the human rights activists, the dissidents, our users in un-monetizable regions, and all the other users who have made Twitter the global town square you have all spent so long building, and we all love.”
The FTC entered into the initial consent decree with Twitter and the updated consent decree of last year because of the company’s repeated failure to respect and protect users’ privacy and security. The consent decree should prod Twitter not just to adhere to its terms but to exercise an abundance of caution to avoid repeating its past wrongs. Instead, the available evidence suggests that, under new ownership, the company may be increasingly cavalier about its users and its legal obligations.
Both to protect the interests of millions of Twitter users and to uphold the integrity of the FTC, we urge you to urgently investigate Twitter’s adherence to the consent decree and to enforce aggressively the terms of the consent decree without delay.
Thank you for your attention to this matter. We would be pleased to meet with you at your convenience or provide additional information as needed.
President, Public Citizen
Big Tech Accountability Advocate, Public Citizen