WASHINGTON, D.C. – Twitter likely repeatedly violated the consent decree on its data privacy and security practices, Public Citizen told the Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) in a formal complaint sent today. The social media platform’s new owner Elon Musk appears to have grown increasingly cavalier about Twitter’s legal obligations, so the consent decree must be aggressively enforced, Public Citizen said.
“Elon Musk seems to think the law doesn’t apply to him and has signaled that he’s not afraid of the FTC,” said Robert Weissman, president of Public Citizen. “To protect millions of Twitter users and uphold the rule of law, the FTC can’t let Musk or his company off the hook.”
The FTC entered into an initial consent decree with Twitter in 2011, and then updated it in 2022, because of the company’s repeated failure to respect and protect its users’ privacy and security. The revised consent decree, which will remain in effect through 2042, requires Twitter to:
- File a sworn compliance notice with the FTC within 14 days of a change in structure, which includes mergers and sales;
- Maintain a comprehensive privacy and security program overseen by a top executive;
- Conduct an assessment of the risks to users’ privacy, security, and confidentiality prior to rolling out any new or modified product; and
- Report to the FTC within 30 days any time the personal information of 250 or more of its users might have been accessed, acquired, or publicly exposed without authorization.
Since Musk’s purchase of Twitter in October 2022, there have been numerous sudden shifts in personnel and corporate policy that raise significant questions about Twitter’s compliance with these rules. Among them:
- Did Twitter file a compliance notice with the FTC following its change in ownership?
- Following mass layoffs and resignations – including the exodus of top security, privacy, and compliance officials – is Twitter still maintaining a comprehensive privacy and security program as required?
- According to press reports, Twitter’s engineers have been instructed to “self-certify” compliance. Does this self-certification system comply with the consent decree? And have engineers followed all the requirements?
- The November 2022 rollout of the Twitter Blue subscription service, by all accounts, bypassed the company’s normal privacy and security review. Are such allegations true, and if so, do they amount to violations of the consent decree?
- In February, Twitter ended free two-factor authentication for users who are not subscribed to Twitter Blue. Twitter will offer app-based authentication at no charge, but there is good reason to believe many users will end up with no authentication system at all, leaving their accounts vulnerable to breach and security threats. Did Twitter conduct the required assessment of the impacts of this change on users’ privacy and security? And if so, did that assessment conclude users’ privacy and security would be adequately protected?
- In the fall, Musk reportedly ordered engineers to grant reporter Bari Weiss full access to all of Twitter’s systems – one of several reporters given access to what Musk called the “Twitter files.” Did this access violate the consent decree? And if so, did Twitter comply with its reporting and other obligations?
“We appreciate the FTC’s assertion that the agency is ‘tracking recent developments at Twitter with deep concern,’ and we are supportive of all actions to hold the company accountable for any failures to meet their obligations under the consent decree,” the letter reads. “In particular, we urge the DOJ and the FTC to investigate expeditiously whether the company has violated its obligations under the consent decree.”