Former Twitter executives: Privacy and security practices deteriorated under Musk
Elon Musk’s acquisition of the social media platform formerly known as Twitter resulted in a series of security and privacy changes that former employees worried could cause the company to violate a 2011 agreement with the Federal Trade Commission to protect user data, according to newly unsealed court documents.
The Federal Trade Commission is currently investigating whether Twitter — now X Corp. — violated a 2011 agreement Twitter entered into with the agency to settle complaints about Twitter’s privacy practices. The agreement required Twitter to implement a security and privacy program, including regular external audits.
In a court filing unsealed Monday, several former executives said Musk failed to heed warnings about potential security concerns, especially as he fired or laid off large numbers of employees after acquiring the company last year.
Then Chief Privacy Officer Damien Kieran, said that “firings and layoffs meant no one was responsible for about 37% of X Corp.’s privacy program controls.”
One departed executive, Chief Information Security Officer Lea Kissner, said in a deposition that Musk’s decisions “impaired” the company’s ability to protect user contact data, which was at the center of the original 2011 agreement reached with the agency.
Former Director of Security Engineering Andrew Sayler testified that he had “ongoing questions about Elon’s commitment to the overall security and privacy of the organization.” In one incident, Musk directed employees to move X Corp. servers to a new data center but didn’t give employees enough time to follow internal policies to wipe the servers. As a result, they were transferred carrying sensitive data.
Twitter employees interviewed by investigators also expressed concerns that Musk didn’t heed warnings that Twitter Blue — the platform’s subscription service that replaced the company’s effort to verify identities with blue checkmarks — could be used by scammers to purchase verifications to impersonate other accounts. The service was quickly suspended after such fraud occurred.
The FTC launched its investigation in response to “radical changes” at the company, including the departure of “key executives in privacy, data security, and compliance roles,” the “hasty” roll-out of Twitter Blue, and “alarming site outages, product malfunctions, and issues with data access,” per the court filing.
Twitter asked a federal court in July to terminate the 2011 agreement with the FTC, alleging that the agency was “imposing new and burdensome demands and treating the Consent Order as a license for invasive scrutiny of any move X Corp. makes, no matter how remote from the data privacy and security concerns.”
Monday’s filing from the Justice Department asked a federal court to reject that request to terminate the agreement, which the company reached with the Federal Trade Commission in 2011 to settle privacy violations alleged by the agency.
X Corp. claimed in its July petition to terminate the consent order that an employee at Ernst & Young, the firm auditing Twitter, alleged in a deposition that the FTC had predetermined the outcome of its privacy investigation. The DOJ said in its Monday filing that X Corp.’s allegations of “witness tampering” were the result of “mischaracterizing cherry-picked excerpts,” when in fact EY chose to terminate the agreement citing X Corp.’s failure to support the investigation.
The FTC’s handling of its X Corp. investigation has become the latest partisan flashpoint for the agency’s efforts to hold large technology firms to account. In July, congressional Republicans grilled Chairwoman Lina Khan about the agency’s probe of the Musk-owned social media platform. House Judiciary Committee Chairman Jim Jordan, R-Ohio, called the agency’s investigation “outrageous.”
