A current Twitter employee said several other members of the site’s privacy and security unit had also resigned, while another said those remaining were trying to stem a wave of abuse in the company’s expanded paid service, Twitter Blue.
The Federal Trade Commission, which reached its latest consent decree with Twitter in May, said it is “tracking developments at Twitter with deep concern.”
“No CEO or company is above the law, and companies must comply with our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
Privacy officials said they were most concerned about the rapid rollout of new features without the full security assessments required by the FTC consent decree. They also objected to Musk’s order in an email Wednesday night, his first to employees since taking control of the company, that all employees must begin working in the office 40 hours a week, effective Thursday.
Musk’s email did not address Twitter’s long tradition of flexible and remote work. Instead, it cited a major need to monetize Twitter Blue. “Without significant subscription revenue, there’s a good chance Twitter won’t survive the coming economic downturn,” Musk warned. “We need about half of our revenue to be subscriptions.”
Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, opened the company to serious regulatory danger.
David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and chaos raise questions about whether “compliance requirements are going to fall through the cracks.”
Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to be in violation of the agreement with the FTC a second time. “It would be a very significant multiple of the last fine,” he said, referring to the May penalty that brought a $150 million fine. “You have to add a decimal point to it.”
Twitter entered into the consent decree with the FTC following allegations that it deceptively used email and phone numbers it said it collected for security purposes to target users with advertising. The FTC alleged that this violated a 2011 consent decree it had reached with the company.
The new decree required Twitter to initiate enhanced privacy and security programs, which would be audited by a third party. Under this program, Twitter is required to conduct a privacy assessment of all new products it launches.
The employee Slack message said that rapidly releasing products and changes without effective security assessments was “extremely dangerous” for users.
It said engineers would have to shoulder the burden of verifying that the products complied with FTC agreements, putting them at significant personal legal risk.
The security management meltdown is particularly charged because an FTC audit was expected by January, according to two people familiar with the schedule.
One said Kissner and other executives had hired, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.
“Need people badly,” said one of them, who was among about half the company laid off last week.
The Slack message posted a link to Whistleblower Aid, a law firm that represented former security chief Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other officials citing alleged violations related to the FTC, including what he said was inadequate logging of access to sensitive data and extensive use of outdated software.
The message warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed they heard Alex Spiro, Musk’s top lawyer, say that Elon is “willing to take on a huge amount of risk in return for this company and its users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’” Spiro did not immediately respond to a request for comment on the memo.
Other employees said they took Thursday off as a show of disapproval.
Kissner, who was brought in by Zatko, was admired on Twitter and seen as a crucial backstop amid the recent chaos.
“Twitter has had several major security incidents in recent years due to poor internal controls and a permissive data architecture,” said Alex Stamos, a former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner took serious steps to close these bugs, as Twitter is required to do under the FTC Consent Decree.”