SAN FRANCISCO — Several top privacy and security executives resigned from Twitter on Thursday, citing fears of risks from Elon Musk’s leadership, in a surprise exit that prompted federal regulators to warn they could step in.

Chief Information Security Officer Lea Kissner tweeted that they had made the “tough decision” to resign, and the company’s chief privacy officer and chief compliance officer also resigned, according to screenshots of an employee’s internal Slack message shared with the Washington Post. A current Twitter employee said several other members of the site’s privacy and security unit had resigned, while another said those who remained were trying to stem a wave of abuse at the company’s expanded paid service, Twitter Blue.

The departures prompted a rare warning from the Federal Trade Commission, which has emerged as Silicon Valley’s top government watchdog. It was the second time in two days that Washington expressed concern about the chaotic developments at the company, less than 24 hours after President Biden said Musk’s dealings with other countries merited scrutiny.

The agency said it was “following developments at Twitter with deep concern” and was prepared to take action to ensure the company complies with a settlement known as a consent order, which requires Twitter to comply with certain privacy and security requirements because of past allegations of data abuse. Twitter was first placed under a consent order in 2011 and agreed to a new order earlier this year for allegedly misusing phone numbers and email addresses collected for security purposes for advertising.

“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs.
“The revised consent order gives us new tools to ensure compliance, and we are ready to use them.”

Privacy officials said they were more concerned about the rapid release of new features without the full security reviews required by the FTC’s consent decree. They also objected to Musk’s order in a Wednesday night email — his first to staff since taking control of the company — that all employees must begin working in the office 40 hours a week starting Thursday.

Musk’s email did not address Twitter’s long tradition of flexible and remote work. Instead, he cited a dire need to monetize Twitter Blue. “Without significant subscription revenue, there’s a good chance Twitter won’t survive the coming economic downturn,” Musk warned. “We need about half of our revenue to be subscriptions.”

The developments showed how the FTC could be the government agency acting as a check on Musk, who has overseen unprecedented chaos in his first two weeks at the Twitter helm. The federal government has only limited oversight of social media companies, but the FTC has used its oversight of consumer protection and competition to establish itself as the nation’s top data privacy regulator. The agency is using consent orders to hold some of the nation’s biggest tech companies, including Google, Facebook, Snap and others, accountable for alleged privacy violations. In 2019, the agency reached a $5 billion settlement with Facebook for allegedly violating the terms of a prior order.

Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, opened the company to serious regulatory risk. Twitter agreed in its settlement to appoint officials responsible for privacy and security, including a senior corporate officer who would be responsible for certifying that the company was in compliance.
The departures raise questions about whether such a chain of command still exists and whether the people still there have the power and connections to ensure the order is enforced.

“There’s a lot of risk to the company if it doesn’t have continuity,” said a former FTC official, who spoke on condition of anonymity to discuss candidly the regulatory risks to the company.

David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and chaos of Musk’s first few weeks of ownership raise questions about whether compliance requirements “are going to fall through the cracks.” Vladeck said the penalties could be exponentially higher for Twitter if it is found to be in violation of its agreement with the FTC a second time.

“There would be a very significant multiple of the last fine,” he said, referring to the May settlement, which carried a $150 million fine. “You have to add a comma to it.”

Twitter signed the consent decree with the FTC following allegations that it deceptively used email addresses and phone numbers it said it collected for security purposes to target users with ads. The FTC claimed this violated a 2011 consent decree it had reached with the company. The new order required Twitter to initiate improved privacy and security programs, which were to be audited by a third party. As part of this program, Twitter is required to conduct a privacy assessment for any new products it releases.

The departures have also drawn scrutiny in Europe, which, unlike the United States, has a general data protection law. The Irish Data Protection Commission is seeking further details from the company regarding the departure of its chief data protection officer, Damien Kieran. Under European rules, companies are required to have a data protection officer. A spokesman for the Irish DPC said the agency had “not received any official notification from Twitter.”
Kieran did not respond to a request for comment. Twitter’s former chief compliance officer, Marianne Fogarty, also did not respond to a request for comment, but on Monday tweeted: “I don’t watch Game of Thrones. I definitely don’t want to play it at work.”

Twitter on Wednesday began allowing any user who paid $8 to receive the same blue checkmark that the platform has for years given only to verified politicians, companies and celebrities. But because the company doesn’t perform any identity verification, a stream of fake accounts has proliferated across the site, including accounts impersonating President Biden, Pope Francis and former British Prime Minister Tony Blair, some of which have posted sexual jokes or explicit messages. Musk said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of likes and retweets.

While Musk is on a collision course with the US government, fake but verified accounts of George W. Bush, Tony Blair and Rudy Giuliani have proliferated across the site. One of Musk’s last tweets, seven hours ago, was a response to someone who reported that a fake President Biden was talking about having sex, to which Musk responded with two laughing emojis.

The employee’s Slack message said that the rapid release of products and changes without effective security controls was “extremely dangerous” for users. It said engineers would have to shoulder the burden of certifying that products comply with FTC agreements, putting them at significant personal legal risk.

The collapse of security leadership is particularly fraught because an FTC audit was expected by January, according to two people familiar with the timeline. One said Kissner and other executives had been hiring despite the company-wide freeze in a frantic effort to meet compliance rules by then.
“Desperately needed people,” said one of them, who was among about half the company laid off last week and spoke on condition of anonymity to discuss internal matters at Twitter.

The Slack message included a link to Whistleblower Aid, a law firm that represented former security chief Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials alleging FTC-related violations. The Washington Post previously reported that his complaint described inadequate logging of access to sensitive data and widespread use of out-of-date software.

The message warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say Musk was “willing to take a huge risk in retaliation against this company and users because ‘Elon puts rockets into space, he’s not afraid of the FTC.’” Spiro did not immediately respond to a request for comment.

Other employees said they were taking Thursday off in protest. Kissner, brought in by Zatko, was admired on Twitter and seen as a critical backstop amid the recent chaos.

“Twitter has had several major security incidents in recent years due to inadequate internal controls and a permissive data architecture,” said Alex Stamos, former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner took serious steps to cover these flaws, as Twitter is required to do under the FTC’s consent decree.”

Lourdes Turrecha, a cybersecurity and privacy attorney in Silicon Valley, said the sudden resignations were a bombshell in privacy circles already reeling from Zatko’s whistleblower complaint and mass layoffs at the company. “These executives don’t want to put their lives on the line and go to jail” if the company violates the law, Turrecha said. “It’s very difficult to be an information security officer or privacy officer in technology right now, especially when…