The FTC’s treatment of Facebook helps illustrate the danger to Musk and Twitter. In 2019, following a complaint alleging violation of a 2012 order, the agency hit the company with a record $5 billion in fines, and named CEO Mark Zuckerberg personally responsible for compliance and certification of documents under penalty of perjury. Heavy fines could be a major problem for Twitter, which, as part of Elon Musk’s takeover, was loaded with debt.
The chaotic early weeks of Musk’s ownership of Twitter have already suggested the company risks missing some of its FTC requirements. The Verge reported that the recent relaunch of Twitter’s subscription service skipped traditional privacy and security reviews, and that company lawyers asked employees to self-certify compliance with the FTC orders. The company is required to designate no more than five people to make decisions about how personal data like email addresses and phone numbers are collected and used, and to maintain comprehensive privacy and information security programs.
According to an email seen by The Verge, Musk assured Twitter employees the company will do everything possible to comply with the FTC order. But a company lawyer posted a note internally warning that the current head of legal at Twitter, Alex Spiro, said the platform’s new owner plans to take big risks because “Elon puts rockets into space. He’s not afraid of the FTC.”
Following questions by Twitter employees worried they could be personally liable for violations of the consent order and face prison time, according to an email seen by TechCrunch, Spiro told employees that compliance is for the company, not individual employees, and shared plans to comply with decree mandates.
Of course, internal assessments and external audits like the kind the FTC has required of Twitter don’t always catch problems. A similar FTC order for Facebook didn’t prevent the Cambridge Analytica scandal, in which the firm, working on behalf of the Trump 2016 presidential campaign, used a third-party app to collect the data of more than 50 million people without consent. And documents obtained by Bloomberg Law showed that Twitter’s compliance with the 2011 FTC order did not pick up shortcomings later highlighted in recent testimony before Congress by security expert turned whistleblower Peiter “Mudge” Zatko, who said the company lacked basic security measures, such as systems to prevent employees from going through user data.
Musk’s tenure at Twitter is also under the scrutiny of regulators in Ireland and the European Union who have signaled that they’re monitoring the company, and in particular its compliance with EU data protection law. The EU’s Digital Services Act also came into force last week. That means that by February 2024, major platforms will have to carry out risk assessments, report on the use of automation in services like content moderation, and report details about their algorithms such as their error rates. Failure to comply can carry fines of up to 6 percent of global revenue.
Musk may have demonstrated to Twitter users and employees—and the rest of the watching world—in recent weeks that he’s willing to ignore the rules sometimes and make sweeping changes to his new company. But he can’t change Twitter’s history of poor security, or the fact that it has to deal with close scrutiny from the FTC for the next 20 years.