F.T.C. Intensifies Investigation of Twitter’s Privacy Practices
The Federal Trade Commission is intensifying an investigation into Twitter’s data and privacy practices and is seeking testimony from Elon Musk, who has laid off the bulk of Twitter’s work force since acquiring the company last year.
The investigation is focused on whether Twitter has adequate resources to protect its users’ privacy after the mass layoffs and budget cuts ordered by Mr. Musk, said five people familiar with the investigation who spoke on the condition of anonymity.
The agency, which currently has oversight over Twitter, investigated a former executive’s claims of security problems last summer and ramped up its inquiry following the abrupt resignations of three top executives responsible for privacy, security and compliance. They left Twitter in November shortly after Mr. Musk acquired the company.
The agency has requested a conversation with Mr. Musk, two of the people said. It has also sought to interview former Twitter employees who worked on privacy and security at the company.
The inquiry has been criticized by a subcommittee of the Republican-led House Judiciary Committee, which said on Tuesday that the F.T.C. was engaged in an “aggressive campaign to harass Twitter” and had issued more than 350 requests for information since Mr. Musk took over the company in October.
Mr. Musk’s takeover of Twitter has drawn scrutiny from several enforcement agencies. While the F.T.C. has dug into whether Twitter has the resources to abide by its privacy promises to consumers, the European Union has pressured Twitter to release more data about how it fights disinformation. The Securities and Exchange Commission also probed whether Mr. Musk’s purchases of Twitter stock had been properly disclosed.
“Protecting consumers’ privacy is exactly what the F.T.C. is supposed to do,” Douglas Farrar, an agency spokesman, said in a statement. “It should come as no surprise that career staff at the commission are conducting a rigorous investigation into Twitter’s compliance with a consent order that came into effect long before Mr. Musk purchased the company.” The S.E.C. declined to comment.
The F.T.C. has pressed Twitter to explain its management structure and to define Mr. Musk’s precise role at the company. It has also questioned whether Twitter has the necessary staff and financial resources to keep up with its privacy obligations, as Mr. Musk continues to cut costs and lay off workers.
The agency has also asked for details about recent sales of Twitter’s office equipment, including whether computers had been wiped of user data, and about Twitter’s plan to sell verification check marks, House Republicans said in a report that was released on Tuesday.
Under a consent decree it reached with the agency in 2011 and expanded in 2022, Twitter is required to conduct regular security audits and keep the F.T.C. informed about how it handles sensitive data.
The arrangement began in March 2011, when the company settled charges that it had failed to safeguard users’ personal information after two data breaches in 2009. Last year, the F.T.C. fined Twitter $150 million for misleading users about the fact that personal data collected for security purposes was actually being used for advertising, and it expanded its oversight of the company.
The compliance process is laborious, two former Twitter employees said, and once relied on supervision from hundreds of people in Twitter’s privacy, engineering, legal and security teams to run smoothly.
Twitter also used software made by a company called Collibra to keep track of its progress on compliance, but it stopped payments to Collibra as Mr. Musk sought to cut costs at Twitter, two people familiar with the arrangement said. Collibra did not respond to requests for comment.
The F.T.C. has questioned whether Twitter still has the staff or the budget to keep up with its compliance obligations. The agency has also sought to understand whether Mr. Musk has the final say on privacy issues, and which other executives might be involved in those decisions.
“These demands have no basis in the F.T.C.’s statutory mission and appear to be the result of partisan pressure to target Twitter and silence Musk,” the House Judiciary subcommittee said in its report, which called the F.T.C.’s investigation into Mr. Musk “unusual.”
The subcommittee also criticized the F.T.C. for asking Twitter about access to internal company files that it had provided to a group of journalists. An F.T.C. spokesman said the agency routinely sought information that companies under consent orders, like Twitter, provided to third parties.
In November, three senior executives responsible for overseeing security, privacy and compliance resigned from Twitter, a day before a deadline for Twitter to submit a response to an F.T.C. demand letter. The F.T.C., in an effort led by Reenah Kim, a longtime staff attorney who was involved in the agency’s earlier investigation of privacy issues at Facebook, has spoken with at least two of those executives, Damien Kieran and Lea Kissner, three people familiar with the matter said.
Mr. Musk’s mass layoffs have roiled the company’s legal department, which has drawn in support and lawyers from Mr. Musk’s other companies including the electronic car manufacturer Tesla and the rocket maker SpaceX. That has led to confusing directives and caused previously junior employees to take up new responsibilities for which they are not qualified, three current and former employees said.
Over the past several months, Twitter has asked the agency for more time to answer its questions about staffing and resources, saying its corporate structure and the appointment of top leaders are still in flux. The F.T.C. has the power to fine Twitter again, or to punish executives with criminal penalties if they mislead investigators about the state of the company’s privacy practices.
In addition to its investigation of Mr. Musk’s takeover, the agency is also scrutinizing claims raised by a former security executive, Peiter Zatko, who said in a whistle-blower complaint that Twitter, under its previous management, made false and misleading statements about its security practices.
Lina Khan, the chairwoman of the F.T.C., said during a Senate Judiciary subcommittee hearing in November that she was “extremely disturbed” by Mr. Zatko’s claims, particularly his assertion that Twitter had misled the F.T.C. about its compliance practices.
“There has absolutely been a problem with companies treating F.T.C. orders as suggestions,” Ms. Khan said. “We have a program underway to really toughen that up.”
Mr. Musk’s Twitter also faces potential challenges abroad. In November, Thierry Breton, the European Union’s internal market commissioner, said in a statement that the company had “huge work ahead” to become compliant with the bloc’s Digital Services Act, a wide-ranging set of laws set to come into effect in 2024 that addresses disinformation, targeted advertising and content moderation on social media platforms.
Last month, a Twitter security manager wrote in internal messages seen by The New York Times that the company could have been violating European Union privacy laws by saving some user data for two years, despite a requirement to delete that data after 13 months. The European Union could fine the company up to 4 percent of Twitter’s global revenue, which would amount to hundreds of millions of dollars, the manager warned.
Mike Isaac contributed reporting.