The unraveling of Twitter may have just accelerated with the departure of top executives responsible for the company's security and privacy functions.
This sort of exodus would be a bad sign for any company, of course. But Elon Musk's Twitter is also subject to a Federal Trade Commission consent decree, most recently updated in May, after past privacy and security practices came under fire. On Thursday, the agency was quick to express its concern with the latest developments, including in comments to The Washington Post.
There's a lot going on here, so Protocol has rounded up what you need to know about the departures of top security and privacy leaders at Twitter.
Chief Information Security Officer Lea Kissner confirmed their departure in a tweet, and Protocol reported that Kissner, as well as Twitter's chief privacy officer and chief compliance officer, resigned on Wednesday night. The Washington Post reported that "several other members" of the security and privacy teams have exited as well.
What prompted their departure?
The two-word answer would seem to be “Elon Musk.” Former Twitter privacy staff members told The Washington Post that Musk's push for the rapid product updates meant that feature changes would, by extension, need to be done without a full privacy and security review.
Such a review is obviously crucial for protecting users, under any circumstances. But the FTC consent decree from May makes these reviews even more obligatory. Therefore, rolling out new features without reviewing the security and privacy implications would seem to directly clash with the FTC order.
And while Musk has proven again and again that he doesn’t care much about the desires of regulators, Twitter’s security and privacy teams certainly did. "Dollars to donuts, that small team mandated by the FTC order = all the people who just quit," tweeted Riana Pfefferkorn, a former outside counsel for Twitter.
Given the turmoil caused by less than two weeks of Musk’s ownership, it would appear to have not only become impossible to do that job from a practical standpoint, but also potentially legally tenuous. That’s particularly the case after the recent conviction of Uber's former chief security officer, Joe Sullivan, on federal charges that included obstruction of FTC proceedings.
"Why would anyone take the fall for [Musk]?! This isn't the mob. Some execs would def face personal liability for illegal acts," Pfefferkorn tweeted. "After Joe Sullivan, I bet folks won’t feel like finding out."
Who will take over for them?
There was no immediate word as to a successor to Kissner or the other executives who departed. And for all of the reasons just mentioned, these might be tough jobs to fill.
"You would have to be insane to take the Twitter CISO job now," tweeted Alex Stamos, Facebook's former chief security officer and now director of Stanford's Internet Observatory.
What does this mean for Twitter security and privacy?
Nothing good. "There is a serious risk of a breach with drastically reduced staff," Stamos tweeted.
Meanwhile, the expansion of the Twitter Blue service to include the ability to pay for verification has already seen significant abuse from fraudulent actors, even prior to the departure of key security and privacy team members. And for a site where account takeovers and fraud are everyday issues in normal times, additional chaos in that sphere is all but inevitable.
What is the FTC saying?
The FTC is "tracking the developments at Twitter with deep concern," according to comments provided to The Washington Post.
As Politico reported previously, the FTC was already on “high alert” for violations of the May agreement, particularly in the wake of the whistleblower complaint in August from Twitter’s former security chief, Peiter “Mudge” Zatko.
On Thursday, the FTC's public affairs director, Douglas Farrar, reportedly told The Post: "No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
This story was updated to correct the length of time that Elon Musk has owned Twitter.