Elon Musk has never shown much regard for regulators: not the ones in Alameda County who ordered Tesla’s Fremont plant to shut down in the early days of the pandemic, not the ones at the SEC who said he couldn’t just make up stuff about Tesla’s finances on Twitter, and not the ones at the National Highway Traffic Safety Administration who keep investigating all those pesky Autopilot crashes.
If his brief, tumultuous tenure at Twitter is any indication, he’s not too worried about the Federal Trade Commission either.
Over the last week, Twitter has appeared undeterred by a new consent decree it reached with the FTC in May, which requires the company to carefully consider and document the risks new products pose to privacy and security on the platform before they launch. At Musk’s insistence, Twitter has, instead, raced to open up new revenue streams, including its $8 Twitter Blue subscription product, with seemingly little regard for its legal mandate to consider the risk.
“Please note that Twitter will do lots of dumb things in coming months,” Musk tweeted Wednesday — the same day Twitter unveiled a new verification badge for certain accounts, only to kill it again a few hours later. “We will keep what works & change what doesn’t.”
An internal Slack message posted late Wednesday, reviewed by Protocol and reported earlier by The Verge, seemed to confirm the situation was even more legally dicey than it at first appeared. One Twitter lawyer claimed that the company might soon ask engineers — not legal or privacy experts — to “self-certify compliance with FTC requirements and other laws.” The message came amid a mass exodus of privacy and cybersecurity leaders Wednesday, which included Twitter’s chief information security officer, its chief privacy officer, and its chief compliance officer. The exits were first reported by Protocol.
According to the Slack message, the employee claimed to have heard Twitter’s new head of legal, Alex Spiro, say that Musk is “not afraid of the FTC.” Protocol was not able to confirm that any engineers have actually been asked to “self-certify” legal compliance, and Spiro did not respond to Protocol’s request for comment.
Still, Slack message or no Slack message, Musk’s fickle, frenzied approach to shipping new products already suggests he is utterly unfazed by the threat of FTC enforcement. But should he be?
On the one hand, Musk isn’t just the richest person in the world, capable of paying off even a hefty fine; he’s a devoted heckler of government authority figures who’s repeatedly laughed in the face of just about every regulator that’s crossed him — and gotten away with it. This is a man with a court-ordered Twitter sitter who turned around and just bought Twitter.
It’s not just Musk who’s gotten away with a lot either. Just three months back, Twitter whistleblower Peiter “Mudge” Zatko alleged in a complaint to the SEC that “Twitter had never been in compliance” with its initial 2011 consent decree due to lax internal security practices and the mishandling of user data. Among the violations Zatko observed was Twitter taking users’ email addresses and phone numbers, which they’d provided for security purposes, and using them for marketing — the action that led to the FTC modifying Twitter’s consent decree and fining the company just $150 million.
It wasn’t the first time the FTC had levied a nominal fine on a tech company that violated an order. Even its $5 billion fine of Facebook in the wake of the Cambridge Analytica scandal in 2019 was met with downright delight by Facebook shareholders, who sent its stock price soaring.
On the other hand, the FTC has been in more of a fighting mood lately when it comes to CEOs behaving badly. Just last month, the commission personally named James Cory Rellas, the CEO of alcohol delivery company Drizly, in an order over a data breach. The order will dictate not just Drizly’s security practices, but the security practices of every future company where Rellas works.
In a statement, FTC spokesperson Douglas Farrar told Protocol the commission was “tracking the developments at Twitter with deep concern” and said that the FTC’s revised consent order gives it "new tools to ensure compliance, and we are prepared to use them.”
Also working against Musk is the departure of so many top privacy and security leaders at Twitter, which puts the company at enhanced risk of a data breach that could potentially lead to significant fines, said William Kovacic, former FTC commissioner and professor at George Washington University Law School. “You can get into the billions of dollars in a hurry,” Kovacic told Protocol. “Now, does [Musk] care? I would think at some point it’s not irrelevant to him.” That may be especially true given the financial risk Musk has personally taken on in acquiring Twitter — and what it’s cost his other companies.
Kovacic added that the FTC could come up with an especially big number “if they thought the company was thumbing its nose at them.”
But by far the biggest personal risk to disobeying the FTC may be borne by whichever Twitter employees are asked to step in and certify that Twitter is complying with the FTC’s orders going forward. A federal court recently made an example of Uber security chief Joe Sullivan, holding him criminally accountable for failing to disclose a breach to government officials.
Under the FTC consent decree, Twitter is required to have a senior leader or team of senior leaders who are personally accountable for making security and privacy decisions and a senior officer who certifies compliance with the FTC annually. If anything, it’s this grave risk to these people — not Musk himself — that may force Twitter to abide by the FTC’s rules.
“Why would anyone take the fall for him?! This isn't the mob. Some execs would [definitely] face personal liability for illegal acts,” tweeted Riana Pfefferkorn, a research scholar at the Stanford Internet Observatory and former outside counsel to Twitter. “He’s shown he’s not afraid of the SEC. But regular mortals *do* worry about jail and lawsuits. And he needs regular mortals.”
Lizzy Lawrence and Ben Brody contributed reporting.