December 28, 2022 By Mike Elgan 4 min read

All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government.

But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private.

The Musk factor

Technology visionary, Silicon Valley founder and CEO Elon Musk bought the social network Twitter in October for $44 billion, taking the formerly public company private. Musk immediately began personally directing many of Twitter’s actions and policies, including changes in moderation and staff. Chaos ensued, and many people — including top company officers — resigned or were fired.

Twitter’s top compliance leaders all quit. The CISO, chief privacy officer and chief compliance officer each left, citing their unwillingness to endorse Twitter’s new direction under Elon Musk. Two of the officers had worked at Twitter for seven years each, and the other for just one year.

A data governance committee responsible for Twitter’s compliance with a Federal Trade Commission (FTC) consent decree was disbanded as a result of these resignations, and two other members of the committee were fired.

Twitter has appointed an interim data protection officer. It appears that nobody else is charged with complying with FTC and GDPR requirements. In place of sufficient compliance leadership, Twitter’s legal department is reportedly calling on engineers to “self-certify” compliance.

Violations risk billions in fines for Twitter. The FTC said recently that it is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”

But Musk’s lawyer, Alex Spiro, reportedly said to a colleague, “Elon puts rockets into space. He’s not afraid of the FTC.”

Whether Musk is “afraid” or not, it could be that huge fines are coming his way. Again.

Twitter’s (and Musk’s) history with the FTC

Back in 2010, when Twitter was only three or four years old, the FTC complained about Twitter’s lack of safeguards around access to tweets and privacy of direct messages, despite Twitter’s public assurances to the contrary. The parties settled on Twitter’s promise that it would stop misrepresenting privacy and security controls and the FTC’s promise that it would fine Twitter if it didn’t.

Then in May of this year (well before Musk bought the company), Twitter was fined $150 million in a civil penalty for lying about its use of personal data. According to the DoJ complaint filed on behalf of the FTC, Twitter told users that it was capturing personal data for account security, then turned around and used that data for targeted advertising. The company also agreed to offer multi-factor authentication (MFA) options that don’t require a phone number, as well as a list of other security and privacy improvements.

Musk himself has a colorful history with the FTC and the SEC, mostly stemming from tweets that had immediate impacts on the stock prices of companies he mentioned, including his own companies (Tesla and SpaceX) and his own financial interest (Bitcoin).

In September 2018, the SEC charged Musk with misleading investors with a tweet saying that he was considering taking Tesla private at $420 a share and had secured funding. The statement about funding was false, and the SEC fined Musk and Tesla $20 million each. Musk later boasted that the fine was “worth it”.

How Twitter’s recent moves serve as a bad example

“Self-certification” is not a certification plan. It’s a recipe for non-compliance.

As former Facebook CSO Alex Stamos tweeted, “self-certifying” with the FTC is not a thing. Somebody will have to make assertions and answer questions on behalf of the company under legal penalty for false statements.

Twitter also risks running afoul of European regulations. As part of Musk’s mass layoffs and staff reductions, Twitter disbanded its European office in Brussels and cut its European headquarters staff in Dublin in half, raising concerns that it won’t have enough people to enforce new EU laws around the curbing of hate speech by tech companies.

A special board of directors in charge of Twitter’s compliance with Europe’s General Data Protection Regulation (GDPR) also folded after Musk fired two of its three members. One secured a court injunction forcing Twitter to keep her on as an employee.

In short, Twitter as a company appears to be de-prioritizing compliance and proceeding haphazardly and arbitrarily. It’s essentially kicking compliance problems down the road while focusing on other matters.

This is, unfortunately, a more dramatic version of how many companies handle compliance. They underfund it, delay its full implementation or treat compliance as an optional annoyance.

As with Twitter, ignoring the compliance part of the business will inevitably lead to fines, penalties and imposed requirements.

Learning from Twitter’s mistakes

In short, use Twitter as a perfect bad example. Make sure to properly staff and fund your compliance teams. Place direct and clear responsibility on qualified professionals. And get the whole organization on board.

Also, don’t do what Twitter is doing by making up shortcuts and workarounds. Placing the responsibility for compliance on developers or other non-specialists is no substitute for a team at the top that makes sure your organization meets all laws and decrees that apply. This is especially true of any tech organization that falls under privacy regulations like the GDPR or the California Consumer Privacy Act (CCPA).

Keep an eye on what happens at Twitter. Unless Musk turns around the company’s approach to compliance, it’s not going to end well for Twitter.
