December 28, 2022 By Mike Elgan 4 min read

All companies have to comply with privacy and security laws. They must also comply with any settlements or orders imposed by regulatory agencies of the U.S. government, such as FTC consent decrees.

But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private.

The Musk factor

Technology visionary and Silicon Valley founder and CEO Elon Musk bought the social network Twitter in October 2022 for $44 billion, taking the formerly public company private. Musk immediately began personally directing many of Twitter’s actions and policies, including changes to moderation and staffing. Chaos ensued, and many people, including top company officers, resigned or were fired.

Twitter’s top compliance leaders all quit: the CISO, chief privacy officer and chief compliance officer left, reportedly unwilling to endorse Twitter’s new direction under Musk. Two of the officers had worked at Twitter for seven years each, and the third for just one year.

A data governance committee responsible for Twitter’s compliance with its Federal Trade Commission (FTC) consent decree was effectively disbanded by these resignations, and two other members of the committee were fired.

Twitter has appointed an interim data protection officer. Beyond that, nobody appears to be responsible for meeting the company’s FTC and GDPR obligations. In place of adequate compliance leadership, Twitter’s legal department is reportedly asking engineers to “self-certify” compliance.

Violations could cost Twitter billions in fines. The FTC said recently that it is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”

But Musk’s lawyer, Alex Spiro, reportedly said to a colleague, “Elon puts rockets into space. He’s not afraid of the FTC.”

Whether Musk is “afraid” or not, it could be that huge fines are coming his way. Again.

Twitter’s (and Musk’s) history with the FTC

Back in 2010, when Twitter was only three or four years old, the FTC charged that Twitter lacked reasonable safeguards against unauthorized access to user accounts, tweets and direct messages, despite its public assurances to the contrary. The parties settled under a consent order: Twitter promised to stop misrepresenting its privacy and security controls and to maintain a proper information security program, and the FTC made clear it would penalize Twitter if it didn’t.

Then in May of this year (well before Musk bought the company), Twitter agreed to pay a $150 million civil penalty for misrepresenting how it used personal data. According to the DoJ complaint filed on behalf of the FTC, Twitter told users it was collecting phone numbers and email addresses for account security purposes, then used that same data for targeted advertising. As part of the settlement, the company also agreed to offer multi-factor authentication (MFA) options that don’t require a phone number, along with a list of other security and privacy improvements.

Musk himself has a colorful history with the FTC and the SEC, mostly stemming from tweets that had immediate effects on the prices of assets he mentioned, including his own companies (Tesla and SpaceX) and assets he held a financial interest in (Bitcoin).

In September 2018, the SEC charged Musk with misleading investors via a tweet saying that he was considering taking Tesla private at $420 a share and had secured funding. The SEC alleged the funding claim was false and misleading; Musk and Tesla settled, each paying a $20 million penalty, and Musk stepped down as Tesla’s board chairman. Musk later boasted that the fine was “worth it.”

How Twitter’s recent moves serve as a bad example

“Self-certification” is not a certification plan. It’s a recipe for non-compliance.

As former Facebook CSO Alex Stamos tweeted, “self-certifying” with the FTC is not a thing. Somebody will have to make assertions and answer questions on behalf of the company under legal penalty for false statements. FTC consent orders of this kind typically require a designated senior officer to certify compliance and an independent third party to assess the program, so an engineer’s self-attestation is no substitute for either.

Twitter also risks running afoul of European regulations. As part of Musk’s mass layoffs, Twitter disbanded its Brussels office and cut its European headquarters staff in Dublin in half, raising concerns that it won’t have enough people to meet new EU obligations on curbing hate speech and other illegal content on tech platforms.

A special board overseeing Twitter’s compliance with Europe’s General Data Protection Regulation (GDPR) also folded after Musk fired two of its three members. One of them secured a court injunction forcing Twitter to keep her on as an employee.

Twitter as a company appears to be de-prioritizing compliance and proceeding haphazardly and arbitrarily. It is essentially kicking its compliance problems down the road while focusing on other matters.

This is, unfortunately, a more dramatic version of how many companies handle compliance. They underfund it, delay its full implementation or treat compliance as an optional annoyance.

As with Twitter, ignoring the compliance part of the business will inevitably lead to fines, penalties and imposed requirements.

Learning from Twitter’s mistakes

In short, use Twitter as a perfect bad example. Properly staff and fund your compliance teams. Place direct and clear responsibility on qualified professionals who can stand behind the company’s assertions to regulators. And get the whole organization on board.

Also, don’t follow Twitter in inventing shortcuts and workarounds. Pushing responsibility for compliance onto developers or other non-specialists is no substitute for an accountable team at the top that makes sure the organization meets every law and order that applies to it. This is especially true of any tech organization that falls under privacy regulations like the GDPR or the California Consumer Privacy Act (CCPA).

Keep an eye on what happens at Twitter. Unless Musk turns around the company’s approach to compliance, it’s not going to end well for Twitter.
