Twitter Whistleblower Exposes FTC’s Ineffective Efforts to Protect User Data

Danielle McNamara

Senior Editor

Loyola University Chicago School of Law, JD 2023

In July 2022, former Twitter board member Peiter Zatko filed a complaint against Twitter, alleging that the social media platform failed to develop a security system consistent with the Federal Trade Commission’s (FTC) requirement, established in 2011, to implement a comprehensive information-security program. This allegation has shed light on the FTC’s potential inability to effectively monitor compliance with its consent decrees, its primary way of enforcing consumer protection laws.

Previous FTC complaints against Twitter

Since the inception of social media platforms like Twitter, Facebook, and Instagram, the FTC has worked to impose orders on them to ensure that consumer data is adequately protected, and Twitter is no stranger to violations. In 2010, the FTC filed its first complaint against Twitter. In the complaint, the FTC states that serious deficits in the company’s data security allowed hackers to acquire unauthorized control of Twitter on two occasions in 2009. These breaches led to access to non-public user information and tweets marked private by users, and even the ability to send out tweets from accounts belonging to Fox News and then-President-elect Barack Obama, amongst others.

The FTC stated that Twitter was vulnerable to these attacks because it failed to implement reasonable steps such as requiring employees to use hard-to-guess administrative passwords, suspending administrative passwords after a reasonable number of unsuccessful login attempts, and enforcing periodic changes in administrative passwords. In the subsequent settlement of this complaint, Twitter was barred for 20 years from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.” In addition, the settlement required that Twitter establish and maintain a “comprehensive information security program,” to be assessed every other year for 10 years.

In May 2022, Twitter was ordered to pay upwards of $150 million in civil penalties after the Department of Justice filed another complaint on behalf of the FTC, alleging that Twitter violated the order following the 2010 complaint by collecting consumer data for “security purposes” and then exploiting the data commercially. In the complaint, the FTC states that from May 2013 through September 2019, Twitter prompted users to provide phone numbers and email addresses to enable “Multi-Factor Authentication,” which adds another layer of security to protect user accounts. However, within that timeframe Twitter obtained the email addresses and phone numbers of over 140 million users and used this information to serve targeted ads without the users’ knowledge or consent.

In addition to the $150 million in civil penalties, the FTC added provisions to the order to protect user data going forward. These provisions include prohibiting Twitter from using the phone numbers and email addresses it illegally obtained to serve ads, and requiring Twitter to notify users of its improper use, tell them about the FTC law enforcement action, and explain how each user can turn off personalized ads. In addition, the FTC required Twitter to implement a more stringent security program that includes privacy and security assessments by an independent third party approved by the FTC, and required reporting of privacy and security incidents to the FTC within 30 days.

Zatko’s allegations

Zatko, Twitter’s former head of security, filed a 200-page complaint with the FTC in July 2022 alleging “egregious deficiencies” in the platform’s current security plans. The complaint alleges that he repeatedly warned colleagues that half of the company’s servers were running vulnerable and out-of-date software. He also alleges that company executives withheld the sheer number of breaches and the lack of protection, instead opting to present directors with “unimportant” charts measuring anything but these important security deficits. Moreover, the whistleblower document alleges that Twitter prioritized user growth over reductions in spam, as executives stood to win individual bonuses of up to $10 million that were directly tied to increases in daily users.

Zatko was recruited by Jack Dorsey, former CEO of Twitter, in 2020, following an especially alarming hack in which the Twitter accounts of many of the world’s most famous people, including then-presidential candidate Joe Biden, former President Barack Obama, and Kim Kardashian, were compromised. While working for Twitter, Zatko states he was met with a company that had concerningly poor security, giving thousands of employees access to the platform’s most critical controls. He also states it seemed almost impossible to protect the production environment, as all engineers had access to the data and nobody seemed to know where it lived.

How did the FTC miss Zatko’s alleged violations?

While it is clear that the FTC is aware of Twitter’s apparent lack of proper security measures, as evidenced by prior complaints, Zatko’s allegations may demonstrate the FTC’s inability to regulate and maintain orders put in place to assure user privacy. According to interviews with a handful of current and former FTC officials, chronic underfunding and understaffing have left the FTC unable to closely monitor orders and impose fines when those orders are violated.

Senators have also spoken out regarding the allegations. In a letter by Sen. Richard Blumenthal, chair of the Senate subcommittee on consumer protection, Blumenthal states, “If the commission does not vigorously oversee and enforce its orders, they will not be taken seriously and these dangerous breaches will continue.” In addition, Sen. Chuck Grassley emphasizes the immense issue of allowing such large user platforms with “incredibly weak security infrastructure” to continue to operate without sufficient regulation.

What’s next?

While the FTC has addressed many concerns regarding Twitter’s insufficient attempts at protecting user data, lawmakers and former officials have raised concerns with its implementation of orders and out-of-date procedures. For example, although the FTC addressed various concerns in its May 2022 order, it did not address many of the systemic allegations raised in Zatko’s complaint. These include outdated software on servers, blocked automatic updates, and misleading the board about the number of breaches experienced.

Unfortunately, it appears that the FTC cannot keep up with the sheer number of security violations that large social media platforms are racking up. In order to ensure user privacy, we may need to focus on creating more comprehensive consumer-data privacy laws that establish more up-to-date regulations. Such laws could provide the FTC with more legal authority, which would aid it in the ever-changing data privacy sector and ensure that consumer protection laws are focused on current security issues.