{"id":5007,"date":"2022-11-01T10:00:35","date_gmt":"2022-11-01T15:00:35","guid":{"rendered":"https:\/\/blogs.luc.edu\/compliance\/?p=5007"},"modified":"2022-11-01T10:00:35","modified_gmt":"2022-11-01T15:00:35","slug":"twitter-whistleblower-exposes-ftcs-ineffective-efforts-to-protect-user-data","status":"publish","type":"post","link":"https:\/\/blogs.luc.edu\/compliance\/?p=5007","title":{"rendered":"Twitter Whistleblower Exposes FTC\u2019s Ineffective Efforts to Protect User Data"},"content":{"rendered":"<p><em>Danielle McNamara<\/em><\/p>\n<p><em>Senior Editor<\/em><\/p>\n<p><em>Loyola University Chicago School of Law, JD 2023<\/em><\/p>\n<p>In July 2022, former Twitter board member Peiter Zatko filed a <a href=\"https:\/\/www.washingtonpost.com\/technology\/interactive\/2022\/twitter-whistleblower-sec-spam\/?itid=ap_josephmenn&amp;itid=lk_inline_manual_4\">complaint<\/a> against Twitter, alleging that the social media platform failed to develop a security system consistent with the Federal Trade Commission\u2019s (FTC) requirement to implement a comprehensive information-security program, established in 2011. This allegation has shed light on the potential inability of the FTC to effectively <a href=\"https:\/\/www.washingtonpost.com\/technology\/2022\/09\/12\/mudge-twitter-ftc-consent-decrees\/\">monitor compliance<\/a> with its consent decrees, its primary way of enforcing consumer protection laws.<\/p>\n<p><strong>Previous FTC complaints against Twitter<\/strong><\/p>\n<p>Since its inception, the FTC has worked to impose orders on social media platforms like Twitter, Facebook, and Instagram to ensure that consumer data is adequately protected, and Twitter is no stranger to violations. In 2010, the FTC filed its <a href=\"https:\/\/www.ftc.gov\/news-events\/news\/press-releases\/2010\/06\/twitter-settles-charges-it-failed-protect-consumers-personal-information-company-will-establish\">first complaint<\/a> against Twitter. 
In the complaint, the FTC states that serious deficits in the company\u2019s data security allowed hackers to acquire unauthorized control of Twitter on two occasions in 2009. These breaches led to access to non-public user information, tweets marked private by users, and even the ability to send out tweets from accounts belonging to Fox News and then-President-elect Barack Obama, amongst others.<\/p>\n<p>The FTC stated that Twitter was vulnerable to these attacks because it failed to implement reasonable steps such as requiring employees to use hard-to-guess administrative passwords, suspending administrative passwords after a reasonable number of unsuccessful login attempts, and enforcing periodic changes in administrative passwords. In the subsequent <a href=\"https:\/\/www.ftc.gov\/legal-library\/browse\/cases-proceedings\/092-3093-twitter-inc-corporation\">settlement<\/a> of this complaint, Twitter was barred for 20 years from \u201cmisleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers.\u201d In addition, the settlement required that Twitter establish and maintain a \u201ccomprehensive information security program,\u201d to be assessed every other year for 10 years.<\/p>\n<p>In May 2022, Twitter was issued upwards of $150 million in civil penalties after the Department of Justice filed <a href=\"https:\/\/www.ftc.gov\/legal-library\/browse\/cases-proceedings\/2023062-twitter-inc-us-v\">another complaint<\/a> on behalf of the FTC, alleging that Twitter violated the order following the 2010 complaint by collecting consumer data for \u201csecurity purposes\u201d and then selling the data commercially. 
In the complaint, the FTC states that from May 2013 through September 2019, Twitter prompted users to provide phone numbers and email addresses to enable \u201cMulti-Factor Authentication,\u201d which adds another layer of security to protect user accounts. However, within that timeframe Twitter obtained the email addresses and phone numbers of over 140 million users, subsequently using this information to serve targeted ads without the knowledge or consent of the users.<\/p>\n<p>In addition to the $150 million in civil damages, the FTC <a href=\"https:\/\/www.ftc.gov\/business-guidance\/blog\/2022\/05\/twitter-pay-150-million-penalty-allegedly-breaking-its-privacy-promises-again\">added provisions<\/a> to the order to protect user data going forward. Some of these provisions include prohibiting Twitter from using phone numbers and email addresses it illegally obtained to serve ads and requiring Twitter to notify users of its improper use, tell them about the FTC law enforcement action, and explain how each user can turn off personalized ads. In addition, the FTC required Twitter to implement a more stringent security program that includes privacy and security assessments by an independent third party approved by the FTC and required reporting of privacy and security incidents to the FTC within 30 days.<\/p>\n<p><strong>Zatko\u2019s allegations<\/strong><\/p>\n<p>Zatko, Twitter\u2019s former head of security, filed a 200-page <a href=\"https:\/\/www.cnn.com\/2022\/08\/23\/tech\/twitter-whistleblower-peiter-zatko-security\/index.html\">complaint<\/a> with the FTC in July 2022 alleging \u201cegregious deficiencies\u201d in the platform\u2019s current security plans. The complaint alleges that he repeatedly warned colleagues that half of the company\u2019s servers were running vulnerable and out-of-date software. 
He also alleges that company executives withheld the sheer number of breaches and the lack of protection, instead opting to present directors with \u201cunimportant\u201d charts measuring anything but these important security deficits. Moreover, the whistleblower document alleges that Twitter prioritized user growth over reductions in spam, as executives stood to win individual bonuses of up to $10 million, which were directly tied to increases in daily users.<\/p>\n<p>Zatko was recruited by Jack Dorsey, former CEO of Twitter, in 2020, following an especially alarming <a href=\"https:\/\/www.cnn.com\/2020\/07\/15\/tech\/twitter-hack-elon-musk-bill-gates\/index.html\">hack<\/a> in which the Twitter accounts of many of the world\u2019s most famous people, including then-presidential candidate Joe Biden, former President Barack Obama, and Kim Kardashian, were compromised. While working for Twitter, Zatko states he was met with a company that had concerningly poor security, giving thousands of employees access to the platform\u2019s most critical controls. He also states it seemed almost impossible to protect the production environment, as all engineers had access to the data and nobody seemed to know where it lived.<\/p>\n<p><strong>How did the FTC miss Zatko\u2019s alleged violations?<\/strong><\/p>\n<p>While it is clear that the FTC is aware of Twitter\u2019s apparent lack of proper security measures, as evidenced by prior complaints, Zatko\u2019s allegations may demonstrate the FTC\u2019s inability to regulate and maintain orders put in place to assure user privacy. According to <a href=\"https:\/\/www.washingtonpost.com\/technology\/2022\/09\/12\/mudge-twitter-ftc-consent-decrees\/\">interviews<\/a> with a handful of current and former FTC officials, chronic underfunding and understaffing have left the FTC unable to closely monitor orders and impose fines when these orders are violated.<\/p>\n<p>Senators have also spoken out regarding the allegations. In a letter by Sen. 
Richard Blumenthal, chair of the Senate subcommittee on consumer protection, he states, \u201cIf the commission does not vigorously oversee and enforce its orders, they will not be taken seriously and these dangerous breaches will continue.\u201d In addition, Sen. Chuck Grassley emphasizes the immense issue of allowing such large user platforms with \u201cincredibly weak security infrastructure\u201d to continue to operate without sufficient regulation.<\/p>\n<p><strong>What\u2019s next?<\/strong><\/p>\n<p>While the FTC has addressed many concerns regarding Twitter\u2019s insufficient attempts at protecting user data, lawmakers and former officials have raised concerns with its implementation of orders and out-of-date <a href=\"https:\/\/www.ftc.gov\/system\/files\/documents\/reports\/ftc-report-congress-privacy-security\/report_to_congress_on_privacy_and_data_security_2021.pdf\">procedures<\/a>. For example, although the FTC addressed various concerns in its May 2022 order, it did not address many of the systemic allegations raised in Zatko\u2019s complaint. These include outdated software on servers, blocked automatic updates, and misleading the board about the number of breaches experienced.<\/p>\n<p>Unfortunately, it appears that the FTC cannot keep up with the sheer number of security violations that large social media platforms are racking up. In order to ensure user privacy, we may need to focus on creating more comprehensive consumer-data privacy laws that create more up-to-date regulations. 
These laws could provide the FTC with more legal authority, which would aid it in the ever-changing data privacy sector and ensure that consumer protection laws are focused on current security issues.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Danielle McNamara Senior Editor Loyola University Chicago School of Law, JD 2023 In July 2022, former Twitter board member Peiter Zatko filed a complaint against Twitter, alleging that the social media platform failed to develop a security system consistent with the Federal Trade Commission\u2019s (FTC) requirement to implement a comprehensive information-security program, established in 2011. &#8230;<br \/><a class=\"read-more-link btn btn-outline-secondary\" href=\"https:\/\/blogs.luc.edu\/compliance\/?p=5007\">Read more<\/a><\/p>\n","protected":false},"author":97,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1205,1623],"class_list":["post-5007","post","type-post","status-publish","format-standard","hentry","category-uncategorized","tag-journal-of-regulatory-compliance","tag-cybersecurity"],"_links":{"self":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/5007","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/users\/97"}],"replies":[{"embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5007"}],"version-history":[{"count":0,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=\/wp\/v2\/posts\/5007\/revisions"}],"wp:attachment":[{"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&pa
rent=5007"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5007"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blogs.luc.edu\/compliance\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5007"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}