The Federal Trade Commission (FTC) has found that Twitter/X owner Elon Musk gave staff orders that would have violated an FTC consent decree on privacy and security — if they’d been carried out. It turns out that the only reason Twitter/X remained in compliance was that its staff disobeyed their then-CEO.
In an open letter to House Judiciary chairman Jim Jordan published on Wednesday, FTC chair Lina Khan shared the agency’s conclusions from its investigation into Musk’s 2022 Twitter/X takeover. Twitter/X and the FTC had a longstanding 2011 agreement in place prior to Musk’s buyout, which requires the company to “implement and maintain a comprehensive privacy and information security program.” This includes protecting users’ personal data and limiting employees’ access to it.
However, shortly after his takeover, Musk ordered Twitter/X staff to give several external writers complete access to the company’s internal documents and systems. According to a Washington Post report, the billionaire stated that at least one of his handpicked writers should have “full access to everything at Twitter” with “no limits at all.”
Musk’s decision to give third parties such unfettered access to company-held data drew the FTC’s attention and raised alarms among Twitter/X’s employees. Granting these external writers such universal access would have allowed them to view Twitter/X users’ personal information such as direct messages, real names, and telephone numbers, violating the FTC order to carefully protect such data.
As such, Twitter/X’s staff decided to just ignore Musk.
“[B]ased on a concern that such an arrangement would risk exposing nonpublic user information in potential violation of the FTC’s Order, longtime information security employees at Twitter intervened and implemented safeguards to mitigate the risks,” wrote Khan. “Ultimately the third-party individuals did not receive direct access to Twitter’s systems, but instead worked with other company employees who accessed the systems on the individuals’ behalf.”
Staff still gave the writers enough information for them to create the Twitter Files — documents which Musk later attempted to downplay after they failed to show the anti-conservative bias he had been searching for at Twitter/X. But Twitter/X’s employees did not provide the writers with unlimited access to the company’s systems and data, directly opposing Musk’s directive.
If staff had simply followed Musk’s orders, Twitter/X would likely be facing some expensive consequences right now. The social media platform was previously fined $150 million in May 2022 after violating the FTC’s agreement, having used users’ personal information to sell advertising rather than strictly for security purposes.
Considering Twitter/X’s significantly decreased value — as well as its flailing attempts at building revenue streams to replace its fleeing advertisers — it’s money the company probably wouldn’t be ready to lose again.
“The FTC’s investigation confirmed that staff was right to be concerned, given that Twitter’s new CEO had directed employees to take actions that would have violated the FTC’s Order,” wrote Khan. “FTC staff efforts to ensure Twitter was in compliance with the Order were appropriate and necessary, especially given Twitter’s history of privacy and security lapses and the fact that it had previously violated the 2011 FTC Order.”
Khan also noted that Twitter/X’s infamous mass layoffs had left the company ill-equipped to ensure it was correctly carrying out its duties and responsibilities. Musk began to drastically reduce Twitter/X’s workforce as soon as he took ownership of the company, with around 80 percent of staff laid off before five months had passed.
“Simply put, there was no one left at the company responsible for interpreting and modifying data policies and practices to ensure Twitter was complying with the FTC’s Order to safeguard Americans’ personal data,” said Khan.
Twitter/X filed a motion to end the FTC’s order last July, seeking to get rid of the privacy and security obligations it imposed on the company. Fortunately for anyone who prefers companies be held accountable for what they do with your data, the attempt was ultimately unsuccessful.