US says FTC probe uncovered privacy risks caused by Musk's drastic changes.
JON BRODKIN - 9/13/2023, 4:43 AM
US government lawyers criticized Elon Musk's leadership at the company formerly named Twitter yesterday, telling a judge that Musk's attempt to terminate a privacy settlement and Federal Trade Commission investigation should be rejected.
"After agreeing last year to settle charges that it once again misled consumers about the privacy and security of their information, X Corp. (formerly Twitter, Inc.) now seeks to jettison that agreement and limit further scrutiny of its data practices. X Corp.'s motion is meritless and should be denied," Department of Justice lawyers representing the US government wrote in the filing in US District Court for the Northern District of California.
In July, Musk's X Corp. asked the court to terminate or modify a privacy settlement that Twitter and the FTC agreed to in May 2022 before Musk bought the company. X claimed that the FTC's ongoing investigation into whether it is complying with the settlement "has spiraled out of control and become tainted by bias." X's motion also sought "a protective order staying the notice of deposition of Elon Musk."
The US response yesterday said the investigation is warranted by the dramatic changes that Musk brought to the social media firm. It also said that Musk should be deposed in the FTC investigation because he "has unique, first-hand knowledge about the current state and direction of the company's data practices and efforts to comply with the 2022 Administrative Order."
The US said the FTC found troubling information when it used its discovery rights under the settlement to request "records and other information to determine whether X Corp. was properly protecting user data during this transformation," and when it deposed five former executives and employees who held roles in privacy and security. The FTC depositions so far have targeted "former employees because nearly every employee who has been identified as a point person for privacy or data security either resigned or was terminated before the FTC could talk to them," the government said.
“Chaotic environment”
"The information obtained revealed a chaotic environment at the company that raised serious questions about whether and how Musk and other leaders were ensuring X Corp.'s compliance with the 2022 Administrative Order," the US wrote in the partially redacted filing.
Musk conducted "at least five rounds of terminations, layoffs, or other reductions" in the weeks after his October 2022 purchase of Twitter, eliminating over half of the workforce, the US noted.
"Within days of the initial layoffs, three key data privacy and security executives all resigned: Chief Privacy Officer Damien Kieran, Chief Information Security Officer Lea Kissner, and Chief Compliance Officer Marianne Fogarty," the filing said. "These three had been the sole remaining members of the company's Data Governance Committee, which was tasked with interpreting and modifying data policies and practices to ensure X Corp. complied with the 2022 Administrative Order."
The US filing said that during a deposition, "Kissner testified that decisions by Musk and others—including layoffs and other 'cost-cutting pressure and decisions'—impaired X Corp.'s ability to 'put technical restrictions and controls in place... around the company's use of contact data to make sure that it was being used... for the purpose that the particular contact data was collected.'"
Kissner further testified that after the mass employee exodus, "about half of the controls in X Corp.'s information security program did not have a designated 'owner' responsible for their operation. Similarly, at his deposition, Kieran testified that the firings and layoffs meant no one was responsible for about 37 percent of X Corp.'s privacy program controls," the US wrote.
“Musk’s conduct”
The next section of the US government filing is titled "Musk's Conduct." After buying the social network and taking over as CEO and sole director, "Musk also personally assumed supervisory authority over X Corp.'s privacy and information security program under the 2022 Administrative Order," the US said.
"Former X Corp. employees testified about several concerning incidents involving Musk," the US wrote. "For example, in early December 2022, Musk reportedly directed staff to grant an outside third-party journalist 'full access to everything at Twitter... No limits at all.' Consistent with Musk's direction, the journalist was initially assigned a company laptop and internal account, with the intent that they be given 'elevated privileges beyond just what a[n] average employee might have.'"
The journalist who received that access was reportedly Bari Weiss. According to the US court filing, longtime security employees at Twitter were "concerned such an arrangement could expose nonpublic user information in potential violation of the 2022 Administrative Order" and thus "intervened and implemented safeguards to mitigate the risks." Instead of receiving direct access to company systems, the journalist was said to be "working with some other individuals within [the company] who were potentially accessing such services on [their] behalf."
Abrupt move of servers with sensitive data
The filing then described a December 2022 incident in which Musk directed that Twitter servers be moved from one data center to another.
"X Corp. policy was that 'data cannot leave the data center unless it's been wiped.' But because employees only had 'a matter of days and weeks, not, like months or quarters' to conduct the move, they did not have 'enough time to put together a process that [] would be in compliance with [their] own policies,'" the brief said.
The hurried server move was also described in the new biography of Musk by Walter Isaacson.
The US government brief said the relocated servers were not wiped before being moved to a new data center. The type of data on the relocated servers was apparently so sensitive that it could not be described in the US court filing, which redacts the sentence that describes what the servers contained.
The "Musk's Conduct" section ends with a description of the rushed launch of the Twitter Blue revamp that gave "verification" checkmarks to paying users:
According to Kissner, Musk insisted the service "ha[d] to launch right now," even though X Corp. was "so reduced in size that [teams were] struggling to keep the service up." Kieran recalled Twitter Blue was implemented so quickly that, "to ensure the speed that the product and engineering team was trying to work at," the security and privacy review was not conducted in accordance with the company's process for software development.
Sayler described how some of the security team's recommendations went unheeded, including measures for mitigating the risk that people would purchase verification to impersonate other accounts. These concerns were well-founded: Twitter Blue was suspended the day after it was launched, after reports of fake accounts and impersonations.
X “complains the FTC asked too many questions”
The US brief also responded to X's claim that the FTC "attempted to bully" audit firm Ernst & Young (EY) "into acting as an arm of its enforcement staff digging up dirt on X Corp., rather than an objective, independent, third-party auditor."
"X Corp. fails to mention that EY chose to terminate its engagement in February 2023 due to the extensive departures within, and a lack of support from, X Corp. Nor does X Corp. acknowledge that it has since retained a new independent assessor, which renders immaterial the company's allegations regarding EY, since EY never produced a report of X Corp.'s program or submitted one to the FTC," the US told the court.
When Twitter agreed to the privacy settlement last year, there was a stipulated order issued by the court and an administrative order issued by the FTC. The obligations that X complains about "flow from the FTC's administrative order and not the court's stipulated order," the US said.
The US argued that the court lacks authority to terminate the FTC's 2022 administrative order "because X Corp. did not first seek that relief from the Commission itself." But even if the compliance obligations were part of the stipulated order, X "has not identified a change in circumstances that renders the order's safeguards unworkable or contrary to the public interest," the US said.
"In seeking 'relief' from these obligations, X Corp. does not argue that the safeguards to which it consented have become unnecessary or unworkable. Rather, it complains the FTC asked too many questions after Elon Musk acquired the company," the US said. "But the FTC asked questions because of sudden, radical changes at the company: within weeks of the acquisition, half of X Corp.'s employees were terminated or resigned, including key executives in privacy, data security, and compliance roles."
The US said that X's "motion rests on hyperbolic allegations of 'witness tampering' and an investigation 'tainted by bias.'" The reality, according to the government, is that Musk's hasty revamp of Twitter Blue, along with "alarming site outages, product malfunctions, and issues with data access controls," gave the FTC "every reason to seek information about whether these developments signaled a lapse in X Corp.'s compliance."