In Twitter whistleblower hearing, a major tech regulator came under fire

“I am concerned that for nearly 10 years the Federal Trade Commission did not know or Twitter did not take sufficient action to ensure compliance with the consent decree,” said Iowa Sen. Chuck Grassley, the top Republican on the Senate Judiciary Committee. “Congress must be mindful of the ability, or lack thereof, of the FTC to successfully monitor these important issues.”

Committee chairman Dick Durbin also indicated concerns about the FTC when he asked whistleblower Peter “Mudge” Zatko to grade the performance of US regulatory agencies in light of his Twitter allegations.

“Honestly, I think the FTC is a little, you know, in over their head,” Zatko replied.

An FTC spokesperson declined to comment for this story.

The sharp, bipartisan remarks from members of Congress and from Zatko, Twitter's security chief from November 2020 to this January, highlight growing frustration inside and outside Washington about the struggle to hold Silicon Valley accountable after years of scrutiny, even as lawmakers held another hearing in an attempt to do the same.

In his testimony this week, Zatko alleged that Twitter contained serious, undeclared security and privacy vulnerabilities that put users and national security at risk. But that day also drew headlines over a federal agency that critics say both doesn’t have the resources to take on billion-dollar tech companies like Twitter, and pulls its punches when it does.

Zatko explained how Twitter – which under its FTC consent order had committed to protecting user data and maintaining a robust information security program – reportedly did not take US regulators seriously and actively misled them.

“Some foreign regulators were a lot more intimidated than the FTC,” Zatko said, noting that France’s privacy regulator “horrified Twitter in comparison.”

Zatko testified that French officials investigating potential privacy breaches demanded concrete, quantifiable data from Twitter to support the company’s claims of compliance, often over short time frames, and were known to threaten harsh penalties for non-compliance that could directly hinder the future growth of Twitter.

“[They took a] ‘You probably won’t be allowed to monetize in France, or maybe you won’t be allowed to use a particular data source in France,’ you know, and ‘you have a week to respond,’ a one-of-a-kind approach,” Zatko told Sen. Richard Blumenthal. In contrast, Twitter was not afraid of the FTC, Zatko claimed, largely because the agency asked the company to “grade its own homework” in compliance audits and tended to issue one-time fines that were seen within the company as little more than the cost of doing business.

Peter Zatko, known in the computer hacking community as Mudge, poses for a portrait in Washington, DC, US, August 22, 2022. Photo by Sarah Silbiger for CNN

In response to Zatko’s allegations, Twitter accused the whistleblower of portraying a “false narrative” of the company that is “full of inconsistencies and inaccuracies.” Twitter has also said that Zatko was not involved in the company’s efforts to prepare a compliance report and did not fully understand the company’s legal obligations.

According to his disclosure to the US government, Zatko’s allegations are informed by statements from his own employees at the company, who he says were “seriously acquainted” with Twitter’s FTC obligations. According to the disclosure, Zatko’s subordinates reportedly told him that Twitter was never in compliance with the 2011 order and was never on track to comply.

Limited fines and resources

Zatko’s testimony has prompted unusually outspoken criticism of an agency considered America’s main privacy and data protection regulator, and at a time when that agency is said to be more focused on reining in the tech industry under Chair Lina Khan, a high-profile skeptic of the big tech platforms.

The FTC has become increasingly involved in technology oversight in recent decades. In 2011, it hired its first chief technologist, and in 2015, a federal appeals court upheld the FTC’s authority to prosecute companies for data protection lapses—a major victory that helped to strengthen the FTC’s role as a cop on the digital beat. This year, the FTC began a process that could eventually lead to the creation of broad new privacy rules covering nearly all businesses that handle consumer data, including platforms like Twitter.

But there have been other moments that have led critics to doubt whether the FTC is up to the task. In 2013, the commission voted unanimously not to sue Google over concerns about the company’s impact on competition, despite a recommendation from the agency’s antitrust staff to do so. And although a confidentiality agreement with Facebook in 2019 resulted in a record $5 billion fine and a number of new legal liabilities for that company, critics have said the FTC should have put the emphasis on holding CEO Mark Zuckerberg and COO Sheryl Sandberg personally accountable in the resulting order.

As with Facebook, the latest allegations against Twitter could lead to billions of dollars in new FTC fines, former agency officials have told CNN.

But some lawmakers this week expressed dismay at the penalties the FTC has imposed on the company so far, and cast doubt on the ability of regulators to meaningfully prevent wrongdoing in the future. In May, the FTC struck a $150 million settlement with Twitter to resolve separate allegations that it violated its consent order when Twitter allegedly used account security information for targeted advertising purposes.

Blumenthal, a former Connecticut attorney general, said: “The size of the fine, a mere $150 million, amounts to the kind of burden we have when we pay tolls to get into Manhattan.”

Zatko agreed that the fine was actually “much less than us [at Twitter].” Twitter’s nightmare scenario, he said, was if the FTC “came and told us we’re not allowed to monetize email addresses because of our inability to handle them correctly. Then we can’t be in a fair position with our competitors, and that’s intimidating [Twitter].”

Lawmakers and regulators have also consistently called for more resources that could be devoted to enforcement. While there have been some attempts to expand the FTC budget and hire more in-house experts, former agency officials and consumer advocates have described employees as overwhelmed with work and outmatched by the armies of attorneys the tech giants can bring to bear.

‘What we’re doing right now isn’t working’

Twitter has said that its FTC compliance record speaks for itself in the form of third-party audits filed with the agency. But Zatko said that during his time at the company, the FTC allowed Twitter to appoint its own auditors, who relied heavily on corporate self-assessments — a practice that former FTC executives routinely used and that is an important way by which the agency saves time and manpower. (The latest agreement, from earlier this year, now prevents Twitter auditors from relying “primarily” on the company’s self-reporting.)

Zatko alleges that this setup has helped Twitter get away with misleading regulators. In a separate hearing this week, another Twitter executive could not explicitly deny, under repeated and direct questioning from lawmakers, allegations that the company “misrepresented facts to the FTC.”

That alleged deception, Blumenthal said at Tuesday’s hearing, perhaps along with “insufficient resources or a failure of will,” could explain what he characterized as a “lack of power in law enforcement.”

He added that the issue can only be effectively addressed by “reorganizing, reforming and activating our regulatory mechanisms” — potentially even by moving the FTC’s authority on privacy and security to a whole new government agency. (Blumenthal isn’t the only senator to bring such a proposal: In May, Colorado Democratic Sen. Michael Bennet introduced legislation to create a new commission regulating digital platforms.)

“Clearly,” Blumenthal said, “what we’re doing right now isn’t working.”
