At Twitter whistleblower hearing, a key tech regulator comes under fire


Washington
CNN Business

When a Twitter whistleblower testified at an explosive Senate hearing this week, the social media company wasn’t the only one under fire. Lawmakers on both sides of the aisle repeatedly criticized federal regulators who for years have allegedly kept a close eye on the company.

“I’m concerned that for nearly 10 years the Federal Trade Commission didn’t know or didn’t take strong enough action to ensure that Twitter was in compliance with the consent decree” it signed with the agency in 2011, said Iowa Sen. Chuck Grassley, the top Republican on the Senate Judiciary Committee. “Congress should be mindful of the FTC’s ability, or lack thereof, to successfully oversee these important issues.”

Committee Chairman Dick Durbin also signaled concerns about the FTC when he asked the whistleblower, Peiter “Mudge” Zatko, to assess the performance of US regulatory agencies in light of his Twitter allegations.

“Honestly, I think the FTC is a little, you know, over their heads,” Zatko replied.

An FTC spokesman declined to comment for this story.

The sharp, bipartisan remarks from members of Congress and Zatko, Twitter’s (TWTR) head of security from November 2020 to this January, highlight growing frustration inside and outside Washington about the fight to hold Silicon Valley accountable after years of review, even as lawmakers held a hearing in an attempt to do so.

In his testimony this week, Zatko alleged that Twitter had serious and undisclosed security and privacy vulnerabilities that have put users and national security at risk. But the day also put the spotlight on a federal agency that critics say is under-resourced to take on billion-dollar tech companies like Twitter, and that pulls its punches when it does.

Zatko described how Twitter — which had pledged to protect user data and maintain a robust information security program under its FTC consent order — allegedly failed to take US regulators seriously and actively misled them.

“Some of the foreign regulators were a lot more scared than the FTC,” Zatko said, noting that the French privacy regulator “terrified Twitter by comparison.”

Zatko testified that French officials investigating potential privacy violations demanded concrete, quantitative data from Twitter, often on short notice, to back up the company’s claims of compliance, and were known to threaten steep penalties for noncompliance that could directly prevent the future growth of Twitter.

“[They took a] ‘Maybe you won’t be allowed to make money in France, or maybe you won’t be allowed to use a certain data source in France,’ you know, and ‘you have a week to respond,’ kind of approach,” Zatko told Sen. Richard Blumenthal. In contrast, Twitter did not fear the FTC, Zatko asserted, because the agency mostly allowed the company to “do its homework” in compliance audits and tended to issue fines that were seen inside the company as little more than a cost of doing business.

Peiter Zatko, known as Mudge in the hacker community, poses for a portrait in Washington, DC, US, August 22, 2022. Photo by Sarah Silbiger for CNN

In response to Zatko’s allegations, Twitter has accused the whistleblower of painting a “false narrative” of the company that is “filled with inconsistencies and inaccuracies.” Twitter has also said that Zatko was not involved in efforts to prepare the company’s compliance reports and did not fully understand the company’s legal obligations.

According to his disclosure to the US government, Zatko’s claims are informed by statements from his staff at the company, who he says were “intimately familiar” with Twitter’s FTC obligations. Twitter was never in compliance with the 2011 order and was never on track to become compliant, Zatko’s subordinates told him, according to the disclosure.

Zatko’s testimony has prompted unusually outspoken criticism of an agency considered America’s top privacy and data security regulator — and did so at a time when that agency is said to be more focused on reining in the tech industry under Chair Lina Khan, a high-profile skeptic of big tech platforms.

The FTC has become increasingly involved in technology oversight in recent decades. In 2011, it hired its first chief technology officer, and in 2015, a federal appeals court upheld the FTC’s authority to prosecute companies for data security lapses — a major victory that helped cement the FTC’s role as a cop on the digital beat. This year, the FTC launched a process that could eventually lead to the creation of sweeping new privacy regulations covering nearly all businesses that handle consumer data, including platforms such as Twitter.

But there have been other moments that have led critics to question whether the FTC is up to the task. In 2013, the commission voted unanimously not to sue Google over concerns about the company’s impact on competition, despite a recommendation by antitrust agency staff to do so. And although a privacy settlement with Facebook in 2019 led to a record $5 billion fine and many new legal liabilities for that company, critics have said the FTC should have insisted on holding CEO Mark Zuckerberg and Sheryl Sandberg personally liable in the resulting order.

As with Facebook, the latest allegations against Twitter could lead to billions of dollars in new FTC fines, former agency officials have told CNN.

But some lawmakers expressed disappointment this week with the fines the FTC has levied against the company so far and raised doubts about regulators’ ability to meaningfully deter future wrongdoing. In May, the FTC reached a $150 million settlement with Twitter to resolve separate allegations that it violated the consent order, where Twitter allegedly used account security information for targeted advertising purposes.

“The size of the fine, just $150 million, is a burden on us average drivers when we pay the toll to get into Manhattan,” said Blumenthal, a former Connecticut attorney general.

Zatko admitted that the fine was indeed “much smaller than ours [at Twitter] was worried.” Twitter’s worst-case scenario, he said, was if the FTC “came in and told us we’re not allowed to monetize email addresses because of our continued inability to handle them correctly. Then we may not be on a fair footing with our competitors, and that is feared [Twitter].”

Lawmakers and regulators have also repeatedly asked for more resources that can be devoted to enforcement. While there have been some efforts to expand the FTC’s budgets and hire more in-house experts, former agency officials and consumer advocates have described the staff as overworked when compared with the armies of lawyers that technology giants can bring.

Twitter has said its FTC compliance record speaks for itself, in the form of third-party audits submitted to the agency. But Zatko said during his time at the company, the FTC allowed Twitter to hire its own auditors, who relied heavily on corporate self-assessments — a practice that former FTC officials have described as routine and an important way the agency saves time and labor. (The latest settlement, from earlier this year, now prohibits Twitter’s auditors from relying “primarily” on the company’s own self-reporting.)

Zatko claims this setup has helped Twitter fend off rogue regulators. In a separate hearing this week, another Twitter executive could not categorically deny, under repeated and direct questions from lawmakers, allegations that the company “willfully misrepresented facts to the FTC.”

That alleged fraud, Blumenthal said at Tuesday’s hearing, perhaps along with “insufficient resources or a failure of will,” could explain what he characterized as a “lack of energy in law enforcement.”

He said the issue can only be effectively addressed by “restructuring, reforming and revitalizing our regulatory apparatus” — potentially even by transferring the FTC’s authority over privacy and security to an entirely new government agency. (Blumenthal isn’t the only senator to introduce such a proposal: In May, Colorado Democratic Sen. Michael Bennet introduced legislation to create a new commission to regulate digital platforms.)

“It’s clear,” Blumenthal said, “what we’re doing right now is not working.”
