How much conflict does Twitter have with authorities?
CNN Business reports from Washington. According to legal experts and former federal officials, this week’s explosive whistleblower disclosure by Twitter’s former head of security exposes the company to new federal investigations and the possibility of billions of dollars in fines, stricter regulatory obligations, or other penalties from the US government.
Peiter “Mudge” Zatko, a whistleblower, has made a nearly 200-page disclosure to authorities alleging that Twitter (TWTR) has numerous information security flaws and that, in some cases, its executives have misled the company’s board and the public about the company’s condition, if not engaged in outright fraud. Twitter now faces significant legal risks as a result of this disclosure.
Zatko worked at Twitter from November 2020 until January, when the company fired him for what it said was poor performance. Twitter has accused him of spreading “a false narrative about Twitter and our privacy and data security practices that is riddled with inconsistencies and inaccuracies and lacks important context.” Zatko is a well-known cybersecurity specialist with previous experience in executive positions at Google.
Observing the terms of a 2011 FTC privacy settlement.
According to Zatko’s disclosure to the US government, Twitter has “egregious deficiencies” in terms of cybersecurity, has lied to regulators about how it handles user data, and is not abiding by the terms of a 2011 privacy settlement with the Federal Trade Commission. This legally binding agreement calls for, among other things, the establishment of “reasonable safeguards” to protect users’ personal information. The FTC refused to comment on the revelation.
According to Zatko’s devastating disclosure, more than half of Twitter employees, including all of its engineers, have excessive internal access to both the firm’s actual user data and its live product, which is referred to within the company as “production.”
The disclosure states that access to live production environments should be kept to a minimum as “a core technical and security concept.” Instead, Twitter’s engineers created, tested, and developed new software directly on the live system, with access to sensitive data and real-time user information in that system.
Twitter told CNN that its FTC compliance record, as documented in third-party audits submitted to the agency under the 2011 consent decree, speaks for itself. Twitter said that it abides by pertinent privacy laws and that it has been open with regulators about its efforts to address any systemic flaws. Twitter said that Zatko did not take part in the audit work and was unaware of Twitter’s FTC requirements and how the business was carrying them out.
According to the declaration, Zatko’s employees were “intimately familiar” with the FTC’s concerns over Twitter, and it was they who informed Zatko that Twitter had never been in compliance with the 2011 order and was not even on pace to do so.
John Tye, founder of Whistleblower Aid, the group representing Zatko, told CNN: “We fully stand by the contents of Mudge’s disclosure.”
Zatko’s whistleblower disclosure may qualify him for a financial reward from the US government. The SEC has stated that whistleblowers who provide “original, timely, and credible information that leads to a successful enforcement action” may be eligible for up to 30% of the agency fines associated with the action, provided the penalties total more than $1 million. Since 2012, the SEC has paid more than $1 billion in rewards to more than 270 whistleblowers.
According to Tye, Zatko disclosed his information to the SEC “to assist the agency in enforcing the laws” and to get federal whistleblower protection. The likelihood of a reward did not influence Mudge’s choice.
The whistleblower statement comes months after the FTC made its own accusations that Twitter had violated the 2011 order by using account security information for advertising purposes. In a second FTC settlement, Twitter agreed to pay $150 million in May to settle these allegations.
Now, Zatko’s revelation raises the possibility of yet another potential violation of Twitter’s FTC commitments, which, in Jon Leibowitz’s opinion, is an extraordinarily risky situation for a business and its executives to be in. Leibowitz served as chair of the FTC at the time of Twitter’s 2011 settlement.
In an interview with CNN, Leibowitz said, “If the facts are true, they would constitute violations of the order and of the FTC Act – and it would make Twitter a three-time loser.”
Despite Twitter’s public statements about protecting user privacy and security, the initial 2011 settlement stemmed from two alleged incidents in which weak employee passwords were compromised and the resulting access was abused to take control of Twitter accounts and snoop on personal data.
The settlement reached by Twitter was not an admission of guilt. However, Zatko claims that Twitter never followed through on its obligation to develop “a comprehensive information security program that is reasonably designed to preserve the security, privacy, confidentiality, and integrity of nonpublic consumer information.”
Twitter agreed to even more specific cybersecurity duties as part of its most recent FTC settlement this year, including maintaining “access procedures and controls” for all databases that include user data.
Zatko asserts that not much has changed at Twitter since the FTC’s initial complaint more than ten years ago, despite the company’s increasing legal constraints.
His submission to Congress claims that “things actually grew considerably worse.” According to the report, Twitter permitted the exact same type of misuse of data for advertising purposes to occur in a totally different instance last year while the firm was actively negotiating the second settlement with the FTC.
Twitter declined to address Zatko’s claim about this incident in its response to more than 50 specific queries from CNN about the disclosure.
The possibility of a fresh agreement or lawsuit
The disclosure may carry extremely high stakes. If the FTC determines that the company has broken its order a third time, it may impose the toughest sanctions it has ever placed on Twitter. Lina Khan, who presently serves as chair of the FTC, is a prominent critic of internet platforms and of what she terms a “commercial surveillance” business that benefits from weak national privacy laws. Under Khan, the FTC is considering writing extensive new privacy regulations that may have a significant impact on the way businesses throughout the economy, including Twitter, collect, use, and share personal data.
According to former FTC officials, should it decide that a violation took place, the agency would primarily have two possibilities for holding Twitter responsible.
In the event of a settlement, the FTC may even seek to identify specific executives, holding them responsible for their actions and requiring them to accept commitments that could subject them to liability should they or the business breach the order once more.
Leibowitz stated that the FTC should “very seriously explore putting the executives involved under order” if it turns out that Twitter did break the law.
He continued by saying that the mere threat of naming specific executives could have an impact. “I can’t tell you how many CEOs came into my office saying, ‘Please don’t identify me. Just don’t name me, please,’” Leibowitz recalled of his time as FTC head.
The FTC has a wide range of instruments at its disposal, according to Megan Gray, a former FTC enforcement attorney who worked on some of the agency’s most significant privacy cases.