“I’m concerned that for almost 10 years the Federal Trade Commission didn’t know or didn’t take strong enough action to ensure Twitter complied with the consent decree” it signed with the agency in 2011, said Iowa Sen. Chuck Grassley, the Senate Judiciary Committee’s top Republican. “Congress should … be mindful of the FTC’s ability, or lack thereof, to successfully oversee these important issues.”
Committee chair Dick Durbin also signaled concerns about the FTC when he asked the whistleblower, Peiter “Mudge” Zatko, to grade US regulatory agencies’ performance in light of his Twitter allegations.
“Honestly, I think the FTC is a little, you know, over their head,” Zatko replied.
An FTC spokesperson declined to comment for this story.
In his testimony this week, Zatko alleged Twitter had serious, undisclosed security and privacy vulnerabilities that have put users and national security at risk. But the day also put the spotlight on a federal agency that critics say is both under-resourced to take on billion-dollar tech companies like Twitter, and that pulls its punches when it does.
Zatko described how Twitter — which had committed to protecting user data and maintaining a strong information security program under its FTC consent order — allegedly did not take US regulators seriously and actively misled them.
“Some of the foreign regulators were much more feared than the FTC,” Zatko said, noting that France’s privacy regulator “terrified Twitter in comparison.”
Zatko testified that French officials investigating possible privacy violations demanded concrete, quantitative data from Twitter, often on short deadlines, to back up the company’s claims of compliance, and were known to threaten steep penalties for noncompliance that could directly hinder Twitter’s future growth.
“[They took a] ‘maybe you won’t be allowed to monetize in France, or maybe you won’t be allowed to use a particular data source in France,’ you know, and ‘you have a week to respond,’ sort of approach,” Zatko told Sen. Richard Blumenthal. In contrast, Twitter did not fear the FTC, Zatko claimed, because the agency largely allowed the company to “grade their own homework” in compliance audits and tended to issue one-time fines that were viewed within the company as little more than a cost of doing business.
In response to Zatko’s allegations, Twitter has accused the whistleblower of painting a “false narrative” of the company that is “riddled with inconsistencies and inaccuracies.” Twitter has also said Zatko was not involved in efforts to prepare company compliance reports and did not fully comprehend the company’s legal obligations.
According to his disclosure to the US government, Zatko’s allegations are informed by statements from his own staff at the company whom he says were “intimately familiar” with Twitter’s FTC obligations. Twitter was not ever in compliance with the 2011 order and was never on track to become compliant, Zatko’s subordinates allegedly told him, according to the disclosure.
Limited fines and resources
Zatko’s testimony has prompted unusually outspoken criticism of an agency that is considered America’s chief privacy and data security regulator — and done so at a time when that agency is said to be more focused on reining in the tech industry under Chair Lina Khan, a high-profile skeptic of large tech platforms.
The FTC has become increasingly involved in technology oversight in recent decades. In 2011, it hired its first chief technologist, and in 2015, a federal appeals court affirmed the FTC’s authority to prosecute companies for data security lapses — a major victory that helped cement the FTC’s role as a cop on the digital beat. This year, the FTC launched a process that could eventually lead to the creation of sweeping new privacy regulations covering virtually all businesses that handle consumer data, including platforms such as Twitter.
But there have been other moments that prompted critics to doubt whether the FTC is up to the task. In 2013, the commission voted unanimously not to sue Google over concerns about the company’s impact on competition, despite a recommendation from agency antitrust staff to do so. And although a privacy settlement with Facebook in 2019 led to a record $5 billion fine and numerous new legal obligations for that company, critics have said the FTC should have insisted on holding CEO Mark Zuckerberg and COO Sheryl Sandberg personally accountable in the resulting order.
As with Facebook, the latest allegations against Twitter could lead to billions of dollars in new FTC fines, former agency officials have told CNN.
But some lawmakers expressed disappointment this week with the penalties the FTC has imposed thus far on the company, and raised doubts about regulators’ ability to meaningfully deter future wrongdoing. In May, the FTC reached a $150 million settlement with Twitter to resolve separate allegations it violated its consent order, when Twitter allegedly used account security information for targeted advertising purposes.
“The size of the penalty, a mere $150 million, amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan,” said Blumenthal, a former Connecticut attorney general.
Zatko agreed the fine was indeed “much less than we [at Twitter] had been concerned about.” Twitter’s nightmare scenario, he said, was if the FTC “were to come in and tell us we’re not allowed to monetize email addresses because of our continued inability to handle them correctly. Then we might not be on fair footings with our competitors, and that scared [Twitter].”
Lawmakers and regulators have also consistently called for more resources that can be devoted to enforcement. While there have been some attempts to expand FTC budgets and hire more in-house experts, former agency officials and consumer advocates have described staff as overwhelmed with work and outmatched by the armies of lawyers tech giants can bring to bear.
‘What we’re doing right now is not working’
Zatko alleges that this setup has helped Twitter get away with misleading regulators. In a separate hearing this week, another Twitter executive could not categorically deny, under repeated and direct lawmaker questioning, allegations that the company “has willfully misrepresented facts to the FTC.”
That alleged deception, said Blumenthal in Tuesday’s hearing, perhaps along with “inadequate resources or a failure of will,” may explain what he characterized as “a lack of vigor in law enforcement.”
“Clearly,” Blumenthal said, “what we’re doing right now is not working.”
