Hearing from Twitter whistleblowers, a major tech regulator comes under fire

CNN Business

When a Twitter whistleblower testified in an explosive Senate hearing this week, the social media company wasn’t the only one under fire. Lawmakers on both sides of the aisle repeatedly criticized federal regulators who they say have been scrutinizing the company for years.

“I am concerned that for nearly 10 years the Federal Trade Commission either did not know or did not take sufficient action to ensure that Twitter complied with the consent decree” signed with the agency in 2011, said Senator Chuck Grassley of Iowa, the top Republican on the Senate Judiciary Committee. “Congress … should be mindful of the FTC’s ability, or lack thereof, to successfully oversee these important matters.”

Committee Chairman Dick Durbin also expressed concern about the FTC when he asked whistleblower Peiter “Mudge” Zatko to rate the US agencies’ performance in response to his allegations about Twitter.

“Honestly, I think the FTC is a little, you know, in over their heads,” Zatko replied.

A spokeswoman for the FTC declined to comment for this story.

From November to January 2020, scathing and bipartisan statements from members of Congress and Twitter’s (TWTR) security chief Zatko highlight growing frustration inside and outside Washington over the struggle to hold Silicon Valley accountable after years of scrutiny, even as lawmakers held another hearing trying to do that.

In testimony this week, Zatko alleged that Twitter had serious security and privacy vulnerabilities that put users and national security at risk. But the day also put the spotlight on a federal agency that critics say has few resources to deal with billion-dollar tech companies like Twitter when it pulls its punches.

Zatko described how Twitter – committed to protecting user data and maintaining a robust information security program under its FTC consent order – allegedly failed to take US regulators seriously and actively misled them.

“Some foreign regulators were much more fearful than the FTC,” Zatko said, describing the French privacy regulator as “terrifying Twitter.”

Zatko testified that French officials investigating possible privacy violations were demanding specific and quantitative data from Twitter, often on short notice, to back up the company’s compliance claims, and that it was known that they could directly hinder Twitter’s future growth by threatening severe penalties for non-compliance.

“[They took a] Maybe they won’t let you make money in France, or maybe they won’t let you use a certain data source in France, you know, and you have a week to respond,” Zatko told Sen. Richard Blumenthal. In contrast, Twitter didn’t fear the FTC, Zatko said, because the agency largely allowed the company to “do its homework” in compliance audits and tended to issue one-off fines that were seen within the company as little more than a cost of doing business.

In response to Zatko’s accusations, Twitter accused the whistleblower of painting a “false narrative” of the company, “full of inconsistencies and inaccuracies”. Twitter also said that Zatko was not involved in the company’s compliance reporting efforts and did not fully understand the company’s legal obligations.

According to the U.S. government filing, Zatko’s allegations are based on statements from employees at the company who were “well aware” of Twitter’s FTC obligations. Twitter never complied with the 2011 order and was never on track to comply, Zatko’s subordinates allegedly told him, according to the disclosure.

Zatko’s testimony has sparked unusual criticism of the agency, considered America’s top privacy and data security regulator, at a time when the agency is said to be more focused on respecting the tech industry under its top chairman, Lina Khan, a skeptic of large technology platforms.

The FTC has become increasingly involved in technology oversight in recent decades. In 2011, it hired its first chief technologist, and in 2015, a federal appeals court upheld the FTC’s authority to prosecute companies for data security breaches — a major victory that helped cement the FTC’s role as the cop on the digital beat. This year, the FTC launched a process that could eventually create sweeping new privacy rules that apply to nearly every business that handles consumer data, including platforms like Twitter.

But there have been other moments that have prompted critics to question whether the FTC is up to the task. In 2013, the commission voted unanimously not to prosecute Google over concerns about the company’s impact on competition, despite a recommendation to do so by antitrust staff. And while the 2019 privacy settlement with Facebook brought a $5 trillion fine and a host of new legal obligations, critics say the FTC held CEO Mark Zuckerberg and CEO Sheryl Sandberg accountable in the resulting order.

As with Facebook, the latest allegations against Twitter could lead to billions of dollars in new FTC fines, former agency officials told CNN.

But some lawmakers expressed disappointment this week at the FTC’s penalties against the company so far, raising doubts about regulators’ ability to meaningfully prevent future wrongdoing. In May, the FTC reached a $150 million settlement with Twitter to resolve separate allegations that it violated its consent order when Twitter allegedly used account security information to target ads.

“The size of the penalty, just $150 million, is the burden that average drivers face when we pay the toll to get to Manhattan,” said Blumenthal, a former Connecticut attorney general.

Zatko accepted that the fine was, in fact, “much less than we [at Twitter] were worried.” Twitter’s nightmare scenario, he said, is if the FTC “comes in and tells us we’re not allowed to monetize email addresses because we’re unable to properly manage them. Then we might not be on good terms with our competitors, and that’s scary [to Twitter].”

Legislators and regulators have also consistently called for more resources that can be devoted to enforcement. While there have been some attempts to expand the FTC’s budget and hire more in-house expertise, former agency officials and consumer advocates have described the staff as overworked and overwhelmed by the armies of lawyers that tech giants can bring.

Twitter has said its FTC compliance record speaks for itself, as do third-party audits filed with the agency. But Zatko said that during his time at the company, the FTC allowed Twitter to hire its own auditors, which relied heavily on corporate self-assessments — a practice that former FTC officials have described as routine and an important way for the agency to save time and manpower. (The latest settlement, earlier this year, prohibits Twitter’s auditors from relying “predominantly” on the company’s self-reporting.)

Zatko alleges that this setup has helped Twitter get away with deceiving regulators. In another hearing this week, another Twitter executive could not categorically deny, under repeated and direct questioning from lawmakers, that the company “deliberately misrepresented facts to the FTC.”

That alleged fraud, Blumenthal said at Tuesday’s hearing, may have been coupled with “lack of resources or sheer will” and a “lack of law enforcement.”

He said this problem can only be solved by “restructuring, reforming and revitalizing our regulatory apparatus,” potentially by transferring FTC authority over privacy and security to a new government agency. (Blumenthal isn’t the only senator pushing this proposal: In May, Democratic Senator Michael Bennet of Colorado introduced legislation to create a new commission to regulate digital platforms.)

“Clearly,” Blumenthal said, “what we’re doing now isn’t working.”