The Washington Post
Democracy Dies in Darkness

Twitter whistleblower exposes limits of FTC’s power

Peiter ‘Mudge’ Zatko alleges that Twitter flouted its promises to regulators to build a comprehensive security program, igniting concerns about enforcement and resources at the Silicon Valley watchdog

On Sept. 13, Peiter Zatko testified before a Senate committee that Twitter executives misled the public about the failed state of its data security practices. (Video: The Washington Post)

A whistleblower’s accusation that Twitter is failing to comply with a 2011 consent decree is raising questions not just about the tech company’s actions, but also about the Federal Trade Commission, the agency that is supposed to ensure Twitter abides by its pledge to protect users’ private data.

Whistleblower Peiter “Mudge” Zatko, Twitter’s former security lead, claimed in his complaint to the Securities and Exchange Commission that Twitter never developed a security system capable of meeting the FTC’s requirement that the platform establish a comprehensive information-security program. Zatko also accused Twitter, despite the company’s promise never to mislead on privacy, of “extensive, repeated, uninterrupted violations” of consumer protection laws and of making “false and misleading statements” about the state of its privacy and security safeguards.

His allegations, filed in July and published by The Post last month, will be argued over in next month’s trial to determine whether Tesla chief executive Elon Musk must go through with his April agreement to buy Twitter for $44 billion. Musk claims Twitter has violated the sale agreement, in part by misleading shareholders, so he is not obligated to complete the deal.


But the issue of the FTC consent decree could also come up Tuesday when Zatko testifies before the Senate Judiciary Committee and in meetings he is expected to have with FTC officials. Critics say Congress has done little over the years to fortify the FTC’s ability to monitor compliance with such consent decrees, which are the agency’s principal means of enforcing U.S. consumer protection laws.

Zatko’s staff told him “unequivocally that Twitter had never been in compliance with the 2011 FTC Consent Order, and was not on track to ever achieve full compliance,” his whistleblower complaint said.

Interviews with more than half a dozen current and former FTC officials suggest that the agency would have been unlikely to uncover that alleged noncompliance. The officials said chronic underfunding and understaffing have left the government’s top Silicon Valley watchdog without the personnel or technical expertise to monitor decrees and levy fines when they are not followed.

Since 2010, the agency has slapped many of the world’s most powerful and valuable tech companies — including Facebook, Google and Snap — with such orders. The orders were initially viewed as a creative way for the agency to police data-security abuses in the absence of a federal data-privacy law, and as a signal to the tech industry that the U.S. government would be more closely scrutinizing their business practices.

Yet the shortcomings of such a regime have become more apparent in recent years, as repeated data abuses have taken place at companies under such orders. At the time of the Cambridge Analytica data-scraping scandal, Facebook was under an FTC order that required it to implement a privacy program. The company ultimately was fined $5 billion for allegedly violating the terms of the order, but critics said it amounted to a blip on the balance sheet of the company, which generates tens of billions of dollars a year.

Lawmakers and former officials are especially alarmed by the allegations about the 2011 Twitter decree, because the FTC had recently investigated the company’s data-security practices and already found problems. The 2011 Twitter settlement, which came after hacks of high-profile accounts including that of then-President Barack Obama, broadly directed the company to establish a security program.

Earlier this year, the FTC and the Justice Department won a $150 million fine and settlement against Twitter for asking consumers to provide phone numbers to keep their accounts secure, then using that data for marketing. The recent order directs Twitter to take specific steps, such as ensuring that users can authenticate their accounts without sharing phone numbers.


But that settlement did not address many of the more systemic, extensive allegations in Zatko’s complaint, which says the company ran outdated software on its servers, blocked automatic software updates on laptops, and misled the board about the breaches it suffered and the state of its security.

The FTC’s “record shows that it has been unwilling or unable to fully enforce its privacy orders and prevent further violation,” said Sen. Richard Blumenthal (D-Conn.), the chair of the Senate Commerce panel focused on consumer protection, who will also be among those questioning Zatko on Tuesday. “The FTC is up against some of the most powerful and profitable giants in the world, and it’s literally armed with a slingshot against a nuclear power.”

Former FTC officials said Congress also bears blame for the lax privacy oversight. For decades, consumer advocates and some lawmakers have pushed for a comprehensive consumer-data privacy law that would give the agency more legal authority to police abuses. A bipartisan privacy bill recently advanced in the House, but it is unlikely to become law during a midterm election year with many competing priorities.

The FTC uses decades-old consumer protection laws against privacy abuses, which require it to establish that a company misled consumers about their ability to protect data or demonstrate other harms. That has historically proved to be an uphill battle in court.

Democrats’ efforts to expand the agency’s funding also have faltered. An early version of Biden’s economic package included an additional $1 billion to establish a privacy enforcement division at the agency. But the funding was omitted from the slimmed-down version of the package that President Biden recently signed into law.

“I would say to Congress … try harder to pass legislation that gives the FTC more tools and more teeth to oversee this complex area,” said Jessica Rich, who previously served as the head of the FTC’s consumer protection bureau. “I get tired of seeing Congress criticize the FTC when it’s been unable to pass basic, baseline privacy and data-security resources for more than 20 years.”

The FTC has a staff of about 40 people monitoring compliance with its many hundreds of consent orders across the economy, according to a person familiar with the agency’s practices, who spoke on the condition of anonymity to candidly discuss internal matters. These lawyers do not necessarily have specific expertise in data security and technology, and the agency’s technologists often split their time between reviewing orders and other privacy and competition investigations.

“The same lawyers who ensure that social media companies have robust privacy and data security programs are making sure labels on bed linens are correct,” Ashkan Soltani, a former FTC chief technologist and now California’s privacy enforcer, said in congressional testimony.


The agency often moves more slowly than the tech industry, with some orders outdated before they come into force. The agency didn’t reach a settlement with Myspace for alleged data-security misrepresentations until 2012, when the service was already fading in popularity.

The United States’ privacy enforcement resources lag far behind those of other Western countries with significantly smaller populations. According to a 2021 report to Congress, the FTC has about 40 to 45 people working in its privacy division. For comparison, the United Kingdom’s Information Commissioner’s Office has about 768 people, and the Irish Data Protection Commission has about 150 employees. Other countries also have broad laws to protect consumer data in general, such as the European Union’s General Data Protection Regulation; the United States does not.

Steven Bellovin, a Columbia University professor who served as the FTC’s chief technologist in the years after the 2011 Twitter settlements, said the technologists in the privacy and identity division were stretched, but at least motivated. Enforcement was another story, badly lacking tech expertise.

“My understanding is that the real problem has been on follow-ups, during the customary 20-year term of the consent decree,” Bellovin said.

In part because of staff shortages and scarce resources, the FTC has relied on third-party assessors to monitor whether companies are complying with their privacy commitments. But the assessments differ from true audits, which professional standards require to be based on actual tests and evidence, former FTC staffers said.

In assessments, the outsiders paid by the subject companies were allowed to take management’s word on technical matters, said FTC expert and University of California at Berkeley professor Chris Hoofnagle, and in his experience, those executives might not know what their engineers were doing.

While under a consent decree, for example, Google was certified as compliant on privacy during a period when a new violation occurred and when an earlier case, its use of street-mapping cars to obtain WiFi traffic, was found to have been deliberate. The omission of these incidents from the assessments “suggests that the assessor had not read the newspaper for two years,” Hoofnagle wrote in a 2016 book. The FTC went after Google a second time, obtaining a then-record $22 million fine in a 2012 settlement.


Lina Khan, the agency’s Democratic chair, entered office more than a year ago with great expectations that she would improve the agency’s privacy enforcement. The agency has put some teeth into consent orders, including more prescriptive language so that the agency and its assessors can better oversee compliance.

Khan has also called on Congress to give the FTC more funding, while promising to dedicate more resources toward oversight of digital markets.

The agency is also considering more aggressive penalties to deter companies and executives that violate orders, including criminal referrals to the Justice Department if a company misleads the agency in the course of an investigation.

“The commission is committed to enforcing its orders, and potential violations will be investigated thoroughly,” said Sam Levine, director of the FTC’s consumer protection bureau. “Companies flout FTC orders at their peril.”

An earlier version of this story gave an incorrect date for the publication of a book by University of California at Berkeley professor Chris Hoofnagle. It was 2016, not 2006. This version has been corrected.