SAN FRANCISCO — Several top executives resigned from Twitter on Thursday, some of whom cited fears over the risks from Elon Musk’s leadership in a stunning exodus that prompted federal regulators to warn they might step in.
Roth’s was one of a number of resignations including Chief Information Security Officer Lea Kissner, the company’s chief privacy officer and its chief compliance officer, according to people familiar with the matter who spoke on the condition of anonymity to discuss sensitive internal matters. Several other members of the site’s privacy and security unit also had resigned and those remaining were trying to stop a wave of abuse in the company’s expanded paid service, Twitter Blue, according to those people.
The privacy departures prompted a rare warning from the Federal Trade Commission, which has emerged as the government’s top Silicon Valley watchdog. It marked the second time in two days that a federal official has expressed concern about the chaotic developments at the company, coming less than 24 hours after President Biden said Musk’s relationships with other countries deserved scrutiny.
The agency said that it was “tracking the developments at Twitter with deep concern” and that it was prepared to take action to ensure the company was complying with a settlement known as a consent order, which requires Twitter to comply with certain privacy and security requirements because of allegations of past data misuse. Three of the resignations Thursday were by members of a data governance committee established in the FTC deal, according to a former employee who spoke on the condition of anonymity to discuss internal matters.
Twitter was first put under a consent order in 2011, and it agreed to a new order earlier this year. If the FTC finds Twitter is not complying with that order, it could fine the company hundreds of millions of dollars, potentially damaging the company’s already precarious financial state.
“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
Twitter and Musk did not respond to requests for comment. Musk sent an email to Twitter employees Thursday afternoon emphasizing that the company would abide by the consent decree.
“I cannot emphasize enough that Twitter will do whatever it takes to adhere to both the letter and spirit of the FTC consent decree. Anything you read to the contrary is absolutely false,” he wrote. “The same goes for any other government regulatory matters where Twitter operates.”
The exodus Thursday continues a chaotic start for Musk, who, after completing his $44 billion deal late last month to take the company private, ousted the company’s previous leadership and inserted himself as CEO. Last week, he laid off roughly half of Twitter’s 7,500 staff members and managed to offend advertisers, both by promoting misinformation and blaming some of the departures on activist pressure aimed at destroying free speech.
Civil rights groups called on advertisers to suspend their campaigns on Twitter, and many have.
Musk also rolled out his first major product change: an overhaul of Twitter’s verification system — opening up the process to attaining a blue check mark badge to users who were willing to pay $8. The initial rollout was dialed back as Musk expressed concern over its design. And once the features launched this week, Twitter was flooded with accounts impersonating celebrities, athletes and other public figures through the easily purchased check mark.
These type of fast rollouts of products were particularly concerning to privacy staffers, who said they need full security reviews that the FTC consent decree requires, according to the people familiar with the matter. They also objected to Musk’s order in an email Wednesday night — his first to the staff since taking control of the company — that all employees had to begin working in the office 40 hours a week, effective Thursday.
Musk’s email did not address Twitter’s long tradition of flexible and remote work. Instead, it cited a dire need to earn money from Twitter Blue. “Without significant subscription revenue, there is a good chance Twitter will not survive the upcoming economic downturn,” Musk warned. “We need roughly half our revenue to be subscriptions.”
At the all-hands meeting with staffers on Thursday, Musk fielded questions on issues such as his new return-to-office policy and data privacy concerns raised by the slew of departures, according to two people who spoke on the condition of anonymity because they were not authorized to speak publicly about the company. Musk said Twitter would accept the resignation of anyone who did not want to abide by the new policy, if they were physically able to do so.
He also sought to quell concerns about Twitter’s privacy practices. For that, he turned to a tactic increasingly used at the new Twitter: citing his experience running Tesla, the electric vehicle maker that made him the world’s richest person. Tesla has extensive experience with privacy, he said, noting the cars have surround-view cameras that pose privacy issues of their own. But the company has gone to great lengths to protect user data, he said. The issue, he said, isn’t new to him.
The atmosphere inside the company was tense, as many questioned Musk’s leadership, according to the people.
“People are enraged, with very few expecting RTO would happen this soon,” said one employee who had been retained in the layoffs, but decided to leave anyway. “I am ethically not okay with making the richest person in the world even richer. Also not okay with this alpha dog mentality — it’s already trickling down.”
Roth had worked at Twitter for more than seven years, during which time he played a critical role in some of the company’s thorniest content decisions related to former president Donald Trump and the 2020 elections. Following the firings of other executives on Musk’s arrival two weeks ago, he emerged as a vocal defender of the company’s continued defenses against misinformation under the new leadership.
He leaves Twitter just two days after the midterm elections, at a time when multiple key Senate and House races have not yet been called.
Roth’s former colleagues said his departure will contribute to the disarray at the company.
“While we cannot predict what might happen in the post election period, I can imagine scenarios where ‘tough calls’ would have naturally made their way up to Yoel,” said Edward Perez, Twitter’s former product director for civic integrity, which includes its election policies. Perez is now a board member at the OSET Institute, a nonpartisan nonprofit devoted to election security and election integrity. “Now of course it begs the question: who has sufficient institutional knowledge at this critical time?”
Meanwhile, the FTC’s scrutiny signaled one of the only checks on Musk’s new power so far. The federal government has only limited oversight of social media companies, but the FTC has used its oversight of consumer protection and competition to establish itself as the country’s top data privacy regulator. The agency has used consent orders to hold some of the country’s largest tech companies — including Google, Facebook and Snap — accountable for alleged privacy missteps. In 2019, the agency reached a $5 billion settlement with Facebook over its alleged violation of a prior order.
In its settlement with the FTC, Twitter agreed to designate employees responsible for privacy and security, including a senior corporate manager who would be responsible for certifying that the company was in compliance.
“There’s a lot of peril for the company if it doesn’t have continuity,” said a former FTC official who spoke on the condition of anonymity to candidly discuss the regulatory risks for the company.
David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and the chaos of Musk’s first weeks of ownership raise questions about whether “compliance requirements are going to fall through the cracks.”
Elon Musk and Twitter
Twitter entered into the consent decree with the FTC after allegations that it used email and phone numbers it said it was collecting for security purposes to target users with advertising. The new decree required Twitter to start enhanced privacy and security programs, which were to be audited by a third party, as well as to conduct a privacy assessment of any new products it launches.
The executive departures Thursday also invited scrutiny in Europe, which unlike the United States has a general data protection law. Ireland’s Data Protection Commission is seeking more details from the company about the departure of the company’s chief privacy officer, Damien Kieran. Under the European rules, companies are required to have a data protection officer in place.
A spokesman for the Irish DPC said the agency had “not received any official notification from Twitter.” Kieran did not respond to a request for comment. Former Twitter chief compliance officer Marianne Fogarty also did not respond to a request for comment but on Monday tweeted: “I don’t watch Game of Thrones. I certainly don’t want to play it at work.”
In an internal Slack message shared with The Washington Post, an employee said the quick release of products and changes without effective security reviews was “extremely dangerous” for users. The message said engineers would have to take on the burden of certifying that the products complied with FTC agreements, putting them at substantial personal legal risk.
The Slack message posted a link to Whistleblower Aid, a law firm that represented former security head Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC. The Washington Post previously reported that his complaint described inadequate logging of access to sensitive data and widespread use of out-of-date software.
The message warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say Musk is “willing to take on a huge amount of risk in retaliation to this company and users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’ ”
Spiro told The Post on Thursday night that the company “will work closely with the agency to ensure we are in compliance.”
Spiro, in an email addressed to Musk but sent to Twitter staff Thursday, attempted to reassure workers concerned about how the consent decree could affect them. He sought to assuage employee fears of personal consequences, such as jail time, if Twitter fell outside compliance.
“It is the company’s obligation. It is the company’s burden. It is the company’s liability,” he wrote.
Other employees said they were taking paid time off Thursday as a demonstration of disapproval. Kissner, who had been brought in by Zatko, was admired inside Twitter and seen as a crucial backstop amid the recent chaos.
“Twitter has had several major security incidents over the last several years due to poor internal controls and a permissive data architecture,” said Alex Stamos, a former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner made serious strides to closing these flaws, as Twitter is required to do by FTC consent decree.”
Fake accounts continued to gain steam on Thursday.
One tweet by a blue-check account posing as the pharmaceutical giant Eli Lilly gained 1,500 retweets and more than 10,000 likes and remained online after three hours Thursday afternoon. An Eli Lilly spokesperson told The Post on Thursday they “are in communication with Twitter to address the issue.”
Musk has said the company would suspend such accounts, but a number of fake accounts remained online for hours, receiving tens of thousands of likes and retweets. Early Thursday, in a response to someone mentioning that a fake Biden was talking about performing a sex act, Musk responded with two cry-laughing emoji.
Lourdes Turrecha, a cybersecurity and privacy lawyer in Silicon Valley, said the sudden resignations were a bombshell in privacy circles that had already been stunned by Zatko’s whistleblower complaint and the company’s mass layoffs.
“These executives do not want to put their lives on the line and go to jail” if the company breaks the law, she said. “It’s a very hard time to be a chief information security officer or a chief privacy officer in tech right now, especially when your company doesn’t seem to care about its privacy and security practices.”
Cat Zakrzewski reported from Washington.