Musk's conduct in spotlight of US FTC privacy probe of X, interview transcripts show
Musk's conduct in spotlight of US FTC privacy probe of X, interview transcripts show
Newly unsealed transcripts of FTC investigative interviews over the past year with the former chiefs of privacy and data security at Twitter — now X — provide a new view into the tumultuous early days of Elon Musk’s ownership of Twitter and the legal jeopardy the company may still face because of the actions of the mercurial billionaire. Previously unreported, the documents illustrate how the FTC has increasingly come to focus its law enforcement probes on the responsibility of CEOs, such as Musk, for the actions of their companies.
Keep scrolling for the story from MLex®, or start your 14-day free trial now for real-time access to in-depth news and analysis from our Data Privacy & Security correspondents around the globe.
16 January 2024
By Mike Swift
Early on the evening of Nov. 9, 2022, two weeks after Elon Musk took ownership of Twitter in a $44 billion deal, Lea Kissner, the company’s chief information security officer, sat down at the computer.
“Effective immediately,” Kissner’s email to Twitter began, “I resign from Twitter for multiple reasons. For example, as the CISO, a member of the Data Governance Committee, and the head of the security program, I am being exposed to great personal risk based on company decisions by new leadership.”
Within 24 hours on Nov. 9, Twitter’s chief privacy officer, Damien Kieran; and its head of compliance, Marianne Fogerty, also quit, eviscerating the leadership of Twitter’s data protection team. Kissner added in that resignation email, which was unsealed by a court and has not been previously reported, that despite “warnings to company leadership” about the “potential consequences” of slashing Twitter’s privacy and security compliance workforce in half, the new leadership didn’t seem to care.
A lawyer with the US Federal Trade Commission asked Kissner in a sworn deposition a few months later who specifically the CISO was referring to in ignoring those warnings.
“I had in mind Elon Musk and Alex Spiro and the folks that Elon had brought in from like Tesla and other companies,” Kissner said, referring in Spiro to the lawyer who has become famous in recent years for defending Musk and celebrities such as Jay-Z, Alec Baldwin and New England Patriots owner Robert Kraft.
Newly unsealed transcripts of the FTC investigative interviews over the past year with Kissner, Kieran and others provide a new view into the tumultuous early days of Musk’s ownership of Twitter, and the legal jeopardy the company may still face because of the actions of the mercurial billionaire.
The documents also illustrate how the FTC has increasingly come to focus its law enforcement probes on the responsibility of CEOs, such as Musk, for the actions of their companies.
Quietly unsealed by a federal judge in the days before Christmas as attachments to a Twitter lawyer's letter to the court, the more than 100 pages of deposition transcripts are heavily redacted, but nevertheless reveal the lines of inquiry the FTC was pursuing last year as it probed whether Twitter violated an FTC privacy compliance order for the second time.
One area the FTC has been probing, the transcripts show, was whether Twitter, at Musk’s insistence, illegally gave a group of hand-picked outsiders access to non-public user data as part of the billionaire’s hyped “Twitter Files.” Musk asserted the “Twitter Files” revealed that the company’s former leadership colluded with the Biden Administration and other Washington liberals to suppress conservative speech.
The FTC was also looking at Musk’s crash efforts to raise revenue by the launch of “Twitter Blue,” the paid subscription service that allowed users to buy a blue check verification mark. Kissner and other privacy and security leaders unsuccessfully warned Musk and the company’s new leadership that would lead to the mass impersonation by cyber-criminals of real Twitter users — a scenario that came to pass.
One clear focus of the FTC’s probe, however, is Musk himself, and his attitude toward the privacy and security of Twitter’s users as he rushed to remake a company that he said was hemorrhaging money. In the FTC’s depositions, Spiro emerges as Musk’s key lieutenant in the radical remaking of the company that would soon become known as X Corp.
An FTC lawyer in one investigative interview asked Andy Sayler, who was Twitter’s director of engineering when Musk bought the company, whether a meeting he had with Musk and Spiro regarding the FTC order and the company’s security and privacy functions “changed your opinion of Mr. Musk's commitment to complying with the order?”
“I don't recall specific events that would have changed that,” answered Sayler, who has since left Twitter for a data security job at another tech company. “Generally speaking, the various events we underwent with respect to the way employees were being treated continued to raise concerns to me about our ability to retain the talent we would need to comply with this [FTC] order.”
No Sleep
Following FTC allegations that Twitter, before Musk’s purchase of the company, broke the law by taking phone numbers and other personal information its users provided for security purposes and reused that data to make money by targeting ads, the company agreed in the spring of 2022 to pay $150 million to settle with the enforcer.
Among other changes, the 2022 settlement ordered Twitter to within 180 days “establish and implement, and thereafter maintain a comprehensive privacy and information security program.” The FTC’s questions appear to focus squarely on whether, under Musk, X has complied with its legal commitment to maintain a comprehensive data protection program.
Since the middle of 2023, however, the company has been battling — so far unsuccessfully — to reverse the 2022 consent order because, it argued, the FTC’s probe was “tainted by bias.”
The FTC’s interviews with the former Twitter executives, who were subpoenaed by the FTC, became public because the agency asked US Magistrate Judge Thomas Hixon to unseal them as it defends the bias claims filed by Musk’s company. An FTC spokeswoman declined to comment on the case today.
The investigative interviews, conducted by FTC lawyers from December 2022 to May 2023, focused on the organizational maelstrom that ran through Twitter following Musk closing the acquisition in October 2022. Within a few weeks, Kieran, the company’s chief privacy officer, had lost about half his team, either to layoffs or to resignations of people who weren’t prepared to meet Musk’s extraordinary work demands.
“Was that like 15, 16 people?” an FTC lawyer asked the CPO during his interview in December 2022.
“Yeah, 15, 16 people,” Kieran agreed.
Kieran and Kissner, the CISO, soon followed in resigning from Twitter. The day following the mass resignation of Twitter’s senior data protection leaders on November 9, with news outlets trumpeting the news about the mass departures, Musk and Spiro convened a meeting with the few senior data protection team members still at the company.
Given that Twitter no longer had a CISO or a chief data protection officer as required by the EU’s GDPR, remaining members of the Data Governance Team were worried that they could be placed in personal legal jeopardy. They were particularly worried about Twitter failing to comply with the recent FTC consent decree the company entered into as part of a $150 million settlement.
It was a late-night meeting, well past 10 pm, in a darkened conference room in Twitter’s San Francisco headquarters. Some attendees beamed in via Zoom. The late hour wasn’t out of the ordinary during those turbulent times. In those chaotic and painful days of mass resignations and layoffs, “a lot of us weren't sleeping,” former Twitter threat management director Seth Wilson told the FTC in a deposition last year.
Spiro was there but didn’t talk much — it was mostly Musk. Don’t worry, one the world’s richest men told them, he would take care of the FTC.
Musk “was very clear that, you know, he is the single person responsible, you know. Like, it falls on him,” Wilson told the FTC in an interview last May. “He mentioned that he'd just gotten off a call with the Federal Trade Commission and that everything was good. That relationship was good. He wasn't concerned.”
Musk’s good vibes with the FTC didn’t last long. By last June, just seven months later, Twitter asked a federal court to terminate the $150 million privacy settlement it reached with the FTC in 2022.
Twitter Blue
Wilson and Sayler, who described the Nov. 10 meeting to the FTC in depositions months later, were not completely relieved by Musk’s assurances. One initiative they and others at Twitter had been worried and angry about was Musk’s plan to quickly raise revenue by selling blue verification checks as part of a “Twitter Blue” subscription.
“It was a fairly radical shift in what verification meant on Twitter, and I think all of the abuse that one would predict going along with that largely occurred,” Sayler told the FTC in a deposition in April last year.
Kissner testified to having raised the alarm to Musk and Spiro that Twitter Blue would be a privacy disaster for users. “Twitter Blue, it did play out exactly like one would have expected it to play out, and that wasn't good,” the former CISO told the FTC.
Indeed, within a few weeks in November 2022, stories about people paying $8 to get a Twitter Blue verification to impersonate celebrity accounts ranging from LeBron James and O.J. Simpson to George W. Bush were filling the media. People magazine told its readers that someone purchasing Bush’s soon-to-be suspended Twitter Blue account tweeted "I miss killing Iraqis.”
One question FTC lawyers asked several of the former Twitter executives was whether Musk or someone else was “the final decision-maker” in the launch of Twitter Blue.
“I do not know,” Sayler told the FTC. “If I had to speculate, it would either have been one of the engineers on the product team who was driving that effort or Elon himself.”
The FTC has been seeking to depose Musk as part of its investigation X Corp, but it is unclear whether that ever happened. X lost its bid in November to overturn the $150 million FTC settlement when Hixon denied X’s motions to terminate or tailor the settlement. The “obligations that X Corp. seeks to be relieved of come from the FTC’s Administrative Order, not this Court’s Stipulated Order,” Hixon wrote.
Total access?
Another area of focus for the FTC was whether Musk illegally gave access to non-public data about Twitter users to outsiders, including celebrity journalists Bari Weiss and Matt Taibbi, who Musk picked to report on the “Twitter Files.”
Twitter’s privacy and security leaders told the FTC they had to beat back Musk’s efforts to give Weiss and others full access to non-public Twitter data and the ability to access any internal communications by employees through Twitter’s Slack accounts. Weiss suddenly showed up at Twitter headquarters in San Francisco one night, they told the FTC, and demanded that she be given full access to Twitter’s systems on Musk’s authority.
“I think there was a request from Elon to provide Ms. Weiss with full access to Twitter systems,” Sayler told the FTC.
In this case, Twitter’s data protection leaders pushed back, according to both Sayler and Wilson. While accounts were created that would have given Weiss such full access, the data protection chiefs created what Wilson called “a safer alternative” and she was never given access to those accounts.
“Was Ms. Weiss ever granted access to any Twitter systems or services that would allow her to see users' nonpublic information?” an FTC lawyer asked Sayler.
“I don't believe she was granted direct access to any services. I believe she was working with some other individuals within Twitter who were potentially accessing such services on her behalf,” the engineering director replied.
It is unclear from their interviews, which have been significantly redacted, what kind of non-public information about Twitter users she may have had indirect access to via those “other individuals.”
X has hired a replacement to head the company’s compliance with the EU’s General Data Protection Regulation and other privacy laws. He is Renato Leite Monteiro, who serves as X's global head of privacy, global data protection officer, and senior legal director.
X no longer has a channel for journalists to ask questions of the privately owned company and the company has replied to some journalists’ questions with a poop emoji, but MLex reached out to X’s lawyer in this case, Daniel Koffman, seeking comment. Koffman did not reply.
At one point, MLex reported last year, Musk asked to meet with FTC Chair Lina Khan to discuss the investigation. She rebuffed the billionaire in a letter in late January 2023, saying Twitter had refused to cooperate with the FTC's probe, including its demand that Musk submit to a sworn deposition.
The company told Hixon in a court filing late last year that the FTC committed “staggering misconduct” by trying to manipulate the findings of an independent auditor charged with assessing whether the former Twitter’s protections for user data complied with the 2022 consent decree.
For access to breaking news and predictive analysis on data privacy & cybersecurity regulation in the US and around the world, start your free trial today.