Top Twitter security official resigns


SAN FRANCISCO — Several top privacy and security executives resigned from Twitter on Thursday, citing concerns about the risks posed by Elon Musk’s leadership, in a shocking wave of departures that prompted federal regulators to warn they could intervene.

Lea Kissner, the chief information security officer, said in a tweet that they had made the “difficult decision” to resign; according to a screenshot of an internal Slack message shared with The Washington Post, the company’s chief privacy officer and chief compliance officer have also resigned.

Several other members of the site’s privacy and security division have also resigned, one current Twitter employee said, while another said the remainder were trying to stem a wave of abuse on the company’s expanded paid service, Twitter Blue.

The FTC, which reached its latest consent order with Twitter in May, said it “is closely monitoring developments at Twitter.”

“No CEO or company is above the law, and companies must comply with our consent decree,” said Douglas Farrar, director of public affairs at the FTC. “Our revised consent decree gives us new tools to ensure compliance and we are ready to use them.”

Privacy staffers say their biggest concern is that new features are being rolled out quickly without the full security review required by the FTC consent decree. They also objected to Musk’s order in an email Wednesday night — his first to employees since he took control of the company — that all employees must start working 40 hours a week in the office, effective Thursday.

Musk’s email did not mention Twitter’s long tradition of flexible and remote work. Instead, it cites the urgent need to make money from Twitter Blue. “Without significant subscription revenue, there’s a good chance Twitter won’t survive the coming recession,” Musk warned. “We need about half of our revenue to come from subscriptions.”

The departure of key privacy and security officials, along with some of Musk’s proposed changes to Twitter’s products, has exposed the company to serious regulatory risks, former FTC officials have warned.

In the settlement, Twitter agreed to name employees responsible for privacy and security, including a senior company manager responsible for certifying the company’s compliance. The departure raises the question of whether such a chain of command still exists, and whether those still there have the power and connections to ensure orders are carried out.

“Without continuity, companies face a lot of danger,” said a former FTC official, speaking on condition of anonymity, discussing candidly the regulatory risks facing the company.

David C. Vladeck, director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the FTC, said the departures and the confusion of the first few weeks of Musk’s ownership raised concerns about whether compliance would “fall through the cracks.”

Penalties against Twitter could be multiplied if Twitter is accused of violating its agreement with the FTC for a second time, Vladeck said. “The multiplier of the last fine will be very substantial,” he said, referring to the $150 million fine in May. “You must put a decimal point on it.”

Twitter entered into the consent order after the FTC accused it of deceptively using emails and phone numbers that had been collected for security purposes to target users with ads. The FTC alleged this violated the 2011 consent decree it had reached with the company.

The new decree requires Twitter to launch enhanced privacy and security programs that will be audited by third parties. Under the program, Twitter must conduct a privacy assessment of any new product it launches.

The departures have also drawn scrutiny in Europe, which, unlike the US, has general data protection laws.

In the Slack message, an employee said it was “extremely dangerous” for users to release products and changes quickly without a valid security review.

The message said engineers would have to bear the burden of proving that products complied with the FTC agreement, exposing them to significant personal legal risk.

The breakdown in security leadership is particularly worrying as the FTC audit is expected in January, according to two people familiar with the timeline.

Despite the company-wide freeze, Kissner and other executives had been working frantically to meet the compliance requirements ahead of that audit, one person said.

“People are desperately needed,” said one of the people, who was among the roughly half of the company’s staff laid off last week, speaking on the condition of anonymity to discuss internal issues.

The Slack message included a link to Whistleblower Aid, the law firm that filed a complaint this year with the SEC and other federal officials on behalf of former security chief Peiter Zatko over alleged FTC-related violations, including what he said were inadequate access records for sensitive data and widespread use of outdated software.

The message warned that the FTC could fine Twitter “multi-billion dollars.” The authors claim to have heard Musk’s lead attorney, Alex Spiro, say that Musk was “willing to take huge risks to retaliate against this company and users because ‘Elon sent rockets into space and he’s not afraid of the Federal Trade Commission.’” Spiro did not immediately respond to a request for comment.

Other employees said they would take paid leave on Thursday in protest.

Kissner, who was brought in by Zatko, is well-regarded within Twitter and is seen as a key backstop amid the recent chaos.

“Twitter has had several major security incidents over the past few years due to poor internal controls and lax data architecture,” said Alex Stamos, former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner has made significant progress in eliminating these flaws, as the FTC consent decree requires Twitter to do.”

Silicon Valley-based cybersecurity and privacy lawyer Lourdes Turrecha said the abrupt resignation was a bombshell for the privacy community, already stunned by Zatko’s whistleblower complaint and the company’s mass layoffs.

If the company breaks the law, “these executives don’t want to risk their lives and go to jail,” she said. “Being a CISO or Chief Privacy Officer in technology right now is a really tough time, especially when your company doesn’t seem to care about its privacy and security practices.”

Zakrzewski and Drew Harwell contributed reporting from Washington, DC.