Monday Nov 28

Fall 2022

EVERYBODY’S BUSINESS - Blowing the Whistle on Twitter

There has never been much doubt that the tech giants do not take government regulation seriously, but it is helpful to get confirmation of that from inside the corporations. This is the import of a whistleblower complaint from the former security head of Twitter that became public in August.

Peiter Zatko, known as ‘Mudge,’ once told Congress that hackers could effectively shut down the internet in as little as 30 minutes. PHOTO: MATT MCCLAIN/THE WASHINGTON POST/GETTY IMAGES

Peiter Zatko submitted a document to the Securities and Exchange Commission, the Justice Department and the Federal Trade Commission accusing top company executives of violating the terms of a 2011 settlement with the FTC concerning the failure to safeguard the personal information of users. The agency had alleged that “serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.”

Zatko’s complaint, which became an issue in the company’s legal battle with Elon Musk over his aborted takeover bid, alleged that Twitter did not try very hard to comply with the FTC settlement and that it prioritized user growth over reducing the number of bogus accounts. As the Washington Post, which first reported news of the complaint, put it, Zatko alleged “he had warned colleagues that half the company’s servers were running out-of-date and vulnerable software and that executives withheld dire facts about the number of breaches and lack of protection for user data, instead presenting directors with rosy charts measuring unimportant changes.”

The revelation of the complaint elicited statements of concern from across the political spectrum. Calls for the FTC to investigate Zatko’s claims came from both Congressional Republicans who like to claim that the tech giants suppress conservative opinions and from Democrats concerned about consumer protection.

Despite all the outrage, Zatko’s accusations are far from surprising. In fact, early in 2022 Twitter agreed to pay $150 million to resolve a case brought by the FTC and the Justice Department alleging that the company was in breach of the 2011 settlement for having told users it was collecting their telephone numbers and email addresses for account security purposes while failing to disclose that it also intended to use that information to help other companies send targeted advertisements to consumers. Since Zatko was fired by Twitter in January, he is in no position to describe company behavior since the most recent settlement. Yet it is difficult to believe that the $150 million fine will be sufficient to get Twitter to become serious about data protection.

Twitter is not the only tech company with a checkered history in this area. In 2012 Facebook and the FTC settled allegations that the company deceived consumers by telling them they could keep their information private and then repeatedly allowed it to be shared and made public. Facebook agreed to change its practices.

As with Twitter, it eventually became clear that Facebook was not completely living up to its obligations. The FTC brought a new action, and in 2019 the company had to pay a penalty of $5 billion for continuing to deceive users about their ability to control the privacy of their data. The settlement also put more responsibility on the company’s board to make sure that privacy protections are enforced, and it enhanced external oversight by an independent third-party monitor.

In 2019 Google and its corporate sibling YouTube had to pay $170 million to resolve a case brought by the FTC and New York State alleging that the companies violated rules regarding the online collection of personal data on children. In addition to the monetary penalty, the settlement required Google and YouTube to create a system to enable channel owners to identify their child-directed content so that YouTube could more readily comply with the Children’s Online Privacy Protection Act.

Zatko’s allegations may prompt the FTC to seek new sanctions against Twitter that go beyond those in the settlement from earlier this year. A multi-billion-dollar fine like that paid by Facebook may be in the making, though monetary penalties should not be the whole story.

The big question is whether regulators and lawmakers are willing to find new and more stringent ways to rein in a group of mega-corporations. The effort in Congress to enact new tech industry antitrust measures seems to have fizzled out for now. Such initiatives need to be revived and expanded to cover a wide range of issues. We cannot let an industry that plays such a substantial role in modern life think it is above the law.


Philip Mattera heads the Corporate Research Project in Washington, DC, and writes the blog Dirt Diggers Digest.
