FTC concludes Twitter didn’t violate data security rules, in spite of Musk's orders

The Federal Trade Commission (FTC) concluded Elon Musk ordered Twitter (now X) employees to take actions that would have violated an FTC consent decree regarding consumers’ data privacy and security. The investigation arose from the late 2022 episode informally known as “The Twitter Files,” where Musk ordered staff to let outside writers access internal documents from the company’s systems. However, the FTC says Twitter security veterans “took appropriate measures to protect consumers’ private information,” likely sparing Musk’s company from government repercussions by ignoring his directive.

FTC Chair Lina Khan discussed the conclusions in a public letter sent Tuesday to House Judiciary Committee Chair Jim Jordan, as reported by The Washington Post. Jordan and his Republican colleagues have tried to turn the FTC’s investigation into a political wedge issue, framing the inquiry as a free speech violation — perhaps to shore up GOP support from Musk’s legion of rabid supporters. Jordan and his peers previously described the investigation as “attempts to harass, intimidate, and target an American business.”

Khan’s response to Jordan adopts a tone resembling that of a patient teacher explaining the nuance of a complicated situation to a child who insists on seeing simplistic absolutes. “FTC staff efforts to ensure Twitter was in compliance with the Order were appropriate and necessary, especially given Twitter’s history of privacy and security lapses and the fact that it had previously violated the 2011 FTC Order,” Khan wrote.

“When a firm has a history of repeat offenses, the FTC takes particular care to ensure compliance with its orders,” she continued.

In an emailed statement to Engadget, FTC Office of Public Affairs director Douglas Farrar wrote, “When we heard credible public reports of potential violations of protections for Twitter users’ data, we moved swiftly to investigate. The order remains in place and the FTC continues to deploy the order’s tools to protect Twitter users’ data and ensure the company remains in compliance.”

The FTC’s investigation stemmed from allegations that Musk, newly minted as Twitter’s owner, ordered staff to give outside writers “full access to everything” in late 2022. Had staff obeyed Musk’s directive, the company likely would have violated a settlement with the FTC (originally from 2011 but updated in 2022) requiring the company to tightly restrict access to consumer data.

In November 2022, the FTC said publicly it was monitoring Twitter’s developments following Musk’s acquisition with “deep concern.” That followed the resignation of chief information security officer Lea Kissner and other members of the company’s data governance committee. They expressed concerns that Musk’s launch of a new account verification system didn’t give them adequate time to deploy security reviews required by the FTC.

Ultimately, Twitter security veterans ignored Musk’s “full access to everything” order. “Longtime information security employees at Twitter intervened and implemented safeguards to mitigate the risks,” Khan wrote in the letter. “The FTC’s investigation confirmed that staff was right to be concerned, given that Twitter’s new CEO had directed employees to take actions that would have violated the FTC’s Order.”

Rather than supplying outside writers with the “full access” Musk wanted them to have, Twitter employees accessed the systems and relayed select information to the group of outsiders. “Ultimately the third-party individuals did not receive direct access to Twitter’s systems, but instead worked with other company employees who accessed the systems on the individuals’ behalf,” Khan wrote.

The FTC says it will continue to monitor X’s adherence to the order. “When we heard credible public reports of potential violations of protections for Twitter users’ data, we moved swiftly to investigate,” FTC spokesman Douglas Farrar said in a statement to The Washington Post. “The order remains in place and the FTC continues to deploy the order’s tools to protect Twitter users’ data and ensure the company remains in compliance.”

Update, February 22, 2024, 1:23 PM ET: This story has been updated to add a statement from an FTC director.