It's a day ending in the letter "y" which inevitably means there's more drama at . Chief information security officer Lea Kissner, chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty have all quit, according to . The report suggests that the company's engineers will now be responsible for ensuring compliance with regulations. Twitter is currently subject to a Federal Trade Commission consent order, which includes certain privacy and security requirements.
I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done.— Lea Kissner (@LeaKissner) November 10, 2022
I'm looking forward to figuring out what's next, starting with my reviews for @USENIXSecurity 😁
The departures will surely have a significant impact on Twitter's security and privacy teams. To that end, The Verge obtained a Slack message purportedly shared by a Twitter lawyer, which notes that engineers have been asked to "self-certify" that they're complying with FTC requirements and other laws. "This will put huge amount of personal, professional and legal risk onto engineers," the message reads. "I anticipate that all of you will [be] pressured by management into pushing out changes that will likely lead to major incidents." The lawyer, who urged workers to seek whistleblower protection if they felt the need to, warned that such changes are "extremely dangerous for our users."
The FTC consent order is part of in May. One of the conditions requires the company to employ a "comprehensive privacy and information security program" to examine new products for privacy and security risks. The lawyer noted that if Twitter violates the consent order, it could be on the hook for "billions of dollars" in fines, which would be "extremely detrimental to Twitter’s longevity as a platform."
A Twitter employee suggested to The Verge that the of the paid checkmark scheme, as mandated by new owner , bypassed the typical privacy review process. “The people normally tasked with this stuff were given little notice, little time, and [it's] unreasonable to think [the privacy review] was comprehensive,” said the employee, who noted that none of recommendations were put into effect before the new Twitter Blue went live. That team was only able to review possible risks the night before Twitter rolled out the retooled service.
“No CEO or company is above the law, and companies must follow our consent decrees,” Douglas Farrar, the FTC’s director of public affairs, told The Washington Post. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”
Engadget has contacted Twitter for comment.