In a rare comment, the FTC said it was monitoring developments ‘with concern’

One current Twitter employee said several other members of the site’s privacy and security unit also had resigned, while another said those remaining were trying to stop a wave of abuse in the company’s expanded paid service, Twitter Blue.

The Federal Trade Commission, which reached its latest consent decree with Twitter in May, said it was “tracking the developments at Twitter with deep concern.”

“No CEO or company is above the law, and companies must follow our consent decrees,” said Douglas Farrar, the FTC’s director of public affairs. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

The privacy staffers said they were most concerned by the rapid rollout of new features without the full security reviews that the FTC consent decree requires. They also objected to Musk’s order in an email Wednesday night — his first to the staff since taking control of the company — that all employees had to begin working in the office 40 hours a week, effective Thursday.

Musk’s email did not address Twitter’s long tradition of flexible and remote work. Instead, it cited a dire need to earn money from Twitter Blue. “Without significant subscription revenue, there is a good chance Twitter will not survive the upcoming economic downturn,” Musk warned. “We need roughly half our revenue to be subscriptions.”

Former FTC officials warned that the departures of key privacy and security officials, as well as some of Musk’s proposed changes to Twitter products, opened the company to serious regulatory peril.

Twitter agreed in its settlement to designate employees responsible for privacy and security, including a senior corporate manager who would be responsible for certifying that the company was in compliance. The departures raise questions about whether such a chain of command is still in place, and whether the people still there have the authority and relationships to ensure that the order is being enforced.

“There’s a lot of peril for the company if it doesn’t have continuity,” said a former FTC official, who spoke on the condition of anonymity to candidly discuss the regulatory risks for the company.

David C. Vladeck, who was director of the FTC’s Bureau of Consumer Protection at the time of Twitter’s first settlement with the agency, said the departures and the chaos of Musk’s first weeks of ownership raise questions about whether “compliance requirements are going to fall through the cracks.”

Vladeck said the penalties could be exponentially higher for Twitter if it is alleged to be in violation of its agreement with the FTC a second time. “There would be some very significant multiple of the last fine,” he said, referring to the May penalty, which carried a $150 million fine. “You have to add a decimal point to that.”

Twitter entered into the consent decree with the FTC after allegations that it deceptively used email and phone numbers it said it was collecting for security purposes to target users with advertising. The FTC alleged that this violated a 2011 consent decree it had reached with the company.

The new decree required Twitter to start enhanced privacy and security programs, which were to be audited by a third party. Under that program, Twitter is required to conduct a privacy assessment of any new products it launches.

Twitter to pay $150 million fine over deceptively collected data

The employee Slack message said the quick release of products and changes without effective security reviews was “extremely dangerous” for users.

It said engineers would have to take on the burden of certifying that the products complied with FTC agreements, putting them at substantial personal legal risk.

The meltdown of the security leadership is especially fraught because an FTC audit was expected by January, according to two people familiar with the schedule.

One said that Kissner and other executives had been hiring, despite a company-wide freeze, in a frantic effort to meet compliance rules before then.

“Desperately needed people,” said one of them, who was among the roughly half of the company laid off last week and spoke on the condition of anonymity to discuss internal issues at Twitter.

The Slack message posted a link to Whistleblower Aid, a law firm that represented former security head Peiter Zatko when he filed a complaint this year with the Securities and Exchange Commission and other federal officials citing alleged violations related to the FTC, including what he described as inadequate logging of access to sensitive data and widespread use of out-of-date software.

The message warned that the FTC could fine Twitter “BILLIONS of dollars.” The author claimed to have heard Alex Spiro, Musk’s top lawyer, say Musk is “willing to take on a huge amount of risk in retaliation to this company and users, because ‘Elon puts rockets into space, he’s not afraid of the FTC.’” Spiro did not immediately respond to a request for comment.

Former security chief claims Twitter buried ‘egregious deficiencies’

Other employees said they were taking paid time off Thursday as a demonstration of disapproval.

Kissner, who had been brought in by Zatko, was admired inside Twitter and seen as a crucial backstop amid the recent chaos.

“Twitter has had several major security incidents over the last several years due to poor internal controls and a permissive data architecture,” said Alex Stamos, a former head of data security at Facebook and Yahoo. “The team led by Dr. Kissner made serious strides to closing these flaws, as Twitter is required to do by FTC consent decree.”

Lourdes Turrecha, a cybersecurity and privacy lawyer in Silicon Valley, said the sudden resignations were a bombshell in privacy circles that had already been stunned by Zatko’s whistleblower complaint and the company’s mass layoffs.

“These executives do not want to put their lives on the line and go to jail” if the company breaks the law, she said. “It’s a very hard time to be a chief information security officer or a chief privacy officer in tech right now, especially when your company doesn’t seem to care about its privacy and security practices.”

Zakrzewski reported from Washington, D.C. Drew Harwell contributed.