The FTC concluded that Twitter did not violate data security rules despite Musk’s orders

The Federal Trade Commission (FTC) has concluded that Elon Musk ordered employees of Twitter (now X) to take actions that would violate an FTC consent decree regarding the privacy and security of user data. The investigation stems from the late 2022 episode, informally known as “The Twitter Files,” where Musk ordered staff to allow outside writers to access internal documents from the company’s systems. However, the FTC says Twitter’s security veterans “took appropriate measures to protect users’ personal information,” possibly sparing Musk’s company from government repercussions by ignoring his directive.

FTC Chair Lina Khan discussed the findings in a public letter sent Tuesday to House Judiciary Committee Chairman Jim Jordan (through The Washington Post). Jordan and his fellow Republicans have I tried to turn the FTC investigation into a political issue, framing the investigation as a violation of free speech — perhaps to shore up GOP support from Musk’s legion of rabid supporters. Jordan and his colleagues previously described the investigation as “attempts to harass, intimidate and target American businesses.”

Hahn’s response to Jordan takes on a tone akin to that of a patient teacher explaining the nuances of a complex situation to a child who insists on seeing simplistic absolutes. “The efforts of FTC staff to ensure that Twitter complies with the order are appropriate and necessary, especially given Twitter’s history of privacy and security breaches and the fact that it has previously violated the FTC order commission since 2011,” Khan wrote.

“When a firm has a history of repeated violations, the FTC takes special care to ensure compliance with its orders,” the FTC chairman wrote.

The FTC investigation stems from allegations that Musk, newly minted as Twitter’s owner, ordered employees to give outside writers “full access to everything” at the end of 2022. If employees obeyed Musk’s directive, the company would likely violate an agreement with the Federal Trade Commission (originally from 2011, but updated in 2022) requiring the company to strictly limit access to user data.

In November 2022, the FTC said publicly watched Twitter’s development after the Musk acquisition with “deep concern.” This followed the resignation of Chief Information Security Officer Lea Kisner and other members of the company’s data governance committee. They expressed concern that Musk’s launch of a new account verification system did not give them enough time to implement security reviews required by the FTC.

In the end, Twitter’s security veterans ignored Musk’s “full access to everything” order. “Twitter’s long-time information security officials stepped in and implemented safeguards to mitigate the risks,” Khan wrote in the letter. “The FTC’s investigation confirmed that staff have a right to be concerned, given that Twitter’s new CEO has directed employees to take actions that would violate the FTC’s order.”

Instead of giving outside writers the “full access” that Musk wanted them to have, Twitter employees accessed the systems and relayed selected information to the group of outsiders. “Ultimately, the third parties did not gain direct access to Twitter’s systems, but instead worked with other company employees who accessed the systems on behalf of the individuals,” Hahn wrote.

The FTC says it will continue to monitor X’s compliance with the order. “When we heard credible public reports of potential privacy violations of Twitter users, we quickly launched an investigation,” FTC spokesman Douglas Farrar said in a statement to The Washington Post. “The order remains in effect, and the FTC continues to use the order’s tools to protect Twitter users’ data and ensure the company remains in compliance.”