All companies have to comply with privacy and security laws. They must also comply with any settlements or edicts imposed by regulatory agencies of the U.S. government.

But Twitter now finds itself in a precarious position and appears to be failing to take its compliance obligations seriously. The case is a “teachable moment” for all organizations, public and private.

The Musk Factor

Technology visionary and Silicon Valley founder and CEO Elon Musk bought social network Twitter in October for $44 billion, taking the formerly public company private. Musk immediately began personally directing many of Twitter’s actions and policies, including changes in moderation and staff. Chaos ensued, and many people — including top company officers — resigned or were fired.

Twitter’s top compliance leaders all quit: the CISO, chief privacy officer and chief compliance officer each left, citing their unwillingness to endorse Twitter’s new direction under Elon Musk. Two of the officers had worked at Twitter for seven years each, and the other just one year.

A data governance committee responsible for Twitter’s compliance with a Federal Trade Commission (FTC) consent decree was disbanded as a result of these resignations, and two other members of the committee were fired.

Twitter has appointed an interim data protection officer. It appears that nobody else is charged with complying with FTC and GDPR requirements. In place of sufficient compliance leadership, Twitter’s legal department is reportedly calling on engineers to “self-certify” compliance.

Violations risk billions in fines for Twitter. The FTC said recently that it is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”

But Musk’s lawyer, Alex Spiro, reportedly said to a colleague, “Elon puts rockets into space. He’s not afraid of the FTC.”

Whether Musk is “afraid” or not, it could be that huge fines are coming his way. Again.

Twitter’s (and Musk’s) History With the FTC

Back in 2010, when Twitter was only three or four years old, the FTC complained about Twitter’s lack of safeguards around access to tweets and privacy of direct messages, despite Twitter’s public assurances to the contrary. The parties settled on Twitter’s promise that it would stop misrepresenting privacy and security controls and the FTC’s promise that it would fine Twitter if it didn’t.

Then in May of this year (well before Musk bought the company), Twitter was fined $150 million in a civil penalty for lying about its use of personal data. According to the DoJ complaint filed on behalf of the FTC, Twitter told users that it was collecting personal data for account security, then turned around and used that data for targeted advertising. The company also agreed to offer multi-factor authentication (MFA) options that don’t require a phone number, as well as a list of other security and privacy improvements.

Musk himself has a colorful history with the FTC and the SEC, mostly stemming from tweets that had immediate impacts on the stock prices of companies he mentioned, including his own companies (Tesla and SpaceX) and his own financial interest (Bitcoin).

In September 2018, the SEC charged Musk with misleading investors with a tweet saying that he was considering taking Tesla private at $420 a share and had secured funding. The statement about funding was false, and the SEC fined Musk and Tesla $20 million each. Musk later boasted that the fine was “worth it”.

How Twitter’s Recent Moves Serve as a Bad Example

“Self-certification” is not a certification plan. It’s a recipe for non-compliance.

As former Facebook CSO Alex Stamos tweeted, “self-certifying” with the FTC is not a thing. Somebody will have to make assertions and answer questions on behalf of the company under legal penalty for false statements.

Twitter also risks running afoul of European regulations. As part of Musk’s mass layoffs and staff reductions, Twitter disbanded its European office in Brussels and cut its European headquarters staff in Dublin in half, raising concerns that it won’t have enough people to enforce new EU laws around the curbing of hate speech by tech companies.

A special board of directors in charge of Twitter’s compliance with Europe’s General Data Protection Regulation (GDPR) also folded after Musk fired two of its three members. One secured a court injunction forcing Twitter to keep her on as an employee.

In short, Twitter as a company appears to be de-prioritizing compliance and proceeding haphazardly and arbitrarily. It’s essentially kicking compliance problems down the road while focusing on other matters.

This is, unfortunately, a more dramatic version of how many companies handle compliance. They underfund it, delay its full implementation or treat compliance as an optional annoyance.

As with Twitter, ignoring the compliance part of the business will inevitably lead to fines, penalties and imposed requirements.

Learning from Twitter’s Mistakes

Use Twitter as a perfect bad example. Make sure to properly staff and fund your compliance teams. Place direct and clear responsibility on qualified professionals. And get the whole organization on board.

Also, don’t follow Twitter in making up shortcuts and workarounds. Placing the responsibility for compliance on developers or other non-specialists is no substitute for a team at the top that makes sure your organization meets all laws and decrees that apply. This is especially true of any tech organization that falls under privacy regulations like the GDPR or the California Consumer Privacy Act (CCPA).

Keep an eye on what happens at Twitter. Unless Musk turns around the company’s approach to compliance, it’s not going to end well for Twitter.
