DOJ To Court: Here Are The Many, Many Reasons Why The FTC Can & Should Be Investigating Elon Musk’s Handling Of User Data

If you read this morning’s story about Elon Musk’s impulsive decision to move servers out of Sacramento and up to Portland in a dangerous and wholly unsecure manner, and wondered if the FTC (who has two consent decrees with the company regarding how it protects users’ private data) was aware of it, we already have your answer. Last night, the DOJ filed a response to Elon trying to get out of the existing FTC consent decrees, and called out this story as one example. (The timing of the story and the filing coming out on the same day is a coincidence: the filing was due yesterday, and the book came out today).

As you may recall, in May of last year (just after Elon signed a deal to purchase the company), the FTC hit then-Twitter with a $150 million penalty for failing to abide by its 2010 consent decree regarding user privacy. It’s always the violation of the earlier consent decree that gets companies in deeper trouble, and beyond the $150 million, there was a new consent decree with even more requirements regarding Twitter keeping data safe and secure.

A few weeks after Elon took over, we pointed out that it appeared that the few people left who remembered the consent decree and understood what it meant all quit in one big statement. And, since then, we’ve been wondering if the FTC would actually do something here. There have been multiple reports saying that Elon’s not at all worried about the FTC, and that he was ready to fight them should they come after him.

Since then, it’s been unclear if the FTC was actually going to do anything. We know that an investigation had begun, but I’d heard some frustration from some people involved, saying that they didn’t believe that Lina Khan was really interested in doing anything. That said, these kinds of things can often take way more time than you’d think, so who knows.

Either way, it appeared that Elon didn’t want to wait, and back in July he had his favorite legal yes man, Alex Spiro (who once said “Musk sends rockets into space, and he’s not afraid of the FTC”), ask to have the consent decree dropped. The filing is all sorts of hilarious. Basically, it takes a “but I am Elon Musk, how could the FTC possibly have any right to question me!” attitude. It kicks off by saying that the investigation into Elon’s handling of the company “has spiraled out of control and become tainted by bias.”

There really is a lot of “how dare the FTC ask info from me, the guy who it’s widely reported doesn’t give a shit about the consent decree or privacy, and who had all the lawyers in charge of complying with that consent decree quit together,” as if that’s somehow unfathomable:

Mr. Musk’s acquisition of Twitter produced a sudden and drastic change in the tone and intensity of the FTC’s investigation into the company. Two weeks after the acquisition, an FTC spokesperson told media outlets that the agency was “tracking recent developments at Twitter with deep concern.” Brad Dress, FTC says it’s ‘tracking the developments at Twitter with deep concern’, The Hill (Nov. 10, 2022, 1:23 PM), bit.ly/3PYGkxj. The FTC took the unusual step of publicly confirming the existence of an investigation and threatening a CEO in his second week on the job: “No CEO or company is above the law, and companies must follow our consent decrees. Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.” Id. That same day, the FTC issued two demand letters seeking information about workforce reductions and Twitter Blue, a recently announced subscription service. See Exs. 7 (Twitter Blue), 8 (workforce reduction). The FTC claimed it sent these letters out of concern that “staff reductions impair Twitter’s ability to protect consumer’s information and comply with the [Consent Order],” Ex. 8, but the demands arrived more than a week before the November 22, 2022 deadline for Twitter to have its Program in place under Part V of the Consent Order. See Koffmann Decl. ¶ 6.

From that date until the present, the FTC has pummeled X Corp. with burdensome demand letters and requests for depositions. X Corp. has made every effort to comply promptly and completely with the FTC’s more than 200 demands for information and documents, and has produced more than 22,000 documents. Koffmann Decl. ¶ 7. But the FTC has continued to ratchet up scrutiny, issuing new demand letters and insisting on further document productions at a rate of nearly one new demand letter every two weeks. Id.. Some of these requests have, at best, tenuous connections to the privacy and security of user data or X Corp.’s compliance with the Consent Order, and many are seemingly issued in response to whatever negative news happens to be published about Twitter that day. Compare Matthew Cantor, Twitter office oddities go up for auction – from bird statues to rotisserie ovens, The Guardian (Dec. 13, 2022, 5:13 PM) (reporting that Twitter planned to auction “surplus corporate office assets” including items ranging from “bizarre decor to high-end cooking equipment”), bit.ly/3XNR43i with Ex. 9 (demanding, in a letter sent that same day, that Twitter “[s]tate whether, as part of its … cost-cutting measures, Twitter is also selling its office equipment”). Another request sought “all communications” sent by any Twitter employee “relating to Elon Musk” in any way, along with every communication sent to or from Mr. Musk since he had acquired control of Twitter

There’s also a lot of “Elon refuses to sit for a deposition, but how dare Lina Khan not agree to personally meet with him.”

The FTC’s unusually combative posture toward Mr. Musk and “Twitter 2.0” came as a surprise. In order to gain a better understanding of the FTC’s concerns, and how Twitter could demonstrate its commitment to user privacy, data protection, and information security, Mr. Musk made several requests to FTC Chair Lina Khan for a meeting. Koffmann Decl. ¶ 11. These included at least three requests conveyed from Twitter’s counsel to FTC staff throughout November and December 2022, as well as at least one voicemail left on his behalf with the Chair’s office. Id.. On January 27, 2023, Chair Khan finally responded but did not agree to a meeting—even in principle. Ex. 13. Instead, she stated that she would “consider scheduling a meeting with Musk,” but only after “Twitter [had] fully complied with all FTC requests,” which at that time totaled well over 100. Id. Ultimately, Mr. Musk was able to secure a meeting with former Commissioner Christine Wilson—ten days after she publicly announced her intention to resign from the FTC

This is the whining of someone used to always talking their way out of trouble by complaining to the manager. Beyond getting rid of the consent decree, the filing is pretty clear that Elon really, really, really does not want to sit for a deposition:

Mr. Musk is the majority owner of X Corp., an executive of the company, the Chief Technical Officer, and the former CEO. Koffmann Decl. ¶ 14. He would also be the very first current employee of X Corp. deposed by the FTC in this investigation. The FTC noticed Mr. Musk’s deposition less than a month after issuing its first post-acquisition demand letters. See supra at 6– 11. The FTC has not shown that he possesses any “unique and first-hand,” non-repetitive knowledge pertaining to X Corp.’s compliance with the Consent Order, which is the issue in dispute. The FTC’s attempt to depose Mr. Musk before anyone else at the company “shed[s] considerable light” on its true purpose: an improper effort to harass and annoy Mr. Musk himself.

Anyway, this week, the DOJ filed its response on behalf of the FTC, and you can almost hear the exasperated sighing.

The 2022 Administrative Order was designed to ensure X Corp. protects its users’ privacy and secures their data. For example, the order requires X Corp. to implement and maintain a privacy and data security program. It also requires the company to provide information about its compliance to the FTC upon request. In seeking “relief” from these obligations, X Corp. does not argue that the safeguards to which it consented have become unnecessary or unworkable. Rather, it complains the FTC asked too many questions after Elon Musk acquired the company. But the FTC asked questions because of sudden, radical changes at the company: within weeks of the acquisition, half of X Corp.’s employees were terminated or resigned, including key executives in privacy, data security, and compliance roles. At Musk’s urging, the company hastily released a new version of a product that it abruptly pulled back within days of its release. And numerous reports detailed alarming site outages, product malfunctions, and issues with data access controls. The FTC had every reason to seek information about whether these developments signaled a lapse in X Corp.’s compliance. X Corp.’s motion does not credibly argue otherwise; in fact, it largely fails to acknowledge the circumstances that catalyzed the FTC’s requests.

Instead, the company’s motion rests on hyperbolic allegations of “witness tampering” and an investigation “tainted by bias.” It supports these accusations by mischaracterizing cherry-picked excerpts from the deposition of a partner at Ernst & Young (“EY”), the firm X Corp. initially retained to assess its privacy and data security program pursuant to the 2022 Administrative Order. Yet X Corp. fails to mention that EY chose to terminate its engagement in February 2023 due to the extensive departures within, and a lack of support from, X Corp. Nor does X Corp. acknowledge that it has since retained a new independent assessor, which renders immaterial the company’s allegations regarding EY, since EY never produced a report of X Corp.’s program or submitted one to the FTC.

It also points out that, um, there are pretty obvious reasons to want to depose Musk, including that Musk himself told a concerned employee he would be “the single person responsible” for complying with the existing consent decree:

After the acquisition, Musk became X Corp.’s Chief Executive Officer as well as its sole director, President, Treasurer, and Secretary. Def. Ex. 5 at 2, 9. Musk also personally assumed supervisory authority over X Corp.’s privacy and information security program under the 2022 Administrative Order. Id. at 9. During his deposition, former Director of Threat Management and Operations Seth Wilson described a meeting with Musk and others on or about November 10, 2022, concerning possible security incidents and compliance with the 2022 Administrative Order. See Wilson Tr. at 74:14-24. Wilson testified he was concerned about compliance since X Corp. had lost both its Chief Information Security Officer and Chief Privacy Officer, and thus sought clarity from Musk on the “escalation point” for incidents. Id. at 72:10- 23, 77:12-24. At this meeting, Musk gave assurances that he was “the single person responsible” and that liability “falls on him.” Id. at 75:20-76:7. In terms of reporting security incidents, Musk told Wilson, “just go straight to me.”

And, uh, all this seems like a pretty good reason why Musk should be at the top of the list of people deposed:

As set forth above, several former employees testified about how Musk exercised granular control of X Corp., at times directing employees in a manner that may have jeopardized data privacy and security. Among other things, those individuals testified about Musk’s personal involvement in: (1) massive reductions in workforce, resulting in numerous gaps in ownership for privacy and security controls; (2) a hasty transport of unencrypted company servers without adherence to X Corp. data security policies; (3) a hurried release and retraction of a Twitter Blue product re-launch; and (4) individuals, including a third-party journalist not employed by the company, receiving broad and apparently unjustified access to X Corp. systems. See supra pp. 7-9. Moreover, Musk has apparently declared that he is the “single person responsible” for ensuring compliance with the 2022 Administrative Order. Wilson Tr. at 75:20-76:7. The evidence belies X Corp.’s characterization that Musk is merely a high-level supervisor without firsthand knowledge of the privacy and security issues at hand.

That (2) bit matches pretty clearly with the story we just posted regarding Elon hastily moving the servers out of Sacramento, where they failed to take even the most basic security and privacy measures seriously. Speaking of those servers, the DOJ filing notes that the servers contained… something sensitive. So sensitive it’s redacted in the filing.

There are other bits in there, like Elon demanding that Matt Taibbi and his rag tag crew be given full access to Twitter internal systems:

Former X Corp. employees testified about several concerning incidents involving Musk. For example, in early December 2022, Musk reportedly directed staff to grant an outside third-party journalist “full access to everything at Twitter. . . . No limits at all.” 3 See Sayler Tr. at 216:19-217:10; Wilson Tr. at 60:22-61:11. Consistent with Musk’s direction, the journalist was initially assigned a company laptop and internal account, with the intent that they be given “elevated privileges beyond just what a[n] average employee might have.” Wilson Tr. at 61:21-63:3; see Sayler Tr. at 216:19-218:17. But, concerned such an arrangement could expose nonpublic user information in potential violation of the 2022 Administrative Order, longtime information security employees intervened and implemented safeguards to mitigate the risks. See Sayler Tr. at 216:19-217:10; Wilson Tr. 63:23-64:3. Ultimately, the journalist did not receive “direct access” to X Corp. systems, but instead “was working with some other individuals within [the company] who were potentially accessing such services on [their] behalf.” Sayler Tr. at 218:10-17.

Wilson also received a screenshot of “a text message from Elon” directing that an executive assistant was to receive access to certain systems “immediately, and anybody standing in the way [was] to be fired.” Wilson Tr. at 64:4-65:10. Wilson thought the access was inconsistent with the assistant’s position. Id. at 66:16-22. To him, this “raised some concerns” that employees would “get pressure from an access standpoint to do things” and “be given access” to systems that “weren’t commensurate with their job responsibility.” Id. at 64:4-65:10. Former Director of Security Engineering Andrew Sayler similarly testified he had “ongoing questions about Elon’s commitment to the overall security and privacy of the organization” because “the manner in which Elon was requesting us to grant access to third parties that had not undergone our regular vetting process struck” Sayler as “having some degree of disregard for the overall sensitivity and security at that level of access.”

The filing also (which will surprise no one) admits regarding Musk’s demands that engineers launch his new “Twitter Blue” offering within a week that, of course, the company did not go through its privacy and security protocols that were mandatory under the latest consent decree. And, also how security engineers pointed out security and privacy flaws… and were ignored:

In another example, Musk insisted on launching the new Twitter Blue user verification service on an accelerated basis, despite staffing limitations. According to Kissner, Musk insisted the service “ha[d] to launch right now,” even though X Corp. was “so reduced in size that [teams were] struggling to keep the service up.” Kissner Tr. 130:22-132:12. Kieran recalled Twitter Blue was implemented so quickly that, “to ensure the speed that the product and engineering team was trying to work at,” the security and privacy review was not conducted in accordance with the company’s process for software development. See Kieran Tr. at 146:13-21. Sayler described how some of the security team’s recommendations went unheeded, including measures for mitigating the risk that people would purchase verification to impersonate other accounts. Sayler Tr. at 155:13-156:3. These concerns were well-founded: Twitter Blue was suspended the day after it was launched, after reports of fake accounts and impersonations

So, uh, yeah, it seems clear why the consent decree should remain and that Musk should sit for the depo.

Since modifying a consent decree requires showing that there were significant changed circumstances, the best that Sprio could cook up was that the FTC’s “harassment” represented changed circumstances. The DOJ points out that’s not even remotely close to how any of this works.

X Corp. contends the FTC’s alleged “harassment campaign” against it “constitutes a ‘changed circumstance’ rendering continued enforcement” of the Court’s Stipulated Order inequitable. Def. Mem. at 9, 14. Specifically, the company claimsthe FTC “impos[ed] new and burdensome [discovery] demands” and made “improper attempts to influence [EY’s] independent assessment,” id. at 14, and that those actions demonstrate “bias and prejudgment,” id. at 18. This argument fails for multiple reasons.

First, X Corp. has offered “no evidence to support [its] contention that the [FTC] has used the consent decree to conduct bad-faith, harassing investigations” that would warrant modification. SEC v. Musk, No. 22-1291, 2023 WL 3451402, at *2 (2d Cir. 2023) (unpublished). 5 Rather, the actions of which X Corp. complains were all taken to “investigate [X Corp.’s] compliance with the decree, as provided for in the parties’ agreement.” Id.

By claiming that the FTC’s investigation “has lost any plausible connection to lawful purposes,” Def. Mem. at 2, X Corp. ignores the obvious: under the 2022 Administrative Order, the FTC had ample authority to investigate X Corp.’s compliance, and the “fundamental transformation” within X Corp. gave it every reason to do so. To name just a few such reasons: shortly after the Musk acquisition, X Corp. laid off or fired at least half of its workforce, supra p. 5, and by April 2023 the company had reportedly lost about 80% of its workforce through subsequent rounds of terminations and resignations. 6 This exodus significantly impacted X Corp.’s privacy, data security, governance, risk, and compliance functions. Supra p. 6. Key compliance officers resigned—including the company’s entire Data Governance Committee—and the company’s former Chief Information Security Officer issued dire warnings about X Corp.’s data security and privacy practices under new leadership. Id. X Corp.’s independent assessor, EY, abruptly resigned due to a perceived lack of timely support from, and dramatic changes within, X Corp

If anything, I’m wondering if Elon’s posturing here actually forces the FTC’s hand and make it more likely to bring a complaint against the company. By making this effort to ditch the consent decree and avoid sitting for a deposition, Musk is making a mockery of the FTC consent decree process.

If the FTC lets him get away with it, it completely undermines the FTC’s authority on things like this and will lead to many others disregarding consent decrees as well. Surely this is more important than whatever this failed lawsuit the FTC brought was?