In the legal filing, the Justice Department published previously confidential evidence from the Federal Trade Commission’s probe into the social network, including detailed excerpts of depositions with former executives about ways Musk’s directives and efforts to cut costs ran afoul of the company’s security and privacy practices. The company had agreed to implement a number of security safeguards and privacy audits in May 2022 to settle allegations that it deceptively collected users’ data.
The filing marks the first official confirmation of the extent of the FTC’s initial findings of its probe into compliance with its order, revealing “a chaotic environment at the company that raised serious questions about whether and how Musk and other leaders were ensuring [the company’s] compliance.”
FTC orders are among the most critical enforcement tools that the federal government has to hold Silicon Valley accountable, and Facebook in 2019 had to pay a multibillion fine to the agency for violating the terms of its own privacy agreement with the agency.
The new details about Musk’s handling of the FTC order come as the government opposes a request by the social network, now called X, to have a federal court dismiss the consent agreement and shield Musk from a deposition. The filing offers a rare look inside Musk’s leadership of the company, which has been opaque to press despite the world’s richest man’s promises to make X more transparent.
Neither Musk, his lawyer nor X responded to requests for comment.
The FTC has been looking into X’s privacy and security practices for more than a year, opening a probe following a whistleblower complaint that the company had “extreme, egregious deficiencies” in its defenses against hackers, according to court filings. The probe continued as Musk acquired X for $44 billion in late October and nearly immediately launched into massive changes for the site, including creating new subscription services to pay for check marks, restoring thousands of banned accounts and changing many of the rules on the platform. He also eventually let go roughly 80 percent of the staff, leaving the company running on a skeleton crew.
The DOJ described these events as “sudden, radical changes” and said that the FTC had “every reason to seek information about whether these developments signaled a lapse in X Corp.’s compliance.”
The filing highlights Musk’s near immediate changes to the company, particularly in the early days of his takeover. He “exercised granular control of X Corp., at times directing employees in a manner that may have jeopardized data privacy and security,” according to the filing.
As the number of staff dwindled, Musk allegedly told a former employee concerned with compliance with the FTC that he was “the single person responsible” and that “liability falls on him,” according to excerpts from a deposition by Seth Wilson, former Twitter director of threat management and operations.
Multiple employees testified that Musk gave directives that were at odds with the company’s normal processes and policies, according to the filing.
In December 2022, Musk directed that company servers be moved from one data center to another, the filing said. Company policy was to wipe data before removing servers from a center, but the relocated servers were transferred without being wiped because employees did not have “enough time to put together a process that would be in compliance with [their] own policies,” according to the testimony.
Musk also directed employees to launch paid verification service Twitter Blue so quickly that a security and privacy review was not conducted as required by the company’s own policies, according to a deposition cited in the filing from former chief privacy officer Damien Kieran.
Musk’s cost cutting measures — which included five rounds of layoffs between October and December of last year — “impaired” the company from complying with data security promises it made to the government in 2022, according to the filing. It quotes Lea Kissner, the company’s former chief information security officer, as testifying that due to the employee exodus, about half of the controls in the company’s security program no longer had a specific “owner” responsible for their operation. Kieran testified similarly about the company’s privacy program controls, telling the FTC that 37 percent were left unsupervised.
When the FTC asked Kieran who the “most senior” X employee with long-running knowledge about the company’s security team, he replied there was “nobody left.”
“The FTC has had to focus its prior depositions on former employees because nearly every employee who has been identified as a point person for privacy or data security either resigned or was terminated before the FTC could talk to them,” the DOJ wrote in the filing.
The court filing also cites a Washington Post report that detailed how Musk told X employees to give former New York Times columnist Bari Weiss “full access to everything at Twitter.” Longtime security employees blocked Weiss from receiving “direct access” due to concerns it would violate the FTC consent order, according to the DOJ filing, but instead the journalist worked with other individuals who accessed systems for her.
The consent order is one of the government’s most powerful tools to address alleged data privacy abuses in the absence of a federal privacy law. It has emerged as a political lightning rod as Musk and House Republicans have accused FTC Chair Lina Khan of “harassing” X.
X’s arguments have in part hinged on allegations that the FTC attempted to influence Ernst & Young, an independent auditor Twitter hired to assess its compliance with the order. House Judiciary Committee Chair Jim Jordan (R) recently amplified these claims at a congressional hearing with Khan.
The DOJ filing says that E & terminated its engagement with the company in February 2023 “ due to the extensive departures within, and a lack of support from, X Corp.”
