His allegations, filed in July and published by The Post last month, will be argued over in next month’s trial to determine whether Tesla CEO Elon Musk must go through with his April agreement to buy Twitter for $44 billion. Musk claims Twitter has violated the sale agreement, in part by misleading shareholders, so that he is not obligated to complete the deal.
But the issue of the FTC consent decree could also come up on Tuesday when Zatko testifies before the Senate Judiciary Committee, and in meetings he’s expected to have with FTC officials. Critics say Congress has done little over the years to fortify the FTC’s ability to monitor compliance with such consent decrees, which are the agency’s principal means of enforcing U.S. consumer protection laws.
Zatko’s staff told him “unequivocally that Twitter had never been in compliance with the 2011 FTC Consent Order, and was not on track to ever achieve full compliance,” his whistleblower complaint alleges.
Interviews with more than half a dozen current and former FTC officials suggest that the agency would have been unlikely to uncover that alleged noncompliance. The officials said that chronic underfunding and understaffing have left the government’s top Silicon Valley watchdog without the personnel or technical expertise to monitor decrees and levy fines when they are not followed.
Since 2010, the agency has slapped many of the world’s most powerful and valuable tech companies — including Facebook, Google and Snap — with such orders. The orders were initially viewed as a creative way for the agency to police data security abuses in the absence of a federal data privacy law, and a signal to the tech industry that the U.S. government would be more closely scrutinizing their business practices.
Yet the shortcomings of such a regime have become more apparent in recent years, as repeated data abuses have taken place at companies under such orders. At the time of the Cambridge Analytica data-scraping scandal, Facebook was under an FTC order which required it to implement a privacy program. The company ultimately was fined $5 billion for allegedly violating the terms of the order, but critics said it amounted to a blip on the balance sheet of the company, which generates tens of billions of dollars a year.
Lawmakers and former officials are especially alarmed by the allegations about the 2011 Twitter decree, because the FTC had recently investigated the company’s data security practices and had already found problems. The 2011 Twitter settlement, which came in the wake of hacks of high-profile accounts, including that of former president Barack Obama, broadly directed the company to establish a security program.
Earlier this year, the FTC and the Justice Department won a $150 million fine and settlement against Twitter for asking consumers to provide phone numbers to keep their accounts secure, then using that data for marketing. The recent order directs Twitter to take specific steps, such as ensuring that users can authenticate their accounts without sharing phone numbers.
But that settlement did not address many of the more systemic, extensive allegations in Zatko’s complaint, which says the company ran outdated software on its servers, blocked automatic software updates on laptops, and misled the board about the breaches it suffered and the state of its security.
The FTC’s “record shows that it has been unwilling or unable to fully enforce its privacy orders and prevent further violation,” said Sen. Richard Blumenthal (D-Conn.), the chair of the Senate Commerce panel focused on consumer protection, who will also be among those questioning Zatko on Tuesday. “The FTC is up against some of the most powerful and profitable giants in the world, and it’s literally armed with a slingshot against a nuclear power.”
Former FTC officials say Congress also bears blame for the lax privacy oversight. For decades, consumer advocates and some lawmakers have pushed for a comprehensive consumer data privacy law that would give the agency more legal authority to police abuses. A bipartisan privacy bill recently advanced in the House, but it is unlikely to become law during a midterm election year with many competing priorities.
The FTC currently uses decades-old consumer protection laws to enforce against privacy abuses, which require it to establish that a company misled consumers about their ability to protect data or demonstrate other harms. That has historically proven to be an uphill battle in court.
Democrats’ efforts to expand the agency’s funding also have faltered. An early version of Biden’s economic package included an additional $1 billion to establish a new privacy enforcement division at the agency. But the funding was omitted from the slimmed-down version of the package that was signed into law by President Biden earlier this month.
“I would say to Congress … try harder to pass legislation that gives the FTC more tools and more teeth to oversee this complex area,” said Jessica Rich, who previously served as the head of the FTC’s consumer protection bureau. “I get tired of seeing Congress criticize the FTC when it’s been unable to pass basic, baseline privacy and data security resources for more than 20 years.”
The FTC currently has a staff of about 40 people monitoring compliance with its many hundreds of consent orders across the economy, according to a person familiar with the agency’s practices, who spoke on the condition of anonymity to candidly discuss internal matters. These lawyers do not necessarily have specific expertise in data security and technology, and the agency’s technologists often split their time between reviewing orders and other privacy and competition investigations.
“The same lawyers who ensure that social media companies have robust privacy and data security programs are making sure labels on bed linens are correct,” Ashkan Soltani, a former FTC chief technologist and now California’s privacy enforcer, said in congressional testimony.
The agency often moves more slowly than the tech industry, with some orders outdated before they come into force. The agency didn’t reach a settlement with MySpace for alleged data security misrepresentations until 2012, when the service was already fading in popularity.
The United States’ privacy enforcement resources lag far behind those of other Western countries with significantly smaller populations. According to a 2021 report to Congress, the FTC has about 40 to 45 people working in its privacy division. For comparison, the United Kingdom’s Information Commissioner’s Office has about 768 people, and the Irish Data Protection Commissioner has about 150 employees. Other countries also have broad laws to protect consumer data in general, such as the European Union’s General Data Protection Regulation; the United States does not.
Steven Bellovin, a Columbia University professor who served as the FTC’s chief technologist in the years just after the 2011 Twitter settlement, said that the technologists in the privacy and identity division were stretched, but at least motivated. Enforcement was another story, badly lacking tech expertise.
“My understanding is that the real problem has been on follow-ups, during the customary 20-year term of the consent decree,” Bellovin said.
In part because of staff shortages and scarce resources, the FTC has relied on third-party assessors to monitor whether companies are complying with their privacy commitments. But the assessments are very different from true audits, where professional codes demand actual tests and evidence, former FTC staffers said.
In assessments, the outsiders paid by the subject companies were allowed to simply take management’s word on technical matters, said FTC expert and University of California-Berkeley Professor Chris Hoofnagle, and in his experience those executives might not know what their engineers were doing.
While under a prior consent decree, for example, Google was certified as compliant on privacy during a period when two major violations occurred, including it being caught using street-mapping cars to suck down WiFi traffic. The omission of these incidents in the assessments “suggests that the assessor had not read the newspaper for two years,” Hoofnagle wrote in a 2006 book.
Lina Khan, the agency’s Democratic chair, entered office more than a year ago with great expectations that she would improve the agency’s privacy enforcement. The agency has put some teeth into consent orders, including more prescriptive language so that the agency and its assessors can better oversee compliance.
Khan has also called on Congress to give the FTC more funding, while promising to dedicate more resources toward oversight of digital markets.
The agency is also considering more aggressive penalties to deter companies and executives that violate orders, including criminal referrals to the Justice Department if a company misleads the agency in the course of an investigation.
“The commission is committed to enforcing its orders, and potential violations will be investigated thoroughly,” said Sam Levine, director of the FTC’s Bureau of Consumer Protection. “Companies flout FTC orders at their peril.”