The US Federal Trade Commission (FTC) is deepening an investigation it opened this autumn into Twitter’s privacy and data security practices in the wake of the company’s takeover by billionaire Elon Musk, according to people familiar with the matter. FTC lawyers questioned two former senior executives in the past month about whether Twitter has been able to comply with the agency’s 2011 consent order since Musk took over, said three people familiar with the matter, who asked not to be named discussing a confidential investigation. Musk’s October 27 acquisition led to an exodus of many of the social media company’s legal, privacy and compliance executives, prompting the wider investigation. The FTC had already opened a new inquiry into Twitter after the company’s former chief cybersecurity officer, Peiter Zatko, filed a whistle-blower complaint, said the people. Zatko testified before Congress in September, alleging the platform was a “ticking bomb of security vulnerabilities”. Musk’s Twitter also parted ways with Wilson Sonsini Goodrich & Rosati, the law firm that formerly represented the company before the FTC and negotiated both the 2011 consent decree and the terms of a related May settlement over a breach of that agreement. Wilson Sonsini declined to comment. Roughly 5,000 of Twitter’s 7,500 employees have left the company since Musk assumed control, including the general counsel and chief privacy officer. FTC lawyers have interrogated two former top Twitter executives in the past month – Damien Kieran, the former chief privacy officer, and Lea Kissner, the most senior cybersecurity officer, the people said. Kieran and Kissner both quit Twitter on November 10, alongside the head of compliance. The investigation marks at least the third time the FTC has scrutinised the social media platform over its privacy and data security practices. The review could lead to millions of dollars in fines and a new FTC order imposing obligations on Musk himself that would apply across his companies and remain in effect even if he steps down as chief executive officer or leaves Twitter. Twitter to restrict who can vote on policy after Musk’s exit poll “Why has Bloomberg News been asleep at the switch regarding government censorship of social media?” Musk said in an email seeking comment about the FTC investigation. An FTC spokesman declined to comment. The agency said in a November statement that it’s tracking recent developments at Twitter with “deep concern”. “No CEO or company is above the law, and companies must follow our consent decrees,” FTC spokesman Douglas Farrar said at the time. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.” Twitter paid a US$150 million fine in May for violating its 2011 consent decree by misusing phone numbers that users uploaded for security purposes to instead target them with advertising. That settlement extended the FTC’s oversight of Twitter through at least 2042. In his complaint to the FTC, Congress and other federal agencies, Zatko, also known as Mudge, alleged further violations of the 2011 settlement, including that data from Twitter users who deactivated their accounts wasn’t properly deleted and that executives misrepresented information to the FTC about the company’s privacy policies. The FTC lacks the authority to fine companies for a first violation, but can impose penalties for subsequent breaches. Those fines can be hefty: the agency can levy penalties of as much as US$46,517 for each violation. During the Trump administration, the agency used that authority to fine Facebook, since renamed Meta Platforms Inc, a record US$5 billion over the Cambridge Analytica data scandal in which the personal information of Facebook users was sold to a political consultancy without their consent. It also required CEO Mark Zuckerberg to personally attest to the company’s privacy compliance going forward. The FTC under Chair Lina Khan has taken an aggressive approach to corporate wrongdoing, particularly with repeat offenders. In October, the FTC settled with alcohol delivery app Drizly LLC over a 2018 data breach. Drizly is a subsidiary of Uber Technologies Inc, which is also under order with the FTC over data breaches in 2016 and 2017. The Drizly order also names CEO James Cory Rellas, imposing responsibilities on him at any future employer that collects a significant amount of consumer information. EU parliament invites Elon Musk to testify “FTC orders mean something,” Khan told a conference of business executives on December 6. “It’s not OK for an executive just to relegate that to the lawyers and be totally removed from it, especially when it’s something so central like data security.” Khan declined to comment directly on Twitter when asked at that same conference, but said the agency would be examining the role of executives in any investigations of the social media company. Before Musk’s takeover, Twitter denied Zatko’s allegations, saying they are “riddled with inconsistencies and inaccuracies”, and that access to data is controlled by monitoring systems and background checks.