More Twitter privacy and security executives abandon ship

It's a day ending in the letter "y" which inevitably means there's more drama at Twitter. Chief information security officer Lea Kissner, chief privacy officer Damien Kieran and chief compliance officer Marianne Fogarty have all quit, according to The Verge. The report suggests that the company's engineers will now be responsible for ensuring compliance with regulations. Twitter is currently subject to a Federal Trade Commission consent order, which includes certain privacy and security requirements.

"I've made the hard decision to leave Twitter," Kissner wrote in a tweet. "I've had the opportunity to work with amazing people and I'm so proud of the privacy, security and IT teams and the work we've done."

I've made the hard decision to leave Twitter. I've had the opportunity to work with amazing people and I'm so proud of the privacy, security, and IT teams and the work we've done.

I'm looking forward to figuring out what's next, starting with my reviews for @USENIXSecurity 😁

— Lea Kissner (@LeaKissner) November 10, 2022

The departures will surely have a significant impact on Twitter's security and privacy teams. To that end, The Verge obtained a Slack message purportedly shared by a Twitter lawyer, which notes that engineers have been asked to "self-certify" that they're complying with FTC requirements and other laws. "This will put huge amount of personal, professional and legal risk onto engineers," the message reads. "I anticipate that all of you will [be] pressured by management into pushing out changes that will likely lead to major incidents." The lawyer, who urged workers to seek whistleblower protection if they felt the need to, warned that such changes are "extremely dangerous for our users."

The FTC consent order is part of a settlement Twitter reached with the agency in May. One of the conditions requires the company to employ a "comprehensive privacy and information security program" to examine new products for privacy and security risks. The lawyer noted that if Twitter violates the consent order, it could be on the hook for "billions of dollars" in fines, which would be "extremely detrimental to Twitter’s longevity as a platform."

This week, the company revamped the Twitter Blue service and started allowing users to obtain a checkmark (previously used to denote that an account was verified) for $8 per month. That's already created a minefield of impersonation, spoof accounts and scams.

A Twitter employee suggested to The Verge that the rushed rollout of the paid checkmark scheme, as mandated by new owner Elon Musk, bypassed the typical privacy review process. “The people normally tasked with this stuff were given little notice, little time, and [it's] unreasonable to think [the privacy review] was comprehensive,” said the employee, who noted that none of the team's recommendations were put into effect before the new Twitter Blue went live. That team was only able to review possible risks the night before Twitter rolled out the retooled service.

“No CEO or company is above the law, and companies must follow our consent decrees,” Douglas Farrar, the FTC’s director of public affairs, told The Washington Post. “Our revised consent order gives us new tools to ensure compliance, and we are prepared to use them.”

Engadget has contacted Twitter for comment.