Washington CNN Business —

When a Twitter whistleblower testified at an explosive Senate hearing this week, the social media company wasn’t the only one to come under fire. Lawmakers on both sides of the aisle repeatedly criticized federal regulators who for years had supposedly been keeping a close eye on the company.

“I’m concerned that for almost 10 years the Federal Trade Commission didn’t know or didn’t take strong enough action to ensure Twitter complied with the consent decree” it signed with the agency in 2011, said Iowa Sen. Chuck Grassley, the Senate Judiciary Committee’s top Republican. “Congress should … be mindful of the FTC’s ability, or lack thereof, to successfully oversee these important issues.”

Committee chair Dick Durbin also signaled concerns about the FTC when he asked the whistleblower, Peiter “Mudge” Zatko, to grade US regulatory agencies’ performance in light of his Twitter allegations.

“Honestly, I think the FTC is a little, you know, over their head,” Zatko replied.

An FTC spokesperson declined to comment for this story.

The sharp, bipartisan remarks from members of Congress and Zatko, Twitter’s (TWTR) head of security from November 2020 until this January, highlight the growing frustration inside and outside Washington about the struggle to hold Silicon Valley accountable after years of scrutiny — even as lawmakers held yet another hearing in an attempt to do just that.

In his testimony this week, Zatko alleged Twitter had serious, undisclosed security and privacy vulnerabilities that have put users and national security at risk. But the day also put the spotlight on a federal agency that critics say is both under-resourced to take on billion-dollar tech companies like Twitter, and that pulls its punches when it does.

Zatko described how Twitter — which had committed to protecting user data and maintaining a strong information security program under its FTC consent order — allegedly did not take US regulators seriously and actively misled them.

“Some of the foreign regulators were much more feared than the FTC,” Zatko said, noting that France’s privacy regulator “terrified Twitter in comparison.”

Zatko testified that French officials investigating possible privacy violations demanded concrete, quantitative data from Twitter, often on short deadlines, to back up the company’s claims of compliance, and were known to threaten steep penalties for noncompliance that could directly hinder Twitter’s future growth.

“[They took a] ‘maybe you won’t be allowed to monetize in France, or maybe you won’t be allowed to use a particular data source in France,’ you know, and ‘you have a week to respond,’ sort of approach,” Zatko told Sen. Richard Blumenthal. In contrast, Twitter did not fear the FTC, Zatko claimed, because the agency largely allowed the company to “grade their own homework” in compliance audits and tended to issue one-time fines that were viewed within the company as little more than a cost of doing business.

Peiter Zatko, known as Mudge in the computer hacking community, poses for a portrait in Washington, D.C., U.S., August 22, 2022. Photo by Sarah Silbiger for CNN

In response to Zatko’s allegations, Twitter has accused the whistleblower of painting a “false narrative” of the company that is “riddled with inconsistencies and inaccuracies.” Twitter has also said Zatko was not involved in efforts to prepare company compliance reports and did not fully comprehend the company’s legal obligations.

According to his disclosure to the US government, Zatko’s allegations are informed by statements from his own staff at the company whom he says were “intimately familiar” with Twitter’s FTC obligations. Twitter was not ever in compliance with the 2011 order and was never on track to become compliant, Zatko’s subordinates allegedly told him, according to the disclosure.

Limited fines and resources

Zatko’s testimony has prompted unusually outspoken criticism of an agency that is considered America’s chief privacy and data security regulator — and done so at a time when that agency is said to be more focused on reining in the tech industry under Chair Lina Khan, a high-profile skeptic of large tech platforms.

The FTC has become increasingly involved in technology oversight in recent decades. In 2011, it hired its first chief technologist, and in 2015, a federal appeals court affirmed the FTC’s authority to prosecute companies for data security lapses — a major victory that helped cement the FTC’s role as a cop on the digital beat. This year, the FTC launched a process that could eventually lead to the creation of sweeping new privacy regulations covering virtually all businesses that handle consumer data, including platforms such as Twitter.

But there have been other moments that prompted critics to doubt whether the FTC is up to the task. In 2013, the commission voted unanimously not to sue Google over concerns about the company’s impact on competition, despite a recommendation from agency antitrust staff to do so. And although a privacy settlement with Facebook in 2019 led to a record $5 billion fine and numerous new legal obligations for that company, critics have said the FTC should have insisted on holding CEO Mark Zuckerberg and COO Sheryl Sandberg personally accountable in the resulting order.

As with Facebook, the latest allegations against Twitter could lead to billions of dollars in new FTC fines, former agency officials have told CNN.

But some lawmakers expressed disappointment this week with the penalties the FTC has imposed thus far on the company, and raised doubts about regulators’ ability to meaningfully deter future wrongdoing. In May, the FTC reached a $150 million settlement with Twitter to resolve separate allegations it violated its consent order, when Twitter allegedly used account security information for targeted advertising purposes.

“The size of the penalty, a mere $150 million, amounts to the kind of burden on us average drivers when we pay the toll to go into Manhattan,” said Blumenthal, a former Connecticut attorney general.

Zatko agreed the fine was indeed “much less than we [at Twitter] had been concerned about.” Twitter’s nightmare scenario, he said, was if the FTC “were to come in and tell us we’re not allowed to monetize email addresses because of our continued inability to handle them correctly. Then we might not be on fair footings with our competitors, and that scared [Twitter].”

Lawmakers and regulators have also consistently called for more resources that can be devoted to enforcement. While there have been some attempts to expand FTC budgets and hire more in-house experts, former agency officials and consumer advocates have described staff as overwhelmed with work and outmatched by the armies of lawyers tech giants can bring to bear.

‘What we’re doing right now is not working’

Twitter has said its FTC compliance record speaks for itself, in the form of third-party audits filed with the agency. But Zatko said during his time at the company, the FTC allowed Twitter to hire its own auditors, who relied heavily on corporate self-assessments — a practice former FTC officials have described as routine and as an important way the agency saves on time and manpower. (The latest settlement, from earlier this year, now prohibits Twitter auditors from relying “primarily” on the company’s own self-reporting.)

Zatko alleges that this setup has helped Twitter get away with misleading regulators. In a separate hearing this week, another Twitter executive could not categorically deny, under repeated and direct lawmaker questioning, allegations that the company “has willfully misrepresented facts to the FTC.”

That alleged deception, said Blumenthal in Tuesday’s hearing, perhaps along with “inadequate resources or a failure of will,” may explain what he characterized as “a lack of vigor in law enforcement.”

He said this issue can only be effectively addressed by “restructuring, reforming and energizing our regulatory apparatus” — potentially by even transferring FTC authority over privacy and security to a whole new government agency. (Blumenthal is not the only senator to float such a proposal: In May, Colorado Democratic Sen. Michael Bennet introduced legislation to create a new commission regulating digital platforms.)

“Clearly,” Blumenthal said, “what we’re doing right now is not working.”