Geoff Bowser
Nov 10 · 15 tweets · 3 min read
The idea of engineers self-certifying compliance with an FTC consent decree jumped out to me as patently absurd. So I found and read the consent decree. This 🧵 discusses how this policy violates that decree and why I believe these people had no option but to resign. 1/15
Below is the relevant section of the consent decree.** It is available at ftc.gov/sites/default/…

In this thread I will go through various issues. 2/15

** I believe this is current.
Twitter agreed to maintain "a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information."

Having engineers self-certify probably isn't a comprehensive program. 3/15
However, even if it were to be considered a program (under a broad definition), it certainly is not one that has been reasonably designed to protect nonpublic consumer information. 4/15
Twitter agreed that "Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities" 5/15
First, I don't think a Slack message would satisfy the in-writing aspect, but in addition, Twitter has apparently provided no guidance as to how to self-certify. It also lacks any safeguards, as safeguards inherently imply a force keeping the engineers in bounds. 6/15
In Subpart A Twitter agreed to "the designation of an employee or employees to coordinate and be accountable for the information security program."

It appears those people just resigned; self-certification is not coordination and lacks accountability for the program. 7/15
Subpart B concerns the development of safeguards and the requirements thereof.

Presumably this was already done and a specific program was put into place.

I think it violates that paragraph to just ignore that prior development process without conducting a new one. 8/15
Subpart C concerns ongoing testing and monitoring of the safeguards adopted.

It appears the people who would be responsible for this are no longer there. The engineers are not able to comply with this on their own. 9/15
Subpart D relates to the application of safeguards to third party service providers.

Presumably this is not something engineers could possibly certify. And I don't think having the service providers self-certify would be sufficient. 10/15
Subpart E specifically requires changes and adjustments based on monitoring, change in business structure/operations, or any other changes that could materially affect security.

This is a big one and why I assume these people resigned. 11/15
In normal operations only the first part of that subsection would apply: normal monitoring. But two things just happened that trigger the other parts.

1. Musk took over; this is exactly the type of change in business structure/operation contemplated; and 12/15
2. The changes to Twitter Blue/verification are exactly the type of thing contemplated by the third part of Sub. E.

Under the Consent Order both should have required an extensive risk analysis and the design of new safeguards. 13/15
My guess is that Musk balked at conducting this analysis due to time, expense, and ego.

But, remember Sub A made the designated employees responsible for these obligations.

If I were their attorney I probably would have told them to resign if no analysis was performed. 14/15
So what does that mean for Twitter? I would expect the FTC to use its levers of power to aggressively pursue this.

For the rest of us, I can't say for sure, but I would think twice before providing them any info you're not okay with being public (SSN, CC#). 15/15
