For privacy failures revealed by that hack, Twitter was forced in 2011 into a consent decree that gives the US Federal Trade Commission (FTC) 20 years of oversight of its security practices. Earlier this year, the clock was reset and Twitter was fined $150 million because it was found to have misused the phone numbers of more than 140 million users. US government lawyers labeled Twitter “a recidivist that engaged in unlawful conduct even after law enforcement action.”

That background means Elon Musk’s recent takeover of Twitter made him owner of a company that will be under the eye of the US government’s antitrust and consumer protection agency until 2042. His sweeping layoffs of employees and contractors, in addition to resignations of top privacy and compliance executives, have prompted some security experts to warn the platform is at increased risk of worst-case security breaches. The FTC this month said in a statement it is “tracking recent developments at Twitter with deep concern,” and seven Democratic members of the US Senate called on the agency to investigate Twitter late last week. Failure to comply with the consent decree can carry hundreds of millions of dollars in fines or additional federal court complaints and consent orders.

David Vladeck, a law professor at Georgetown University who brought the charges that led to Twitter’s 2011 consent decree while serving as director of the FTC’s Bureau of Consumer Protection, believes that Twitter may already be out of compliance with the 2022 order. Musk gutted the company at a time when it should be preparing an initial assessment—due to be filed with the agency in January—describing in detail how Twitter is meeting the order’s requirements. In that assessment, Twitter must also identify employees the FTC can contact to ensure future compliance. The report and other documents sent to the commission in relation to the 2022 order must be submitted as true and correct under penalty of perjury.

Twitter is required to carry out vulnerability testing every four months, privacy and security risk assessments every year, and get an independent security audit every two years for a decade. If the FTC finds that Twitter isn’t complying, the company could face steep fines and additional consent decrees, Vladeck says. Because the company has already been fined for breaching its original consent decree, the punishment for another breach would be significant, and could place Twitter under even more stringent requirements to ensure security is maintained. “This is one of those cases where, if there’s an additional order, there will be personal responsibility for Musk,” Vladeck says. “His neck may be on the chopping block if there’s another consent decree, and there may be personal responsibility for other significant people within the organization.”

The chaotic early weeks of Musk’s ownership of Twitter have already suggested the company risks missing some of its FTC requirements. The Verge reported that the recent relaunch of Twitter’s subscription service skipped traditional privacy and security reviews, and that company lawyers asked employees to self-certify compliance with the FTC orders. The company is required to designate no more than five people to make decisions about how personal data like email addresses and phone numbers are collected and used, and to maintain comprehensive privacy and information security programs. According to an email seen by The Verge, Musk assured Twitter employees the company will do everything possible to comply with the FTC order. But a company lawyer posted a note internally warning that the current head of legal at Twitter, Alex Spiro, said the platform’s new owner plans to take big risks because “Elon puts rockets into space. He’s not afraid of the FTC.” Following questions by Twitter employees worried they could be personally liable for violations of the consent order and face prison time, according to an email seen by TechCrunch, Spiro told employees that compliance is for the company, not individual employees, and shared plans to comply with decree mandates.

Of course, internal assessments and external audits like the kind the FTC has required of Twitter don’t always catch problems. A similar FTC order for Facebook didn’t prevent the Cambridge Analytica scandal, in which the firm, working on behalf of the Trump 2016 presidential campaign, used a third-party app to collect the data of more than 50 million people without consent. And documents obtained by Bloomberg Law found that Twitter’s compliance with the 2011 FTC order did not pick up shortcomings later highlighted by security expert turned whistleblower Peiter “Mudge” Zatko in recent testimony before Congress, who said the company lacked basic security measures, such as systems to prevent employees from going through user data.

Musk’s tenure at Twitter is also under the scrutiny of regulators in Ireland and the European Union, who have signaled that they’re monitoring the company, and in particular its compliance with EU data protection law. The EU’s Digital Services Act also came into force last week. That means that by February 2024, major platforms will have to carry out risk assessments, report on the use of automation in services like content moderation, and report details about their algorithms such as their error rates. Failure to comply can carry fines of up to 6 percent of global revenue.

Musk may have demonstrated to Twitter users and employees—and the rest of the watching world—in recent weeks that he’s willing to ignore the rules sometimes and make sweeping changes to his new company. But he can’t change Twitter’s history of poor security, or the fact that it has to deal with close scrutiny from the FTC for the next 20 years.