Ars Technica — AI · · 7 min read

Musk’s X poses “serious risk to Americans’ privacy,” advocates warn FTC

Mirrored from Ars Technica — AI for archival readability. Support the source by reading on the original site.

Story text
Size Small Standard Large Width * Standard Wide Links Standard Orange
* Subscribers only
  Learn more

Ahead of a July 2 deadline to submit public comments, advocates are warning the Federal Trade Commission that it must keep close watch over Elon Musk’s X and firmly reject a recent bid to end the agency’s ongoing audits of the platform’s data handling.

Last month, the FTC posted a notice explaining that X had argued that an FTC order was no longer necessary due to changes Musk had made to the platform.

The initial order came as a penalty after the FTC found that a coding error had caused then-Twitter to improperly share users’ contact information for ad targeting that had initially been submitted for two-factor authentication. Under the order, X is subjected to costly independent audits, and the FTC has authority to demand documents to ensure compliance with data privacy laws without taking additional legal action.

According to X, the order imposes burdensome costs and should be terminated, partly because the company has completely rebranded since Musk took over Twitter. X also argued that the order’s requirements were duplicative since X now faces similar obligations under the European Union’s General Data Privacy Regulation (GDPR).

However, 15 privacy and consumer protection advocates—including Demand Progress, the Electronic Frontier Foundation, the Electronic Privacy Information Center, and the National Consumers League—co-signed a letter this week refuting all of X’s arguments.

They’re urging the FTC to “unequivocally reject X Corp.’s brazen attempt to escape accountability at the expense of the American people.”

“X Corp.’s petition fails to clear the demanding legal standard necessary to grant the extraordinary action the corporation is requesting,” the letter said. “To the contrary, X Corp. and its current leadership present a serious risk to Americans’ privacy and data security, demonstrating the need for continued” FTC oversight.

X’s AI training and tools raise red flags

Musk’s big argument seems to be that since he’s rebranded Twitter as X, then folded X into SpaceX, that the old Twitter business has been transformed and there is no longer a risk of X’s improper data handling.

However, advocates argued that Musk’s changes to X have only raised additional concerns about the platform’s data handling that should heighten the FTC’s monitoring and are not a cause to terminate it.

Among top concerns, they cited global backlash to Grok, which triggered a lawsuit from three girls who accused X of allowing the chatbot to generate child sex abuse materials (CSAM) and other non-consensual intimate images (NCII). And just last year, “2.8 billion records leaked from the platform,” advocates noted, while Musk was busy managing DOGE efforts to extract “sensitive information” about millions of Americans. They also pointed out that the FTC had already found that Musk “had directed employees to take actions that would have violated” the order, while seeking to give journalists unbridled access to internal data to investigate the so-called “Twitter Files.”

Further, any questions of how much control Musk wants users to have over their data can be answered by X’s controversial decision to collect “hundreds of millions of posts on the X platform” for AI training “without meaningful or explicit user consent,” advocates said. Rather than seek user consent, X merely updated its terms, advocates said, seemingly banking its AI business on users not reading about updates.

According to Cambridge Analytica, “when Musk changed X’s rules to allow AI training on user-generated content, he didn’t invent a new business model. He industrialized the surveillance capitalism business model Cambridge Analytica pioneered: behavioral data at massive scale enables population-level personality modeling.”

Supposedly, Musk’s X business model training Grok on public posts is “identical” to the business model behind one of the biggest data scandals in history, Cambridge Analytica wrote. X’s AI works to “extract maximum behavioral data, build prediction models, sell persuasion capability. Musk just replaced Facebook’s advertising-to-third-parties model with direct AI-deployment-to-Musk-aligned-entities,” their post said.

Opt-out methods are available but “practically invisible,” Cambridge Analytica noted, citing research finding that “73 percent of X users were unaware their tweets trained Grok.”

Cambridge Analytica suggested that many users would likely be creeped out to realize that deleting X posts doesn’t delete the behavioral signal to the AI model. That means the algorithm is likely to continue targeting content at users based on information the user chose to remove.

As Cambridge Analytica sees it, the X platform’s chatbot Grok represents a “failure” that proves that “consent frameworks designed for individual users” following the Facebook scandal “don’t prevent industrial-scale behavioral exploitation.”

“Grok shows that the model survived intact—it just moved from Facebook’s API to X’s native AI infrastructure,” their post said. “The technology improved, the regulation stayed static, and the surveillance deepened beyond what Cambridge Analytica achieved.”

Other platforms like TikTok and Instagram similarly borrow the wrong lessons from the scandal, Cambridge Analytica said. But “Musk’s iteration is distinctive only in its transparency about extraction scope. “ X is especially bad, Cambridge Analytica explained, because:

“X explicitly reserves the right to train AI on your complete behavioral history. Other platforms perform equivalent extraction while maintaining ambiguity in their terms of service. X’s brazenness—Musk announcing Grok’s capabilities without pretense of user benefit—might paradoxically prevent effective regulation by making the surveillance mechanism obvious rather than hidden.”

Advocates warned the FTC that there’s no reason to give away the agency’s powers to sanction X if future violations are found, simply because Musk finds it inconvenient to comply with the order.

Giving in to Musk’s demand would mean “effectively stripping away” the FTC’s “most effective deterrence and accountability mechanisms that protect American consumers against a known repeat offender,” they warned.

Additionally, X should not be allowed to use a state court finding, determining that its terms of service adequately informed users about Twitter’s accidental ad targeting, in order to override violations found under the FTC Act, advocates said.

And finally, the GDPR is not a substitute for FTC monitoring, they argued. That seems particularly clear since X is currently under investigation for its “unauthorized collection of European users’ data to train its Grok AI model without valid GDPR consent” advocated noted.

“X Corp.’s foray into artificial intelligence development should prompt greater FTC oversight of the company’s privacy practices, not less,” advocates said.

Former AG supports X

X did not respond to Ars’ request to comment.

However, former US Attorney General William Barr has submitted comments supporting X. In his letter, Barr called out hundreds of FTC info demands after Musk bought Twitter as excessive.

Arguing against “permanent agency control of private companies,” Barr pushed the FTC to stop treating the termination of consent orders as requiring extraordinary circumstances, and at the very least reopen the order to consider if the scope of X’s restrictions is proper.

Whether X’s petition can succeed may hinge on X’s legal analysis, though, which advocates claim was “misleading.”

For example, neither of the cases X cited actually supports its claim that a “transformed” company shouldn’t be obligated to maintain an order after restructuring, advocates argued. In one case, an order was terminated by invoking a “sunset” policy that requires such an outcome after 20 years. In the other, an order was not fundamentally changed due to a market shift, as X argued, but eventually modified after 16 years of compliance.

In contrast to those cases, X’s order is “merely four years old,” advocates said, and X has shown it still requires scrutiny. Further, Musk agreed to accept the costs and comply with the order when he bought Twitter, so he should be stuck with it for the entire duration, they argued.

More glaringly, advocates pointed out that X is largely unchanged, serving the same functions as a platform as Twitter.

Musk, therefore, remains “in the exact same business of operating a social media platform, still utilizes user data for targeted advertising, and now has new uses and desires for consumer information in its AI business that make the 2022 Order’s oversight even more vital,” advocates said.

Photo of Ashley Belanger
Ashley Belanger Senior Policy Reporter
Ashley Belanger Senior Policy Reporter
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.

Discussion (0)

Sign in to join the discussion. Free account, 30 seconds — email code or GitHub.

Sign in →

No comments yet. Sign in and be the first to say something.

More from Ars Technica — AI