Cybersecurity News & Analysis
github defconxt • © 2026 • blacktemple.net

X Corp

Also known as: Twitter · X.com · Twitter Inc

HQ Country: 🇺🇸 United States
Category: social platform
Threat Score: 68/100
Incidents: 18

Known Clients:

  • Advertisers worldwide
  • Dataminr (real-time data licensing)
  • U.S. government agencies (historical API access)

Deployment Countries: 🇺🇸 US, 🇬🇧 GB, 🇩🇪 DE, 🇫🇷 FR, 🇮🇳 IN, 🇧🇷 BR, 🇯🇵 JP, 🇦🇺 AU, 🇨🇦 CA

References:

  • FTC Order Against Twitter for Privacy Violations ($150M Fine)
  • 200 Million Email Address Leak (2023)
  • Elon Musk's Twitter Acquisition - SEC Filing

Threat Score Factor Analysis

Overall Threat Score: 68/100

Overview

X Corp, formerly Twitter Inc, is a social media platform that has undergone one of the most disruptive ownership transitions in technology history. In October 2022, Elon Musk completed his $44 billion acquisition of Twitter, taking the publicly traded company private. Musk subsequently renamed the company to X Corp and rebranded the platform from Twitter to X in July 2023, retiring one of the most recognizable brand identities in social media.

The Musk Acquisition and Its Consequences

Musk's acquisition, financed through a combination of personal funds, equity commitments from investors including Larry Ellison and Saudi Prince Alwaleed bin Talal, and approximately $13 billion in bank debt, immediately triggered sweeping changes. Within days of closing, Musk fired approximately 80% of the company's workforce, reducing headcount from roughly 7,500 to fewer than 1,500 employees. The layoffs gutted critical teams including trust and safety, content moderation, human rights, ethical AI, accessibility, and communications.

The mass layoffs were not merely a cost-cutting exercise. They systematically dismantled the infrastructure Twitter had built over a decade to address platform safety, election integrity, harassment, and misinformation. The trust and safety team, once over 100 strong, was reduced to a skeleton crew. The election integrity team was dissolved entirely ahead of the 2024 U.S. presidential election cycle. The human rights team, which monitored the platform's impact on vulnerable populations globally, was eliminated.

Platform as Public Square

Twitter/X occupies a unique position in the social media ecosystem as a real-time public discourse platform. Unlike Facebook or Instagram, Twitter has historically served as the primary venue for breaking news, political discourse, government communications, and crisis response. This makes the platform's data practices and governance decisions consequential far beyond its approximately 550 million monthly active users. Journalists, politicians, emergency services, and activists depend on the platform as critical communications infrastructure.

Data Collection Practices

X Corp collects extensive user data through direct interactions, passive monitoring, and third-party integrations. Under Musk's ownership, data collection has expanded in several significant directions.

Core Data Collection

The platform collects standard social media data including:

  • Account information: Name, email, phone number, date of birth, location
  • Content data: Posts, direct messages, media uploads, bookmarks, and lists
  • Behavioral data: Engagement patterns, viewing history, search queries, and interaction timing
  • Device data: IP addresses, device identifiers, browser type, operating system, and carrier information
  • Location data: GPS coordinates (if enabled), IP-based geolocation, and location metadata from posts

Phone Number Exploitation

In May 2022, the FTC fined Twitter $150 million for using phone numbers and email addresses collected for two-factor authentication to target users with advertising. From 2014 to 2019, Twitter collected phone numbers and emails under the pretense of account security and then fed this data into its advertising targeting systems, allowing advertisers to match their customer lists against Twitter's security-purposed contact information. This practice affected over 140 million users and represented a fundamental betrayal of user trust: people who took steps to secure their accounts were rewarded with targeted advertising.

Grok AI Training on User Data

In 2024, X Corp began training its Grok AI chatbot on user posts and interactions without explicit user consent. The feature was enabled by default, with users required to manually navigate buried settings to opt out. The European Data Protection Board flagged this practice, and Ireland's Data Protection Commission secured a commitment from X to suspend Grok training on EU user data pending regulatory review. However, for users outside the EU, post content continues to feed into X's AI training pipeline without meaningful consent mechanisms.

API Data Sales

Twitter historically licensed its full-firehose data feed to third parties, including data analytics firms and surveillance technology companies. Dataminr, a real-time data analytics company in which Twitter held a stake, provided law enforcement and intelligence agencies with tools to monitor protests, track activists, and conduct surveillance using Twitter data. Although Twitter publicly stated it prohibited the use of its data for surveillance, the Dataminr relationship, which continued for years after this policy was announced, contradicted these assurances.

Direct Message Privacy

X's direct messages are not end-to-end encrypted by default. Despite Musk publicly promising encrypted DMs as a priority feature, the rollout in 2023 was limited to verified (paying) users messaging other verified users, with significant restrictions including no group message encryption and no media encryption. The vast majority of DMs on the platform remain accessible to X Corp, and by extension to any entity that compromises X's systems or compels data access through legal process. For a platform used by journalists, dissidents, and political figures, the absence of robust DM encryption represents a significant privacy gap.

Third-Party Tracking

X's advertising pixel and conversion tracking API allow the company to collect browsing data from third-party websites that embed X's tracking code. This off-platform tracking builds behavioral profiles that extend well beyond activity on the X platform itself, tracking purchases, page visits, and interactions across the web.

Known Clients & Government Contracts

Data Licensing Relationships

Twitter's data licensing business, which generated hundreds of millions in annual revenue, provided raw platform data to a range of commercial and government clients:

  • Dataminr: Received Twitter's full firehose of public data and provided real-time alerts to clients including the CIA, Department of Defense, FBI, and hundreds of police departments. In 2016, the ACLU revealed that Dataminr was being used to track Black Lives Matter protests.
  • Meltwater, Brandwatch, and Sprinklr: Social listening platforms that purchased Twitter data for commercial analytics
  • Academic researchers: Through the now-discontinued Academic Research API

Under Musk's ownership, API pricing was dramatically restructured. The free tier was eliminated, basic access was priced at $100/month, and enterprise access reached $42,000/month. This pricing change effectively shut out academic researchers, journalists, and civil society organizations that had used the API to study misinformation, hate speech, and platform manipulation.

Government Communications

Numerous government agencies, military branches, emergency services, and elected officials use X as a primary public communications channel. This creates an unusual dependency where the public must engage with a private platform, and accept its data collection practices, to access government information and services.

Advertising Clients

X's advertising revenue, which was approximately $4.5 billion annually before the acquisition, has declined sharply. Major advertisers including Apple, Disney, IBM, Comcast, and Warner Bros. paused or reduced spending following Musk's acquisition, citing brand safety concerns after content moderation was relaxed. Despite revenue declines, X continues to collect and monetize user data through its remaining advertising operations.

Privacy Incidents & Litigation

FTC Consent Decree and $150 Million Fine (2022)

The Federal Trade Commission's May 2022 enforcement action found that Twitter violated a 2011 FTC consent decree by misusing phone numbers and email addresses provided for security purposes. The $150 million penalty was accompanied by enhanced requirements including:

  • Prohibition on profiting from deceptively collected data
  • Implementation of a comprehensive privacy program
  • Regular third-party audits
  • Specific protections for data collected for account security

The consent decree remains in effect through 2042. The FTC has publicly expressed concern about compliance following the mass layoffs of privacy and security staff under Musk's ownership.

200 Million Email Address Leak (January 2023)

In January 2023, security researchers discovered a dataset containing approximately 200 million email addresses linked to Twitter accounts, available for download on hacking forums. The data was compiled by exploiting an API vulnerability that Twitter had been alerted to in January 2022 through its bug bounty program but failed to patch promptly. The vulnerability allowed attackers to submit email addresses and phone numbers to determine whether they were associated with Twitter accounts, effectively de-anonymizing users.

The leak was particularly dangerous for pseudonymous accounts, including political dissidents, journalists, whistleblowers, and individuals in authoritarian countries who relied on Twitter anonymity for personal safety. An earlier exploitation of the same vulnerability, reported in August 2022, had exposed data for 5.4 million accounts.

FTC Compliance Concerns Post-Acquisition

In March 2023, the FTC sent a letter to Twitter expressing concern about the company's ability to comply with its existing consent decree given the mass layoffs. The agency noted the departure of Twitter's Chief Privacy Officer, Chief Information Security Officer, and Chief Compliance Officer, as well as the dissolution of the trust and safety team. Twitter's then-CEO Linda Yaccarino assured the FTC of continued compliance, but the agency has maintained heightened scrutiny.

Election Integrity Team Dissolution

In late 2022, Musk disbanded Twitter's election integrity team entirely. This team had been responsible for combating coordinated manipulation campaigns, state-sponsored information operations, and voter suppression tactics. The dissolution occurred ahead of major elections in the United States (2024), European Union (2024), India (2024), and dozens of other countries, leaving the platform without dedicated resources to address electoral manipulation.

EU Digital Services Act Compliance

The European Commission opened formal proceedings against X in December 2023 under the Digital Services Act (DSA), investigating the platform's content moderation practices, transparency of advertising, and researcher data access. Preliminary findings in July 2024 concluded that X violated the DSA through its deceptive verified account system (blue checkmarks), inadequate advertising transparency, and failure to provide researcher access to platform data.

Brazil Suspension (2024)

Brazil's Supreme Court ordered X suspended nationwide in August 2024 after the platform refused to comply with court orders to remove accounts accused of spreading misinformation and undermining democratic institutions. The standoff resulted in X being blocked for all Brazilian users and highlighted Musk's willingness to sacrifice platform access rather than comply with local regulatory orders.

Threat Score Analysis

X Corp receives a composite threat score of 68/100, reflecting the significant degradation of privacy and safety infrastructure under Musk's ownership:

  • Data Collection (72/100): X collects extensive user data including behavioral patterns, device information, location data, and content. The exploitation of security-purposed phone numbers for advertising demonstrated willingness to misuse sensitive data. The default-on Grok AI training on user posts without meaningful consent adds a new dimension of data extraction. The collection scope is comparable to other major social platforms but aggravated by the demonstrated pattern of misusing data collected for one purpose.

  • Third-Party Sharing (75/100): Twitter's historical data licensing to Dataminr and other firms, including documented use by intelligence agencies and law enforcement for surveillance, represents significant third-party data exposure. The API data firehose provided real-time access to public posts, user metadata, and social graph information. While Musk's API pricing changes reduced some third-party access, this was motivated by revenue extraction rather than privacy protection, and enterprise-tier data access remains available.

  • Breach History (78/100): The 200 million email leak was one of the largest social media data exposures, with particular risk to pseudonymous users in hostile environments. The failure to patch a known vulnerability for months despite bug bounty notification indicates systemic security negligence. The mass layoffs of security engineers further increased breach risk by reducing the team responsible for vulnerability management and incident response.

  • Government Contracts (50/100): X does not function as a traditional government contractor. However, the historical Dataminr relationship channeled Twitter data to intelligence and law enforcement agencies for surveillance purposes. The platform's role as de facto public communications infrastructure creates dependencies that benefit government information control.

  • Transparency (35/100): Under Musk's ownership, transparency has deteriorated sharply. The communications team was eliminated, press inquiries receive auto-generated responses, transparency reports have been delayed and reduced in detail, and the company has been openly hostile to regulatory engagement. The dissolution of the trust and safety, human rights, and election integrity teams removed the internal infrastructure necessary for accountability. Musk's personal use of the platform to attack critics, journalists, and regulators further undermines institutional credibility.

Weighted calculation: (72 * 0.25) + (75 * 0.25) + (78 * 0.20) + (50 * 0.15) + (35 * 0.15) = 18 + 18.75 + 15.6 + 7.5 + 5.25 = 65.1, adjusted to 68 due to the systemic dismantlement of privacy and safety infrastructure and ongoing FTC consent decree compliance concerns.

Transparency & Accountability

X Corp under Musk's ownership represents a case study in the rapid erosion of corporate accountability at a major technology platform.

Institutional Destruction

The mass layoffs eliminated virtually every team responsible for privacy compliance, content safety, and regulatory engagement. Specific losses include:

  • Chief Privacy Officer, CISO, and Chief Compliance Officer: All departed or were terminated
  • Trust and Safety team: Reduced from 100+ staff to a skeleton crew
  • Election Integrity team: Dissolved entirely
  • Human Rights team: Eliminated
  • Communications team: Eliminated; press inquiries receive automated poop emoji responses
  • Ethical AI team: Dissolved

FTC Consent Decree at Risk

The 2022 FTC consent decree, which runs through 2042, requires Twitter/X to maintain a comprehensive privacy program with independent oversight. The departure of senior privacy and compliance officers and the reduction of the privacy engineering team raise serious questions about the company's ability to satisfy these requirements. Former FTC officials have publicly stated that the personnel changes appear inconsistent with the consent decree's mandates.

Regulatory Defiance

Under Musk, X has adopted an increasingly adversarial posture toward regulators. The company challenged the EU's DSA findings, defied Brazilian court orders resulting in a nationwide ban, and has publicly questioned the legitimacy of content regulation by democratic governments. This posture, combined with the elimination of internal compliance teams, signals that regulatory accountability has been deprioritized as a corporate value.

Verification as Disinformation Vector

The replacement of Twitter's legacy verification system (which confirmed identity) with a paid subscription model (which confirms payment) has created a disinformation vector. Paid blue checkmarks create a false impression of authority and legitimacy, enabling impersonation and lending credibility to misleading content. The European Commission specifically cited this system as a DSA violation.

Data Governance Under Private Ownership

Twitter's transition from a publicly traded company to a private entity under Musk's ownership removed a significant layer of accountability. Public companies are required to disclose material risks, maintain internal controls under Sarbanes-Oxley, and face shareholder oversight. Private ownership eliminates these requirements. Quarterly earnings calls, SEC filings, and independent board oversight, all mechanisms that provided external visibility into Twitter's operations, ceased when the company went private.

The $13 billion in bank debt used to finance the acquisition created additional pressure to monetize user data aggressively. With annual interest payments exceeding $1 billion, X Corp faces structural incentives to extract maximum revenue from its data assets, potentially at the expense of user privacy protections.

Community Notes vs. Institutional Safety

Musk replaced Twitter's professional content moderation apparatus with Community Notes, a crowdsourced fact-checking system that relies on user consensus to flag misleading content. While Community Notes has produced some effective corrections, it cannot replace the institutional capabilities that were eliminated:

  • Speed: Community Notes operates on consensus timelines, often taking hours or days to attach notes to viral misinformation that spreads in minutes
  • Coordinated threats: Professional trust and safety teams specialized in detecting state-sponsored manipulation campaigns and coordinated inauthentic behavior, threats that crowdsourced systems are not designed to address
  • Proactive detection: The dissolved election integrity and threat intelligence teams proactively identified emerging campaigns before they achieved viral reach

International Regulatory Exposure

X Corp faces active regulatory proceedings across multiple jurisdictions. Beyond the EU's DSA enforcement and Brazil's suspension order, the platform faces investigations or enforcement actions in:

  • Australia: eSafety Commissioner investigations into failure to address child exploitation material and harmful content
  • India: Compliance disputes over IT Rules requiring traceability of message originators
  • Turkey: Fines for non-compliance with social media law requiring local legal representation
  • Germany: NetzDG enforcement actions related to content moderation failures

The combination of reduced compliance staff and an adversarial regulatory posture creates escalating legal exposure across virtually every major market where X operates.
