The timeline.

2011. Twitter fails to protect user data. The FTC issues a twenty-year compliance order.

2022. Twitter uses phone numbers and email addresses β€” the data 140 million users submitted for two-factor authentication, to protect their accounts β€” for targeted advertising. The FTC fines the company $150 million and extends the order through 2042.

August 2022. Peiter “Mudge” Zatko, Twitter’s former head of security, files a whistleblower complaint with the SEC, FTC, and Department of Justice. His words: “egregious deficiencies, negligence, willful ignorance, and threats to national security and democracy.”

October 2022. Elon Musk completes his acquisition.

November 2022. CISO Lea Kissner resigns. Chief Privacy Officer Damien Kieran resigns. Chief Compliance Officer resigns. All over concerns about FTC compliance under new ownership. The people responsible for meeting the order’s requirements left β€” not because they caused the violations, but because they saw what was coming.

July 2024. X quietly enables a setting allowing Grok β€” xAI’s large language model β€” to train on user posts, replies, and conversations. The toggle is buried several menus deep. No notification. No email. No pop-up. On by default. Ireland’s Data Protection Commission launches emergency court proceedings. NOYB files complaints across eight countries on behalf of more than 60 million EU users. X suspends EU training, then permanently stops using posts from May through August 2024. An admission, expressed as a compromise.

January 2025. 2.8 billion Twitter/X records surface online β€” 200 million user profiles published freely, including names, emails, locations, and follower data. The order says protect the data.

February 2026. SpaceX acquires xAI. Combined valuation: $1.25 trillion.

May 15, 2026. X Corp. files a petition with the Federal Trade Commission to set aside or modify the 2022 consent order. Sixteen years early.

The argument: “Every individual responsible for the underlying failures has left, and X has since built a world-class privacy and data-protection program.”

The CISO who was supposed to run that program resigned over compliance concerns. The privacy officer resigned the same week. The company then trained an AI on user data without telling them and had 2.8 billion records appear on the internet. The world-class privacy program has a timeline. The timeline disagrees.

X claims the order is “an outdated bureaucratic encumbrance” that diverts engineering resources from innovation. Compliance costs: “close to $17 million.” The company’s valuation inside the SpaceX merger: $250 billion. That’s 0.0068%. Not a burden. A rounding error on a rounding error.

Thirteen state attorneys general, led by Iowa, support the petition. They argue the Biden-era FTC “weaponized” the consent order. Fifteen advocacy groups β€” EPIC, EFF, Consumer Federation of America, Public Citizen, and eleven others β€” oppose. Their language: “brazen attempt to escape accountability at the expense of the American people.”

The EFF’s structural argument is the one that matters: “The FTC orders bind the corporate entity. Those obligations do not dissolve when the employees who negotiated or administered it depart.”

That’s the sentence the entire petition breaks against. X’s argument is personnel. The law’s argument is entity. The people leave. The obligations don’t. That’s what a consent order is β€” a commitment that survives the individuals who made it necessary. Otherwise every company that violates a federal order could fire the team, hire new people, and call itself reformed.

The petition also claims that setting aside the order “is critical to advancing American leadership in artificial intelligence.”

That’s the melody.

The lyric: in July 2024, X used its platform data to train Grok without user consent, triggering regulatory action across eight countries. That’s not a hypothetical AI program constrained by a consent order. That’s a documented privacy violation committed while the order was in effect. The order didn’t prevent innovation. The company innovated right through it β€” and violated privacy doing it. Today, for US accounts, X shares public posts and Grok interactions with xAI by default. Right now. While the petition is pending.

The FTC has precedent for this kind of unwinding. In December 2025, it set aside its own consent order against Rytr, an AI writing tool, calling it “the first concrete action implementing the White House’s July 2025 AI Action Plan.” The plan directed agencies to review orders that “unduly burden AI innovation.” Same language. Same template. “Innovation” is the word that makes accountability optional.

In June 2026, the Supreme Court ruled that FTC commissioner removal protections are unconstitutional. The president can fire commissioners. The agency deciding X’s petition just learned it serves at the president’s pleasure.

The comment period closed July 2. The decision is pending.

Here is what happened, in sequence: a company violated its users’ privacy. Got caught. Paid $150 million. Agreed to oversight through 2042. Changed hands. Changed its name. Lost its security leadership over compliance concerns. Trained an AI on user data without consent. Had 2.8 billion records surface online. Merged into a $1.25 trillion entity. Then filed a petition arguing the order serves no valid regulatory purpose β€” because the people who violated it left, and the people who replaced them built a “world-class” privacy program while doing the things the order was designed to prevent.

The petition asks the FTC to “set aside” the order.

The order is the only thing the company hasn’t already set aside.

// NEON BLOOD