FTC Puts Social Nets on Notice With Twitter Smackdown

Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard users’ personal information, the FTC announced Thursday.

In what was the agency’s first such case against a social networking service, the FTC charged that serious lapses in Twitter’s data security practices allowed hackers to obtain unauthorized administrative control of Twitter, including access to nonpublic user information, tweets that users had designated as private, and the ability to send out phony message from any account — including one belonging to Barack Obama, who at the time was the U.S. President-Elect.

Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to such information and to honor the privacy choices made by consumers.

‘It Must Live Up to That Promise’

The company must also establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.

The Commission vote approving the complaint and settlement was 5-0.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”

Tweeting as Obama

The FTC’s case dates back to early 2009, when hackers were able to gain administrative control of Twitter on two occasions.

In January, a hacker used an automated password-guessing tool to find an administrative password on the site. The password was a weak, lowercase, common dictionary word; using it, the hacker reset several passwords and posted some of them elsewhere for access by others.

Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-Elect Barack Obama, offering his more than 150,000 followers a chance to win US$500 in free gasoline.

During a second security breach in April 2009, a hacker was able to guess the administrative password of a Twitter employee after compromising the employee’s personal email account, where two similar passwords were stored in plain text. The hacker reset at least one Twitter user’s password and could access nonpublic user information and tweets for any Twitter users.

Twitter was vulnerable to these attacks, the FTC charged, because it failed to prevent unauthorized administrative control of its system.

‘We Closed the Security Hole’

“Within hours of the January breach, we closed the security hole and notified affected account holders,” Twitter wrote Thursday in a blog post announcing the FTC settlement. “We posted a blog post about it on the same day .”

Following the April incident, “within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users,” Twitter added. “We also posted this blog item about the incident within a few days of first learning about it.”

Regarding the FTC settlement, “even before the agreement, we’d implemented many of the FTC’s suggestions,” Twitter asserted. “The agreement formalizes our commitment to those security practices.”

‘Singled Out Because of Its Visibility’

The settlement “shows how aggressive the FTC is being or going to be with respect to data security,” Greg Sterling, founder and principal with Sterling Market Intelligence, told the E-Commerce Times. “As a general matter that’s good, and the same standards should be applied across the board to companies doing business online.”

At the same time, however, “it appears like Twitter is being singled out a bit here for more zealous treatment or enforcement because of its visibility,” Sterling noted. “It may be that the agency has sought to ‘make an example’ of the company precisely for that reason.”

‘The FTC Is Serious’

Indeed, “the FTC is making a very strong statement here about the level of privacy protection and end-user data security expected from social media sites,” agreed Keith Crosley, director of market development with Proofpoint. “To some extent, one could say that they are making an example of Twitter.”

The takeaway — “not just for social media sites, but for any online service that provides messaging features — is that the FTC is serious about ensuring end-user privacy and proper access control,” Crosley told the E-Commerce Times.

“There’s a dimension to the FTC’s decision that goes beyond the issue of the privacy of users’ personal information,” he explained. “It’s also making it very clear that, if a service has features that purport to provide ‘private’ messaging, there had better be a secure architecture and proper information security procedures to back up that claim.”

Password Security Recommendations

There are some useful password security recommendations within the text of the FTC’s decision, Crosley added. “I think online service providers who don’t take these ‘best practices’ to heart do so at their own peril.”

End users, meanwhile, “should think about the issue of password security, especially with messaging services, and adopt some of these recommendations themselves,” he suggested.

“For example, use strong or hard-to-guess passwords for sites that have messaging components or where personal information is stored, change your passwords on a semi-annual basis, and avoid using the same passwords on multiple sites,” Crosley recommended.

‘The Government Will Be Watching’

The preservation of privacy is “key to any social website, even though the users share their innermost secrets with the world on them,” Washington, D.C., technology attorney Raymond Van Dyke told the E-Commerce Times. “Twitter, brought up on charges of fraud and deception in the FTC for these two intrusions, reasonably settled the matter with a government eager to set an example.”

The FTC’s 20-year probation “puts all companies on notice that affirmative measures will be absolutely necessary to protect passwords and user privacies — or else,” Van Dyke noted. “Time will tell if this action will cause a rash of hacking at other companies and further FTC complaints.

“How robust must security protocols be to avoid FTC censure? How personal can these social sites become and still keep secrets — with the blurring of lines inevitable?” he added.

In any case, “with personal social networking sites rapidly growing both in number and degree of sharing, the FTC wants all such sites to do their utmost to protect users,” he concluded. “Some secrets, however, even though not the deepest, darkest ones shared with everyone, must remain secret, and the government will be watching.”