Today, the Federal Trade Commission (FTC) and Twitter announced that Twitter has agreed to settle FTC charges that the company failed to take sufficient security measures to protect user privacy settings.
The FTC charges stem from security breaches in 2009, when hackers accessed Twitter employee accounts and used administrative controls to access the Twitter accounts of high-profile users, including Barack Obama. (Under hacker control, President-elect Obama’s Twitter account apparently “offered his more than 150,000 followers a chance to win $500 in free gasoline.”) Twitter candidly announced the first security incident in January 2009 and blogged about a second incident in April 2009.
The FTC Complaint (.pdf) lists the following security flaws among Twitter’s failings:
- Twitter allegedly had no policy requiring administrators to select hard-to-guess passwords; instead, administrators were permitted to use “weak, lowercase, letter-only, common dictionary word[s]” as administrative passwords.
- Twitter employees were allowed to store administrative passwords in plaintext, so that once hackers broke into their accounts, the hackers had full administrative access to other users’ accounts.
- Twitter did not disable administrative accounts after a number of unsuccessful login attempts, allowing hackers to easily run automated tools to break into the accounts.
- Twitter administrators were not required to change their passwords regularly.
- Twitter did not limit administrative access to user accounts to those employees who needed such access.
- Twitter did not do enough to restrict administrative access to authorized individuals, for example by requiring administrators to log in through a separate employee website or by restricting administrative access to specific IP addresses.
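Three of the failings above (weak dictionary-word admin passwords, plaintext storage, and no lockout after repeated failures) correspond to controls that are easy to model in code. The following is an added example, not code from the FTC complaint or from Twitter: a toy admin-credential store that rejects weak passwords, stores only a salted PBKDF2 hash, and locks the account after a fixed number of failed attempts. The word list, the five-attempt threshold, the fifteen-minute lockout window and the `AdminAccount`/`brute_force` names are all assumptions chosen for the example.

```python
"""Added example: password policy, hashed storage and lockout for admin logins.
Not the complaint's or Twitter's code; thresholds and the word list are assumptions."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed stand-in for a real dictionary; a deployment would load a large wordlist.
COMMON_WORDS = {"happiness", "password", "twitter", "letmein", "welcome", "admin"}
MAX_FAILED_ATTEMPTS = 5        # assumption: lockout threshold chosen for the example
LOCKOUT_SECONDS = 15 * 60      # assumption: lockout window chosen for the example
PBKDF2_ROUNDS = 100_000
SALT_LEN = 16


def weak_password_reason(password: str) -> Optional[str]:
    """Return why a candidate admin password is weak, or None if it is acceptable."""
    if password.lower() in COMMON_WORDS:
        return "common dictionary word"
    if password.isalpha() and password.islower():
        return "lowercase letters only"
    if len(password) < 12:
        return "too short"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the stored value is salt || digest, never the plaintext."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


class AdminAccount:
    """Admin credential with a strength policy, hashed storage and failed-attempt lockout."""

    def __init__(self, username: str, password: str, clock=time.time):
        reason = weak_password_reason(password)
        if reason:
            raise ValueError(f"weak admin password: {reason}")
        self.username = username
        self._stored = hash_password(password)   # only the salted hash is kept
        self._clock = clock                       # injectable for testing the lockout window
        self.failed_attempts = 0
        self.locked_until = 0.0

    def login(self, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        now = self._clock()
        if now < self.locked_until:
            return "locked"
        if verify_password(password, self._stored):
            self.failed_attempts = 0
            return "ok"
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.failed_attempts = 0
            self.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad_password"


def brute_force(account: AdminAccount, guesses) -> Optional[str]:
    """Simulate an automated dictionary run; returns the password only if it gets in."""
    for guess in guesses:
        result = account.login(guess)
        if result == "ok":
            return guess
        if result == "locked":
            return None   # lockout cuts the run short
    return None


if __name__ == "__main__":
    acct = AdminAccount("admin", "correct-Horse-Battery-7")
    print(brute_force(acct, sorted(COMMON_WORDS)))   # None: locked out before exhausting the list
```

Without the lockout, `brute_force` would simply walk the whole dictionary; with a lowercase dictionary word as the admin password and the plaintext sitting in an employee mailbox, none of the three controls would have stood in the way.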
What may be a key issue for many online businesses developing social networking sites is that, according to the FTC, users’ privacy settings may impose an implicit duty on the website operator to take certain security precautions in order to preserve those settings. In Twitter’s case, the site allowed users to make some “tweets” (short user messages/postings) private, and the alleged lack of security allowed hackers to access those private messages. The FTC Complaint (.pdf) claims that “Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic.” According to the FTC, the lack of security was so severe that Twitter’s claim that users’ privacy was protected amounted to a deceptive act under the FTC Act.
In its Agreement (.pdf) with the FTC, Twitter consented to adopt a comprehensive information security program and submit independent security assessments to the FTC every other year for the next 10 years. In today’s blog posting, Twitter indicated that “[e]ven before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices.”