The Federal Trade Commission and Twitter have agreed to settle charges stemming from two security breaches in early 2009, during which hackers were able to obtain unauthorized administrative control of the social networking service, access private user data, hijack user accounts, and send out phony tweets (including from the accounts of then President-Elect Barack Obama and Fox News). There was no fine, but the social networking service has agreed to a 20-year injunction barring it from “misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information.” Additionally, under the terms of the settlement, Twitter will be subject to the oversight of a third-party auditor for 10 years, who will assess Twitter’s development of a comprehensive security program.
The FTC complaint alleges that Twitter violated Section 5(a) of the FTC Act by falsely representing to consumers that it would use reasonable safeguards to protect user information from unauthorized access. Specifically, Twitter’s website, along with other privacy-related claims, contained the statement:
Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.
The FTC claims that this representation was false, and that Twitter was vulnerable to attacks from hackers because it failed to take reasonable steps to:
- Require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
- Prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
- Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
- Provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
- Enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
- Restrict access to administrative controls to employees whose jobs required it; and
- Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
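The administrative-access controls the FTC lists above (lockout after repeated failures, restriction to authorized staff, a 90-day password age limit, and an IP allowlist) can be expressed as a single policy check. The following is an added illustration written for this page, not code from Twitter or the FTC; the account fields, thresholds and the allowlisted network are constructed assumptions, and password verification itself is assumed to happen elsewhere and is passed in as a boolean.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed policy values for this illustration.
MAX_FAILED_ATTEMPTS = 5                      # lock after this many bad logins
PASSWORD_MAX_AGE = timedelta(days=90)        # forced rotation interval
ADMIN_NETWORKS = [ip_network("10.0.0.0/8")]  # hypothetical office/VPN range

@dataclass
class AdminAccount:
    username: str
    has_admin_role: bool        # job actually requires admin access
    password_set_at: datetime   # when the current password was chosen
    failed_attempts: int = 0
    locked: bool = False

def check_admin_login(acct: AdminAccount, source_ip: str,
                      password_ok: bool, now: datetime):
    """Return (allowed, reason). Mutates acct's failure counter/lock state."""
    # Role restriction: non-admin staff never reach the admin console.
    if not acct.has_admin_role:
        return False, "not-authorized"
    # Lockout: a locked account stays locked until an operator clears it.
    if acct.locked:
        return False, "locked"
    # Network restriction, checked before the password so off-network
    # attempts neither consume the lockout budget nor learn anything.
    if not any(ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return False, "ip-not-allowed"
    if not password_ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked = True
            return False, "locked"
        return False, "bad-password"
    # Correct password, but enforce the rotation window before admitting.
    if now - acct.password_set_at > PASSWORD_MAX_AGE:
        return False, "password-expired"
    acct.failed_attempts = 0
    return True, "ok"
```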
The FTC’s complaint contains allegations that hackers exploited these failings in two waves of attacks on Twitter accounts in January and April 2009. The first attack resulted in the infiltration of accounts belonging to Fox News and then President-elect Obama, along with 43 other users whose passwords were stolen, changed, posted on the Internet for public viewing, and used to send unauthorized graphic, inappropriate, or spamming tweets. The second attack was less severe, but still resulted in unauthorized access to at least 10 user accounts. Recently, Twitter issued an announcement to its users explaining that these incidents took place when Twitter was still in its nascent stages and the company had fewer than 50 employees. Twitter also noted that it was able to close the security holes and notified affected account holders within hours of each breach.
While this is the FTC’s first such action against a social networking site, the FTC has now made its position on this type of privacy breach clear. Its primary concern is ensuring that the social networking service has the ability to protect against unauthorized access to nonpublic user information from the start. David Vladeck, the director of the FTC’s Bureau of Consumer Protection, explained:
When a company promises consumers that their personal information is secure, it must live up to that promise. Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.
The proposed consent order reflects this concern, focusing on Twitter’s development of a comprehensive information security program, including administrative, technical, and physical safeguards to protect any nonpublic consumer information that may be housed in Twitter accounts.
Twitter has been proactive in its response to the FTC’s investigation, has already implemented many of the FTC’s suggestions, and in its announcement emphasized that the agreement merely “formalizes Twitter’s commitment to those security practices.”