The Federal Trade Commission entered into a settlement with the social networking site Twitter on Thursday, June 25th. The settlement was the result two 2009 hacker breaches, which resulted in 35 user accounts (mostly celebrities and politicians) being compromised and passwords disclosed. For those wondering, the first breach was achieved in January 2009 by using a password guessing tool to gain access through a lowercase/weak password protected Twitter administrative account and then reset user account passwords. The second breach in April 2009 allowed the hacker to gain access to a Twitter employee's email account, where that employee had "similar" passwords stored in plain text, resulting in further user password resets. You may recall hearing about (or receiving) the "Tweet" from President-elect Obama offering you an opportunity to receive $500 in free gas. Seriously, that happened.
According to the FTC press release, [u]nder the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years."
What did Twitter do wrong, you may ask? The FTC alleged in its complaint that Twitter was really bad at preventing unauthorized access to its system. Really, really bad. Specifically, Twitter failed to take reasonable steps to:
- require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
- prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;
- suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
- provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
- enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
- restrict access to administrative controls to employees whose jobs required it; and
- impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
Sounds like pretty reasonable steps for Twitter to have taken. Frankly, it sounds like pretty reasonable expectations in 2000, not just 2009. Your IT Department surely has at least these requirements, right? Right?
To many, this settlement is further evidence that the "we are serious this time, seriously" approach touted by the FTC in recent years is merely lip service.
That being said, the ban on misleading customers for 20 years is not just empty words. If Twitter allows any other privacy breach to occur, it will find itself without much leniency from the FTC. It also puts the FTC in a position to immediately fine Twitter up to $16,000 per incident for future lapses, a power that the FTC does not have absent the settlement and resulting (future, expected) order.
The comment period on the settlement will end on July 26, 2010, at which time it expected that the order will be entered and the settlement will become final.