Twitter has agreed to a series of provisions in relation to a Federal Trade Commission complaint that alleged the social network overstated its security and privacy assurances to users.
The complaint centered around breaches in 2009 which included the unauthorized access to member account, including one belonging to President Barack Obama.
Twitter was not required to pay any fines in the settlement, but has agreed to regular security audits, to tighten security measures, and to cease from making inordinate claims to members about the company's ability to protect user accounts.
An article in Wired reports some of the "sloppy" security practices by Twitter include:
- From July 2006 to July 2009, nearly all Twitter employees had total access to the Twitter system, including the ability to reset passwords, read users’ direct messages and nonpublic tweets and send tweets in any user’s name.
- Twitter employees used the public Twitter login page to get into these admin accounts and there were no controls on how strong such passwords had to be or how long they lasted. Twitter did not lock down accounts after multiple wrong password guesses.
A hacker used a simple brute-force dictionary attack to "guess" administrative login credentials, then reset the account password and distributed the information to others.
Subsequently, faux messages were posted on several accounts, including the President's and one from Fox News.
“Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic,” the FTC stated in the settlement order.
Among the numerous audit and reporting requirements, the provisions outlined in the FTC order require Twitter to:
- A. set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;
- B. explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the nonpublic personal information collected from or about consumers;
- C. explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and
- D. certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information and that the program has so operated throughout the reporting period.
While the outcome for Twitter could have been much worse from a punitive standpoint, the strict measures outlined in the settlement should prompt other social networks and online communities to review their stated privacy policies to ensure there is not hint of hyperbole.