
Lessons from Twitter's Settlement with the FTC

By William B. Baker
August 30, 2010

The announcement that social-networking phenomenon Twitter has agreed to settle Federal Trade Commission (“FTC”) charges that it had engaged in inadequate privacy and information security practices illustrates some simple mistakes that social media and other online companies can make.

If the consent decree is approved, Twitter will have to live with the oversight that accompanies an FTC consent decree for 20 years (or more than four times the length of time that the company has existed).

Twitter Security Breaches

Since 2006, Twitter has operated www.twitter.com, a site that enables users to send “tweets” (messages of 140 characters or fewer) to “followers.” To be able to send or follow tweets, a consumer must register at the Twitter Web site. During the registration process, Twitter collects certain information that is presented as the user's public profile. Twitter also collects other, nonpublic information from users, including e-mail and Internet protocol addresses, and mobile telephone numbers. Users adopt user names and create passwords to control access to their accounts.

The FTC's complaint, in essence, alleges that Twitter engaged in lax security practices.

The FTC alleges that, for the three years from July 2006 to July 2009, Twitter gave nearly all of its employees the ability to exercise administrative control of the system, which included the ability to access a user's nonpublic information and reset passwords.

During that time, Twitter employed fewer than 50 people. And, until January 2009, Twitter employees accessed the administrative system through the same Web page as did users. Finally, the FTC noted that from July 2006 until July 2008, Twitter did not provide its employees with a company e-mail address, but, instead, instructed employees to use a personal e-mail account for company business.

Problems became apparent in January 2009, when a hacker obtained unauthorized administrative access to the Twitter system, and gained access both to nonpublic information and to the ability to reset passwords. As it turned out, the administrative password used was, in the words of the FTC complaint, “a weak, lowercase, letter-only, common dictionary word.”

Subsequently, some fraudulently reset passwords were used to send fake tweets, purportedly from sources such as then-President-elect Barack Obama and Fox News.

The complaint also alleges that, in an unrelated event a few months later, a hacker (now known to be from France) obtained a Twitter employee's administrative password from the employee's personal e-mail account, where the password had been stored in plain text for some six months. The complaint alleges that at least one password thereafter was changed without authorization.

These security errors by Twitter are, in a sense, understandable, as one can see why a startup Web company might initially want much of the staff to help administer the site, or might not want to go to the trouble of establishing corporate e-mail accounts. But an arguably understandable business practice for a startup company is not necessarily the same as a good security practice, especially for a fast-growing, increasingly prominent social-networking company with worldwide usage.

Violation Alleged

The FTC must identify a claimed violation of law in order to take action.

Here, the FTC observed that Twitter had made a number of statements to users of its Web site to the effect that it employed “administrative, physical, and electronic measures designed to protect your information from unauthorized access,” and that the privacy of nonpublic messages and information was protected.

The FTC charged that such representations by Twitter were false and misleading, insofar as they claimed that Twitter used “reasonable and appropriate security measures” to prevent unauthorized access to nonpublic information or to honor users' privacy choices. Thus, the FTC alleged that Twitter had engaged in deceptive acts or practices in violation of Section 5 of the FTC Act.

It should be noted that the FTC did not base its conclusion that Twitter had been deceptive simply on the fact that the two breaches had occurred. Instead, the FTC focused on the poor security practices that had facilitated the breaches, including Twitter's failure to:

  • Establish policies to make administrative passwords difficult to guess, including prohibiting common dictionary words;
  • Establish policies prohibiting the storage of administrative passwords in plain text in personal e-mail accounts;
  • Disable administrative passwords after a number of unsuccessful login attempts;
  • Enforce periodic changes of administrative passwords; and
  • Restrict access to administrative controls to only those employees whose job duties required administrative access.
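The five failures the FTC lists map directly onto controls an engineering team can implement and test. The following Python is an added example, not code from this article, from the FTC complaint, or from Twitter: it expresses each control as a small policy check (password guessability, a lockout counter, password age, and a role gate on administrative functions). The thresholds, the word list, and the account model are assumptions chosen for illustration, not values taken from the complaint or the consent decree.

```python
"""Constructed example: the administrative-credential controls the FTC
complaint says were missing, expressed as small, testable policy checks.
All thresholds and the word list below are assumptions for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed stand-in for a common-word list; a real deployment would load
# a large dictionary / breached-password list (assumption).
COMMON_WORDS = {"password", "happiness", "twitter", "letmein", "welcome"}

MIN_LENGTH = 12                        # assumed minimum admin password length
MAX_FAILED_ATTEMPTS = 5                # assumed lockout threshold
MAX_PASSWORD_AGE = timedelta(days=90)  # assumed rotation period


def password_policy_violations(candidate: str) -> list[str]:
    """Return the policy rules a proposed administrative password breaks.

    An empty list means the candidate is acceptable under this policy.
    Mirrors the FTC's first finding: no policy against short, lowercase,
    letter-only, or dictionary-word admin passwords.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.isalpha() and candidate.islower():
        problems.append("lowercase letters only")
    if candidate.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    return problems


@dataclass
class AdminAccount:
    """Minimal account record (constructed) carrying the state each control needs."""
    username: str
    role: str                   # only "admin" may reach administrative controls
    password_set_at: datetime   # used to enforce periodic password changes
    failed_attempts: int = 0
    disabled: bool = False

    def record_login_attempt(self, success: bool) -> None:
        """Lockout control: disable the credential after repeated failures."""
        if success:
            self.failed_attempts = 0
            return
        self.failed_attempts += 1
        if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
            self.disabled = True

    def password_expired(self, now: datetime) -> bool:
        """Rotation control: passwords older than the policy window are stale."""
        return now - self.password_set_at > MAX_PASSWORD_AGE


def may_use_admin_controls(account: AdminAccount, now: datetime) -> bool:
    """Least-privilege gate: admin role required, credential not locked or stale."""
    return (
        account.role == "admin"
        and not account.disabled
        and not account.password_expired(now)
    )


if __name__ == "__main__":
    now = datetime(2009, 1, 15)  # constructed date for the demonstration
    print(password_policy_violations("happiness"))   # weak dictionary word
    acct = AdminAccount("ops1", "admin", password_set_at=now - timedelta(days=10))
    for _ in range(MAX_FAILED_ATTEMPTS):
        acct.record_login_attempt(success=False)
    print("disabled after repeated failures:", acct.disabled)
```

Each check is deliberately a pure function or a small state transition so it can be unit-tested in isolation; the point of the FTC's findings is less any single rule than that none of these rules existed as enforced policy. A real deployment would back `COMMON_WORDS` with a large wordlist and would log every lockout and every denied admin-control request so that the "testing and monitoring" undertaking in the consent decree has something to monitor.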

Remedial Undertakings

To settle the charges, the FTC and Twitter agreed to a consent decree in which Twitter committed to take a number of steps to improve its security practices, including some that the company claims it has already implemented. The new steps include a number of practices that the FTC has developed in a series of security cases over the years. These include:

  • Designating an employee to be in charge of, and accountable for, an information security program;
  • Identifying reasonably foreseeable material security risks, both internal and external, and assessing the adequacy of whatever security measures are in place to control those risks;
  • Testing and monitoring of the safeguards;
  • Taking reasonable steps to select and retain service providers capable of appropriately safeguarding nonpublic consumer information received from Twitter; and
  • Performing ongoing evaluation and adjustment of the information security program over time.

In addition, Twitter will need to undergo initial and biennial assessments of its information security over the next 10-and-a-half years.

Finally, Twitter has agreed to a number of recordkeeping requirements covering its security claims, consumer complaints received about its information security, and other documents relating to its information security and its compliance with the consent decree.


William B. Baker is a partner at Wiley Rein in Washington, DC, in the firm's communications practice. He advises a broad range of clients on domestic and international privacy, security, marketing communications, e-commerce, and postal law. He can be reached at [email protected].

