
Lessons from Twitter's Settlement with the FTC

By William B. Baker
October 27, 2010

The recent announcement that social-networking phenomenon Twitter has agreed to settle Federal Trade Commission (“FTC”) charges that Twitter engaged in inadequate privacy and information-security practices illustrates some simple mistakes social media and other online companies can make.

If the consent decree is approved, Twitter will have to live with the oversight that accompanies an FTC consent decree for 20 years. The FTC notes that a consent agreement is not an admission by a company or other entity of wrongdoing, but carries the force of law after the agreement is implemented.

The “settlement” is detailed in a news release dated June 24, 2010, on the FTC's Web site. The public-comment period for the proposed action closed on July 27. [Editor's Note: As of this issue's publication, no final decision has been released.]

Twitter Security Breaches

Since 2006, Twitter has operated www.twitter.com, from which users send Tweets (messages of 140 or fewer characters) to followers. e-Commerce enterprises and other types of businesses have begun using Twitter extensively to stay connected to customers and other partners.

To send or follow Tweets, a consumer must register at the Twitter Web site. During the registration process, Twitter collects information later presented as the user's public profile. Twitter also collects other, non-public information from users, including e-mail and Internet protocol addresses, and mobile telephone numbers. Users adopt usernames and create passwords to control access to their accounts.

The FTC's complaint, in essence, alleges that Twitter engaged in lax security practices.

The FTC alleges that, from July 2006 to July 2009, Twitter gave nearly all its employees the ability to exercise administrative system control, which included the ability to access a user's non-public information and to reset passwords.

During that time, Twitter employed fewer than 50 people. Until January 2009, Twitter employees accessed the administrative system through the same Web page as did users. Finally, the FTC notes that from July 2006 until July 2008, Twitter did not provide employees with a company e-mail address, but, instead, instructed employees to use a personal e-mail account for company business.

Problems became apparent in January 2009, when a hacker obtained unauthorized administrative access to the Twitter system, and gained access to non-public information and to the ability to reset passwords. The administrative password used was, in the words of the FTC complaint, “a weak, lowercase, letter-only, common dictionary word.”

Subsequently, some fraudulently reset passwords were used to send fake Tweets, purportedly from sources such as then-president-elect Barack Obama and Fox News.

The complaint also alleges that, in an unrelated event a few months later, a hacker (now known to be from France) obtained a Twitter employee's administrative password from the employee's personal e-mail account, where the password had been stored in plain text for six months. The complaint alleges that at least one password was changed after that without authorization.

These security errors by Twitter are, in a sense, understandable, as one can see why a start-up Web company might initially want much of the staff to help administer the site, or might not want to go to the trouble of establishing corporate e-mail accounts. But an arguably understandable business practice for a start-up company is not necessarily the same as a good security practice, especially for a fast-growing, increasingly prominent social-networking company with worldwide usage.

Violation Alleged

The FTC must identify a claimed violation of law in order to take action.

Here, the FTC observed that Twitter had made a number of statements to users of its Web site to the effect that it employed “administrative, physical, and electronic measures designed to protect your information from unauthorized access,” and that the privacy of non-public messages and information was protected.

The FTC charged that such representations by Twitter were false and misleading, insofar as they claimed that Twitter used “reasonable and appropriate security measures” to prevent unauthorized access to non-public information or to honor users' privacy choices. Thus, the FTC alleged that Twitter had engaged in deceptive acts or practices in violation of Section 5 of the FTC Act.

It should be noted that the FTC did not base its conclusion that Twitter had been deceptive simply on the fact that the two breaches had occurred. Instead, the FTC focused on the poor security practices that had facilitated the breaches, including Twitter's failure to:

  • Establish policies to make administrative passwords difficult to guess, including prohibiting common dictionary words;
  • Establish policies prohibiting the storage of administrative passwords in plain text in personal e-mail accounts;
  • Disable administrative passwords after a number of unsuccessful login attempts;
  • Enforce periodic changes of administrative passwords; and
  • Restrict access to administrative controls to only those employees whose jobs required administrative access.
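The five controls the FTC lists above, sketched from the defender's side as an added example (not code from the article or from Twitter; the wordlist, thresholds, dates and accounts are constructed placeholders):

```python
"""Admin-access controls the FTC complaint found missing at Twitter: dictionary-word
rejection, lockout, rotation, admin rights tied to role. Added example; values constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
COMMON_WORDS = {"happiness", "password", "twitter", "letmein"}  # stand-in wordlist
MAX_FAILURES = 5                       # attempts before the admin login is disabled
MAX_PASSWORD_AGE = timedelta(days=90)  # forces periodic admin password changes

def password_policy_violations(pw: str) -> list:
    """Return the rules an admin password breaks (empty list means acceptable)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if pw.isalpha() and pw.islower():
        problems.append("lowercase letters only")
    if pw.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    return problems

@dataclass
class Account:
    name: str
    password: str          # a real system stores a salted hash, never the password
    roles: set
    password_set_at: datetime
    failures: int = 0

def admin_login(acct: Account, supplied: str, now: datetime) -> str:
    """Gate the admin console; returns an outcome label."""
    if acct.failures >= MAX_FAILURES:
        return "locked"                # stays locked until an administrator resets it
    if "admin" not in acct.roles:
        return "not-authorized"        # least privilege: role, not mere employment
    if supplied != acct.password:
        acct.failures += 1
        return "locked" if acct.failures >= MAX_FAILURES else "bad-password"
    acct.failures = 0
    if now - acct.password_set_at > MAX_PASSWORD_AGE:
        return "rotation-required"
    return "ok"

def demo() -> dict:
    """Run constructed accounts through the controls and collect the outcomes."""
    now, good = datetime(2010, 6, 24), "Tr0ub4dor&3-Xy9q"
    admin = Account("alice", good, {"admin"}, now - timedelta(days=10))
    out = {"weak": password_policy_violations("happiness")}
    out["guesses"] = [admin_login(admin, "wrong", now) for _ in range(MAX_FAILURES)]
    out["after_lock"] = admin_login(admin, good, now)
    out["non_admin"] = admin_login(Account("bob", good, {"support"}, now), good, now)
    out["stale"] = admin_login(Account("carol", good, {"admin"}, now - timedelta(days=120)), good, now)
    return out
```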

Remedial Undertakings

To settle the charges, the FTC and Twitter agreed to a consent decree in which Twitter committed to take a number of steps to improve its security practices, including some that the company claims it had already implemented before the decree was announced. The new steps include a number of practices the FTC has developed in a series of security cases. These include:

  • Designating an employee to be in charge of, and accountable for, an information security program;
  • Identifying reasonably foreseeable material security risks, internal and external, and assessing the adequacy of whatever security measures are in place to control those risks;
  • Testing and monitoring of the safeguards;
  • Taking reasonable steps to select and retain service providers capable of appropriately safeguarding non-public consumer information received from Twitter; and
  • Performing ongoing evaluation and adjustment of the information-security program over time.

In addition, Twitter will need to undergo initial and biennial assessments of its information security over the next 10-and-a-half years.

Finally, Twitter has agreed to a number of recordkeeping requirements covering its claims about its information security, consumer complaints received regarding it, and other documents relating to its information security and to compliance with the consent decree.


William B. Baker is a partner at Wiley Rein in Washington, DC, in the firm's communications practice. He advises a broad range of clients on domestic and international privacy, security, marketing communications, e-commerce, and postal law. He can be reached at [email protected].
