The FTC Dings Twitter’s Security Practices — What Does This Mean for Everyone Else?

[Post by Venkat]

In the Matter of Twitter, Inc. (FTC; June 24, 2010) (Consent Order) (FTC Press Release)

Twitter recently agreed to a consent order with the FTC that requires Twitter to implement a variety of security measures with respect to “nonpublic consumer information” of Twitter users. The FTC probe (which was resolved by agreement) stemmed from highly publicized security breaches where hackers gained “unauthorized administrative control of the Twitter system.” In the first incident, hackers gained control of 35 high profile Twitter accounts, including the accounts of Bill O’Reilly, Britney Spears, the Huffington Post, and Facebook. Separately, someone gained access to a Twitter employee’s email account, which contained the employee’s admin password for Twitter.

The consent order requires Twitter to implement a variety of security features which are above and beyond what many sites have in place. The consent order also requires Twitter to undergo a periodic audit by an outside auditor, and to comply with some onerous-looking record-keeping requirements (retain consumer complaints, “widely-disseminated statements” about its security and privacy practices, etc.). Interestingly, the FTC faulted Twitter for failing to comply with security standards which many sites probably do not meet:

• requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;

• prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;

• suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;

• providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;

• enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;

• restricting access to administrative controls to employees whose jobs required it; and

• imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
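The last three items on that list (lockout after repeated failed attempts, 90-day expiry, and IP-based restriction of administrative access) are the ones that translate most directly into code. As an added example, not code from the original post, from Twitter, or from the FTC, the sketch below shows how those controls fit together in a single admin login check. The class names, the lockout threshold of five attempts, the passphrases and the `10.0.0.0/8` office range are all constructed assumptions; the 90-day expiry is the figure the FTC's own list cites as an example.

```python
"""Admin login gate combining three controls from the FTC's list:
an IP allowlist, lockout after repeated failed logins, and password expiry.
Added illustrative example; names, thresholds and addresses are assumptions."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

MAX_FAILED_ATTEMPTS = 5                 # constructed; FTC text says "a reasonable number"
PASSWORD_MAX_AGE = timedelta(days=90)   # the 90-day expiry the FTC list gives as an example
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # constructed internal range


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so a leaked admin table does not yield plaintext passwords."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False

    def verify(self, password: str) -> bool:
        _, candidate = hash_password(password, self.salt)
        return hmac.compare_digest(candidate, self.digest)  # constant-time compare


class AdminGate:
    def __init__(self, accounts: List[AdminAccount],
                 networks=ADMIN_NETWORKS,
                 now: Optional[Callable[[], datetime]] = None):
        self.accounts = {a.username: a for a in accounts}
        self.networks = networks
        self._now = now or (lambda: datetime.now(timezone.utc))

    def source_allowed(self, ip: str) -> bool:
        """IP restriction: admin logins only from allowlisted networks."""
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)

    def login(self, username: str, password: str, source_ip: str) -> str:
        if not self.source_allowed(source_ip):
            return "denied: source not allowlisted"
        account = self.accounts.get(username)
        if account is None:
            return "denied: bad credentials"      # same message as a wrong password
        if account.locked:
            return "denied: account locked"
        if not account.verify(password):
            account.failed_attempts += 1
            if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                account.locked = True             # disable after repeated failures
                return "denied: account locked"
            return "denied: bad credentials"
        account.failed_attempts = 0               # success resets the counter
        if self._now() - account.password_set_at > PASSWORD_MAX_AGE:
            return "password expired: rotation required"
        return "ok"


def demo() -> List[str]:
    """Walk the gate through the three controls with constructed accounts."""
    fixed_now = datetime(2010, 6, 24, tzinfo=timezone.utc)
    salt, digest = hash_password("correct horse battery staple")
    fresh = AdminAccount("alice", salt, digest, fixed_now - timedelta(days=10))
    salt2, digest2 = hash_password("another-long-passphrase")
    stale = AdminAccount("bob", salt2, digest2, fixed_now - timedelta(days=120))
    gate = AdminGate([fresh, stale], now=lambda: fixed_now)

    results = [
        gate.login("alice", "correct horse battery staple", "203.0.113.7"),  # not allowlisted
        gate.login("bob", "another-long-passphrase", "10.1.2.3"),            # password too old
    ]
    for _ in range(MAX_FAILED_ATTEMPTS):                                     # five bad guesses
        results.append(gate.login("alice", "wrong", "10.1.2.3"))
    results.append(gate.login("alice", "correct horse battery staple", "10.1.2.3"))  # now locked
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The order of the checks matters: the network test runs before any credential is touched, so a request from outside the allowlist never consumes a login attempt or leaks whether the account exists, and a correct password on a locked account is still refused until an administrator clears the lock.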

The million dollar question, of course, is what this means for other websites. Should Facebook be taking a look at the consent order (which in any event is a useful best practices-type guide)? It’s tough to say. One thing worth noting is that the FTC focused on language in the older version of Twitter’s privacy policy:

The privacy policy posted on Twitter’s website stated that ‘Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.’

This language was contained in Twitter’s initial privacy policy, but was removed from its privacy policy during a revision which Twitter implemented in November 2009. (Here’s my blog post at the time, noting this change in particular: “The old policy made some statements regarding security measures implemented by Twitter which Twitter [wisely] removed from the current version.”) While it’s tempting to look at this settlement as the FTC taking a hard line on Twitter’s current privacy and security practices, this may not necessarily be the case. The FTC focused on representations made by Twitter to end users (in its old policy) that may have lulled the end users into a false sense of certainty around Twitter’s privacy and security practices. Either way, Twitter took on some pretty serious obligations as a result of the settlement.

I’m not sure what the moral of the story is here. One clear takeaway is to not include flowery language in your privacy policy or terms that provide end users false assurances about your security practices. Another one may be to not “borrow” your terms of service from another website (or be careful when drawing “inspiration” from another website when putting together your own terms of use and policies).

NB: I noticed a few tweaks to Twitter’s policy, which was revised a couple of weeks ago. The revised policy makes clear that: (1) Twitter tracks user interactions with links; and (2) Twitter uses more than just Google Analytics. Neither of these changes seems particularly material, although it’s always nice to be reminded that websites track your interactions with links. Either way, I thought they were worth noting:

Links: Twitter may keep track of how you interact with links in Tweets by redirecting clicks or through other means. We do this to help improve our Services, including advertising, and to be able to share aggregate click statistics such as how many times a particular link was clicked on.

Third Party Services: Twitter uses a variety of services hosted by third parties to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These services may collect information sent by your browser as part of a web page request, such as cookies or your IP request.

Added: The BBC reports (June 24, 2010) that “Obama’s Twitter hacker receives a suspended sentence.” According to French investigators, the hacker (Francois Cousteix) “deduced the passwords of Twitter administrators from public information on the web, thus gaining access to the accounts of important and famous individuals.” Mr. Cousteix’s actions spurred (in part) the FTC probe. Also, Gawker thinks that Twitter got off too easy: “The Pathetic Punishment of Twitter.” Many people probably had the opposite reaction, but that’s neither here nor there.

Additional coverage:

FTC analysis: [pdf] (“Analysis of Proposed Consent Order to Aid Public Comment, In the Matter of Twitter, Inc., File No. 0923093”)

TechCrunch: (FTC Bars Twitter “For 20 Years From Misleading Consumers” About Privacy After 2009 Hacks)

Wired: (Twitter Settles With FTC Over ‘Happiness’ Breach)

CNET: (“Twitter, FTC reach agreement on security”)