June 24, 2010
The FTC Dings Twitter's Security Practices -- What Does This Mean for Everyone Else?
[Post by Venkat]
Twitter recently agreed to a consent order with the FTC that requires Twitter to implement a variety of security measures with respect to "nonpublic consumer information" of Twitter users. The FTC probe (which was resolved by agreement) stemmed from highly publicized security breaches where hackers gained "unauthorized administrative control of the Twitter system." In the first incident, hackers gained control of 35 high profile Twitter accounts, including the accounts of Bill O’Reilly, Britney Spears, the Huffington Post, and Facebook. Separately, someone gained access to a Twitter employee's email account, which contained the employee's admin password for Twitter.
The consent order requires Twitter to implement a variety of security features which are above and beyond what many sites have in place. The consent order also requires Twitter to undergo a period audit by an outside auditor, and comply with some onerous-looking record-keeping requirements (retain consumer complaints, "widely-disseminated statements" about its security and privacy practices, etc.). Interestingly, the FTC faulted Twitter for failing to comply with security standards which many sites probably do not meet:
• requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
• prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
• suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
• providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
• enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
• restricting access to administrative controls to employees whose jobs required it; and
• imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
NB: I noticed a few tweaks to Twitter's policy which was revised a couple of weeks ago. The revised policy makes clear that: (1) Twitter tracks user interactions with links; and (2) Twitter uses more than just Google analytics. Neither of these changes seem particularly material, although it's always nice to be reminded that websites track your interactions with links. Either way, I thought they were worth noting:
Links: Twitter may keep track of how you interact with links in Tweets by redirecting clicks or through other means. We do this to help improve our Services, including advertising, and to be able to share aggregate click statistics such as how many times a particular link was clicked on.
Third Party Services: Twitter uses a variety of services hosted by third parties to help provide our Services, such as hosting our various blogs and wikis, and to help us understand the use of our Services, such as Google Analytics. These services may collect information sent by your browser as part of a web page request, such as cookies or your IP request.
Added: The BBC reports (June 24, 2010) that "Obama's Twitter hacker receives a suspended sentence." According to French investigators, the hacker (Francois Cousteix) "deduced the passwords of Twitter administrators from public information on the web, thus gaining access to the accounts of important and famous individuals." Mr. Cousteix's actions spurred (in part) the FTC probe. Also, Gawker thinks that Twitter got off too easy: "The Pathetic Punishment of Twitter." Many people probably had the opposite reaction, but that's neither here nor there.
FTC analysis: [pdf] ("Analysis of Proposed Consent Order to Aid Public Comment
In the Matter of Twitter, Inc., File No. 0923093")
TechCrunch: (FTC Bars Twitter "For 20 Years From Misleading Consumers" About Privacy After 2009 Hacks)
Wired: (Twitter Settles With FTC Over 'Happiness" Breach)
CNET: ("Twitter, FTC reach agreement on security")
Posted by Venkat at June 24, 2010 02:23 PM | Privacy/Security