FTC Teaches Twitter that Regulators Have Sharp Teeth

Last Updated Jun 24, 2010 2:21 PM EDT

Apple (AAPL), Google (GOOG), and Intel (INTC) seem to act first and consider regulation later. But there can be a price to pay, as Twitter has just learned. The company has settled charges brought by the Federal Trade Commission "that it deceived consumers and put their privacy at risk by failing to safeguard their personal information." The upshot is a consent decree that will last 20 years, ten years of third-party security assessment, and the potential for increased public perception of unreliability -- not good when you want people to trust you with their information.

According to the FTC complaint, Twitter collects a significant amount of information about people, including the following:

  • email address
  • IP addresses
  • mobile carrier and/or mobile phone number, for those updating by phone
  • other users that the person has blocked
  • non-public messages sent

Up until July 2009, almost all Twitter employees had administrator privileges on the system, using the same login form that consumers used. Unfortunately, there was a rash of bad practices that would make any security expert shudder. Here are steps the FTC complaint claimed that Twitter failed to take:
  1. establish or enforce policies sufficient to make administrative passwords hard to guess, including policies that: (1) prohibit the use of common dictionary words as administrative passwords; and (2) require that such passwords be unique -- i.e., different from any password that the employee uses to access third-party programs, websites, and networks;
  2. establish or enforce policies sufficient to prohibit storage of administrative passwords in plain text in personal email accounts;
  3. suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
  4. provide an administrative login webpage that is made known only to authorized persons and is separate from the login webpage provided to other users;
  5. enforce periodic changes of administrative passwords, such as by setting these passwords to expire every 90 days;
  6. restrict each person's access to administrative controls according to the needs of that person's job; and
  7. impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
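The seven items above are a checklist of basic administrative-access controls. As an added example (not code from the original article, Twitter, or the FTC), the Python sketch below implements the pieces of that checklist a login system can enforce on its own: rejecting dictionary words and reused passwords, locking an account after a fixed number of failed attempts, forcing rotation after 90 days, restricting the admin endpoint to an allowlisted address range, and limiting each role to the actions its job needs. The dictionary list, the 10.0.0.0/8 admin network, the attempt threshold and the role table are all constructed assumptions. Item 1's requirement that an admin password differ from passwords the employee uses on third-party sites cannot be verified server-side, so the example checks the part it can see, reuse of the account's own previous passwords.

```python
import hashlib
import hmac
import ipaddress
import os
from datetime import datetime, timedelta

# Constructed policy values for the example; real deployments load these from configuration.
MAX_FAILED_ATTEMPTS = 5                      # item 3: lock after this many bad logins
PASSWORD_MAX_AGE = timedelta(days=90)         # item 5: force rotation every 90 days
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]   # item 7: assumed corporate range
MIN_LENGTH = 12
# Tiny stand-in for a real common-password/dictionary list (item 1).
DICTIONARY_WORDS = {"password", "twitter", "happiness", "letmein", "welcome"}
# Item 6: each role gets only the actions its job needs (constructed roles).
ROLE_PERMISSIONS = {
    "support": {"view_profile", "reset_user_password"},
    "admin": {"view_profile", "reset_user_password", "delete_user", "read_dm"},
}


def _hash(password, salt, iterations=100_000):
    # Salted PBKDF2 so the stored value is never the plain-text password (item 2).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class AdminAccount:
    """Minimal administrative account record with lockout and password history."""

    def __init__(self, username, password, set_at, role="support"):
        self.username = username
        self.role = role
        self.salt = os.urandom(16)
        self.password_hash = _hash(password, self.salt)
        self.password_set_at = set_at
        self.failed_attempts = 0
        self.locked = False
        # (salt, digest) pairs of every password this account has used.
        self.history = [(self.salt, self.password_hash)]


def password_policy_violations(candidate, account=None):
    """Return the list of policy rules a proposed admin password breaks (empty if none)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than 12 characters")
    if candidate.lower() in DICTIONARY_WORDS:
        problems.append("is a dictionary word")
    if account is not None:
        for salt, digest in account.history:
            if hmac.compare_digest(_hash(candidate, salt), digest):
                problems.append("was used before on this account")
                break
    return problems


def admin_login(account, password, source_ip, now):
    """Attempt an admin login; returns (ok, reason) and updates lockout state."""
    # Item 7: the admin endpoint only answers from the allowlisted networks,
    # so attempts from elsewhere are refused before any password is checked.
    if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return False, "source address not in admin allowlist"
    if account.locked:
        return False, "account locked after too many failures"
    if not hmac.compare_digest(_hash(password, account.salt), account.password_hash):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True          # item 3: disable after repeated failures
        return False, "bad password"
    account.failed_attempts = 0
    if now - account.password_set_at > PASSWORD_MAX_AGE:
        return False, "password expired; rotation required"   # item 5
    return True, "ok"


def authorize(account, action):
    """Item 6: permit an administrative action only if the account's role includes it."""
    return action in ROLE_PERMISSIONS.get(account.role, set())


if __name__ == "__main__":
    acct = AdminAccount("ops", "correct horse battery staple", datetime(2010, 1, 1))
    print(password_policy_violations("twitter"))
    print(admin_login(acct, "correct horse battery staple", "10.1.2.3", datetime(2010, 3, 1)))
    print(authorize(acct, "delete_user"))
```

Two design points worth noting: the allowlist check runs before the password check, so probing from outside the corporate range never even consumes a lockout attempt, and every stored password is a salted PBKDF2 digest, which is the server-side half of item 2 (the other half, keeping passwords out of personal email, is a people-and-process rule no code can enforce).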

Not pretty. Twitter then compounded the problem with its claim of great interest in maintaining security, at least back in 2007:

    Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical and electronic measures designed to protect your information from unauthorized access.

In the consent decree, Twitter doesn't admit to violating the law, or even that the FTC's allegations are correct. Big deal. The company is now saddled with keeping the agency happy and having to prove itself over an extended period of time. Twitter must put a real security infrastructure into place, including ongoing risk assessment, and undergo security audits every two years by an FTC-approved third party.

For the first six months, the FTC gets a copy of every consumer complaint about security. For two years, the agency gets copies of all subpoenas and law enforcement communications.

Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers.

Should the FTC or the U.S. government file a complaint in federal court alleging that Twitter has violated the order, the agreement then extends from that date. This does little to assuage user mistrust of the service.

As consent decrees go, this was relatively small in scope. But they get far worse, and the entire tech industry should take this as a warning shot across the bow.


Image: Flickr user 2sirius, CC 2.0.

    Erik Sherman is a widely published writer and editor who also does select ghosting and corporate work. The views expressed in this column belong to Sherman and do not represent the views of CBS Interactive. Follow him on Twitter at @ErikSherman or on Facebook.