The social networking and micro-blogging service Twitter recently agreed to settle charges with the Federal Trade Commission (FTC) regarding its privacy and data security practices. Similar to settlement terms reached with other online merchants, the settlement bars Twitter from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Notably, the agreement also requires Twitter to maintain a comprehensive information security program and submit to audits of the program for 10 years. The settlement agreement does not include a monetary penalty. The FTC alleged that despite Twitter’s promises on its website to protect the personal information of its users, Twitter’s practices failed to provide reasonable and appropriate security. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter does not sell goods online or collect financial information from its users.
The FTC’s complaint alleged that between January and May 2009, intruders twice obtained control of Twitter administrative accounts because of deficient password security policies. In January 2009, an intruder gained control of Twitter by using a “brute force” automated password-guessing tool that attempted to log in to Twitter thousands of times until it guessed the correct password. The password was a weak, lowercase, letter-only common dictionary word. In April 2009, an intruder compromised a Twitter employee’s personal email account by unspecified means. The intruder was able to guess the Twitter employee’s administrative password based on two similar passwords that had been stored in the employee’s email in plain text for at least six months before the security incident. With administrative access, the intruders were capable of accessing nonpublic user information and nonpublic tweets from any Twitter user and of resetting Twitter users’ passwords. The first intruder reset certain user passwords and posted tweets from the compromised accounts.
According to the FTC, Twitter was vulnerable to these attacks because it failed to prevent unauthorized administrative control of its system. The FTC claimed that Twitter failed to take reasonable steps to:
- Require employees to use hard-to-guess passwords that were not used for other purposes;
- Prohibit employees from storing administrative passwords in plain-text within their personal e-mail accounts;
- Suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;
- Provide an administrative login page that is separate from the ordinary user login page and whose location is known only to authorized users;
- Enforce periodic changes of administrative passwords;
- Restrict access to administrative controls to employees whose jobs required it; and
- Impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
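Several items on that list are concrete engineering controls rather than policy statements: a password policy that rejects short, lowercase-only or dictionary-word passwords; lockout after a bounded number of failed attempts (which defeats the January 2009 brute-force tool); hashed rather than plain-text password storage; and restriction of administrative access to allowlisted source IP addresses. The following Python is an added example written for this page to show those controls working together; it is not code from the FTC complaint or from Twitter. The word list, the `10.0.0.0/8` allowlist, the thresholds, the username and the sample passwords are all constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
import os

# Constructed stand-in for a real cracking wordlist (assumption: a deployment would load a large one).
COMMON_WORDS = {"password", "letmein", "welcome", "sunshine", "football", "admin"}

MIN_LENGTH = 12              # assumed policy values, not figures from the complaint
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60


def validate_password(candidate: str) -> list[str]:
    """Return the policy violations for a proposed administrative password (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.isalpha() and candidate.islower():
        problems.append("lowercase letters only")
    if candidate.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    return problems


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted derivation so that a leaked store cannot be reversed with a quick dictionary pass.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AdminGate:
    """Administrative login front door: IP allowlist, hashed passwords, lockout after repeated failures."""

    def __init__(self, allowed_networks):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.users = {}      # username -> (salt, derived hash); never the plain-text password
        self.failures = {}   # username -> (consecutive failure count, time of last failure)

    def set_password(self, username: str, password: str) -> None:
        problems = validate_password(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        salt = os.urandom(16)
        self.users[username] = (salt, _hash(password, salt))

    def authenticate(self, username: str, password: str, source_ip: str, now: float) -> str:
        # 1. Only allowlisted sources may reach the administrative login at all.
        if not any(ipaddress.ip_address(source_ip) in net for net in self.allowed):
            return "denied: source ip not allowlisted"
        # 2. Refuse locked accounts before checking the password, so a correct guess during lockout still fails.
        count, last = self.failures.get(username, (0, 0.0))
        if count >= MAX_FAILED_ATTEMPTS and now - last < LOCKOUT_SECONDS:
            return "denied: account locked"
        if count >= MAX_FAILED_ATTEMPTS:
            count = 0    # lockout window has expired; start counting afresh
        # 3. Constant-time comparison; unknown users take the same code path as known ones.
        salt, stored = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        if hmac.compare_digest(_hash(password, salt), stored) and username in self.users:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] = (count + 1, now)
        return "denied: bad credentials"


def simulate_brute_force(gate: AdminGate, username: str, guesses, source_ip: str) -> list[str]:
    """Replay a dictionary attack, one guess per second, and return the outcome of every attempt."""
    return [gate.authenticate(username, g, source_ip, now=float(i)) for i, g in enumerate(guesses)]


if __name__ == "__main__":
    gate = AdminGate(["10.0.0.0/8"])
    gate.set_password("ops", "Tr0ub4dor&3-Correct!")
    attack = list(COMMON_WORDS) + ["Tr0ub4dor&3-Correct!"]
    for guess, outcome in zip(attack, simulate_brute_force(gate, "ops", attack, "10.1.2.3")):
        print(f"{guess!r:25} -> {outcome}")
```

The interesting case is the last attempt: the attacker's wordlist eventually contains the real password, but because the account is already locked the gate refuses it without ever comparing hashes. The same gate would be mounted only on the separate, non-public administrative endpoint the list refers to; periodic rotation and per-role access restriction would be layered on top and are not shown here.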
Pursuant to the agreement, Twitter is required to engage in a number of actions to address its security practices, most notably:
- Identifying reasonably foreseeable, material risks that could result in unauthorized disclosure of nonpublic consumer information or unauthorized administrative control of the Twitter system; and
- Implementing reasonable safeguards to address the identified risks.
The agreement also includes provisions requiring Twitter to designate an employee or employees to coordinate and be accountable for the information security program. Additionally, the agreement includes provisions addressing Twitter’s use of service providers and requiring Twitter to evaluate and adjust its information security to address material changes to its business or other events that might materially impact the effectiveness of its security program.
The FTC’s pursuit of, and subsequent agreement with, Twitter is significant because it demonstrates that the FTC’s concern regarding the protection of personal information is not limited to personal financial information and identity theft. Unlike many of the other companies that the FTC has pursued regarding online security practices, Twitter is not an online merchant and does not collect financial information from its users. Nevertheless, a Twitter user’s account may contain other personally identifiable information and may contain private tweets. The FTC’s pursuit of Twitter demonstrates that the FTC is interested in holding companies to their representations regarding their security practices. The FTC’s allegations regarding Twitter’s security practices may also prove useful to companies, as the allegations signal several behaviors that the FTC considers inconsistent with reasonable security.