Posted June 25, 2010 8:15 am by with 2 comments

Tweet about this on TwitterShare on LinkedInShare on Google+Share on FacebookBuffer this page

With all of the mess that surrounds Facebook and data security etc., it seems at times that other web properties are doing it well. That’s a dangerous assumption. Yesterday Twitter was thrown into the data security spotlight when it took some medicine from the Federal Trade Commission regarding data / security breaches in the past.

The LA Times reports

Twitter has agreed to settle allegations by federal regulators that it put the privacy of its users at risk by failing to protect them from data security lapses last year that let hackers access their accounts.

The Federal Trade Commission said Thursday that the settlement bars Twitter from misleading consumers about its security and privacy practices and requires the start-up to establish a comprehensive information security program.

No monetary damages were assessed.

By now, most people agree that there is no such thing as real and complete Internet security. While that is becoming more and more apparent every day it doesn’t give companies the green light to operate as if it’s not a responsibility that they have to take seriously.

The events that triggered this attention from the FTC were from January and April of 2009.

The FTC complaint said the breaches allowed hackers to gain administrative control over the online service, which lets users send brief messages called tweets to each other. According to the FTC, hackers were able to view e-mail addresses and other private user information, gain access to user messages, reset user passwords and send phony tweets from user accounts.

Hackers do what hackers do. That’s a fact of Internet life. It’s when the following word, in this case the “d” word, is used in relation to your company’s efforts that it’s time to stand up and do something.

The agency claims the incidents deceived users because Twitter’s privacy policy pledged to “employ administrative, physical and electronic measures designed to protect your information from unauthorized access.”

“When a company promises consumers that their personal information is secure, it must live up to that promise,” David Vladeck, head of the FTC’s Bureau of Consumer Protection, said in a statement.

Ouch. Deceived is pretty strong language because it implies intent. Did Twitter truly intend to not live up to its privacy policy? Let’s hope not. Twitter’s response from their legal team via their blog (where’s Biz on this one?)

Within hours of the January breach, we closed the security hole and notified affected account holders. We posted a blog post about it on the same day. In the April incident, within less than 18 minutes of the hack we removed administrative access to the hacker and we quickly notified affected users. We also posted this blog item about the incident within a few days of first learning about it.

Why are we bringing up these incidents from 18 and 14 months ago that we already told people about? Because the United States Federal Trade Commission (FTC) launched an inquiry into our security practices related to these attacks and today announced that we’ve reached an agreement that resolves their concerns. Even before the agreement, we’d implemented many of the FTC’s suggestions and the agreement formalizes our commitment to those security practices.

In this day and age no one likes to be associated with an FTC “look see” and eventual condemnation of privacy policies. While there has been little said to truly draw Twitter into the fray like Facebook has (of course Facebook doesn’t seem to act like morons about privacy like Facebook either) it still is a reminder that the Internet is a fun but potentially dark place.

Tweet at your own risk.

  • I enjoyed your post here and learned something. We all do utilize social media at our own risk. My Facebook account was hacked last summer along with many others – it got rectified quickly -but we do have to use our instincts, too (i.e. did your ‘friend’ really send you a link that looks like it was typed by a cat running across a keyboard ?).

    I don’t think Twitter’s intent was deceptive but I do think their perceived capability at that time of the first breach, esp., was very optimistic, considering they had a staff of c. 45 people and couldn’t handle crashed servers in a timely way, much less hackers. Twitter isn’t my social media favorite but at least, like Facebook, its users are more aware of what hacking is/can look like.

    • I agree with Karl, I don’t think they were deceptive, but I agree – I think the security issue could very well have been an instance of rapid growth of Twitter, and inadequate staffing to handle it all.

      Hopefully they’ve addressed the issue and learned a valuable lesson in internet security.