FTC Tells Twitter to Toughen Security Protocols

Government's First Privacy Case Against a Social Network Includes 20-Year Ban From 'Misleading Consumers'

By Published on .

NEW YORK (AdAge.com) -- The Federal Trade Commission intends to show how seriously it is taking concerns over consumer privacy online by making popular social-networking site Twitter create an independently audited information security program.

The FTC and Twitter came to a settlement today on charges that the site "deceived consumers and put their privacy at risk." This was in response to significant lapses in Twitter's data security that allowed hackers on two separate occasions in 2009 to take control of accounts including those of then President-elect Barack Obama, Fox News and Britney Spears. This was the 30th case the FTC has filed targeting faulty data security but the first one ever filed against a social-networking service.

The settlement includes a 20-year ban on Twitter from "misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers. The company also must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years."

Steve Rubel, senior VP-director of insights for Edelman Digital, said the ruling further proves the FTC is serious about monitoring social media. "The FTC is watching key social networks to make sure they can be trusted, and that's a further sign that this administration may not be afraid to regulate certain channels," he said.

In a statement, David Vladeck, director of the FTC's Bureau of Consumer Protection, said any company promising consumers protection of their personal information must live up to that promise.

"Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations," Mr. Vladeck said. "Consumers who use social-networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."

Mr. Rubel said news of the settlement may not look like a good story for Twitter on the surface, but he believes it highlights that the government deems it an important communications channel that consumers need to be able to trust.

"This validates Twitter because it acknowledges that they are a very powerful public-facing platform that people rely on, on a regular basis," Mr. Rubel said. "The government is obviously watching how many people use Twitter and how they are using it. The notable thing for me is that the government cares about the trustworthiness of the social networks we rely on regularly."

Mr. Rubel said this is going to force Twitter to "grow up a lot faster" than it was probably prepared to. "They are going to have to endure more cost and regulation than they did before," he said. "But the government wants to maintain the integrity of that service for the benefit of consumers, which is a good thing in the long run."

The FTC went on to list the "reasonable steps" Twitter failed to implement that could have prevented hackers from accessing the accounts. Among the steps the FTC said Twitter failed to take included: requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites or networks; prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts; enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days; and suspending or disabling administrative passwords after a reasonable number of unsuccessful log-in attempts.

After the settlement, Twitter posted a statement on its blog from its general counsel, Alexander Macgillivray. "We've reached an agreement that resolves [the FTC's] concerns. Even before the agreement, we'd implemented many of the FTC's suggestions, and the agreement formalizes our commitment to those security practices."

Most Popular
In this article: