Twitter settles FTC charge on security, privacy violations

Update: With comments by Twitter's general counsel

Twitter has settled charges brought by the Federal Trade Commission that it “deceived consumers” by allowing hackers to obtain administrative control over Twitter because of loose security.

The FTC said Thursday that the popular social networking site allowed hackers in 2009 to obtain “tweets,” the 140-character micro-blog posts users send out, that were designated private, and to send out phony tweets pretending to be from then-President-elect Barack Obama and Fox News, among others.

Under the settlement, the FTC said Twitter will set up a new security program to be assessed by a third party. It will also be prohibited from what the agency described as “misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers.”

The FTC does not seek monetary damages, and the case, like all investigations at the agency, was not public until the settlement was announced.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.”

In a statement, Twitter's General Counsel Alexander Macgillivray said the number of people affected by the incidents in question was small. And it was a time when the company was also small -- 50 employees -- grappling with an explosion of users on the popular information-sharing platform.

The company said it has worked on its security measures and that no other complaints have been brought against the company on privacy or security lapses.

"Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices," Macgillivray said in the statement.

The FTC’s announcement Thursday highlighted an effort by the consumer protection agency to address growing concerns about how social networking sites handle user privacy and the security of information as hundreds of millions of users around the world flock to these platforms to share pictures, videos and other personal information. The case was the 30th brought by the FTC targeting faulty data security, and the agency’s first such case against a social networking service.

Specifically, the agency investigated episodes of hacker attacks between January and May 2009. At that time, intruders were able to gain administrative control, letting them view nonpublic user information, read direct messages and protected tweets, reset any user’s password and send unauthorized tweets from any user account.

The FTC outlines the episodes below:

In January 2009, a hacker used an automated password-guessing tool to gain administrative control of Twitter, after submitting thousands of guesses into Twitter’s login webpage. The administrative password was a weak, lower case, common dictionary word. Using the password, the hacker reset numerous user passwords and posted some of them on a website, where other people could access them. Using these fraudulently reset passwords, other intruders sent phony tweets from approximately nine user accounts. One tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News.

During a second security breach, in April 2009, a hacker compromised a Twitter employee’s personal e-mail account where two passwords similar to the employee’s Twitter administrative password were stored, in plain text. Using this information, the hacker was able to guess the employee’s Twitter administrative password. The hacker reset at least one Twitter user’s password, and could access private user information and tweets for any Twitter users.
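The January episode above is a textbook online password-guessing attack: a login page that accepts unlimited attempts, and an administrative password that is a lower-case dictionary word. The following is an added illustration, not Twitter's code and not part of the FTC's outline. It simulates the weak configuration beside a hardened one: a toy login service with salted PBKDF2 password storage, an automated guesser that submits words from a constructed mini word list, and a second service that rejects dictionary words when the password is set and locks the account after five consecutive failures. All usernames, passwords and the word list are constructed for the example.

```python
"""Online password guessing against a throttle-free login with a weak admin
password, beside a hardened login with a password policy and lockout.
Added example; toy service and sample data are constructed, not Twitter's."""
import hashlib
import hmac
import os

# Constructed stand-in for a real word list (a real tool would use thousands).
DICTIONARY = ["password", "letmein", "welcome", "happiness", "sunshine", "dragon"]

PBKDF2_ROUNDS = 50_000  # kept modest so the demo runs quickly


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the store never holds the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginService:
    """Toy login endpoint. max_failures=None means no lockout at all."""

    def __init__(self, max_failures=None, reject_dictionary=False):
        self.max_failures = max_failures
        self.reject_dictionary = reject_dictionary
        self._users = {}      # username -> (salt, pbkdf2 hash)
        self._failures = {}   # username -> consecutive failed logins

    def set_password(self, user: str, password: str) -> None:
        if self.reject_dictionary and password.lower() in DICTIONARY:
            raise ValueError("password is a common dictionary word")
        salt = os.urandom(16)
        self._users[user] = (salt, _hash(password, salt))
        self._failures[user] = 0

    def login(self, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        if user not in self._users:
            return "denied"
        if self.max_failures is not None and self._failures[user] >= self.max_failures:
            return "locked"
        salt, stored = self._users[user]
        if hmac.compare_digest(_hash(password, salt), stored):
            self._failures[user] = 0
            return "ok"
        self._failures[user] += 1
        return "denied"


def guess_password(service: LoginService, user: str, wordlist):
    """Automated guessing tool: submit each word to the login page until one
    is accepted or the account locks. Returns (password_or_None, attempts)."""
    attempts = 0
    for word in wordlist:
        attempts += 1
        result = service.login(user, word)
        if result == "ok":
            return word, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo() -> dict:
    # 2009-style setting: lower-case dictionary password, unlimited attempts.
    weak = LoginService()
    weak.set_password("admin", "happiness")            # constructed weak password
    weak_found, weak_attempts = guess_password(weak, "admin", DICTIONARY)

    # Hardened setting: dictionary words refused, lockout after 5 failures.
    hard = LoginService(max_failures=5, reject_dictionary=True)
    try:
        hard.set_password("admin", "happiness")
        policy_rejected = False
    except ValueError:
        policy_rejected = True
    hard.set_password("admin", "Tq9!vR2#mL8zWx")       # constructed strong password
    hard_found, hard_attempts = guess_password(hard, "admin", DICTIONARY)

    return {
        "weak_found": weak_found,          # "happiness": cracked on the 4th guess
        "weak_attempts": weak_attempts,
        "policy_rejected": policy_rejected,
        "hard_found": hard_found,          # None: lockout stops the tool
        "hard_attempts": hard_attempts,    # 6th request is answered "locked"
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Per-account lockout is deliberately the simplest countermeasure shown here; on its own it lets anyone who knows the admin username lock the real administrator out, so production login pages pair it with per-source-address throttling, exponential backoff and a second factor for administrative accounts. The second episode in the FTC outline, where the administrative password was guessable from similar passwords stored in plain text in a personal e-mail account, is not addressed by any of these controls; only unique, unshared credentials and a second factor cover that failure mode.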

By Cecilia Kang  |  June 24, 2010; 10:52 AM ET

© 2010 The Washington Post Company