Modernizing Authentication — What It Takes to Transform Secure Access
Microblogging service Twitter has reached a settlement with the Federal Trade Commission to resolve a complaint charging the company with lax security measures that allowed hackers to obtain administrative controls and send out bogus tweets in the guise of prominent users of the service including then-President-elect Obama.
"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, director of the FTC's Bureau of Consumer Protection, said in a statement. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations."
Under the terms of the settlement, Twitter has agreed to establish and maintain a comprehensive data security framework for ten years that will be subjected to a third-party audit every other year.
According to the commission, the settlement also explicitly bars Twitter from "misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information" for a period of 20 years.
The settlement resolves an FTC inquiry into a series of security incidents that plagued Twitter in the early months of 2009, just as the service was entering a period of meteoric growth.
The first incident occurred in January, when a hacker deployed an automated password-guessing program to snag administrative access to the site. The FTC said the password was "weak," a common word spelled in lowercase.
Armed with administrative privileges, the hacker reset the passwords of multiple users and published the new login credentials on a Website. That disclosure resulted in other pranksters sending out bogus tweets from nine users' accounts, including Obama and Fox News.
A second and similar incident occurred in April when a hacker accessed a Twitter employee's personal e-mail account. That account happened to contain two other passwords that were similar to the employee's administrative password, which the hacker was ultimately able to crack and use to access nonpublic information about Twitter's users.
The FTC's complaint charged Twitter with failing to implement several best practices regarding password security, such as using character combinations that are difficult to guess and disabling access after a limited number of failed login attempts.
Twitter general counsel Alexander Macgillivray acknowledged the settlement in a blog post, describing the breaches as a product of a different era in the company's evolution, noting that Twitter employed fewer than 50 people at the time.
Macgillivray himself only joined Twitter in July 2009, after a stint as associate general counsel at Google (NASDAQ: GOOG) where he served as the lead attorney handling the search giant's controversial book-scanning settlement with authors and publishers.
Macgillivray said that 45 accounts were compromised in the January incident and ten more in April. He said that the security holes in each incident were closed the same day and that Twitter promptly notified all affected users.
"Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices," he added.
The settlement continues the FTC's work addressing Internet security and data vulnerabilities. It also fits into the commission's heightened interest in the privacy concerns associated with social networks, an ongoing inquiry that has been the subject of several FTC workshops and could result in a new policy framework for addressing online data sharing in the Web 2.0 era.
"Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure," Vladeck said.