Many people use Twitter to share their deepest feelings with the cyberworld (in 140 characters or less) about topics ranging from dismay at the current unemployment rate to joy at Landon Donovan’s dramatic goal in the World Cup. But sometimes Twitter users just want to send private messages to friends and colleagues, and of course no one wants private information shared with the public or misrepresented through phony tweets in such a public forum. According to the FTC, however, Twitter users’ private information may have been at more risk than Twitter’s privacy disclosures led them to believe.
Last week, the FTC voted 5-0 to settle charges against Twitter that it deceived consumers by failing to provide the necessary safeguards to protect their personal information. The FTC alleged that “serious lapses” in data security allowed hackers to obtain unauthorized administrative control of Twitter, including access to non-public user information, tweets that consumers designated as private, and the ability to send phony tweets from any user. This was the first case of this kind brought by the FTC against a social networking service.
In its complaint, the FTC alleged that Twitter made several misleading statements on its webpage about the protection of its users’ private information, the ability to send private direct messages, and the ability to create protected accounts. For example, the Twitter webpage states that users can “send followers private tweets, called direct messages” and that “only author and recipient can view direct messages.” With regard to protected accounts, the webpage states that users “have the option of … protecting the account to keep [their] updates private” and that “only approved followers are able to see [their] profile page.”
The FTC then highlighted two security breaches in which Twitter users’ private information was put at risk. In January 2009, a hacker submitted thousands of guesses to Twitter’s login webpage using an automated password-guessing tool and eventually hit on the correct password, gaining administrative control of Twitter. According to the FTC, the administrative password was a weak, lowercase, common dictionary word. The hacker then reset the passwords of several Twitter users and posted the new passwords on a website. Other hackers used these reset passwords to send phony tweets from approximately nine user accounts. One of the victims was then-President-elect Barack Obama, over whose name a phony tweet offered his more than 150,000 followers a chance to win $500 in free gasoline cards. At least one other phony tweet came from the Fox News account. In a second breach, in April 2009, a hacker accessed a Twitter employee’s personal e-mail account and used information found there to guess the employee’s Twitter administrative password. After gaining administrative control of Twitter, the hacker reset at least one Twitter user’s password and was able to access nonpublic user information and tweets for any Twitter user.
Twitter stressed on its corporate blog that both breaches were small in scale (the January 2009 breach affected 45 accounts and the April breach ten) and short in duration. Twitter also informed its users of each breach by posting a blog entry about the incident. Lastly, Twitter noted that at the time of the breaches the company had fewer than 50 employees and that it was the “victim of an attack.” Despite Twitter’s pleas for sympathy, the FTC alleged that Twitter made itself vulnerable to the attacks because “it failed to take reasonable steps to prevent unauthorized administrative control of its system.” According to the FTC, the reasonable steps Twitter should have taken to protect its users’ privacy include:
- requiring employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;
- prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
- suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts;
- providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;
- enforcing periodic changes of administrative passwords, for example, by setting them to expire every 90 days;
- restricting access to administrative controls to employees whose jobs required it; and
- imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.
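Most of the controls in the FTC’s list map directly onto the code of an administrative login gate, and the January 2009 incident shows why they matter: a password-guessing tool hammering an admin login that never locked out, protecting a lowercase dictionary word. The following is an added example, not Twitter’s code and not anything from the FTC order, of a small Python gate that enforces a password policy, a failed-attempt lockout, a 90-day expiry and a source-IP allowlist, followed by a replay of the automated-guessing technique against it. The five-attempt threshold, the 12-character minimum, the wordlist, the network range, the account name and the sample passwords are all assumptions made for illustration.

```python
"""Administrative login gate enforcing the controls in the FTC's list.
Constructed example for illustration; not Twitter's or the FTC's code."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from datetime import datetime, timedelta

MAX_FAILED_ATTEMPTS = 5                # lockout threshold (assumed value)
PASSWORD_MAX_AGE = timedelta(days=90)  # expiry period from the FTC's example
MIN_LENGTH = 12                        # minimum length (assumed value)

# Constructed stand-in for a real dictionary/wordlist check.
COMMON_WORDS = {"sunshine", "password", "letmein", "football", "welcome", "monkey"}


def password_policy_violations(password):
    """Return the reasons a proposed admin password is rejected (empty list if it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    classes = sum([any(c.islower() for c in password),
                   any(c.isupper() for c in password),
                   any(c.isdigit() for c in password),
                   any(not c.isalnum() for c in password)])
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def hash_password(password, salt):
    """Salted, iterated hash so a leaked credential store is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class AdminAccount:
    salt: bytes
    pw_hash: bytes
    set_at: datetime          # when the password was last set (drives expiry)
    failed_attempts: int = 0
    locked: bool = False


class AdminGate:
    """Admin-only login endpoint, separate from the ordinary user login page."""

    def __init__(self, allowed_networks):
        # Administrative logins are accepted only from these networks.
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.accounts = {}  # username -> AdminAccount

    def set_password(self, user, password, now):
        problems = password_policy_violations(password)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.accounts[user] = AdminAccount(salt, hash_password(password, salt), now)

    def login(self, user, password, source_ip, now):
        """Return one of: ip_rejected, bad_credentials, locked, password_expired, ok."""
        if not any(ipaddress.ip_address(source_ip) in net for net in self.allowed):
            return "ip_rejected"                    # checked before any credential work
        acct = self.accounts.get(user)
        if acct is None:
            return "bad_credentials"                # same answer as a wrong password
        if acct.locked:
            return "locked"                         # lockout wins even for the right password
        if not hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts += 1
            if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
                acct.locked = True
                return "locked"
            return "bad_credentials"
        if now - acct.set_at > PASSWORD_MAX_AGE:
            return "password_expired"               # 90-day rotation enforced here
        acct.failed_attempts = 0
        return "ok"


def simulate_dictionary_attack(gate, user, wordlist, source_ip, now):
    """Replay the automated-guessing technique; returns the outcome of each guess."""
    return [gate.login(user, guess, source_ip, now) for guess in wordlist]


def demo_attack():
    """Guessing from an allowed network: lockout trips before the correct word is reached."""
    now = datetime(2010, 7, 1)
    gate = AdminGate(["10.0.0.0/8"])
    gate.set_password("ops-admin", "Gr33n-Plover!Quay", now)   # constructed credentials
    wordlist = ["sunshine", "password", "letmein", "football", "welcome",
                "monkey", "Gr33n-Plover!Quay"]                  # correct password is last
    return simulate_dictionary_attack(gate, "ops-admin", wordlist, "10.1.2.3", now)


def demo_access_controls():
    """The other listed controls: IP allowlist, normal success, and 90-day expiry."""
    now = datetime(2010, 7, 1)
    gate = AdminGate(["10.0.0.0/8"])
    gate.set_password("ops-admin", "Gr33n-Plover!Quay", now)
    return {
        "offsite_ip": gate.login("ops-admin", "Gr33n-Plover!Quay", "203.0.113.9", now),
        "onsite_ok": gate.login("ops-admin", "Gr33n-Plover!Quay", "10.9.9.9", now),
        "after_91_days": gate.login("ops-admin", "Gr33n-Plover!Quay", "10.9.9.9",
                                    now + timedelta(days=91)),
    }


if __name__ == "__main__":
    print(demo_attack())
    print(demo_access_controls())
```

Two points a practitioner would add in production: a hard lockout also hands an attacker a denial-of-service lever against administrators, so real systems usually back off, alert and require an out-of-band unlock rather than lock permanently; and the policy check rejects only what the wordlist knows, so the list needs to be a real one. The April 2009 incident is the reason the first bullet insists on passwords not reused elsewhere: no code in the gate can help if the same secret sits in plain text in a personal mailbox.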
Under the terms of the consent order, Twitter is barred for 20 years from misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information. Twitter must also establish and maintain a comprehensive information security program, which will be assessed by an independent auditor every other year for 10 years.
The FTC’s action against Twitter rests on the legal theory that the disconnect between Twitter’s information security promises and its alleged failure to provide reasonable information security was itself false and deceptive. This is a bit of a departure from recent FTC enforcement actions alleging that the failure to provide reasonable information security was, on its own, an unfair trade practice under Section 5, but the net result is the same: a twenty-year relationship with the FTC, additional guidance for companies and consumers about the FTC’s view of reasonable information security, and a reminder that each new form of Internet-based personal interaction brings its own information security threats and challenges.
- Ronald Lee and Chester Choi