Twitter's Security Measures Get FTC's Scrutiny

By June 24, 2010

Twitter has announced an agreement with the Federal Trade Commission today to implement security measures. This statement occurs at the conclusion of an inquiry that was launched in 2009 after security breaches took place that inf

iltrated a Twitter administrator's account, compromised many high profile accounts and other occurrences. As Twitter's blog recounts, "In the first incident, unauthorized joke tweets were made from nine accounts and attackers may have accessed nonpublic information such as email addresses and mobile phone numbers. In the second, nonpublic information was accessible and at least one user’s password was reset." While many of the FTC's recommendations have already been put into practice at Twitter, the agreement formalizes their commitment to continue to do so.

The FTC's release on the matter states that their main complaint against Twitter is that the microblogging service claims more security than it actually delivers to its account holders. After the release of private information and compromising of the accounts of President Obama, Fox News, and others, the FTC decided that Twitter's security claims and actual measures were widely differing in scope. The measures set up some specific practices:

require "hard-to-guess administrative passwords" for employees
no admin passwords stored in plain text within personal e-mail accounts
suspend/disable unsuccessful login attempts after some number of attempts
provide separate, authorized admin login from user login page
enforce periodic admin password changes
restrict admin controls to minimum number of employees
impose restrictions on admin access (such as to certain IP addresses)

The double-sided recommendations of clarifying security weaknesses to users and strengthening security practices aim to prevent any more rogue tweets from hackers posing as celebrities. CNET suggests that Twitter may be compelled to a list of practices that are beyond its resources - the FTC is bypassing normal rulemaking procedures in this decision.

Legal mentions © L’Atelier BNP Paribas