Twitter Agrees To Better Protect Tweets


The Federal Trade Commission wants to make sure nobody gets to fake tweets from the President offering free gas, or mimics Fox News Channel in the twittersphere.
In its first complaint against a social network, the Federal Trade Commission Thursday said it has secured an agreement with Twitter that it will not mislead consumers about the extent to which it protects personal information and will take steps to better protect that information. The FTC issues a complaint when it believes a company or individual is breaking the law.

The FTC had charged Twitter with a "serious lapse" in data security that allowed hackers to effectively take "administrative control" of Twitter, including access to private tweets.

"When a company promises consumers that their personal information is secure, it must live up to that promise," said David Vladeck, director of the FTC's Bureau of Consumer Protection, in announcing the settlement. "Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure."

According to the FTC, between January and May 2009, those hackers were able to "view nonpublic user information, gain access to direct messages and protected tweets, and reset any user's password and send authorized tweets from any user account."

According to the agency, "one tweet was sent from the account of then-President-elect Barack Obama, offering his more than 150,000 followers a chance to win $500 in free gasoline. At least one other phony tweet was sent from the account of Fox News."

Those breaches, said the FTC, occurred because Twitter did not require employees to use hard-to-guess passwords; had not prohibited employees from storing passwords in plain text in personal e-mail accounts; did not disable passwords after a reasonable number of failed attempts; did not restrict access to administrative controls; and more.

Under the settlement, Twitter is barred for 20 years "from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers." It must also "establish and maintain a comprehensive information security program."

A third party, not yet identified, will get to assess that security program biennially for the next 10 years.

The commission vote to accept the settlement was 5-0.