Twitter Settles Privacy Charges and Establishes Security Program

Questions of online privacy and security are front and center again today as Twitter settled Federal Trade Commission charges over privacy breaches. The settlement resolves the FTC charges that lapses in the company's data security program allowed hackers to take control of Twitter, accessing tweets designated private, and sending phony tweets from the likes of Barack Obama and news outlets.


The details of the security breach are surprising — the password to gain administrative control of Twitter was a lowercase common word, considered a "weak" password.

The hacker reset numerous passwords and posted some of them on a web site.

The FTC charged that Twitter failed to take necessary steps to protect against unauthorized control of its site.

The settlement requires Twitter to maintain a comprehensive information security system, which a third party will audit every other year for a decade. It also bars Twitter from misleading consumers about the security and privacy of its systems, as well as the measures it takes to prevent that kind of breach from happening again. Some security experts say that the FTC's "best practices" for password protection aren't mandated by federal law. But Twitter isn't complaining. Today it posted a blog entry saying "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices."

This was the FTC's first case against a social networking service and it's certainly not the last. (This was the FTC's 30th case targeting faulty data security.) Under scrutiny on these issues, Facebook overhauled its security settings last month.

And with services like FourSquare built around users' location and even devices geo-locating its devices, privacy is front and center for Web 2.0.

Twitter has a major advantage when dealing with privacy concerns — it's primarily a *public* information network, not a *private* social network. Twitter's inherent purpose minimizes its challenges in the space, but with all the attention on privacy issues, Twitter tells me it plans to be active in all the conversations among policymakers and regulators about how to provide its users with clear, consistent, and safe privacy policies and practices.
