Twitter Settles with FTC on Privacy and Security Lapses

Twitter co-founder and CEO Evan Williams

By settling Federal Trade Commission charges Thursday, Twitter is just now accepting responsibility for past privacy and security lapses that resulted in two cases of password hacking in January and April 2009.

The more damaging of the two breaches involved a hacker's automated password guesser, which found a Twitter administrative password that was a lowercase dictionary word (in other words: not very secure). A number of prominent users' accounts -- including Barack Obama's -- were then used to send spammy offers for free gasoline.

The more embarrassing of the two involved a hacker gaining access to a Twitter employee's personal email account, and eventually to personal information about founder Evan Williams.

Little Actual Damage Done

Twitter says it immediately took action to prevent both issues from recurring, instituting new password policies (the sort that have been in place at most companies for decades) and other security measures. And though both breaches were titillating and shaming for the company's management, the actual damage done was slight, both to users' security (only 45 accounts in total were exposed across both incidents) and to the long-term reputation of the company, despite what pundits had to say at the time.
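The password guesser in the January breach only needed two conditions: an administrative password that was a single lowercase dictionary word, and a login that let an automated client keep trying. The following is an added example, not code from the article or from Twitter, that puts the weak configuration beside the hardened one: a password policy that rejects that class of password, a salted PBKDF2 store, and a lockout after repeated failures. The wordlist, thresholds, and all names are assumptions made for this illustration.

```python
# Added example, not code from the article or from Twitter. The wordlist,
# thresholds and names below are assumptions made for illustration only.
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed stand-in for an attacker's wordlist; the article does not give
# the real one, so these entries are illustrative only.
DICTIONARY = {"password", "letmein", "welcome", "sunshine", "admin", "monkey"}

MIN_LENGTH = 12         # assumed policy minimum
MAX_FAILURES = 5        # assumed failures allowed before lockout
LOCKOUT_SECONDS = 900   # assumed lockout window


def password_is_acceptable(candidate: str):
    """Reject the class of password the article describes: a short,
    single-case dictionary word. Returns (accepted, reason)."""
    if candidate.lower() in DICTIONARY:
        return False, "dictionary word"
    if len(candidate) < MIN_LENGTH:
        return False, "shorter than %d characters" % MIN_LENGTH
    classes = sum(
        any(test(c) for c in candidate)
        for test in (str.islower, str.isupper, str.isdigit,
                     lambda c: not c.isalnum())
    )
    if classes < 3:
        return False, "needs at least three character classes"
    return True, "ok"


def hash_password(password: str, salt: bytes = b""):
    """Salted PBKDF2-HMAC-SHA256; a fresh salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


class LoginService:
    """policy=False, throttle=False models the pre-2009 state the article
    describes; both True is the hardened form."""

    def __init__(self, policy: bool = True, throttle: bool = True):
        self.policy = policy
        self.throttle = throttle
        self.accounts = {}

    def register(self, username: str, password: str) -> None:
        if self.policy:
            ok, reason = password_is_acceptable(password)
            if not ok:
                raise ValueError("weak password: " + reason)
        salt, digest = hash_password(password)
        self.accounts[username] = Account(salt, digest)

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'bad' or 'locked'. `now` is injected so the
        lockout clock is deterministic."""
        acct = self.accounts.get(username)
        if acct is None:
            return "bad"
        if self.throttle and now < acct.locked_until:
            return "locked"
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.throttle and acct.failures >= MAX_FAILURES:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failures = 0
        return "bad"


def dictionary_attack(service, username: str, wordlist, now: float = 0.0):
    """The automated guesser: tries each word until one logs in or the
    account locks. Returns the password found, or None."""
    for word in wordlist:
        result = service.login(username, word, now)
        if result == "ok":
            return word
        if result == "locked":
            return None
    return None


if __name__ == "__main__":
    legacy = LoginService(policy=False, throttle=False)
    legacy.register("admin", "welcome")
    print("no policy, no throttle:", dictionary_attack(legacy, "admin", sorted(DICTIONARY)))
    throttled = LoginService(policy=False, throttle=True)
    throttled.register("admin", "welcome")
    print("throttle only:", dictionary_attack(throttled, "admin", sorted(DICTIONARY)))
```

Against the unthrottled service the guesser walks the list and recovers the password; with the lockout alone it is stopped after MAX_FAILURES guesses, and with the policy alone the weak password is never accepted at registration. Either control would have changed the January outcome; a real deployment wants both, plus alerting on the lockout event.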

Twitter's blog post on the issue Thursday concludes that the FTC "today announced that we've reached an agreement that resolves their concerns. Even before the agreement, we'd implemented many of the FTC's suggestions, and the agreement formalizes our commitment to those security practices."

The tone of the FTC's announcement is different; as the parent figure in this little drama, the organization wants to be clear that it's in control and Twitter was a bad, bad child. The headline reads, "Twitter Settles Charges that It Failed to Protect Consumers' Personal Information; Company Will Establish Independently Audited Information Security Program."

Other than the independently audited security program (which the company said it began immediately following the first breach), the key information in this settlement is this bit: "Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information," violations of which can be fined to the tune of $16,000 per incident.

The Teeth of the Settlement

As Erick Schonfeld at TechCrunch points out, this is where the settlement gets its teeth. "Without this order and the settlement, the FTC does not have what is known as civil penalty authority." In other words, the FTC may only mete out punishment if the offending company agrees to it (or, in extreme cases, if a court orders it).

It is, on the FTC's part, a curious choice to portray Twitter as the enemy of privacy and security. While the errors of youth made headlines, it was a sound-and-fury-signifying-nothing incident, especially compared to other privacy and security issues in the social networking world.

And the timing, too, is interesting, especially given Wednesday's conflagration between Twitter and Facebook over ... privacy. Twitter developed a new application to help users find their Facebook friends who are also on Twitter; Facebook swiftly blocked the application. According to Twitter, "The Facebook app cannot currently access your Facebook friend list. We believe this is an issue on Facebook's end."

Speculation that the "issue on Facebook's end" reflects some anti-Twitter sentiment abounds, especially given recent news that Facebook had been "massively underreporting" the number of Facebookers using the Twitter app (which updates Facebook status with Twitter updates). And given Facebook's own recent privacy controversy, it would be interesting to see whether that company is the next to be investigated by the FTC.