Twitter Settles FTC Complaint

Follows hackers tweeting as Obama, Britney Spears
June 29, 2010

In the Federal Trade Commission’s first such case against a social networking service, Twitter has agreed to settle FTC charges that the company deceived its customers about its security and put their privacy at risk by failing to protect their personal information.

The FTC charges came after two well-known hacker attacks on Twitter in 2009 — including one in January in which then-President-elect Barack Obama’s Twitter account was hijacked and the hacker sent a tweet offering Obama’s more than 150,000 Twitter followers a chance to win $500 in free gasoline.

Twitter, which operates one of the world’s most popular social media Web sites, allows users to send “tweets” – brief messages of 140 characters or fewer – to “followers” who sign up to receive such messages via e-mail or phone text.

The FTC charged that lapses in the company’s data security allowed the hackers to gain administrative control of Twitter, to get access to “tweets” that users had designated as private, and to send out phony tweets from a number of well-known account holders — including Obama, Fox News and Britney Spears.

The FTC said the hacks showed that Twitter hadn’t implemented adequate security measures — including requiring hard-to-guess passwords and requiring Twitter employees to change their passwords frequently.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” David Vladeck, an FTC official, said in a June 24 release announcing the settlement. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”

Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about how it protects consumer information, including how it prevents unauthorized access to non-public information. The company also must establish and maintain a comprehensive information security program, which will be evaluated by an independent auditor every other year for 10 years.

In a June 24 post on Twitter's blog, company officials wrote that “we’ve reached an agreement that resolves (FTC) concerns” and added: “Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices.”

The vulnerability of personal data on social media Web sites has become a huge issue during the last couple of years. Identity Theft 911.org wrote about the issue in its April 2010 newsletter.

©2003-2012 Identity Theft 911, LLC. All rights reserved.
