Twitter overhauls security practices
25th Jun 2010
Twitter has consented to a radical overhaul of its information security practices in a bid to settle the privacy case being pursued against it by US regulators.
But the Federal Trade Commission (FTC) has warned that the case is only likely to be the first of many as it increasingly cracks down on data protection abuses, particularly among social networking sites.
Although most US companies are not covered by federal privacy laws, the Commission is currently using the boilerplate privacy assurances that companies publish on their own web sites as grounds for pursuing those that have lost customer information to hackers.
Under a tentative settlement reached with the consumer arm of the FTC, however, Twitter promised that it would introduce a comprehensive security programme that will be subject to a third party audit every other year for the next decade.
It also agreed not to mislead customers "about the extent to which it maintains and protects the security, privacy and confidentiality of non-public consumer information" and said it would amend existing notification messages, the FTC said in a statement.
The Commission had charged Twitter with just such misleading behaviour and cited two security lapses that took place last year to back up its allegations. In the first, a hacker gained administrative control of the micro-blogging site by using an automated programme that flooded the log-in page with thousands of candidate passwords until one was guessed correctly.
The second involved a separate hacker gaining control of the site after cracking a Twitter employee's management account, which was not locked down.
As a result, the social networking site provider also promised to tighten up its password policies. To this end, it has promised to adopt unique, non-dictionary passwords that are not reused for other online accounts and are not stored in unencrypted email messages. It must also rotate passwords regularly and protect administrative controls through a dedicated log-in page that locks accounts after a certain number of failed log-in attempts.
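The two controls the settlement describes for administrative log-ins, a lockout after repeated failures and a rejection of dictionary passwords, look like the following in outline. This is an added illustration, not Twitter's code; the attempt threshold, lockout duration, minimum length and word list are assumed values chosen for the example.

```python
"""Account lockout and non-dictionary password check (illustration only)."""
import time

MAX_FAILED_ATTEMPTS = 5        # assumed threshold before the account locks
LOCKOUT_SECONDS = 15 * 60      # assumed lockout duration
MIN_PASSWORD_LENGTH = 12       # assumed minimum length
# Constructed stand-in for a real dictionary word list.
DICTIONARY_WORDS = {"password", "twitter", "letmein", "welcome", "admin"}


class LoginGuard:
    """Counts consecutive failed log-ins per account and locks the account
    once the threshold is reached, so automated guessing stalls."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for deterministic tests
        self._failures = {}            # username -> consecutive failures
        self._locked_until = {}        # username -> unix time lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user, 0)
        if until and self._clock() < until:
            return True
        self._locked_until.pop(user, None)   # lock has expired
        return False

    def record_failure(self, user):
        """Register a failed attempt; returns True if the account is locked."""
        if self.is_locked(user):
            return True
        self._failures[user] = self._failures.get(user, 0) + 1
        if self._failures[user] >= MAX_FAILED_ATTEMPTS:
            self._locked_until[user] = self._clock() + LOCKOUT_SECONDS
            self._failures[user] = 0
            return True
        return False

    def record_success(self, user):
        """A successful log-in resets the failure counter."""
        self._failures.pop(user, None)


def password_is_acceptable(password):
    """Reject short passwords and dictionary words, including the common
    pattern of a dictionary word followed by digits (e.g. 'welcome12345')."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    core = password.lower().rstrip("0123456789")
    return core not in DICTIONARY_WORDS
```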
In a blog posting, Twitter's general counsel Andrew Macgillivray said that the firm had already adopted some of the stipulations of the settlement. "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalises our commitment to those security practices," he wrote.
The deal is subject to public comment for 30 days, after which time commissioners will decide whether to make it final.