FTC nails Twitter for deceiving users about privacy and security

Federal regulators today set an important precedent, one that should compel all social networks to be far more diligent about preserving privacy and providing robust security.

The Federal Trade Commission barred Twitter from misleading consumers about privacy at any point in the next 20 years. The FTC also ordered the company to establish a comprehensive security program, subject to independent audits for the next 10 years.

Twitter agreed to those terms in exchange for the FTC not pursuing a civil lawsuit against the company. It was the agency’s first-ever privacy enforcement action against a social network.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” says David Vladeck, head of the FTC’s Bureau of Consumer Protection. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations.

“Patrons of social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure,” he says.

Global regulatory scrutiny rising

The FTC’s bold step comes at a time when regulatory scrutiny of social networks is on the rise globally:

  • Privacy regulators in Canada, Germany, Britain, France and several other nations are investigating Google’s past practice of collecting citizens’ data transmitted over open Wi-Fi systems.
  • The FTC is reviewing a complaint accusing Facebook of sending personal information to online advertising companies without its users’ consent.
  • The FBI is investigating the breach that exposed the e-mail addresses of 114,000 AT&T subscribers with Apple iPad wireless accounts, among them many high-profile celebrities, athletes and politicos.

“To have the U.S. government make this strong of an opinion about a privacy breach is a huge wake-up call for American-based companies in this space,” says Sophos security analyst Chet Wisniewski.

Invigorated FTC

The enforcement action “is part of a newly reinvigorated FTC under Obama that is beginning to tackle cutting edge privacy and digital marketing issues,” says Jeffrey Chester, executive director of the Center for Digital Democracy. “It signals that the FTC is examining privacy threats from social media and other under-the-radar online consumer protection concerns.”

Chester anticipates that the FTC will also begin to “rein in abusive digital marketing practices that place privacy at risk, or treat consumers unfairly.”

The order follows two well-publicized intrusions. A young Frenchman, Francois Cousteix, 23, a.k.a. Hacker-Croll, has been arrested and tried in connection with a January 2009 caper in which a hacker gained access to the Twitter account of then-President-elect Barack Obama, using Obama’s legitimate account to Tweet bogus offers of $500 in free gasoline to more than 150,000 of his followers.

Then in April 2009, a hacker compromised a Twitter employee’s personal e-mail account and, through it, gained access to private user information and non-public Tweets for any Twitter user. The FTC’s complaint gives the agency’s official, detailed account of how comparatively easy these hacks were to pull off.

Holding social networks accountable

Twitter spokesman Alexander Macgillivray said in a blog post that the company has already implemented many security upgrades called for by the FTC. At the time of the breaches, Twitter employed fewer than 50 people and was dealing with “unprecedented user growth,” he says.

Security and legal experts said the enforcement action signals that the FTC will hold social networks strictly accountable for preserving privacy and delivering secure online services.

“It’s a warning to any player in social networking that the FTC is taking its enforcement powers seriously and will be scrutinizing them,” says former USDOJ prosecutor Alexander Southwell, who is now a partner at Gibson, Dunn & Crutcher. “You now have a regulatory body looking over your shoulder whenever you’re dealing with customers’ personal information and private communications. It constrains, to some degree, what these companies can do.”

The threat of hands-on government oversight will, one hopes, stir the top social networks to do what they should have done at the start: lock down security, says Tom Kellermann, vice president of security awareness at Core Security Technologies.

By creating an all-comers communications medium and promoting it as secure when it really wasn’t, Twitter essentially created a “hot zone” ripe for spreading viral attacks, says Kellermann. He adds:

When people clicked on links they implicitly trusted Twitter’s communications systems, but the company did not actually build the security into the system, so they put the community at large at risk. The mentality that if-you-build-it, they-will-come is the problem. These wonderful online meeting places we’ve created don’t attract only the righteous. Miscreants and predators also congregate in these new online civilizations,  same as they did in ancient civilizations.

By Byron Acohido
