
SaaS-eCommerce Sites: Twitter Case Provides Critical Lessons in Administrative Security
Words: 684 | Date: Sat, 24 Jul 2010


Copyright © 2010 Chip Cooper

In June 2010, the Federal Trade Commission (FTC) settled charges that Twitter's micro-blogging site had engaged in lax security practices amounting to "unfair and deceptive trade practices".

While previous FTC cases over lax security focused on lax electronic controls, the Twitter case focused on lax administrative controls. Webmasters of SaaS and ecommerce sites who fail to learn and apply the critical lessons of the Twitter case do so at their peril.

Twitter Case Facts - Two Hacks

The FTC's complaint against Twitter alleged that lax administrative controls for data security permitted at least two hackers to gain administrative control of Twitter, resulting in access to users' private personal information and private tweets and, most surprisingly, the ability to send out phony tweets.

Here's how the hackers got access to Twitter. According to the FTC, hacker no. 1 broke in by using an automated password-guessing tool that sent thousands of guesses to Twitter's login form. The hacker found an administrative password that was a weak, lowercase, common dictionary word, and with it the hacker was able to reset several user passwords, which the hacker then posted on a website that others could access and use to send phony tweets.

Hacker no. 2 compromised the personal email account of a Twitter employee and learned the employee's passwords, which were stored there in plain text. With these passwords, the hacker was able to guess the employee's similar Twitter administrative passwords. Once into Twitter, the hacker reset a user's password and was able to access the user information and tweets of any Twitter user.

Twitter Settlement Lessons

The FTC noted that Twitter's website privacy policy promised: "We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access."

Focusing on Twitter's administrative controls (more accurately on the lack thereof), the FTC alleged that Twitter failed to take reasonable steps to:

* require employees to use hard-to-guess administrative passwords that they did not use for other programs, websites, or networks;

* prohibit employees from storing administrative passwords in plain text within their personal e-mail accounts;

* suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;

* provide an administrative login webpage that is made known only to authorized persons and is separate from the login page for users;

* enforce periodic changes of administrative passwords, for example, by setting them to expire every 90 days;

* restrict access to administrative controls to employees whose jobs required it; and

* impose other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

The FTC settlement included (among other things) the requirement that Twitter set up and manage a comprehensive data security policy that will be reviewed by an independent auditor periodically for ten years.
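The controls the FTC lists above are all enforceable in code at the administrative login. The following is an added example written for this article, not Twitter's code or anything from the FTC record; the policy values (five failed attempts before lockout, 90-day expiry, a 12-character minimum, a tiny stand-in word list and a 10.0.0.0/8 "office" network) are constructed assumptions for illustration. It rejects dictionary-word and single-case passwords, stores only a salted PBKDF2 digest rather than plain text, locks the account after repeated failures, refuses admin logins from outside an allowed network, checks that the account actually holds the admin role, and forces rotation of passwords older than 90 days.

```python
"""Admin-login gate enforcing the administrative controls named in the FTC
complaint.  Added example with constructed policy values; not the original
article's or Twitter's code."""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed policy values (assumptions for this example).
MAX_FAILED_ATTEMPTS = 5
PASSWORD_MAX_AGE_SECONDS = 90 * 24 * 3600      # "expire every 90 days"
MIN_PASSWORD_LENGTH = 12
# Stand-in for a real dictionary / breached-password list (constructed).
COMMON_WORDS = {"password", "happiness", "welcome", "letmein", "twitter"}
# Networks from which administrative logins are accepted (constructed).
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]


def check_password_policy(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the
    password is acceptable as an administrative password."""
    problems = []
    if len(pw) < MIN_PASSWORD_LENGTH:
        problems.append("too short")
    if pw.lower() in COMMON_WORDS:
        problems.append("common dictionary word")
    if pw.islower() or pw.isupper():
        problems.append("single case")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    return problems


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; the plaintext is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


@dataclass
class AdminAccount:
    username: str
    salt: bytes
    digest: bytes
    roles: set
    password_set_at: float      # epoch seconds when the password was set
    failed_attempts: int = 0
    locked: bool = False


def create_admin(username: str, password: str, roles, now: float) -> AdminAccount:
    """Create an account, refusing passwords that violate the policy."""
    problems = check_password_policy(password)
    if problems:
        raise ValueError("password rejected: " + ", ".join(problems))
    salt, digest = hash_password(password)
    return AdminAccount(username, salt, digest, set(roles), now)


def admin_login(account: AdminAccount, password: str,
                client_ip: str, now: float) -> Tuple[bool, str]:
    """Apply the administrative-access controls in order and return
    (success, reason).  Checks that do not depend on the password come
    first so that a blocked source or role never gets a guess evaluated."""
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ADMIN_NETWORKS):
        return False, "ip not allowed"
    if "admin" not in account.roles:        # access only for jobs that need it
        return False, "role not permitted"
    if account.locked:                       # disabled after repeated failures
        return False, "locked"
    _, digest = hash_password(password, account.salt)
    if not hmac.compare_digest(digest, account.digest):
        account.failed_attempts += 1
        if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
            account.locked = True
            return False, "locked"
        return False, "bad password"
    account.failed_attempts = 0
    if now - account.password_set_at > PASSWORD_MAX_AGE_SECONDS:
        return False, "password expired"     # correct, but must be rotated
    return True, "ok"


if __name__ == "__main__":
    acct = create_admin("ops", "Correct-Horse-42x", ["admin"], now=0.0)
    for guess in ["happiness"] * 5 + ["Correct-Horse-42x"]:
        print(guess, admin_login(acct, guess, "10.1.2.3", now=60.0))
```

Running the block shows the guessing sequence from the first hack being stopped: four "bad password" results, then "locked", after which even the correct password is refused until an administrator unlocks the account. A real deployment would back the word list with a breached-password feed and put the lockout counter in shared storage so it survives across web nodes.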

Conclusion

The FTC represents consumer interests to prevent fraudulent, deceptive, and unfair business practices. Privacy and data security have been high-priority issues for the FTC, as evidenced by the 30 cases brought over the last few years for lax data security practices.

In its investigations of data security cases, the FTC looks at two standards:

* what the FTC considers as "standard, reasonable" security procedures, and

* what a website's privacy policy promises to consumers regarding data security.

If the website's actual data security practices do not measure up to either of these standards (a worst-case scenario would be the failure to measure up to both), the FTC concludes that the website has engaged in lax security practices that amount to "unfair and deceptive trade practices". A complaint and costly lawsuit may follow.

The reason that the FTC publishes the results of its settlements is to provide lessons to others regarding what the FTC regards as an "unfair and deceptive trade practice".

Do you know if your site measures up to the two standards?


Leading Internet, IP and software lawyer Chip Cooper has automated the process of drafting DigiContracts.com Website Legal Forms for website legal compliance. Use his free online tool -- Website Documents Determinator -- to determine which documents your website really needs for website legal compliance. Discover how quick, easy, and cost-effective it is to draft your website legal forms at DigiContracts.com.

Article Source: Article Directory | Author: Chip Cooper
