Forgot your password?
typodupeerror
Privacy Communications Security Social Networks The Courts IT Your Rights Online

Twitter To Establish Information Security Program 72

Posted by timothy
from the only-tell-longer-secrets dept.
An anonymous reader writes "Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the 30th case the FTC has brought targeting faulty data security, and the agency's first such case against a social networking service. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
This discussion has been archived. No new comments can be posted.

Twitter To Establish Information Security Program

Comments Filter:
  • by Rotworm (649729) * on Thursday June 24, 2010 @07:59PM (#32685556) Homepage Journal

    The company also must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years.

    Twitter must also donate five nickels to five charities. At least three of those charities must be entirely independent of Twitter. Maybe the message is: if you marginally screw with the President, we marginally screw with you.

  • by Mothinator (1103295) on Thursday June 24, 2010 @08:03PM (#32685592)
    Shouldn't they be permanently barred from misleading their customers?
  • Why Twitter? (Score:5, Insightful)

    by Psx29 (538840) on Thursday June 24, 2010 @08:07PM (#32685654)
    Twitter doesn't seem to hide the fact that pretty much everything you do on the site is public. Why don't they go after facebook for deceiving people and constantly changing their privacy policy?
  • FACEBOOK (Score:4, Insightful)

    by GrumblyStuff (870046) on Thursday June 24, 2010 @08:17PM (#32685736)

    I was just about comment about how they should be hounding Facebook for all shit they pull.

    Constantly changing options and putting them by default onto the most open setting? That's maliciously hoping that people are either too lazy or stupid to change them back.

    Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit.

  • Re:The hell? (Score:5, Insightful)

    by Toonol (1057698) on Thursday June 24, 2010 @08:39PM (#32685908)
    Fortunately, there is absolutely zero chance that twitter will be a relevant company or technology twenty years from now.
  • by mysidia (191772) on Thursday June 24, 2010 @08:46PM (#32685954)

    The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter,

    The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

    Does NOT seem to be a misrepresentation. If they employ any measures at all.

    it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:

    The FTC's ideas of what "reasonable steps" are sure does make me laugh... I am sure as hell glad the FTC's job is NOT to dictate proper IT security policies. They are clearly carrying around some pretty whacky notions of what security measures are basic and reasonable.

    Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks

    Wait. "Hard to guess" and "Not used for other programs" are separate criteria.

    It is not necessary to require that last bit, to have strong security against intruders. It is not reasonable to expect that users of a computer network memorize a separate strong password for each service, change it frequently. The whole notion of "strong password" is a direct contradiction of "remembered (but not written) password". Any password that is not weak, by current security standards, is not able to be memorized by a human.

    Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days

    It is well demonstrated that this does not improve security. Instead, it encourages people to choose weaker passwords, or write them down. Password expiration only helps if an account has been compromised, but (for some reason) the hacker has not used the password yet.

    The likelihood of this is slim, the security improvement is practically ZERO, and the cost is very high.

    Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts

    It is not necessary to 'prohibit employees from storing admin passwords in plain text'. To have security

    Your admins must know better. Chances are your company doesn't have a specific policy that says "Admins may not write their passwords on giant signs and carry them down the hall. At a certain point, it's just ridiculous (and doesn't improve security) to say "But you didn't prohibit X?!"

    Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts

    This does not improve security. Actually, it increases the chance that an administrative account could be disabled by an attacker, making it more difficult to determine the nature of or respond to an ongoing attack.

    A strong password will be secure, even in the face of a brute force attack. A brute force attack can be mitigated using less disruptive techniques, such as automatically banning any IP address for 10 minutes, if a certain number of failed logins are attempted.

    Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users

    This is only more secure, if you assume that an administrative login is known, and compromised.

    An additional web page for admin logins just creates another potential point of exposure to attack, has to be secured separately from the main login page, and the result is likely a less overall secure system.

    Compromise of individual users' Twitter accounts leaks private information, just as badly as a compromise of an administrative login...

    Particularly if the use of administrative logins is monitored carefully, and a co

  • Re:WTF? (Score:2, Insightful)

    by FlyMysticalDJ (1660959) on Thursday June 24, 2010 @10:27PM (#32686500)
    So the punishment from misleading consumers is a ban on misleading consumers. Does that mean if they mislead consumers again they get another ban? Or would they actually get a real punishment.

    To employ Godwin's law: Hitler, we have all gotten together and we agree... No more Holocausts for 10 years, okay? Thanks Adolf.
  • by Peach Rings (1782482) on Thursday June 24, 2010 @10:42PM (#32686564) Homepage

    I don't know 20 years seems like an awful long time to be barred from doing something illegal...

  • Re:Legal Stuffs (Score:2, Insightful)

    by Genocaust (1031046) on Friday June 25, 2010 @07:46AM (#32688716)

    IANALBIFWI

    ...What did you call my mother?

C'est magnifique, mais ce n'est pas l'Informatique. -- Bosquet [on seeing the IBM 4341]

Working...