Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy Communications Security Social Networks The Courts IT Your Rights Online

Twitter To Establish Information Security Program 72

An anonymous reader writes "Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the 30th case the FTC has brought targeting faulty data security, and the agency's first such case against a social networking service. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
This discussion has been archived. No new comments can be posted.

Twitter To Establish Information Security Program

Comments Filter:
  • by Rotworm ( 649729 ) * on Thursday June 24, 2010 @06:59PM (#32685556) Homepage Journal

    The company also must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years.

    Twitter must also donate five nickels to five charities. At least three of those charities must be entirely independent of Twitter. Maybe the message is: if you marginally screw with the President, we marginally screw with you.

  • by Mothinator ( 1103295 ) on Thursday June 24, 2010 @07:03PM (#32685592)
    Shouldn't they be permanently barred from misleading their customers?
    • Re: (Score:1, Interesting)

      by Anonymous Coward

      And they should have been permanently barred from the moment they started offering a service?

    • I agree this sounds weird.

      A suspended sentence is essentially a ban on committing further crimes, perhaps this is somehow similar?

    • by msauve ( 701917 )

      Shouldn't they be permanently barred from misleading their customers?

      This is the US government meting out punishment. "Permanently barred from misleading their customers" is an unnatural concept to them.

    • by luckymutt ( 996573 ) on Thursday June 24, 2010 @09:01PM (#32686412)
      We're talking about Twitter...a 20 years barring is permanent.
      Hell, in half that time no one will be admitting that they were a "Twit."
      Kinda like how it is now with Friendster.
      • We're talking about Twitter...a 20 years barring is permanent.

        No kidding, that's like 4 consecutive life sentences for Twitter.

      • Re: (Score:1, Troll)

        Kinda like how it is now with Friendster.

        What? I Never watched that show! You can't prove anything! I have no idea what Jennifer Aniston looks like!

      • We're talking about Twitter...a 20 years barring is permanent.

        I think GP's point was more that misleading people should NEVER be allowed, by ANY business.

    • Shouldn't every company be barred from misleading their customers?
    • by zkp ( 1634437 )
      If they mislead customers again during the next 20 years then they will again be barred from misleading customers.
  • WTF? (Score:5, Funny)

    by Anonymous Coward on Thursday June 24, 2010 @07:03PM (#32685610)

    Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information

    Well, gee, I'm glad they'll be able to resume misleading consumers in 2030.

    • They'll get time off for good behaviour.

      • 'I recently broke a mirror. I got stuck with 7 years of bad luck. But my Lawyer feels that He can get it down to 3.'

        --Steven Wright

    • Re:WTF? (Score:5, Informative)

      by adiemus ( 10712 ) on Thursday June 24, 2010 @07:58PM (#32686032) Homepage
      • Re: (Score:1, Informative)

        by Anonymous Coward

        just to add a snippet from that (for those too lazy to click):

        It may sound silly to bar Twitter from “misleading consumers” for 20 years, but that is essentially the life of the order and gives the FTC the ability to fine Twitter for future security breaches to the tune of $16,000 per incident. Without this order and the settlement, the FTC does not have what is known as civil penalty authority.

    • Re: (Score:2, Insightful)

      So the punishment from misleading consumers is a ban on misleading consumers. Does that mean if they mislead consumers again they get another ban? Or would they actually get a real punishment.

      To employ Godwin's law: Hitler, we have all gotten together and we agree... No more Holocausts for 10 years, okay? Thanks Adolf.
  • Comment removed (Score:5, Insightful)

    by account_deleted ( 4530225 ) on Thursday June 24, 2010 @07:07PM (#32685654)
    Comment removed based on user account deletion
    • FACEBOOK (Score:4, Insightful)

      by GrumblyStuff ( 870046 ) on Thursday June 24, 2010 @07:17PM (#32685736)

      I was just about comment about how they should be hounding Facebook for all shit they pull.

      Constantly changing options and putting them by default onto the most open setting? That's maliciously hoping that people are either too lazy or stupid to change them back.

      Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit.

      • Re:FACEBOOK (Score:4, Informative)

        by Locke2005 ( 849178 ) on Thursday June 24, 2010 @07:37PM (#32685884)
        Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit. You've obviously never tried to terminate an AOL account. Most ex-AOLers decided it was easier to just cancel their credit card.
      • Re: (Score:3, Funny)

        I can only assume that Facebook will be effectively immune from prosecution for anything short of building its own nuclear arsenal, just as soon as the old judges and politicians die off, and are replaced by ones whose law school years are documented on Zuckerberg's giant voyeurism datastore...
        • I can only assume that Facebook will be effectively immune from prosecution

          More seriously, Facebook will be immune for the same reasons that AT&T and the other big telecoms already are...

  • by Locke2005 ( 849178 ) on Thursday June 24, 2010 @07:30PM (#32685836)
    Barred for 20 years? Reviewed after 10 years? Twitter is a fad that will be passé by 2012... what the hell makes them think Twitter will still exist as a viable company in 20 years?!?
    • by dgatwood ( 11270 ) on Thursday June 24, 2010 @08:14PM (#32686160) Homepage Journal

      They don't, and they don't care. This is just a further example of the way in which corporate personhood results in a fundamentally broken and inequitable legal system.

      When a corporation misappropriates the secrets of hundreds of thousands of users, they get told the equivalent of "We know you stole a hundred thousand VCRs, but we're going to let you off with probation. We'll check back on you in a year, and we'd better not see a bunch of stolen VCRs when we do. But if we do, we'll check back in another year. Oh, and your punishment is that you're not allowed to steal VCRs again for twenty years."

      By contrast, if an individual steals just a couple of secrets from one corporation and leaks them to the press, the police raid the person's house and confiscate the person's equipment, and the person spends time in jail and usually ends up not being able to use the Internet for 20 years.

      All I ask is for the same punishment to apply to Twitter. Is that really so much to ask? Shouldn't corporations' privacy violations be punished just as severely as an individual committing a hundred thousand acts of corporate espionage? Seems pretty straightforward to me.

      • by Locke2005 ( 849178 ) on Thursday June 24, 2010 @08:36PM (#32686292)
        I'd think you were being paranoid, but the Supreme Court today gutted the "honest services" law: "All nine justices agreed that public officials and corporate executives cannot be convicted of defrauding the public unless they enriched themselves by taking a bribe or a kickback. Secret deals or conflicts of interest are not a crime unless they involve a direct payoff." So, as long as they are committing fraud to enrich the company, which then is more profitable and pays them more money, and not taking the money directly themselves, it's ok?!? WTF?!? Sounds like all that matters is the interests of the shareholders, and the customers are irrelevant.
    • by account_deleted ( 4530225 ) on Thursday June 24, 2010 @08:27PM (#32686250)
      Comment removed based on user account deletion
  • So Twitter is barred for twenty years from misleading customers, after which.... ?

    • So Twitter is barred for twenty years from misleading customers, after which.... ?

      After which someone can register the expired domain name and get all nostalgic about how people got so worked up over such a stupid concept.

  • Twitter will be barred for 20 years from misleading consumers

    What kind of a deal is that? It seems to be saying that after the twenty year period it will be OK for them to mislead customers. And if it is not saying that, then what is the point of the 20 years or the deal in the first place? How does a company that betrays public trust get away with saying "OK, for our punishment we agree to follow the law for a limited period of time" ???

    • by fyrewulff ( 702920 ) on Thursday June 24, 2010 @08:52PM (#32686384)

      It's legal language. They aren't saying they were permitted before or permitted afterwards. They're saying that Twitter is basically on probation for the next 20 years, and now if they do it again the FTC can fine them since they've now warned them.

      It'd be like say (ignore all other laws for a moment), a store advertising 20$ iPhones and they're 400$ when you get in the store. They would be told that they can't mislead customers for another 20 years, or else face heavy fines.

      • It seems to be saying that after the twenty year period it will be OK for them to mislead customers.

        It's legal language.

        I think it's misleading language.

  • by mysidia ( 191772 ) on Thursday June 24, 2010 @07:46PM (#32685954)

    The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter,

    The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”

    Does NOT seem to be a misrepresentation. If they employ any measures at all.

    it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:

    The FTC's ideas of what "reasonable steps" are sure does make me laugh... I am sure as hell glad the FTC's job is NOT to dictate proper IT security policies. They are clearly carrying around some pretty whacky notions of what security measures are basic and reasonable.

    Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks

    Wait. "Hard to guess" and "Not used for other programs" are separate criteria.

    It is not necessary to require that last bit, to have strong security against intruders. It is not reasonable to expect that users of a computer network memorize a separate strong password for each service, change it frequently. The whole notion of "strong password" is a direct contradiction of "remembered (but not written) password". Any password that is not weak, by current security standards, is not able to be memorized by a human.

    Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days

    It is well demonstrated that this does not improve security. Instead, it encourages people to choose weaker passwords, or write them down. Password expiration only helps if an account has been compromised, but (for some reason) the hacker has not used the password yet.

    The likelihood of this is slim, the security improvement is practically ZERO, and the cost is very high.

    Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts

    It is not necessary to 'prohibit employees from storing admin passwords in plain text'. To have security

    Your admins must know better. Chances are your company doesn't have a specific policy that says "Admins may not write their passwords on giant signs and carry them down the hall. At a certain point, it's just ridiculous (and doesn't improve security) to say "But you didn't prohibit X?!"

    Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts

    This does not improve security. Actually, it increases the chance that an administrative account could be disabled by an attacker, making it more difficult to determine the nature of or respond to an ongoing attack.

    A strong password will be secure, even in the face of a brute force attack. A brute force attack can be mitigated using less disruptive techniques, such as automatically banning any IP address for 10 minutes, if a certain number of failed logins are attempted.

    Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users

    This is only more secure, if you assume that an administrative login is known, and compromised.

    An additional web page for admin logins just creates another potential point of exposure to attack, has to be secured separately from the main login page, and the result is likely a less overall secure system.

    Compromise of individual users' Twitter accounts leaks private information, just as badly as a compromise of an administrative login...

    Particularly if the use of administrative logins is monitored carefully, and a co

    • by sgt101 ( 120604 ) on Friday June 25, 2010 @09:44AM (#32690696)

      The statement "any password that is easy to memorize is not strong" is not true.

      The best way to create a strong easy to remember password is via a phrase.

      Iwearcoolshoes!638
      dobbinisanicehorse.112
      ponyslikejonty6eatcarrots?

      With respect to administrative controls, it is very easy to segment control and access in a system. I run a social media monitoring service, we have 3 basic types of user (Admin, Coordinator, Agent) but each one can have up to 30 options that define the precise controls and access they have. I am amazed that Twitter have not implemented a similar system.

      If my team (3 guys) can implement this, anyone can. It is reasonable to expect. In fact it's totally sensible.

      Compromise of individual accounts does not leak information as badly as administration - there is a host of stuff an admin could do that an individual couldn't.

      With respect to limiting access by IP address, again you are talking complete nonsense. It is feasible to do this on a whitelist that would enable access from anywhere, but would require an email or a phone call to set up. Hardly difficult, and again, why not segregate the machines to enable moderation (fAor example) from a browser or using ssh but locking the database away somewhere where no one can get to?
      Actually I agree that ssh is functionally strong enough to rely on - if that breaks all our games are up!

      • by mysidia ( 191772 )

        Compromise of individual accounts does not leak information as badly as administration - there is a host of stuff an admin could do that an individual couldn't.

        Every action an admin can do should be logged. Excessively unusual admin activity should set off alerts -- there should be traps designed to quickly catch any admin abusing their access.

        With respect to limiting access by IP address, again you are talking complete nonsense. It is feasible to do this on a whitelist that would enable access from an

  • "Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."

    So in 20 years they'll again be permitted to mislead consumers?

    I think I need to RTFA. That can't be right.
  • Twitter will be barred for 20 years from misleading consumers

    Ummm shouldn't that be a given? Why only 20 years? Why is it even in question?

  • Legal Stuffs (Score:5, Informative)

    by bv728 ( 943505 ) on Thursday June 24, 2010 @08:34PM (#32686278)
    IANALBIFWI, "Twitter will be barred for 20 years ..." does NOT mean that twenty years from now they have the right to mislead. It means that if the Government finds out they're misleading within the next 20 years it does not need to have a trial to take action - they can just slam them as violating the existing ruling. This is, functionally, a suspended sentence (thus third party review of their new security measures).
  • you need to be aware that the business interests behind Twitter, Facebook, et al, are playing with the public perception of their "services". Be concerned. Be aware.
  • Dang, i should have known. The signs were there. My co-workers often knew word-by-word what i published on twitter.
  • Does this mean they are hiring?

If all else fails, lower your standards.

Working...