Twitter To Establish Information Security Program 72
An anonymous reader writes "Twitter has agreed to settle Federal Trade Commission charges that it deceived consumers and put their privacy at risk by failing to safeguard their personal information, marking the 30th case the FTC has brought targeting faulty data security, and the agency's first such case against a social networking service. Under the terms of the settlement, Twitter will be barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent authorized access to information and honor the privacy choices made by consumers."
Message in the Bottle (Score:4, Insightful)
Twitter must also donate five nickels to five charities. At least three of those charities must be entirely independent of Twitter. Maybe the message is: if you marginally screw with the President, we marginally screw with you.
Re:Message in the Bottle (Score:5, Insightful)
I don't know 20 years seems like an awful long time to be barred from doing something illegal...
Barred for 20 years? (Score:5, Insightful)
Re: (Score:1, Interesting)
And they should have been permanently barred from the moment they started offering a service?
Re: (Score:1)
I agree this sounds weird.
A suspended sentence is essentially a ban on committing further crimes, perhaps this is somehow similar?
Re: (Score:1)
Re: (Score:2)
Guess which side has donated more towards campaign funds?
Re: (Score:1)
Wow, iphone users now brag that their beloved iphone doesn't have horrible flaws? Geez, talk about low standards.
Re: (Score:2)
This is the US government meting out punishment. "Permanently barred from misleading their customers" is an unnatural concept to them.
Re:Barred for 20 years? (Score:5, Funny)
Hell, in half that time no one will be admitting that they were a "Twit."
Kinda like how it is now with Friendster.
Re: (Score:2)
We're talking about Twitter...a 20 years barring is permanent.
No kidding, that's like 4 consecutive life sentences for Twitter.
Re: (Score:1, Troll)
What? I Never watched that show! You can't prove anything! I have no idea what Jennifer Aniston looks like!
Re: (Score:3, Funny)
She's got a certain flair.
Re: (Score:2)
I think GP's point was more that misleading people should NEVER be allowed, by ANY business.
Re: (Score:2)
Re: (Score:1)
WTF? (Score:5, Funny)
Well, gee, I'm glad they'll be able to resume misleading consumers in 2030.
Re: (Score:2)
They'll get time off for good behaviour.
Re: (Score:2)
'I recently broke a mirror. I got stuck with 7 years of bad luck. But my Lawyer feels that He can get it down to 3.'
--Steven Wright
Re:WTF? (Score:5, Informative)
http://techcrunch.com/2010/06/24/ftc-twitter-privacy-settlement/ [techcrunch.com]
Re: (Score:1, Informative)
just to add a snippet from that (for those too lazy to click):
It may sound silly to bar Twitter from “misleading consumers” for 20 years, but that is essentially the life of the order and gives the FTC the ability to fine Twitter for future security breaches to the tune of $16,000 per incident. Without this order and the settlement, the FTC does not have what is known as civil penalty authority.
Re: (Score:2, Insightful)
To employ Godwin's law: Hitler, we have all gotten together and we agree... No more Holocausts for 10 years, okay? Thanks Adolf.
Re:The hell? (Score:5, Insightful)
Re:The hell? (Score:5, Funny)
Comment removed (Score:5, Insightful)
FACEBOOK (Score:4, Insightful)
I was just about comment about how they should be hounding Facebook for all shit they pull.
Constantly changing options and putting them by default onto the most open setting? That's maliciously hoping that people are either too lazy or stupid to change them back.
Hiding the delete option for FB accounts and implementing it in such a fucking retarded way, forcing the account holders to search out and delete every comment, photo, tag, and other info they put in instead of just having a delete button? Utter bullshit.
Re:FACEBOOK (Score:4, Informative)
Re: (Score:3, Funny)
Re: (Score:1)
More seriously, Facebook will be immune for the same reasons that AT&T and the other big telecoms already are...
Re: (Score:2)
Kinda like consecutive life sentences... (Score:4, Interesting)
Re:Kinda like consecutive life sentences... (Score:5, Interesting)
They don't, and they don't care. This is just a further example of the way in which corporate personhood results in a fundamentally broken and inequitable legal system.
When a corporation misappropriates the secrets of hundreds of thousands of users, they get told the equivalent of "We know you stole a hundred thousand VCRs, but we're going to let you off with probation. We'll check back on you in a year, and we'd better not see a bunch of stolen VCRs when we do. But if we do, we'll check back in another year. Oh, and your punishment is that you're not allowed to steal VCRs again for twenty years."
By contrast, if an individual steals just a couple of secrets from one corporation and leaks them to the press, the police raid the person's house and confiscate the person's equipment, and the person spends time in jail and usually ends up not being able to use the Internet for 20 years.
All I ask is for the same punishment to apply to Twitter. Is that really so much to ask? Shouldn't corporations' privacy violations be punished just as severely as an individual committing a hundred thousand acts of corporate espionage? Seems pretty straightforward to me.
Re:Kinda like consecutive life sentences... (Score:4, Informative)
Comment removed (Score:5, Funny)
For twenty years? (Score:1)
So Twitter is barred for twenty years from misleading customers, after which.... ?
Re: (Score:2)
So Twitter is barred for twenty years from misleading customers, after which.... ?
After which someone can register the expired domain name and get all nostalgic about how people got so worked up over such a stupid concept.
Twitter will be barred for 20 years from misleadin (Score:1, Redundant)
Twitter will be barred for 20 years from misleading consumers
What kind of a deal is that? It seems to be saying that after the twenty year period it will be OK for them to mislead customers. And if it is not saying that, then what is the point of the 20 years or the deal in the first place? How does a company that betrays public trust get away with saying "OK, for our punishment we agree to follow the law for a limited period of time" ???
Re:Twitter will be barred for 20 years from mislea (Score:4, Informative)
It's legal language. They aren't saying they were permitted before or permitted afterwards. They're saying that Twitter is basically on probation for the next 20 years, and now if they do it again the FTC can fine them since they've now warned them.
It'd be like say (ignore all other laws for a moment), a store advertising 20$ iPhones and they're 400$ when you get in the store. They would be told that they can't mislead customers for another 20 years, or else face heavy fines.
Re: (Score:2)
I think it's misleading language.
This doesn't make sense (Score:5, Insightful)
The FTC’s complaint against Twitter charges that serious lapses in the company’s data security allowed hackers to obtain administrative control of Twitter,
The privacy policy posted on Twitter’s website stated that “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access.”
Does NOT seem to be a misrepresentation. If they employ any measures at all.
it failed to take reasonable steps to prevent unauthorized administrative control of its system, including:
The FTC's ideas of what "reasonable steps" are sure does make me laugh... I am sure as hell glad the FTC's job is NOT to dictate proper IT security policies. They are clearly carrying around some pretty whacky notions of what security measures are basic and reasonable.
Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks
Wait. "Hard to guess" and "Not used for other programs" are separate criteria.
It is not necessary to require that last bit, to have strong security against intruders. It is not reasonable to expect that users of a computer network memorize a separate strong password for each service, change it frequently. The whole notion of "strong password" is a direct contradiction of "remembered (but not written) password". Any password that is not weak, by current security standards, is not able to be memorized by a human.
Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days
It is well demonstrated that this does not improve security. Instead, it encourages people to choose weaker passwords, or write them down. Password expiration only helps if an account has been compromised, but (for some reason) the hacker has not used the password yet.
The likelihood of this is slim, the security improvement is practically ZERO, and the cost is very high.
Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts
It is not necessary to 'prohibit employees from storing admin passwords in plain text'. To have security
Your admins must know better. Chances are your company doesn't have a specific policy that says "Admins may not write their passwords on giant signs and carry them down the hall. At a certain point, it's just ridiculous (and doesn't improve security) to say "But you didn't prohibit X?!"
Suspending or disabling administrative passwords after a reasonable number of unsuccessful login attempts
This does not improve security. Actually, it increases the chance that an administrative account could be disabled by an attacker, making it more difficult to determine the nature of or respond to an ongoing attack.
A strong password will be secure, even in the face of a brute force attack. A brute force attack can be mitigated using less disruptive techniques, such as automatically banning any IP address for 10 minutes, if a certain number of failed logins are attempted.
Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users
This is only more secure, if you assume that an administrative login is known, and compromised.
An additional web page for admin logins just creates another potential point of exposure to attack, has to be secured separately from the main login page, and the result is likely a less overall secure system.
Compromise of individual users' Twitter accounts leaks private information, just as badly as a compromise of an administrative login...
Particularly if the use of administrative logins is monitored carefully, and a co
Re:This doesn't make sense (Score:4, Interesting)
The statement "any password that is easy to memorize is not strong" is not true.
The best way to create a strong easy to remember password is via a phrase.
Iwearcoolshoes!638
dobbinisanicehorse.112
ponyslikejonty6eatcarrots?
With respect to administrative controls, it is very easy to segment control and access in a system. I run a social media monitoring service, we have 3 basic types of user (Admin, Coordinator, Agent) but each one can have up to 30 options that define the precise controls and access they have. I am amazed that Twitter have not implemented a similar system.
If my team (3 guys) can implement this, anyone can. It is reasonable to expect. In fact it's totally sensible.
Compromise of individual accounts does not leak information as badly as administration - there is a host of stuff an admin could do that an individual couldn't.
With respect to limiting access by IP address, again you are talking complete nonsense. It is feasible to do this on a whitelist that would enable access from anywhere, but would require an email or a phone call to set up. Hardly difficult, and again, why not segregate the machines to enable moderation (fAor example) from a browser or using ssh but locking the database away somewhere where no one can get to?
Actually I agree that ssh is functionally strong enough to rely on - if that breaks all our games are up!
Re: (Score:1)
Compromise of individual accounts does not leak information as badly as administration - there is a host of stuff an admin could do that an individual couldn't.
Every action an admin can do should be logged. Excessively unusual admin activity should set off alerts -- there should be traps designed to quickly catch any admin abusing their access.
With respect to limiting access by IP address, again you are talking complete nonsense. It is feasible to do this on a whitelist that would enable access from an
Ummm... excuse me.... (Score:1, Redundant)
So in 20 years they'll again be permitted to mislead consumers?
I think I need to RTFA. That can't be right.
barred for 20 years from misleading?? (Score:2)
Twitter will be barred for 20 years from misleading consumers
Ummm shouldn't that be a given? Why only 20 years? Why is it even in question?
Legal Stuffs (Score:5, Informative)
Re: (Score:2, Insightful)
IANALBIFWI
...What did you call my mother?
As you read this article (and others) (Score:2)
Oops (Score:1)
Privacy at risk (Score:2, Funny)
obviously (Score:1)
Well, obviously now they do it, that the Russian president got an account with them [kcra.com] and Obama said that from now on that's how they'll communicate [sfgate.com]!
Unlike the majority of companies in IT... (Score:1)
Re: (Score:2)
Yeah, but they're only paying in PBR and black-framed Buddy Holly glasses.