FTC Forces Twitter to Shape Up Security

NEW YORK -- Microblogging service Twitter has agreed to a settlement with the U.S. Federal Trade Commission over charges it put its customers privacy at risk by failing to safeguard their personal information.

The settlement announced by the FTC Thursday stems from a series of attacks last year on Twitter, the three-year old phenomenon that lets people send short text messages to groups of followers. Under the terms of the agreement, Twitter is creating an independently audited security program, among other measures.

The FTC said serious lapses in Twitter's security allowed hackers to send out phony tweets pretending to be from U.S. President Barack Obama and Fox News. Hackers also managed to take administrative control of Twitter and gain access to private tweets, or short text messages of 140 characters or less.

Between January and May 2009, hackers were "able to view nonpublic user information, gain access to direct messages and protected tweets, and reset any user's password" and send tweets from any user account, according to the FTC complaint.

Twitter acknowledged 45 accounts were accessed by hackers in January last year and 10 in April 2009 "for short periods of time."

It said the January attack resulted in "unauthorized joke tweets" from nine accounts. The hackers may also have accessed data such as email addresses and phone numbers, the privately held company said.

In the April incident, Twitter said it cut off the hacker's administrative access within 18 minutes of the attack and quickly informed affected users.

The FTC said Twitter was exposed to these attacks because it "failed to take reasonable steps" to prevent unauthorized administrative control of its system.

"When a company promises consumers that their personal information is secure, it must live up to that promise," David Vladeck, director of the FTC's Bureau of Consumer Protection, said in a statement. And if a company allows consumers to designate their information as private, it must use reasonable security to support that designation, he said.

Under the terms of the settlement, Twitter will be barred for 20 years from "misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information."

Twitter must also establish a comprehensive security program that "will be assessed by a third party every year for ten years," according to the FTC.

Twitter said it already made many of the changes suggested in the settlement, which comes less than two months after another popular social site, Facebook, suffered its own security breaches.

The agreement will be subject to public comment for 30 days, starting Thursday and continuing through July 26, 2010, after which the FTC will make a final decision.