An investigation that the Federal Trade Commission launched into Twitter's allegedly lax security practices following two high-profile hacking incidents last year has been settled, the company announced Thursday.
Twitter general counsel Alexander MacGillivray, who joined the company last summer after serving as a member of Google's legal team, posted an entry on the company blog Thursday explaining the situation. "Early in 2009, when Twitter employed less than 50 people, we faced two different security incidents that impacted a small number of users," the post explained. "Put simply, we were the victim of an attack and user accounts were improperly accessed."
In January and April of 2009, Twitter suffered first a hack that targeted celebrities' accounts and then a data breach that exposed private information (including internal Twitter documents) to the attackers. The FTC claimed that these incidents showed Twitter wasn't implementing adequate measures to protect its users, such as requiring hard-to-guess passwords, requiring employees to change their passwords every few months, and restricting internal access to potentially sensitive data, among other charges.
A release from the FTC on Thursday explained that, as a result of the settlement, Twitter must establish an "independently audited information security program," to be assessed by a third party every other year, and that for 20 years it is barred "from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information."
Keeping a company on its toes with regard to transparency about user security sounds like a no-brainer. But some independent critics think the FTC may be going too far.
"The FTC's complaint against Twitter makes reference to a number of password protection practices that the FTC would consider to be best practices," explained Paul Bond, an attorney with law firm Reed Smith who specializes in data privacy and digital-media security. "However, those practices are not in fact explicitly mandated by any federal law or regulation. The FTC is essentially regulating through consent order without going through the normal channels of rulemaking."
The burden on Twitter, which is still a relatively small company with around 300 employees, could be significant.
"This very entrepreneurial company will be essentially under the FTC's microscope," Bond explained, "and therefore it's going to require Twitter to devote a significant amount of resources to make sure that they're complying not just with the law but with the FTC's evolving rules of what's fair and unfair in consumer privacy."
Twitter, meanwhile, says it had already been stepping up its security: "Even before the agreement, we'd implemented many of the FTC's suggestions and the agreement formalizes our commitment to those security practices," MacGillivray's post read.
The PR embarrassment over fake tweets coming from celebrity accounts with tens of thousands of followers may have, in fact, been enough.