A Little Bird Says That the FTC Finalized the Twitter Privacy-Breach Settlement, Google Got “Buzzed,” Ashton Kutcher Got Twitter-Punk’d & Your E-Mail Address May Have Been Stolen
Robert J. McGuire
In March 2011, the five Commissioners of the Federal Trade Commission (FTC) unanimously voted to finalize a settlement with the social networking site, Twitter, regarding the FTC’s charge that defects in Twitter’s security measures had permitted hackers to gain administrative control over the site on two occasions in 2009. The hackers were able to access non-public user information and tweets that consumers had designated as private. The hackers also had the ability to send out phony tweets from any account.
To gain access on the first occasion, the hackers used an automated password-guessing tool (often called a "brute force" or "dictionary" tool), which submits thousands of candidate passwords drawn from a preset "library" of common words, numbers and phrases until one is accepted. Such a tool succeeds only when the password is a common word or simple variation of one and the login form neither slows down nor locks the account after repeated failed attempts. To gain access the second time, the hackers apparently used a much more basic and disquieting method: they simply guessed an administrator's password correctly. The accounts to which the hackers had potential access ranged from then-President-elect Barack Obama to Kim Kardashian. (Ms. Kardashian recently claimed that her Twitter account had actually been hacked in February 2011, blocking her from logging into her Twitter account from her home computer.) The FTC's draft complaint against Twitter stated that a phony tweet had been sent from President-elect Obama's account, offering his followers a chance to win $500 in free gasoline. The complaint also claimed that at least one false tweet was sent from the account of Fox News.
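The following is an added illustration, not code from the article or from Twitter, of how the guessing tool described above works and why an account lockout defeats it. The wordlist, the salt, the class name `AdminLogin` and the passwords are all constructed for the example; the "library" a real tool uses has millions of entries, and a real system should store passwords with a deliberately slow hash rather than plain SHA-256.

```python
import hashlib
import hmac

# Constructed wordlist standing in for the attacker's preset "library".
# Real password-guessing tools ship lists with millions of entries.
WORDLIST = ["letmein", "qwerty", "123456", "12345678", "password",
            "welcome", "monkey", "dragon", "baseball", "football"]


def variants(word):
    """Simple variations a guessing tool tries for each base word."""
    return [word, word.capitalize(), word + "1", word + "123"]


def hash_password(password, salt):
    """Salted SHA-256, kept simple for illustration; a real system should
    use a deliberately slow hash such as bcrypt, scrypt or PBKDF2."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


class AdminLogin:
    """A hypothetical administrative login form (constructed for this example).

    max_failures=None models a form with no lockout at all: it will answer an
    unlimited number of guesses. A positive value locks the account after that
    many consecutive failures, which is the control the guessing tool relies
    on being absent."""

    def __init__(self, password, max_failures=None):
        self._salt = b"constructed-salt"
        self._hash = hash_password(password, self._salt)
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def attempt(self, guess):
        if self.locked:
            return False
        ok = hmac.compare_digest(hash_password(guess, self._salt), self._hash)
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


def dictionary_attack(login, wordlist):
    """Feed the form each wordlist entry and its variants until one is
    accepted or the account locks. Returns (password_found, guesses_made)."""
    guesses = 0
    for word in wordlist:
        for guess in variants(word):
            guesses += 1
            if login.attempt(guess):
                return guess, guesses
            if login.locked:
                return None, guesses
    return None, guesses


if __name__ == "__main__":
    # No lockout: a common-word password falls within a handful of guesses.
    print(dictionary_attack(AdminLogin("password"), WORDLIST))
    # Lockout after five failures: the same attack is cut off early.
    print(dictionary_attack(AdminLogin("password", max_failures=5), WORDLIST))
    # A long random passphrase is in no library; the tool exhausts its list.
    print(dictionary_attack(AdminLogin("Ntw6-vortex-cabin-91"), WORDLIST))
```

Against the form with no lockout the tool recovers "password" on its 17th guess; with a five-failure lockout it is stopped after 5 guesses, and against a passphrase not in its list it gives up after trying all 40 candidates. The lockout alone is not a complete answer (it can be used to lock legitimate administrators out, and a patient attacker can spread guesses over time), so it is normally paired with rate limiting, alerting on failed logins, and a ban on dictionary words as passwords.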
The Federal Trade Commission Act (FTC Act), 15 U.S.C. § 41 et seq., empowers the FTC to take certain actions to promote consumer protection and to curb harmful anti-competitive business practices. The claims against Twitter were based on the FTC's power under Section 5 of the FTC Act, 15 U.S.C. § 45, which states that "unfair methods of competition in or affecting commerce, and unfair or deceptive acts or practices in or affecting commerce, are hereby declared unlawful" and permits the FTC to investigate and prevent such practices. If the FTC investigates a business and concludes that unlawful conduct has occurred, the FTC may: (1) seek the business's voluntary compliance; (2) file an administrative complaint; or (3) initiate litigation in the federal courts. Section 5 also permits the FTC to impose civil penalties for knowing violations of FTC rules or for violation of a consent order between a business and the FTC. See 15 U.S.C. § 45(l) and (m). Under recent changes to the applicable regulations, the FTC may impose civil penalties of up to $16,000 for each knowing violation of Section 5 or each failure to comply with a final consent order regarding alleged violations of that section. See 16 CFR § 1.98.
In this case, the FTC charged that Twitter "deceived consumers and put their privacy at risk by failing to safeguard their personal information" in violation of Section 5(a) of the FTC Act. The FTC had reached a preliminary settlement with Twitter in June 2010. This final settlement is a "consent agreement," meaning that, in entering the settlement, Twitter did not admit that it had violated any laws. Under the settlement, Twitter will be barred for twenty years from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers." Twitter also must establish and maintain a comprehensive information security program "reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic information." Twitter must also ensure that any service providers it employs maintain appropriate data security safeguards. Further, it must designate one or more employees to coordinate and be accountable for the company's information security program. Twitter's security measures will be assessed by an independent auditor every other year for 10 years. The FTC may fine Twitter up to $16,000 for every violation of the consent agreement. (See the FTC's final decision and order.)
The settlement was finalized shortly after another high-profile incident of alleged Twitter account hacking on March 3, 2011, this one featuring Ashton Kutcher, one of the first celebrities to use Twitter as a promotional tool (he has over six million Twitter followers) and himself known for his celebrity-prank television show Punk'd. On that date, the following tweet was posted from Kutcher's feed: "Ashton, you've been Punk'd. This account is not secure. Dude, where's my SSL?" ("SSL" is short for "Secure Sockets Layer," the technology behind https:// web addresses. It encrypts the traffic between a browser and a web server so that others on the same network cannot read or alter it, and it lets the browser verify that it is talking to the genuine server rather than an impostor.)
Above: The tweet posted by a hacker on Ashton Kutcher’s Twitter account on March 3, 2011.
Some speculate that Kutcher's account may have been hacked while he used an unencrypted connection at a WiFi hotspot. Most people do not realize that, because many free WiFi hotspots run open (unencrypted) networks, everything sent over them can be recorded by anyone within radio range unless the user is: (1) connected to a virtual private network (VPN), (2) remotely connected to a computer network through a service like LogMeIn or GoToMyPC, (3) using an SSL connection (an https:// address, usually shown with a padlock in the browser), or (4) otherwise encrypting transmissions. At an open hotspot it is very easy for someone sitting nearby, using freely available software on an ordinary laptop, to "hitch a ride" on another person's session. The mechanism is simple: once you log in, a website hands your browser a small token (a "cookie") that the browser sends back with every later request so the site knows it is you. If the site sends that token over plain http://, an eavesdropper can copy it into his own browser, and the site will treat him as you without his ever needing your password. The "hitcher" thereby gains access to the user's Facebook or Twitter session, or can capture other information shared during that WiFi session, including user names and passwords typed into unencrypted forms. Note that encrypting only the login page does not help, because the token travels with every request after login; the whole session must use SSL. (If you have to ask whether you have been using a VPN or an SSL connection while on the WiFi connection at your local coffee shop, you almost certainly are not.) Because of the lack of security at such free WiFi hotspots, it is wise not to send or receive sensitive e-mails, or to transmit personal data (especially user names and passwords) or financial data, from those locations.
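As an added example (not part of the original article and not Twitter's or any other site's code), the following shows what an eavesdropper on an open hotspot actually gets from captured traffic, and the server-side cookie setting that limits the damage. The captured payloads are constructed for the example; `social.example` and `mail.example` are placeholder host names, and the cookie and password values are made up.

```python
from urllib.parse import parse_qs

# Constructed payloads standing in for packets recorded on an open hotspot.
# Over plain HTTP the whole request, cookies and form fields included, is
# readable by anyone on the same network.
PLAINTEXT_TWEET_REQUEST = (
    b"POST /status/update HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Cookie: _session=4f1e9c2b7a; lang=en\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 18\r\n"
    b"\r\n"
    b"status=hello+world"
)
PLAINTEXT_LOGIN_REQUEST = (
    b"POST /login HTTP/1.1\r\n"
    b"Host: mail.example\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\n"
    b"Content-Length: 31\r\n"
    b"\r\n"
    b"username=alice&password=hunter2"
)
# Opening bytes of a TLS (SSL) record: everything the application sends
# inside it is encrypted, so the sniffer sees no cookie and no password.
TLS_RECORD = b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03\x8f\x11"

SECRET_FIELDS = ("password", "passwd", "pass", "pwd")


def parse_http_request(payload):
    """Return (request_line_parts, headers, body) for a cleartext HTTP
    request, or None when the bytes are not readable HTTP (e.g. TLS)."""
    head, _, body = payload.partition(b"\r\n\r\n")
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return None
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return parts, headers, body


def sniff_secrets(payload):
    """What the 'hitcher' gets from one captured request: every cookie
    (the session token that lets him impersonate the user) and any
    password submitted in a plain form."""
    parsed = parse_http_request(payload)
    if parsed is None:
        return []
    _, headers, body = parsed
    host = headers.get("host", "")
    found = []
    for pair in headers.get("cookie", "").split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            found.append(("cookie", host, name, value))
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body.decode("ascii", "replace")).items():
            if name.lower() in SECRET_FIELDS:
                found.append(("form", host, name, values[0]))
    return found


def audit_set_cookie(set_cookie_value):
    """Server-side check: attributes missing from a Set-Cookie header.
    Without 'Secure' the browser will also send the cookie over plain
    http://, so an SSL login page alone does not keep the token private."""
    attrs = {a.strip().split("=")[0].lower()
             for a in set_cookie_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


if __name__ == "__main__":
    for payload in (PLAINTEXT_TWEET_REQUEST, PLAINTEXT_LOGIN_REQUEST, TLS_RECORD):
        print(sniff_secrets(payload))
    print(audit_set_cookie("_session=4f1e9c2b7a; Path=/"))
    print(audit_set_cookie("_session=4f1e9c2b7a; Path=/; Secure; HttpOnly"))
```

From the first capture the eavesdropper recovers the `_session` cookie for `social.example`; sending his own request with that same `Cookie:` header makes the site treat him as the victim, which is all that is needed to post a tweet in someone else's name. From the second he gets a password outright. From the TLS record he gets nothing usable. On the server side, marking the session cookie `Secure` stops browsers from ever sending it over plain http://, and serving the entire logged-in session over SSL, not just the login page, removes the cleartext traffic the attack depends on.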
At the end of March, the FTC also reached a landmark settlement with Google with respect to Google's social networking site, Google Buzz, after the FTC accused Google of engaging in "deceptive tactics" and breaching user privacy because the site exposed, without adequate notice or consent, information about the contacts with whom users most frequently exchanged e-mail. The FTC did not impose a fine, but Google agreed to institute a "comprehensive privacy program," to undergo regular, independent privacy audits once every two years for the next 20 years, and to secure users' "affirmative consent" before making any future changes in Google's practices regarding the sharing of users' personal data with third parties.
Another massive security breach was revealed on April Fools' Day, when Epsilon, an e-mail marketing firm that serves numerous high-profile companies (including Target, Best Buy, TiVo, the Home Shopping Network, Hilton Hotels, Marriott for its "Marriott Rewards" program, and Walgreens), disclosed that the names and e-mail addresses of many customers of the companies that use Epsilon's services had been stolen. The Epsilon incident should concern anyone who does business online with one of Epsilon's clients: a thief who knows your name, your e-mail address and which companies you deal with can craft a message that looks exactly like the ones you already receive from them, and a weak or reused password (those of you who use "password" or "12345678" as your password, this means you) means that a single successful deception can unlock more than one account. In light of this data breach, consumers should be especially vigilant and skeptical of any communication that asks them to provide personal financial or identifying information, even if that communication seemingly comes from a legitimate business.
The lesson to be taken from these recent news items is one that has often been repeated of late – consider carefully what you transmit electronically, where you do it, and how you do it.
Rob McGuire is Counsel to the firm of Sterns & Weinroth in Trenton, New Jersey. His practice includes commercial and products liability litigation, professional liability defense, insurance coverage, and data security and privacy issues.