
FTC v Twitter Consent Decree Data Privacy

Posted on May 02 2018

originally posted March 2019, Updated May 2, 2018

Last week was an interesting week. Given the fallout over Cambridge Analytica, SCL Group and Facebook, I don’t think we’ve reached the end of the road. In my opinion Facebook’s “response” was underwhelming. That is why I detailed Facebook’s 20-year FTC Consent Decree and decided to research any FTC action against Twitter.

🚨Per the FTC Press Release circa 2010:

“Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information. The FTC alleged that serious lapses in the company’s data security allowed hackers to obtain unauthorized administrative control of Twitter, including both access to non-public user information and tweets that consumers had designated as private, and the ability to send out phony tweets from any account.”

FTC v Twitter DOCKET NO. C-4316 COMPLAINT

Most Twitter users are unaware that Twitter has had repeated issues locking their data down, which resulted in numerous complaints and pretty much forced the FTC to investigate Twitter’s practices. I refer you to Page 2, paragraph 7, which reads in part:

“From approximately July 2006 until July 2009, Twitter granted almost all of its employees the ability to exercise administrative control of the Twitter system, including the ability to: reset a user’s account password, view a user’s nonpublic tweets and other nonpublic user information, and send tweets on behalf of a user. Such employees have accessed these administrative controls using administrative credentials, composed of a user name and administrative password.”

Pages 3 & 4, paragraphs 11 & 12, which read in part:

“Contrary to the statements above, Twitter has engaged in a number of practices that, taken together, failed to provide reasonable and appropriate security to: prevent unauthorized access to nonpublic user information and honor the privacy choices exercised by its users in designating certain tweets as nonpublic. In particular, Twitter failed to prevent unauthorized administrative control of the Twitter system by, among other things, failing to:

a. establish or enforce policies sufficient to make administrative passwords hard to guess, including policies that:

(1) prohibit the use of common dictionary words as administrative passwords; and

(2) require that such passwords be unique – i.e., different from any password that the employee uses to access third-party programs, websites, and networks;

b. establish or enforce policies sufficient to prohibit storage of administrative passwords in plain text in personal email accounts;

c. suspend or disable administrative passwords after a reasonable number of unsuccessful login attempts;

d. provide an administrative login webpage that is made known only to authorized persons and is separate from the login webpage provided to other users...”

You can read the full five-page FTC complaint from March 2011 here.

Twitter’s 2011 FTC Consent Decree & Settlement

There are 3 items in the original 5 page FTC complaint that grabbed my attention:

  • (4) Twitter collects certain information from each user…includes: a user name and profile image, lists of the other Twitter users whom the user follows and is followed by, and, at the user’s option, a website address, location, time zone, and one-line narrative description or “bio.”
  • (4) In addition, tweets appear in the user profile for both sender and recipient – and are public – except where users “protect” their tweets or send “direct messages,” as described in paragraph 6, below.
  • (6)…”Twitter offers users the ability to send “direct messages” to a specified follower and states that “only author and recipient can view” such messages. Twitter also allows users to click a button labeled “Protect my tweets.” If a user chooses this option, Twitter states that the user’s tweets can be viewed only by the user’s approved followers. Unless deleted, direct messages and protected tweets (collectively, “nonpublic tweets”) are stored in the recipient’s Twitter account.
  • (7) From July 2006 until July 2009, Twitter granted almost all of its employees the ability to exercise administrative control of the Twitter system, including the ability to: reset a user’s account password, view a user’s nonpublic tweets and other nonpublic user information, and send tweets on behalf of a user. Such employees have accessed these administrative controls using administrative credentials, composed of a user name and administrative password.

In March 2011 the FTC entered the following Order and issued a Press Release stating that Twitter accepted the FTC findings and the Terms and Conditions of the executed Consent Decree. On two separate occasions Twitter was hacked and the hack went undetected for months, leaving its users’ personal data exposed. Twitter is bound to the March 2011 settlement agreement until March 2031, and each violation and subsequent occurrence carries a $10,000.00 fine. The order also mandates that Twitter submit to a security audit by a third party every two years for a duration of 10 years. See the link to the FTC Press Release here.

Link to FTC Consent Decree Order HERE

  • IT IS ORDERED ITEM I …”shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users.”
  • IT IS FURTHER ORDERED ITEM II …”shall…establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information…”
  • IT IS FURTHER ORDERED ITEM III …”that, in connection with its compliance with Paragraph II of this independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute…”
  • IT IS FURTHER ORDERED ITEM IV …”that respondent shall maintain and upon request make available to the Federal Trade Commission for inspection and copying, a print or electronic copy…”
  • “This order will terminate on March 2, 2031, or twenty (20) years from the most recent date that the United States or the Commission files a complaint (with or without an accompanying consent decree) in federal court alleging any violation of the order, whichever comes later; provided, however, that the filing of such a complaint will not affect the duration of.“

FTC v Twitter entire docket and case summary, here

FTC v Twitter complete case/docket file, here

And lastly, if you are one of the thousands who have been doxed and/or relentlessly harassed on Twitter, you need to understand that the FTC is an enforcement agency and Twitter is bound by the aforementioned terms and conditions of the 2011 Consent Decree until 2031. Below are a few friendly steps I took:

  1. Archive every tweet and account that is tweeting your personally identifiable information. No, really, take the time: create a spreadsheet and plug every single tweet into the Internet Archive, the Wayback Machine, Google Cache, etc.
  2. Do NOT respond to these tiny bitter trolls; they are using Twitter’s platform to break the law. So ignore them, do not give them any oxygen, and instead quietly capture all of their tweets.
  3. Use the Twitter long form to file a “complaint.” We all know Twitter won’t do anything, but this step is paramount.
  4. Once you receive an email from Twitter giving you a ticket number, save that email and any other subsequent follow-up emails.
  5. Contact your local law enforcement, BUT understand that filing a police report is subject to FOIA requests.
  6. So ask your local law enforcement if they have any type of report you can file that would require a subpoena for the release of that report.
  7. Once you’ve completed steps 1-6 you are now ready to file an actual FTC complaint against Twitter. (Sorry for yelling.)
  8. REFERENCE THE FTC v Twitter FTC MATTER/FILE NUMBER: 092 3093 in your complaint. The FTC link to file a complaint is here.
  9. You will receive an automatic reply with a case #. You may receive additional emails from the FTC; respond to their requests.
  10. And then wait...it can take a few weeks up to a few months, but once you have an FTC complaint number, contact your members of Congress.

Again, this can be a painfully slow process, but in the end it is worth it. The FTC is required by law to investigate and follow up on any “credible” FTC complaint they receive, but I cannot stress enough that you need to reference the FTC v Twitter case number. I hope this information is helpful. Twitter can be a toxic place, but that does not give trolls the right to dox you or your family members. -Spicy Out

