Hacking now receives significant media coverage; mainstream networks have covered the LulzSec and Anonymous activities, and even the Sony PlayStation Network scandal was well publicized, even though it was contained within the PS3 network. The coverage drops off once the system has been restored, but what actually happens afterward to those who were hacked?
One possible consequence is an FTC case. According to the stipulated facts, on January 4, 2009, a brute force password guessing program broke into a Twitter employee's administrative account. Once in, the intruder had access to every Twitter user's profile, account settings, and both protected and public Tweets. The intruder, among other things, sent messages from Barack Obama's account offering free gasoline cards.
(Image caption: Disabling webcams doesn't have the same criminal panache as a good ol' fashioned ski mask.)
The FTC challenged Twitter on two counts: first, that Twitter represented that it had taken reasonable security steps to protect information when in fact it had not, and second, that it represented to users that it would honor the privacy settings a user chose.
The FTC entered into a consent order with Twitter to resolve the case (as expected). The settlement included several very specific steps Twitter must take to ensure compliance.
The first was to designate an employee or employees to be responsible for Twitter's information security plan.
The second was to identify reasonably foreseeable risks, both internal and external, that could create risk of intrusion. These risks included the areas of employee training and management, information systems including network and software design, and prevention, detection, and response to attacks. Twitter was also required to design and implement a plan to address these risks.
There was also a separate subparagraph directing Twitter to maintain the privacy of user information, against internal access as well as outside intrusion. The FTC also outlined how the security and correctness of these measures should be verified and tested.
There are a few takeaways from this case. First, you clearly do not want the FTC to have reason to issue such a complaint against your company. As part of this agreement, Twitter does have some strict and onerous requirements. However, the order also makes it clear that Twitter had incredibly lax security policies. The cracked password was a short, all-lowercase dictionary word, guessed by a brute force program that simply took basic words from a list, submitted each one, and tried again. The FTC also noted that Twitter had no policy of expiring passwords, of assessing password strength, or even of locking out an account after repeated failed guesses.
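To make the missing controls concrete, here is an added illustration (not code from the original post, and not Twitter's own login code). A toy login service is attacked with a short, constructed word list; with no lockout the dictionary attack lands on the weak password, while a failure counter stops the same attack before it reaches the right guess. The password "sunshine", the word list and the lockout threshold are all assumptions chosen for the demo.

```python
import hashlib
import hmac
import os

# Constructed word list standing in for an attacker's dictionary (assumption; not the
# list used in the 2009 intrusion). Kept short so the demo runs quickly.
WORDLIST = ["password", "letmein", "welcome", "sunshine", "monkey", "dragon",
            "football", "baseball", "shadow", "master", "qwerty", "abc123"]


class AuthService:
    """Toy login endpoint. max_failures=None reproduces the no-lockout behaviour the
    FTC described; an integer locks the account after that many failed guesses."""

    def __init__(self, password, max_failures=None, iterations=20_000):
        self.salt = os.urandom(16)
        self.iterations = iterations          # demo value; production uses far more
        self.digest = self._hash(password)    # never store the password itself
        self.max_failures = max_failures
        self.failures = 0
        self.locked = False

    def _hash(self, pw):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), self.salt, self.iterations)

    def login(self, guess):
        """Return 'ok', 'denied' or 'locked'. A locked account rejects even the
        correct password, which is exactly what stops the guessing program."""
        if self.locked:
            return "locked"
        if hmac.compare_digest(self._hash(guess), self.digest):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return "denied"


def dictionary_attack(service, wordlist):
    """Submit each word in turn, as the 2009 program did. Returns (password, attempts)
    on success, or (None, attempts) if the account locks or the list runs out."""
    for attempts, word in enumerate(wordlist, start=1):
        result = service.login(word)
        if result == "ok":
            return word, attempts
        if result == "locked":
            return None, attempts
    return None, len(wordlist)


def password_is_acceptable(pw, wordlist, min_len=12):
    """Minimal strength policy of the kind the FTC said was absent: a minimum length,
    no bare dictionary words, and at least three character classes."""
    if len(pw) < min_len or pw.lower() in wordlist:
        return False
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return sum(classes) >= 3


if __name__ == "__main__":
    # "sunshine" is an assumed weak, all-lowercase dictionary password.
    print("no lockout:", dictionary_attack(AuthService("sunshine"), WORDLIST))
    print("lockout after 3:", dictionary_attack(AuthService("sunshine", max_failures=3), WORDLIST))
    print("policy rejects 'sunshine':", not password_is_acceptable("sunshine", WORDLIST))
```

A hard lockout is the simplest version of the control and is enough to show the point; in practice a counter that any outsider can trip is also a denial-of-service lever against legitimate users, so real deployments usually combine throttling or increasing delays with alerting on the failed attempts rather than relying on lockout alone.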
Second, it appears that Twitter opened itself up to some liability in the realm of privacy. The FTC noted that Twitter repeatedly asserted that direct messages and protected tweets were private, when in fact every Twitter employee had access to them. Although the order does not say so explicitly, it does appear that if Twitter had disclosed that employees could access private user content, there would have been no case on that count.