Twitter, Inc.; Analysis of Proposed Consent Order to Aid Public Comment, 37806-37808 [2010-15827]
Federal Register / Vol. 75, No. 125 / Wednesday, June 30, 2010 / Notices
FEDERAL TRADE COMMISSION
[File No. 092 3093]
Twitter, Inc.; Analysis of Proposed
Consent Order to Aid Public Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
SUMMARY: The consent agreement in this
matter settles alleged violations of
federal law prohibiting unfair or
deceptive acts or practices or unfair
methods of competition. The attached
Analysis to Aid Public Comment
describes both the allegations in the
draft complaint and the terms of the
consent order — embodied in the
consent agreement — that would settle
these allegations.
DATES: Comments must be received on
or before July 26, 2010.
ADDRESSES: Interested parties are
invited to submit written comments
electronically or in paper form.
Comments should refer to ‘‘Twitter, Inc.,
File No. 092 3093’’ to facilitate the
organization of comments. Please note
that your comment — including your
name and your state — will be placed
on the public record of this proceeding,
including on the publicly accessible
FTC website, at (https://www.ftc.gov/os/
publiccomments.shtm).
Because comments will be made
public, they should not include any
sensitive personal information, such as
an individual’s Social Security Number;
date of birth; driver’s license number or
other state identification number, or
foreign country equivalent; passport
number; financial account number; or
credit or debit card number. Comments
also should not include any sensitive
health information, such as medical
records or other individually
identifiable health information. In
addition, comments should not include
any ‘‘[t]rade secret or any commercial or
financial information which is obtained
from any person and which is privileged
or confidential. . . .,’’ as provided in
Section 6(f) of the FTC Act, 15 U.S.C.
46(f), and Commission Rule 4.10(a)(2),
16 CFR 4.10(a)(2). Comments containing
material for which confidential
treatment is requested must be filed in
paper form, must be clearly labeled
‘‘Confidential,’’ and must comply with
FTC Rule 4.9(c), 16 CFR 4.9(c).1
Because paper mail addressed to the
FTC is subject to delay due to
heightened security screening, please
consider submitting your comments in
electronic form. Comments filed in
electronic form should be submitted by
using the following weblink: (https://
public.commentworks.com/ftc/twitter)
and following the instructions on the
web-based form. To ensure that the
Commission considers an electronic
comment, you must file it on the web-based form at the weblink: (https://
public.commentworks.com/ftc/twitter).
If this Notice appears at (https://
www.regulations.gov/search/index.jsp),
you may also file an electronic comment
through that website. The Commission
will consider all comments that
regulations.gov forwards to it. You may
also visit the FTC website at (https://
www.ftc.gov/) to read the Notice and the
news release describing it.
A comment filed in paper form
should include the ‘‘Twitter, Inc., File
No. 092 3093’’ reference both in the text
and on the envelope, and should be
mailed or delivered to the following
address: Federal Trade Commission,
Office of the Secretary, Room H-135
(Annex D), 600 Pennsylvania Avenue,
NW, Washington, DC 20580. The FTC is
requesting that any comment filed in
paper form be sent by courier or
overnight service, if possible, because
U.S. postal mail in the Washington area
and at the Commission is subject to
delay due to heightened security
precautions.
1 The comment must be accompanied by an
explicit request for confidential treatment,
including the factual and legal basis for the request,
and must identify the specific portions of the
comment to be withheld from the public record.
The request will be granted or denied by the
Commission’s General Counsel, consistent with
applicable law and the public interest. See FTC
Rule 4.9(c), 16 CFR 4.9(c).
The Federal Trade Commission Act
(‘‘FTC Act’’) and other laws the
Commission administers permit the
collection of public comments to
consider and use in this proceeding as
appropriate. The Commission will
consider all timely and responsive
public comments that it receives,
whether filed in paper or electronic
form. Comments received will be
available to the public on the FTC
website, to the extent practicable, at
(https://www.ftc.gov/os/
publiccomments.shtm). As a matter of
discretion, the Commission makes every
effort to remove home contact
information for individuals from the
public comments it receives before
placing those comments on the FTC
website. More information, including
routine uses permitted by the Privacy
Act, may be found in the FTC’s privacy
policy, at (https://www.ftc.gov/ftc/
privacy.shtm).
FOR FURTHER INFORMATION CONTACT:
Laura Berger (202-326-2471), Bureau of
Consumer Protection, 600 Pennsylvania
Avenue, NW, Washington, D.C. 20580.
SUPPLEMENTARY INFORMATION: Pursuant
to section 6(f) of the Federal Trade
Commission Act, 38 Stat. 721, 15 U.S.C.
46(f), and § 2.34 of the Commission Rules
of Practice, 16 CFR 2.34, notice is
hereby given that the above-captioned
consent agreement containing a consent
order to cease and desist, having been
filed with and accepted, subject to final
approval, by the Commission, has been
placed on the public record for a period
of thirty (30) days. The following
Analysis to Aid Public Comment
describes the terms of the consent
agreement, and the allegations in the
complaint. An electronic copy of the
full text of the consent agreement
package can be obtained from the FTC
Home Page (for June 24, 2010), on the
World Wide Web, at (https://
www.ftc.gov/os/actions.shtm). A paper
copy can be obtained from the FTC
Public Reference Room, Room 130-H,
600 Pennsylvania Avenue, NW,
Washington, D.C. 20580, either in
person or by calling (202) 326-2222.
Public comments are invited, and may
be filed with the Commission in either
paper or electronic form. All comments
should be filed as prescribed in the
ADDRESSES section above, and must be
received on or before the date specified
in the DATES section.
Analysis of Agreement Containing
Consent Order to Aid Public Comment
The Federal Trade Commission has
accepted, subject to final approval, a
consent agreement from Twitter, Inc.
(‘‘Twitter’’).
The proposed consent order has been
placed on the public record for thirty
(30) days for receipt of comments by
interested persons. Comments received
during this period will become part of
the public record. After thirty (30) days,
the Commission will again review the
agreement and the comments received,
and will decide whether it should
withdraw from the agreement and take
appropriate action or make final the
agreement’s proposed order.
Since approximately July 2006,
Twitter has operated (www.twitter.com),
a social networking website that enables
consumers who use Twitter (‘‘users’’) to
send ‘‘tweets’’ – brief updates of 140
characters or less – to their ‘‘followers’’
(i.e., users who sign up to receive such
updates) via email and phone text.
Consumers who use Twitter can follow
other individuals, as well as
commercial, media, governmental, or
nonprofit entities. Twitter offers privacy
settings through which a user may
choose to designate tweets as nonpublic.
In addition, Twitter collects certain
information about its users that it does
not make public (‘‘nonpublic user
information’’). Such information
includes: an email address, Internet
Protocol (‘‘IP’’) addresses, mobile
telephone number (for users who
receive updates by phone), and the
username for any Twitter account that a
user has chosen to ‘‘block’’ from
exchanging tweets with the user. This
nonpublic user information cannot be
viewed by other users or any other third
parties, but – with the exception of IP
addresses – can be viewed after login by
the account owner.
The Commission’s complaint alleges
that Twitter violated Section 5(a) of the
FTC Act by falsely representing to
consumers that it uses at least
reasonable safeguards to protect user
information from unauthorized access.
The complaint further alleges that,
through its statements regarding the
privacy settings it offers to enable users
to keep their tweets private, Twitter
falsely represented that it maintains at
least reasonable safeguards to honor the
privacy choices exercised by users.
Despite these representations, Twitter
engaged in a number of practices that,
taken together, failed to provide
reasonable and appropriate security to
prevent unauthorized access to
nonpublic user information and honor
the privacy choices exercised by such
users in designating certain tweets as
nonpublic. Specifically, Twitter failed
to prevent unauthorized administrative
control of the Twitter system, which
includes the ability to: reset a user’s
account password, view a user’s
nonpublic tweets and other nonpublic
user information, and send tweets on
behalf of a user. Among other things,
Twitter failed to:
a. establish or enforce policies sufficient
to make administrative passwords
hard to guess, including policies that:
(1) prohibit the use of common
dictionary words as administrative
passwords; or (2) require that such
passwords be unique – i.e., different
from any password that the employee
uses to access third-party programs,
websites, and networks;
b. establish or enforce policies sufficient
to prohibit storage of administrative
passwords in plain text in personal
email accounts;
c. suspend or disable administrative
passwords after a reasonable number
of unsuccessful login attempts;
d. provide an administrative login
webpage that is made known only to
authorized persons and is separate
from the login webpage provided to
other users;
e. enforce periodic changes of
administrative passwords, such as by
setting these passwords to expire
every 90 days;
f. restrict each person’s access to
administrative controls according to
the needs of that person’s job; and
g. impose other reasonable restrictions
on administrative access, such as by
restricting access to specified IP
addresses.
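The seven failures above are, in practice, a checklist of controls an administrative login path must enforce. As an added illustration (not part of this notice, and not Twitter's code), the following Python sketch shows items (a), (c), (e), (f) and (g) enforced in code: a password policy that rejects dictionary words and reuse, lockout after repeated failures, expiry at the 90-day interval the complaint cites, per-action role checks, and a source-IP allowlist. The thresholds, the allowlisted network, the word list, the role table and the sample account are assumptions made for illustration. Items (b) and (d) are operational (where passwords may be stored, where the admin page is mounted) and appear only as comments.

```python
"""Administrative login gate sketch: items (a), (c), (e), (f) and (g)
enforced in code.

Constructed example. Thresholds, the allowlisted network, the word list,
the role table and the sample account are assumptions for illustration.
"""
import hashlib
import hmac
import ipaddress
import secrets
from dataclasses import dataclass

MIN_LENGTH = 12
MAX_FAILED_ATTEMPTS = 5                 # (c): lock after this many failures (assumed)
LOCKOUT_SECONDS = 15 * 60               # (c): lock duration (assumed)
MAX_PASSWORD_AGE = 90 * 24 * 3600       # (e): the 90-day figure from item (e)
ADMIN_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]   # (g): assumed office range
COMMON_WORDS = {"password", "twitter", "happiness", "letmein", "welcome"}  # (a)(1): toy list
# (f): each administrative capability named in the complaint maps to one role;
# an action with no entry here is granted to nobody.
REQUIRED_ROLE = {"reset_password": "support", "view_nonpublic_tweets": "trust_safety"}


def _hash(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so the admin table is never a plaintext list (cf. item (b)).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Admin:
    username: str
    roles: frozenset
    salt: bytes
    pw_hash: bytes
    pw_set_at: float        # epoch seconds when the password was last set
    failed: int = 0
    locked_until: float = 0.0


def check_password_policy(password: str, prior_hashes=()) -> list:
    """Item (a): return the list of policy violations (empty means acceptable).

    prior_hashes holds (salt, hash) pairs of passwords the employee is known to
    use elsewhere, so reuse can be rejected without storing them in clear.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    # Strip trailing digits/symbols so "Happiness1!" is still caught as a dictionary word.
    if password.lower().rstrip("0123456789!@#$%") in COMMON_WORDS:
        problems.append("dictionary word")
    for salt, h in prior_hashes:
        if hmac.compare_digest(_hash(password, salt), h):
            problems.append("reused password")
            break
    return problems


def make_admin(username: str, password: str, roles, now: float) -> Admin:
    problems = check_password_policy(password)
    if problems:
        raise ValueError("weak admin password: " + ", ".join(problems))
    salt = secrets.token_bytes(16)
    return Admin(username, frozenset(roles), salt, _hash(password, salt), now)


def admin_login(admin: Admin, password: str, source_ip: str, now: float) -> str:
    """Return "ok" or the reason the login was refused.

    Item (d) is a routing decision: this handler would be mounted on a separate,
    unadvertised admin path rather than on the public login page.
    """
    # (g): refuse before touching the password, so a guessed credential is
    # useless from outside the allowlisted network.
    if not any(ipaddress.ip_address(source_ip) in net for net in ADMIN_NETWORKS):
        return "ip not allowed"
    # (c): a locked account refuses even the correct password until the lock expires.
    if now < admin.locked_until:
        return "locked"
    if not hmac.compare_digest(_hash(password, admin.salt), admin.pw_hash):
        admin.failed += 1
        if admin.failed >= MAX_FAILED_ATTEMPTS:
            admin.failed = 0
            admin.locked_until = now + LOCKOUT_SECONDS
            return "locked"
        return "bad password"
    admin.failed = 0
    # (e): a correct but stale password goes to a reset flow, not to the console.
    if now - admin.pw_set_at > MAX_PASSWORD_AGE:
        return "password expired"
    return "ok"


def authorize(admin: Admin, action: str) -> bool:
    """Item (f): an admin may perform an action only if their role requires it."""
    return REQUIRED_ROLE.get(action) in admin.roles
```

The ordering inside `admin_login` is deliberate: the network check runs before any password comparison, and the lockout check runs before the hash, so that neither a guessed password nor a brute-force loop yields information to a caller outside the allowlist. A real deployment would persist `failed` and `locked_until` in shared storage rather than on an in-memory object, and the dictionary check would use a full word list rather than the toy set here.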
The complaint alleges that between
January and May 2009, intruders
exploited these failures on two
occasions in order to obtain
unauthorized administrative control of
the Twitter system. Through this
administrative control, the intruders
were able to: (1) gain unauthorized
access to nonpublic tweets and
nonpublic user information, and (2)
reset users’ passwords and send
unauthorized tweets from users’
accounts.
The proposed order applies to
‘‘nonpublic consumer information’’ from
or about an individual consumer.
‘‘Nonpublic consumer information’’ is
defined broadly to mean nonpublic,
individually-identifiable information
from or about an individual consumer,
including, but not limited to, an
individual consumer’s: (a) email
address; (b) Internet Protocol (‘‘IP’’)
address or other persistent identifier; (c)
mobile telephone number; and (d)
nonpublic communications made using
Twitter’s microblogging platform. The
proposed order contains provisions
designed to prevent Twitter from
engaging in the future in practices
similar to those alleged in the
complaint.
Part I of the proposed order prohibits
Twitter from misrepresenting the
security, privacy, confidentiality, or
integrity of any ‘‘nonpublic consumer
information.’’
Part II of the proposed order requires
Twitter to establish and maintain a
comprehensive information security
program in writing that is reasonably
designed to protect the security,
privacy, confidentiality, and integrity of
nonpublic consumer information. The
security program must contain
administrative, technical, and physical
safeguards appropriate to Twitter’s size
and complexity, the nature and scope of
its activities, and the sensitivity of the
nonpublic consumer information.
Specifically, the order requires Twitter
to:
• designate an employee or employees
to coordinate and be accountable for
the information security program;
• identify reasonably-foreseeable,
material risks, both internal and
external, that could result in the
unauthorized disclosure, misuse, loss,
alteration, destruction, or other
compromise of nonpublic consumer
information or in unauthorized
administrative control of the Twitter
system and assess the sufficiency of
any safeguards in place to control
these risks;
• design and implement reasonable
safeguards to control the risks
identified through risk assessment
and regularly test or monitor the
effectiveness of the safeguards’ key
controls, systems, and procedures;
• develop and use reasonable steps to
select and retain service providers
capable of appropriately safeguarding
nonpublic consumer information they
receive from respondent, and require
service providers by contract to
implement and maintain appropriate
safeguards; and
• evaluate and adjust its information
security program in light of the results
of the testing and monitoring, any
material changes to its operations or
business arrangements, or any other
circumstances that it knows or has
reason to know may have a material
impact on the effectiveness of its
information security program.
Part III of the proposed order requires
that Twitter obtain within 180 days, and
on a biennial basis thereafter for ten (10)
years, an assessment and report from a
qualified, objective, independent third-party professional, certifying, among
other things, that: it has in place a
security program that provides
protections that meet or exceed the
protections required by Part II of the
proposed order; and its security
program is operating with sufficient
effectiveness to provide reasonable
assurance that the security, privacy,
confidentiality, and integrity of
nonpublic consumer information is
protected.
Parts IV through VIII of the proposed
order are reporting and compliance
provisions. The proposed order requires
Twitter to retain for a period of five (5)
years from the date received, documents
that contradict, qualify, or call into
question its compliance with this order.
Part IV further requires that Twitter
retain all materials relied upon to
prepare the third-party assessments for
a period of three (3) years after the date
that each assessment is prepared. In
addition, Part IV requires that Twitter
retain all ‘‘widely-disseminated
statements’’ that describe the extent to
which it maintains and protects the
security, privacy, confidentiality, or
integrity of any nonpublic consumer
information, along with all materials
relied upon in making or disseminating
such statements, for a period of three (3)
years after the date of preparation or
dissemination, whichever is later. Part
IV also requires Twitter to maintain for
six (6) months from the date received all
consumer complaints directed at
Twitter or forwarded to Twitter from a
third party that relate to the activities
alleged in the proposed complaint.
Finally, Part IV requires that Twitter
maintain for two (2) years from the date
received copies of all subpoenas and
communications with law enforcement,
if such communications relate to
Twitter’s compliance with the order.
Part V requires dissemination of the
order now and in the future to
principals, officers, directors, and
managers, and to all current and future
employees, agents, and representatives
having responsibilities relating to the
subject matter of the order. Part VI
ensures notification to the FTC of
changes in corporate status. Part VII
mandates that Twitter submit an initial
compliance report to the FTC and make
available to the FTC subsequent reports.
Part VIII is a provision ‘‘sunsetting’’ the
order after twenty (20) years, with
certain exceptions.
The purpose of the analysis is to aid
public comment on the proposed order.
It is not intended to constitute an
official interpretation of the proposed
order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2010–15827 Filed 6–29–10; 1:40 pm]
BILLING CODE 6750–01–S
Agencies
[Federal Register Volume 75, Number 125 (Wednesday, June 30, 2010)]
[Notices]
[Pages 37806-37808]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2010-15827]
=======================================================================
-----------------------------------------------------------------------
FEDERAL TRADE COMMISSION
[File No. 092 3093]
Twitter, Inc.; Analysis of Proposed Consent Order to Aid Public
Comment
AGENCY: Federal Trade Commission.
ACTION: Proposed Consent Agreement.
-----------------------------------------------------------------------
SUMMARY: The consent agreement in this matter settles alleged
violations of federal law prohibiting unfair or deceptive acts or
practices or unfair methods of competition. The attached Analysis to
Aid Public Comment describes both the allegations in the draft
complaint and the terms of the consent order -- embodied in the consent
agreement -- that would settle these allegations.
DATES: Comments must be received on or before July 26, 2010.
ADDRESSES: Interested parties are invited to submit written comments
electronically or in paper form. Comments should refer to``Twitter,
Inc., File No. 092 3093'' to facilitate the organization of comments.
Please note that your comment -- including your name and your state --
will be placed on the public record of this proceeding, including on
the publicly accessible FTC website, at (https://www.ftc.gov/os/publiccomments.shtm).
Because comments will be made public, they should not include any
sensitive personal information, such as an individual's Social Security
Number; date of birth; driver's license number or other state
identification number, or foreign country equivalent; passport number;
financial account number; or credit or debit card number. Comments also
should not include any sensitive health information, such as medical
records or other individually identifiable health information. In
addition, comments should not include any ``[t]rade secret or any
commercial or financial information which is obtained from any person
and which is privileged or confidential. . . .,'' as provided in
Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and Commission Rule
4.10(a)(2), 16 CFR 4.10(a)(2). Comments containing material for which
confidential treatment is requested must be filed in paper form, must
be clearly labeled ``Confidential,'' and must comply with FTC Rule
4.9(c), 16 CFR 4.9(c).\1\
---------------------------------------------------------------------------
\1\ The comment must be accompanied by an explicit request for
confidential treatment, including the factual and legal basis for
the request, and must identify the specific portions of the comment
to be withheld from the public record. The request will be granted
or denied by the Commission's General Counsel, consistent with
applicable law and the public interest. See FTC Rule 4.9(c), 16 CFR
4.9(c).
---------------------------------------------------------------------------
Because paper mail addressed to the FTC is subject to delay due to
heightened security screening, please consider submitting your comments
in electronic form. Comments filed in electronic form should be
submitted by using the following weblink: (https://public.commentworks.com/ftc/twitter) and following the instructions on
the web-based form. To ensure that the Commission considers an
electronic comment, you must file it on the web-based form at the
weblink: (https://public.commentworks.com/ftc/twitter). If this Notice
appears at (https://www.regulations.gov/search/index.jsp), you may also
file an electronic comment through that website. The Commission will
consider all comments that regulations.gov forwards to it. You may also
visit the FTC website at (https://www.ftc.gov/) to read the Notice and
the news release describing it.
A comment filed in paper form should include the ``Twitter, Inc.,
File No. 092 3093'' reference both in the text and on the envelope, and
should be mailed or delivered to the following address: Federal Trade
Commission, Office of the Secretary, Room H-135 (Annex D), 600
Pennsylvania Avenue, NW, Washington, DC 20580. The FTC is requesting
that any comment filed in paper form be sent by courier or overnight
service, if possible, because U.S. postal mail in the Washington area
and at the Commission is subject to delay due to heightened security
precautions.
The Federal Trade Commission Act (``FTC Act'') and other laws the
Commission administers permit the collection of public comments to
consider and use in this proceeding as appropriate. The Commission will
consider all timely and responsive public comments that it receives,
whether filed in paper or electronic form. Comments received will be
available to the public on the FTC website, to the extent practicable,
at (https://www.ftc.gov/os/publiccomments.shtm). As a matter of
discretion, the Commission makes every effort to remove home contact
information for individuals from the public comments it receives before
placing those comments on the FTC website. More information, including
routine uses permitted by the Privacy Act, may be found in the FTC's
privacy policy, at (https://www.ftc.gov/ftc/privacy.shtm).
FOR FURTHER INFORMATION CONTACT: Laura Berger (202-326-2471), Bureau of
Consumer Protection, 600 Pennsylvania Avenue, NW, Washington, D.C.
20580.
SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal
Trade Commission Act, 38 Stat. 721, 15 U.S.C. 46(f), and Sec. 2.34 the
Commission Rules of Practice, 16 CFR 2.34, notice is hereby given that
the above-captioned consent agreement containing a consent order to
cease and desist, having been filed with and accepted, subject to final
approval, by the Commission, has been placed on the public record for a
period of thirty (30) days. The following Analysis to Aid Public
Comment describes the terms of the consent agreement, and the
allegations in the complaint. An electronic copy of the full text of
the consent agreement package can be obtained from the FTC Home Page
(for June 24, 2010), on the World Wide Web, at (https://www.ftc.gov/os/actions.shtm). A paper copy can be obtained from the FTC Public
Reference Room, Room 130-H, 600 Pennsylvania Avenue, NW, Washington,
D.C. 20580, either in person or by calling (202) 326-2222.
[[Page 37807]]
Public comments are invited, and may be filed with the Commission
in either paper or electronic form. All comments should be filed as
prescribed in the ADDRESSES section above, and must be received on or
before the date specified in the DATES section.
Analysis of Agreement Containing Consent Order to Aid Public Comment
The Federal Trade Commission has accepted, subject to final
approval, a consent agreement from Twitter, Inc. (``Twitter'').
The proposed consent order has been placed on the public record for
thirty (30) days for receipt of comments by interested persons.
Comments received during this period will become part of the public
record. After thirty (30) days, the Commission will again review the
agreement and the comments received, and will decide whether it should
withdraw from the agreement and take appropriate action or make final
the agreement's proposed order.
Since approximately July 2006, Twitter has operated
(www.twitter.com), a social networking website that enables consumers
who use Twitter (``users'') to send ``tweets'' - brief updates of 140
characters or less - to their ``followers'' (i.e., users who sign up to
receive such updates) via email and phone text. Consumers who use
Twitter can follow other individuals, as well as commercial, media,
governmental, or nonprofit entities. Twitter offers privacy settings
through which a user may choose to designate tweets as nonpublic. In
addition, Twitter collects certain information about its users that it
does not make public (``nonpublic user information''). Such information
includes: an email address, Internet Protocol (``IP'') addresses,
mobile telephone number (for users who receive updates by phone), and
the username for any Twitter account that a user has chosen to
``block'' from exchanging tweets with the user. This nonpublic user
information cannot be viewed by other users or any other third parties,
but - with the exception of IP addresses - can be viewed after login by
the account owner.
The Commission's complaint alleges that Twitter violated Section
5(a) of the FTC Act by falsely representing to consumers that it uses
at least reasonable safeguards to protect user information from
unauthorized access. The complaint further alleges that, through its
statements regarding the privacy settings it offers to enable users to
keep their tweets private, Twitter falsely represented that it
maintains at least reasonable safeguards to honor the privacy choices
exercised by users. Despite these representations, Twitter engaged in a
number of practices that, taken together, failed to provide reasonable
and appropriate security to prevent unauthorized access to nonpublic
user information and honor the privacy choices exercised by such users
in designating certain tweets as nonpublic. Specifically, Twitter
failed to prevent unauthorized administrative control of the Twitter
system, which includes the ability to: reset a user's account password,
view a user's nonpublic tweets and other nonpublic user information,
and send tweets on behalf of a user. Among other things, Twitter failed
to:
a. establish or enforce policies sufficient to make administrative
passwords hard to guess, including policies that: (1) prohibit the use
of common dictionary words as administrative passwords; or (2) require
that such passwords be unique - i.e., different from any password that
the employee uses to access third-party programs, websites, and
networks;
b. establish or enforce policies sufficient to prohibit storage of
administrative passwords in plain text in personal email accounts;
c. suspend or disable administrative passwords after a reasonable
number of unsuccessful login attempts;
d. provide an administrative login webpage that is made known only to
authorized persons and is separate from the login webpage provided to
other users;
e. enforce periodic changes of administrative passwords, such as by
setting these passwords to expire every 90 days;
f. restrict each person's access to administrative controls according
to the needs of that person's job; and
g. impose other reasonable restrictions on administrative access, such
as by restricting access to specified IP addresses.
The complaint alleges that between January and May 2009, intruders
exploited these failures on two occasions in order to obtain
unauthorized administrative control of the Twitter system. Through this
administrative control, the intruders were able to: (1) gain
unauthorized access to nonpublic tweets and nonpublic user information,
and (2) reset users' passwords and send unauthorized tweets from users'
accounts.
The proposed order applies to ``nonpublic consumer information''
from or about an individual consumer. ``Nonpublic consumer
information'' is defined broadly to mean nonpublic, individually-
identifiable information from or about an individual consumer,
including, but not limited to, an individual consumer's: (a) email
address; (b) Internet Protocol (``IP'') address or other persistent
identifier; (c) mobile telephone number; and (d) nonpublic
communications made using Twitter's microblogging platform. The
proposed order contains provisions designed to prevent Twitter from
engaging in the future in practices similar to those alleged in the
complaint.
Part I of the proposed order prohibits Twitter from misrepresenting
the security, privacy, confidentiality, or integrity of any ``nonpublic
consumer information.''
Part II of the proposed order requires Twitter to establish and
maintain a comprehensive information security program in writing that
is reasonably designed to protect the security, privacy,
confidentiality, and integrity of nonpublic consumer information. The
security program must contain administrative, technical, and physical
safeguards appropriate to Twitter's size and complexity, the nature and
scope of its activities, and the sensitivity of the nonpublic consumer
information. Specifically, the order requires Twitter to:
• designate an employee or employees to coordinate and be
accountable for the information security program;
• identify reasonably-foreseeable, material risks, both internal
and external, that could result in the unauthorized disclosure, misuse,
loss, alteration, destruction, or other compromise of nonpublic
consumer information or in unauthorized administrative control of the
Twitter system and assess the sufficiency of any safeguards in place to
control these risks;
• design and implement reasonable safeguards to control the
risks identified through risk assessment and regularly test or monitor
the effectiveness of the safeguards' key controls, systems, and
procedures;
• develop and use reasonable steps to select and retain service
providers capable of appropriately safeguarding nonpublic consumer
information they receive from respondent, and require service providers
by contract to implement and maintain appropriate safeguards; and
• evaluate and adjust its information security program in light
of the results of the testing and monitoring, any material changes to
its operations or business arrangements, or any other circumstances
that it knows or has reason to know may have a material impact on the
effectiveness of its information security program.
Part III of the proposed order requires that Twitter obtain within
180 days, and on a biennial basis thereafter for ten (10) years, an
assessment and report from a qualified, objective, independent third-
party professional, certifying, among other things, that: it has in
place a security program that provides protections that meet or exceed
the protections required by Part II of the proposed order; and its
security program is operating with sufficient effectiveness to provide
reasonable assurance that the security, privacy, confidentiality, and
integrity of nonpublic consumer information is protected.
Parts IV through VIII of the proposed order are reporting and
compliance provisions. The proposed order requires Twitter to retain
for a period of five (5) years from the date received, documents that
contradict, qualify, or call into question its compliance with this
order. Part IV further requires that Twitter retain all materials
relied upon to prepare the third-party assessments for a period of
three (3) years after the date that each assessment is prepared. In
addition, Part IV requires that Twitter retain all ``widely-
disseminated statements'' that describe the extent to which it
maintains and protects the security, privacy, confidentiality, or
integrity of any nonpublic consumer information, along with all
materials relied upon in making or disseminating such statements, for a
period of three (3) years after the date of preparation or
dissemination, whichever is later. Part IV also requires Twitter to
maintain for six (6) months from the date received all consumer
complaints directed at Twitter or forwarded to Twitter from a third
party that relate to the activities alleged in the proposed complaint.
Finally, Part IV requires that Twitter maintain for two (2) years from
the date received copies of all subpoenas and communications with law
enforcement, if such communications relate to Twitter's compliance with
the order.
Part V requires dissemination of the order now and in the future to
principals, officers, directors, and managers, and to all current and
future employees, agents, and representatives having responsibilities
relating to the subject matter of the order. Part VI ensures
notification to the FTC of changes in corporate status. Part VII
mandates that Twitter submit an initial compliance report to the FTC
and make available to the FTC subsequent reports. Part VIII is a
provision ``sunsetting'' the order after twenty (20) years, with
certain exceptions.
The purpose of the analysis is to aid public comment on the
proposed order. It is not intended to constitute an official
interpretation of the proposed order or to modify its terms in any way.
By direction of the Commission.
Donald S. Clark,
Secretary.
[FR Doc. 2010-15827 Filed 6-29-10; 1:40 pm]
BILLING CODE 6750-01-S