Bitter Twitter Boilerplate

Here's a short, innocuous sounding paragraph from the Privacy Policy Twitter had in place for a couple of years:

"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical and electronic measures designed to protect your information from unauthorized access."

Reassuring, yes? But vague enough to cover anything a company might do, or get around to doing, whenever user security got to be a high enough priority. Startups have lots of "priorities" competing for attention in the early months.

Evil_twitter_bird_2 It sounds like pretty good boilerplate you might consider cutting and pasting into your own privacy policy, if only to "cover the bases" while you figure out how you are actually going to protect sensitive user information!

But not so fast. You might be better off making no statement about user security, no express or implied reassurance at all (not even say that you care!), than say something without substance.

That would seem to be the lesson from the settlement Twitter recently reached with the Federal Trade Commission.

In a complaint (link is to short pdf) against Twitter, the FTC alleged that the two sentences quoted above, and other statements on Twitter's site, were false or misleading, because, reading them, a user would assume that "[Twitter] uses reasonable and appropriate security measures to honor the privacy choices exercised by users."

Because Twitter in fact did not have such security measures in place, the FTC said, Twitter had engaged in "deceptive acts or practices" in violation of federal consumer protection law.

The terms of the settlement (link is to pdf; settlement not yet officially final) impose costs on Twitter. According to a post on by William B. Baker, "If the consent decree [settlement] is approved, Twitter will have to live with the oversight that accompanies an FTC consent decree for 20 years (or more than four times the length of time that the company has existed)."

Learning from Twitter's Mistakes

The FTC complaint alleged a number of acts and omissions by which Twitter "failed to prevent unauthorized administrative control of the Twitter system."

Working backward from this list, we can make an affirmative checklist of presumptively "good practices" that might help a startup with an expanding user base stay out of regulatory trouble (the following language closely tracks the FTC complaint):

  • Establish and enforce policies to make administrative passwords hard to guess, including policies that prohibit the use of common dictionary words and that require that passwords be different from those an employee uses to access third-party sites and programs.
  • Prohibit storage of administrative passwords in plain text in personal email accounts.
  • Disable administrative passwords after a reasonable number of unsuccessful login attempts.
  • Provide an administrative login webpage known only to authorized persons and separate from the login webpage provided to users.
  • Enforce periodic changes of administrative passwords, such as by setting them to expire every 90 days.
  • Restrict access to administrative controls according to the needs of a person’s job.
  • Restrict access to specified IP addresses.

Image credit: Chip O'Toole's Blog.

blog comments powered by Disqus