Twitter settles FTC privacy case

Twitter had been criticised for lax security practices

Twitter has agreed to adopt new security measures that will settle its privacy case with the US Federal Trade Commission (FTC).

The FTC said that the micro-blogging site will now enforce best practice for password selection and control, and submit to regular audits of its security controls.

Twitter will be required to adopt unique non-dictionary passwords not used with other accounts or stored within unencrypted email messages.

The company must also swap out passwords regularly, and protect its administrative controls through a unique log-in page that locks an account after a certain number of failed log-in attempts.

Additionally, Twitter will be required to adjust its notifications to users in order to avoid misleading them about the company's privacy protections.

Twitter general counsel Andrew Macgillivray said in a blog post that the company had already adopted a number of the stipulations in the settlement.

"Even before the agreement, we'd implemented many of the FTC's suggestions, and the agreement formalises our commitment to those security practices," he wrote.

The deal stems from two incidents in 2009 which led to Twitter accounts being compromised and the theft of Twitter corporate data.

The FTC said that the breaches were due to lax security practices, such as using dictionary-based passwords and not limiting the number of log-in attempts on an account.

"When a company promises consumers that their personal information is secure, it must live up to that promise," said David Vladeck, director of the FTC Bureau of Consumer Protection.

"Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations."