Twitter settles with FTC for privacy breach June 24, 2010

Posted by jonathanpenn in privacy.
Organizations continue to face risk for security breaches. Normally, we talk about the risk of security breaches being fines and other costs around loss of PII, per California Senate Bill 1386 and similar laws in 45-or-so other states.

What’s interesting about Twitter’s settlement today with the FTC is that it had to do with a breach of information that is not protected under these kinds of laws. This isn’t the kind of data breach that the FTC normally delves into. My sense is that the oversight must have appeared to the FTC to be so lax as to be in violation of Twitter’s privacy policy – that is the kind of thing that it would and does pursue. Of course, having someone crack into Barack Obama’s account on your service is certainly going to raise the profile of the incident. (So why isn’t the FTC looking into the breach of Sarah Palin’s Yahoo! Mail account? Where’s the right-wing/tea-party outrage? 😉 )

The FTC specifically identified Twitter’s failure to adopt these practices (among others) as insufficient care:

  • Requiring employees to use hard-to-guess administrative passwords that are not used for other programs, websites, or networks;
  • Prohibiting employees from storing administrative passwords in plain text within their personal e-mail accounts;
  • Providing an administrative login webpage that is made known only to authorized persons and is separate from the login page for users (that seems to disqualify the use of SSO for those administrative accounts);
  • Enforcing periodic changes of administrative passwords by, for example, setting them to expire every 90 days;
  • Imposing other reasonable restrictions on administrative access, such as by restricting access to specified IP addresses.

I wonder how many companies – especially private ones, like Twitter – can claim to satisfy all these requirements?

As a result of the FTC investigation and settlement, Twitter is “barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to information and honor the privacy choices made by consumers.” It also “must establish and maintain a comprehensive information security program, which will be assessed by a third party every other year for 10 years” and is “barred for 20 years from misleading consumers about the extent to which it maintains and protects the security, privacy and confidentiality of nonpublic consumer information” (does that mean that everyone else is allowed to mislead consumers about this??).

The oversight framework is a familiar MO for the FTC in cases like this. It is not dissimilar from the settlements several years ago with Eli Lilly (FTC File No. 012 3214) and Guess, Inc. (FTC File No. 022 3260).

This trend in expanded scope for breach liability is growing, and organizations should brace themselves and prepare for increased oversight and exposure to liability as it pertains to private (but not personally identifiable) information. CISOs need to work more closely with Chief Privacy Officers (anyone with a social network or any kind of Web 2.0 presence, however modest, should really have one) and with the head of enterprise risk (which spans physical security, information security, compliance, legal, insurance, and privacy).


What Facebook and Google can learn from Avast! and AVG May 17, 2010

Posted by jonathanpenn in client security, privacy.
The latest string of privacy fiascos from Google and Facebook leads me to wonder if they will ever learn to respect their consumer users. For both companies, I think one of the dynamics behind this is the fact that these consumers aren’t the ones from whom the companies collect revenue, the incorrect conclusions the founders and executives derived from that, and the cultures they developed within their companies as they grew based on these erroneous assumptions.

Google has an almost innate ability to develop applications and services that unleash the power of the Internet to transform people’s lives. Yet the engineering culture that drives such stellar technical achievements is what hinders Google in their relationships with consumers. Google doesn’t have what it takes to run a consumer business: it’s just not in their DNA. This is how we can hear on the one hand about how Android is a smashing success from an engineering perspective and is purportedly now outselling the iPhone in the US, while learning the same week that Google is going to stop selling Nexus One direct to consumers.

To succeed with consumer products would require Google to have more polish and quality assurance beyond the core engineering challenge (versus relegating some services to the purgatory of perpetual beta), development of consumer customer support services (a la the Nexus One), and of course a more respectful approach to users (see: privacy).

It would be a shame if the lesson Google took from the Nexus One would be to forgo future efforts at selling direct to consumers. Having a deeper relationship with consumers and being accountable to them as paying customers would teach Google to be more sensitive to their concerns. It’s the same thing with Facebook: it, too, would have a completely different attitude and approach to privacy changes if consumers paid for their accounts.

It doesn’t have to be that way. Some companies that don’t get revenues from their consumer users approach them with understanding and respect just the same. I just spent a few days in Prague, where I met with the AV companies Avast! and AVG. At each of these companies, the vast majority of users are running the free version of their products. But the difference between Avast! and AVG on the one hand, and Google and Facebook on the other, in their attitudes towards their non-paying users could not be more stark. Avast! and AVG exhibit the utmost deference and sensitivity in dealing with their non-paying consumer users. They are fully aware that the future of their companies depends on their ability to retain and expand upon these relationships. As they explore ways to monetize these relationships, it’s by delivering more value and developing stronger bonds of trust. The Google and (especially) Facebook approach seems to be through exploitation and indifference.

One of the Heartland lawsuits dismissed December 10, 2009

Posted by jonathanpenn in privacy.
See the news article here.

This was the shareholder lawsuit, not the consumer/victim lawsuit, so different issues apply. But it’s still interesting. Somewhere down the road, such a case will win…likely because of a smoking gun email by IT security staff. That calls for greater communication and accountability around security, which smells like GRC to me.

DataLossDB.org maps stock price showing when the data breach occurred. Here’s the chart for Heartland.

Stock price isn’t always affected, even in big breaches. DSW stock kept rising after its breach of 1.4 million records. TJX stock didn’t seem affected either, after its big breach.

Google’s Achilles heel November 24, 2009

Posted by jonathanpenn in privacy.
Sure, people trust Google to come out with cool technology. But do they trust Google with their data and their privacy? Many don’t. Worse, many fear what Google does or could do with the data it aggregates.

I’ll let Google itself tell the story. If you do a Google search on “Google” and “big brother” you’ll get a whopping 58.9 million hits. Doing the same for “Microsoft” and “big brother” yields only 7.1 million. Even more surprising, a search on “government” and “big brother” results in just 13.4 million hits. Using search results as a rough proxy: people are more than 4 times more concerned that Google, rather than the government, is amassing too much information about us.

I see a lot of parallels between Google today and Microsoft circa 1999. What security was to Microsoft (but to Microsoft’s credit, isn’t any longer), privacy is to Google: a looming threat of customer dissatisfaction that could result in a mass migration of users and their eyeballs away from Google’s applications and search engine. And the friction for such a diaspora from Google’s web-based services and add-on applications is far lower than from Microsoft’s Windows or Office.

Google’s reputation is suffering, and its brand value is eroding. In 2008, Google dropped off the top 20 list of the Ponemon Institute-TRUSTe survey of most trusted companies, after coming in at #11 in 2007. It remains off the top 20 list for 2009.

Hopefully, this is something Google will recognize as an issue and start to address before it gets worse.

Consumers want privacy, not anonymity October 29, 2009

Posted by jonathanpenn in privacy.
I recently came across two posts about online privacy with quite different viewpoints. The first was from Eugene Kaspersky on the Kaspersky-run security news site Threatpost. In it, he talks about the loss of anonymity on the Internet (or, if we never had it, our inability to acquire it). It’s a thoughtful piece, but I don’t see anonymity as something Internet users (consumers) truly seek.

The second post was a CNET interview with Bruce Schneier. When CNET asked: “What do you think are the most serious legitimate threats to consumer privacy?”, Schneier responded: “Marketing. The legal collection, storage, resale, and reuse of personal information. Information brokers are doing more to hurt consumer privacy than anything criminals or the government can do.”

Now, most consumers don’t do a good job of articulating their concerns or needs. But then again, Bruce Schneier is not most consumers. He’s dead on: the issue isn’t about keeping information to yourself (anonymity). It’s about the rights of consumers and the responsibilities of corporations when consumers divulge information. This could be data we specifically entrust to organizations (bank account info, passwords, etc.). But it’s also about the kind of information that is collected without your active consent: search engine terms you entered, sites you visited, items you shop for. These are not actively given to anyone, but passively acquired through our interactions with Google, the use of third-party cookies and other tracking mechanisms, and the use of shopping tools to find the lowest prices.

I wrote about this in a Forrester report earlier this year, “Consumers Turn To Freeware As Their Security Concerns Deepen”. When we asked US online consumers “What personal information are you willing to have in the public domain?”, more people were willing to have their PII exposed than their web browsing and purchasing activity.

Very few people truly seek anonymity; what most of us seek is privacy: protections that only certain data is collected, that it is used only for intended purposes, that it is not shared beyond reasonable use and our consent, and that it is destroyed or deleted when the intended purposes are satisfied.

And, by the way: did anyone notice Bruce’s subtle endorsement of freeware AV among the advice he gives friends to protect themselves online: “[A]cquire and install a good antivirus program (there are good free ones), and configure your OS and router to protect you.”

A real world example of the privacy risks behind social apps October 20, 2009

Posted by jonathanpenn in identity, privacy.

For the past few months I had become an accidental crusader against the site myspaceprofiles.org (I’m not linking to it for a long list of reasons, as you’ll no doubt intuit from this post). First off, let’s clearly state that myspaceprofiles.org is not affiliated with the social site MySpace – and therein lies one of the problems. It appears to be a dating site, but the people on its site are not willing “members”: they are MySpace users whose personal information, posts, pictures (including copyrighted material) have been sucked out of MySpace by an application on that social network and posted to a site that looks like a dating service.

The privacy risks of applications on social networks like MySpace or Facebook have been known and written about for a while now (eg, here and here and here), but I’ve never seen such hard evidence of the abuse before. For some of the MySpace victims, these results show up pretty high on the list when they’re Googled, and that can be a problem, or at least an embarrassment.

I’m not even sure this is that huge a deal in the scheme of things. But when I hear from an affected twenty-something “I’ll never put up any data on the Web again”, I gotta think this is an issue worth looking at.

Serendipitously, I learned about all this right as I was getting briefed by the Public Internet Registry (who runs the .ORG top level domain) about their efforts “advocating for a safer global Internet community.” After an initial briefing, and fantastically responsive and helpful follow up by PIR’s Sr. Marketing Communications Manager Thuy LeDinh, I learned that there are limits to how safe, secure, and trusted .ORG can be – and the other TLDs are a lot worse of course.

But the short of it was that despite this being a scummy site, a violation of the developer’s agreement with MySpace, uncountable copyright violations, general misrepresentation of the people on the dating site, ignoring opt-out requests that it had set up on those pages, and even popping up pornography ads (adding insult to the victims’ injury!) — there’s nothing .ORG can seemingly do about this because the site isn’t engaged in illegal activity.

I consider myself a big believer that the Internet should be a place for free speech and free expression. But the fact that these poor people have no recourse seems somehow to fly in the face of other ideals I have about what’s just and giving people practical avenues through which their grievances can be addressed.

So I’m left with a few questions:

  1. Many people have discussed the folly of putting up embarrassing information. But now it seems like simply using these sites and posting innocuous information can still lead to embarrassment. Given that social networks are becoming such an ingrained fact of life – will we all come to regret it?
  2. Can anyone police the Internet at all? Or is that a fool’s errand?
  3. And why doesn’t MySpace go after a site like this?