Twitter security risks, popularity spark regulatory concerns

Twitter can be used for social good, business and journalism, but the potential for exploitation by cybercriminals and noncompliance with regulatory requirements is real and growing.

Twitter continues to grow in popularity in global communications -- and in importance. The popular microblogging service recently showed what it can do by communicating election information out of Iran. Still, with nagging concerns over Twitter security risks, privacy threats and regulatory compliance, people are asking, "Is using Twitter always right for the enterprise, or is it a risk to a business?"

"Social media provides a huge difference in the scale in risks to enterprises and personally identifiable information," said Glenn Manishin, a Washington, D.C.-based technology lawyer in attendance this week at Jeff Pulver's 140 Characters Conference in New York. "If a corporate employee puts out information in a tweet that's IP or private, anyone in the world can see it. In some networks, it's only particular friends. In Twitter, a tweet will be archived -- and the consequences are potentially much more significant."

John Kindervag, a senior analyst at Forrester Research Inc., said, "Right now, people just think it's fun but don't consider its security risks sufficiently. Cybercriminals will exploit it. They will be the drivers of the technology and protections that are needed to address that risk."

The substantive concerns over Twitter security risks, privacy threats and compliance have businesses considering how to address and plan for Twitter adoption, including policies for employees who establish personal accounts.

Regulatory compliance concerns

Hadley Stern, vice president of Fidelity Labs Inc., said his company considers "regulatory concerns, then privacy and security" when choosing what to post. "We wouldn't want our customers tweeting their passwords," he said. Stern brought up GM as an example: "It doesn't matter who the person is or where they sit in the company: The regulatory issues still apply."

It's not surprising that Stern and Fidelity are well aware of the regulatory concerns for financial entities: For those entrusted with maintaining enterprise security, regulatory compliance requires that the C-suite assess and address risk before, during and after social media adoption.

Forrester's Kindervag noted the growth rate of Twitter and other social networking platforms. "Compliance is a little bit behind on the curve in terms of dealing with this kind of Web 2.0 content," he said. "We need to be worried about issues of data leakage through Twitter or loss of intellectual property, along with inappropriate content."

The increasing use of Twitter to share data about the stock market could also bring regulatory scrutiny that investors would be well advised to consider. Enthusiasts of the @stocktwits group have publicly needled the Securities and Exchange Commission (SEC) over the use of Twitter to share financial information on individual securities, which may bring that oversight sooner.

"Twitter allows us to say f--- you to the SEC," Howard Lindzon said. Lindzon said he meant that Twitter is empowering investors and entrepreneurs, but real-time transmission of stock tips and information will have significant potential to draw the attention of the SEC.

"The SEC probably needs to make some sort of guidance about how companies and compliance officers can use their tools," said Manishin, though he added that he doesn't see insider trading as the primary issue. In his view, "true insider things happen on golf courses, however, not over the Internet, where it can never be traced back.

"Every public corporation, regardless of where they are listed, anyone subject to SEC regulation, is also subject to [fair disclosure] regulation -- and if they're large enough, SOX," Manishin noted. "Anyone inside tempted to post information about stock information on Twitter could be in serious violation."

Stern noted that prior innovations in technology have been addressed by regulators: "In our industry, a lot of it is driven by regulation, though it's been figured out with email and IM. Confidentiality of customer information is a big deal."

Will regulation be forthcoming that specifically addresses Twitter? Is Twitter compliance going to be on the lips of security officers next month? Professor Jonathan Ezor said he isn't so sure.

"No new rules are needed to cover Twitter, in terms of client communications," said the assistant professor of law and technology and director of the Institute for Business, Law and Technology at the Touro Law Center. "The financial services industry is already heavily regulated."

Log management concerns

Ezor said one of the primary regulations that has been an issue for instant messaging (IM) is the obligation to log and archive all client communication. "On the Twitter website, there's no logging capability.

"If a financial services company is going to enable Twitter, it needs to deal with the logging issues," Ezor said. That requirement could be met by pushing all relevant tweets through an email system or standardizing a business on a third-party client that includes logging functionality. "As clients discover that their brokers or advisors are on Twitter personally and ask 'Can I get your attention? Can I trade X?,' that needs to be logged."
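The logging requirement Ezor describes is concrete enough to sketch. The following is an added example, not code from the article or from any vendor client: a small archiver that takes tweet records, sorts them into direct messages, @-messages and public posts, flags client communications to a supervised employee that contain trade language, and writes each record into an append-only hash chain so that a later edit, deletion or reordering is detectable. The message shape (`id`, `text`, `created_at`, `user.screen_name`, `in_reply_to_screen_name`), the handle `jdoe_advisor` and the sample traffic are all constructed for the example.

```python
"""Append-only, tamper-evident archive for Twitter client communications.

Added example, not part of the original article. Message fields loosely follow
the Twitter REST API JSON of the period; the supervised handle and the sample
messages are constructed here and are not real accounts or tweets.
"""
import hashlib
import json
import re
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Assumption: handles of the firm's supervised employees (constructed).
SUPERVISED_HANDLES = {"jdoe_advisor"}
# Trade-instruction language a compliance officer would want flagged for review.
TRADE_WORDS = re.compile(r"\b(buy|sell|trade|short|orders?|shares?)\b", re.IGNORECASE)
GENESIS = "0" * 64  # prev_hash of the first record


@dataclass
class ArchiveRecord:
    seq: int
    source_id: str
    kind: str                 # "dm", "mention" or "public"
    sender: str
    recipient: Optional[str]
    created_at: str
    text: str
    needs_review: bool
    prev_hash: str
    record_hash: str = ""     # filled in by TweetArchive.append

    def digest(self) -> str:
        """SHA-256 over canonical JSON of every field except record_hash."""
        body = asdict(self)
        body.pop("record_hash")
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def classify(msg: Dict) -> str:
    """Map a raw message to one of the archive's communication kinds."""
    if msg.get("direct_message"):
        return "dm"
    if msg.get("in_reply_to_screen_name") or msg.get("text", "").startswith("@"):
        return "mention"
    return "public"


def recipient_of(msg: Dict, kind: str) -> Optional[str]:
    """Addressee of a DM or @-message; public posts have none."""
    if kind == "dm":
        return msg["recipient"]["screen_name"]
    if kind == "mention":
        if msg.get("in_reply_to_screen_name"):
            return msg["in_reply_to_screen_name"]
        m = re.match(r"@(\w+)", msg["text"])
        return m.group(1) if m else None
    return None


class TweetArchive:
    """Append-only store: each record's hash covers the previous record's hash."""

    def __init__(self) -> None:
        self.records: List[ArchiveRecord] = []

    def append(self, msg: Dict) -> ArchiveRecord:
        kind = classify(msg)
        # DMs carry a "sender" object, ordinary tweets a "user" object.
        sender = msg["user"]["screen_name"] if "user" in msg else msg["sender"]["screen_name"]
        recipient = recipient_of(msg, kind)
        involves_firm = sender in SUPERVISED_HANDLES or recipient in SUPERVISED_HANDLES
        needs_review = involves_firm and kind != "public" and bool(TRADE_WORDS.search(msg["text"]))
        prev = self.records[-1].record_hash if self.records else GENESIS
        rec = ArchiveRecord(
            seq=len(self.records), source_id=str(msg["id"]), kind=kind,
            sender=sender, recipient=recipient, created_at=msg["created_at"],
            text=msg["text"], needs_review=needs_review, prev_hash=prev,
        )
        rec.record_hash = rec.digest()
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """Recompute the chain; an edited, dropped or reordered record breaks it."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or rec.prev_hash != prev or rec.digest() != rec.record_hash:
                return False
            prev = rec.record_hash
        return True


# Constructed sample traffic (not real tweets): one DM, one @-message, one public post.
SAMPLE_MESSAGES = [
    {"id": 1001, "direct_message": True, "created_at": "Wed Jun 17 14:02:11 +0000 2009",
     "sender": {"screen_name": "client_42"}, "recipient": {"screen_name": "jdoe_advisor"},
     "text": "Can I get your attention? Can I trade XYZ before the close?"},
    {"id": 1002, "created_at": "Wed Jun 17 14:05:40 +0000 2009",
     "user": {"screen_name": "jdoe_advisor"}, "in_reply_to_screen_name": "client_42",
     "text": "@client_42 Please call the desk; I can't take orders over Twitter."},
    {"id": 1003, "created_at": "Wed Jun 17 15:10:03 +0000 2009",
     "user": {"screen_name": "jdoe_advisor"}, "text": "Great panel at #140conf today."},
]


def build_sample_archive() -> TweetArchive:
    archive = TweetArchive()
    for msg in SAMPLE_MESSAGES:
        archive.append(msg)
    return archive


if __name__ == "__main__":
    a = build_sample_archive()
    for r in a.records:
        flag = "REVIEW" if r.needs_review else ""
        print(r.seq, r.kind, r.sender, "->", r.recipient, flag, r.record_hash[:12])
    print("chain intact:", a.verify())
```

The point of the hash chain is that the archive, not the Twitter website, becomes the record of the client communication: a reviewer can later show that what was retained is what was captured. In practice the chain head would be anchored somewhere outside the writer's control (a WORM store or a periodically signed checkpoint), and the keyword filter is only a first pass for supervisory review, not a substitute for it.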

Twitter threats
• Data leakage
• Inappropriate content
• Lack of IT control
• Loss of IP
• Privacy
• SEC regulation
• Security

Ezor said he sees another regulatory hurdle: confidentiality. "Some types of communication must be kept protected, like medical information," he said. "In law, we are generally required to keep information confidential."

And, when it comes to a client who wants to maintain the attorney-client privilege, there are serious concerns. For instance, as Ezor explained, "Are Twitter communications protected by the privilege? Would an @ message be, or a DM?"

Manishin said he sees similar tensions. "Industries that are regulated -- like financial services or healthcare -- have three rationales for the regulation underlying them: Safety and soundness, privacy and security," he said. "If you work in an industry where your product is subject to approval by a government regulator -- like new drug trials -- and where that information is extremely valuable to speculators or extremely damaging to patients -- there's going to be an issue with using Twitter."

Manishin suggested that businesses think carefully, right now, about how employees are using social media. "Do you have a social media policy? Your employees are likely to be using Facebook or Twitter already. Do they know the risks?"

Walking around with data

Another Twitter issue is the use of mobile devices. Walking around with client information or organizational data is a serious exposure, as repeated data breaches due to the theft or loss of laptops have shown. That's why the Massachusetts data protection law included a provision requiring encryption of mobile storage media, including smartphones.

"If you have a nonpassword-protected device or one that can't be remotely wiped, it's a risk," Ezor said.

He noted one additional risk: telegraphing business deals, investments or projects. "Consider the casual nature of Twitter and Facebook, neither of which encourages a business voice. You can slip up, especially outside of the office," Ezor said. "If you tweet 'I'm on my way to a meeting with x company,' you've just revealed a business relationship."

And, in fact, that risk isn't theoretical. In "Twitter Code of Conduct," Doug MacMillan described the situation the CEO of interactive ad agency Tocquigny faced when a visiting executive from a large energy company learned that the agency was "wooing one of his company's competitors." How did he learn about it? One of Tocquigny's employees had tweeted about the potential relationship.

Twitter the 'now' media

The issues with Twitter and the enterprise go far beyond regulatory compliance, however, as there are substantial -- and growing -- security risks posed by the service. Twitter's combination of lightweight information sharing and near-instant propagation of information provides considerable utility to journalists, publishers or any other entity that wants to offer an easy way for interested parties to subscribe to a feed.

The speed with which information can propagate is what led conference organizer Jeff Pulver to describe Twitter as "now media," the latest and perhaps most important platform for the real-time Web. That same speed, however, means that a tweet that is damaging to a company's reputation or, potentially worse, leaks proprietary or personally identifiable information, can travel around the globe in seconds.

"As a security person, you spend your entire career trying to bottle everything up. Now it's all exposed. Privacy concerns are being self-defeated by these tools," Kindervag said. "There is a real potential for abuse here, in terms of people who are being stalked or those who have restraining orders."

Kindervag cited the example of a family who tweeted that they were going on vacation and were subsequently robbed. Coincidence? A CNET story, "Twitter user says vacation tweets led to burglary," reports precisely such a case. "If you're a criminal, or a husband separated from his wife, you're monitoring those things," he said.

"The bigger issue is that we may not have the terms available to deal with it, or the legal precedents, but should we block Twitter? Probably, but should we? The new generation may decide to leave the company if they can't use these things. How do you balance employee retention with security?"

Initially, security experts simply recommended that users of social networks shouldn't add any personal info.

Kindervag said he believes that "there are a lot of other abilities for abuse. Spam through Twitter, links to malware -- there's a trust that cybercriminals can quickly exploit."

New security tools emerging

Tools that can help users assess the safety of following accounts are emerging. Likely prompted by a suit from baseball legend Tony La Russa, Twitter recently introduced verified accounts, addressing concerns around fake celebrity accounts. Reputation-based antispam solutions may be adapted to Twitter's service in the future.

As Rob Westervelt has reported, the information security community is working collectively toward resolution, introducing a "Month of Twitter Bugs Project" to highlight the Twitter security issues that put millions of users at risk. According to Westervelt, next month "security researcher Aviv Raff will document cross-site scripting (XSS) flaws and other errors."

Such efforts come at a critical time for security and Twitter, given a recent Twitter worm attack that highlighted social network flaws. As noted by a Kaspersky expert, trust in social media platforms is eroding as social engineering attacks climb in 2009.

What's the bottom line? Twitter can absolutely be used for social good, business, journalism, art or music -- but the potential for exploitation by cybercriminals and noncompliance with regulatory requirements are real and growing. Businesses are well-advised to assess risk, establish policies for rational, sensible use of Twitter and other social media services and disseminate them to every employee.


Let us know what you think about the story; email: Alexander B. Howard, Associate Editor