S 5.156 Secure use of Twitter
Initiation responsibility: IT Security Officer, Head of IT, Supervisor
Implementation responsibility: User
Using the micro-blogging service Twitter, registered users can exchange news and information in short messages with a maximum of 140 characters. The users may register as "followers" of other users so that they receive their text messages.
When registering with this Internet service, the first name and surname, a user name and a password, as well as an email address must be entered. The user name is used to create the URL of the user's Twitter page: http://twitter.com/<user name>. The selected password must have a minimum length of 6 characters; there are no further requirements. However, users are made aware that they should select passwords that are as complex as possible ("Be tricky!"). In order to prevent identity theft, the usual password rules should be observed (see also S 2.11 Provisions governing the use of passwords).
The user IDs can be selected freely during registration. This way, it is possible to use false identities. Names of popular, famous persons or organisations can be selected and messages can be sent on their behalf.
Twitter also offers the "Verified Accounts" option, which marks user IDs whose identity has been checked with a symbol. So far, however, this option has only rarely been granted.
The way Twitter and similar web services are handled should be clearly defined in every organisation. In this respect, there are several variants:
- The organisation might prohibit the use of Twitter in general. The employees must then be notified of this. In addition, the ban can be supported by technical means, e.g. by filtering access to known web platforms. In this respect, one should be aware that users can always find new ways to access such services.
- There are also organisations where the use of Twitter is officially approved for official purposes, for example in order to actively provide information about the organisation's services or products.
A government agency or company should establish clear regulations describing:
- whether Twitter may be used for official purposes and, if so, under which general conditions (e.g. for forwarding information, use of pseudonyms, etc.) and
- what employees should take into consideration when using Twitter for private or official purposes.
As with all Internet services, the terms of use should be checked carefully before registering as a user, to determine whether they are acceptable from the organisation's perspective. The terms of use of the Twitter service allow the specified user information to be used for commercial purposes.
Twitter is known for spreading information quickly and widely. Frequently, information is forwarded via Twitter before news services have received it or been able to verify it. Twitter messages are often forwarded without authorisation or verification. Therefore, the plausibility of messages should be checked before they are forwarded or used.
Because of the restriction to 140 characters, links are often forwarded via Twitter as short URLs, which typically have a format such as http://kurzurl.com/d9khqp. The actual destination is hidden behind this short link. This is problematic, since it is not possible to see at first glance where the short URL leads, and users may be lured to websites serving malware.
Short URLs are also used by so-called spam followers. This term refers to automatically generated accounts that post messages from time to time. Just like the accounts of real persons, these accounts are filled with messages and link tips. The links in the various messages suggest varied and interesting destinations, but all lead to the same destination site. In order to ensure that users actually click the links, many such accounts are created and linked to each other and/or equipped with followers. These accounts then follow real accounts in the hope of attracting a large number of clicks on the corresponding links. In this way, spam is additionally distributed from the active accounts of legitimate Twitter members.
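Both of the preceding paragraphs come down to the same defensive step: resolve where a short URL actually leads before anyone clicks it, and notice when many different-looking links from one account all end at the same place. The following is an added example (not part of this safeguard and not a tool provided by Twitter or BSI) that follows a redirect chain one HEAD request at a time, with automatic redirect following switched off so that every hop is recorded and a redirect loop or an over-long chain is stopped, and then flags accounts whose distinct short links all resolve to one destination. The hostnames short.example, landing.example and news.example and the redirect table are constructed for the example; the fetcher is injectable so the logic runs offline against that table and against live hosts only if you pass the default fetcher.

```python
from collections import defaultdict
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import HTTPRedirectHandler, Request, build_opener

REDIRECT_CODES = {301, 302, 303, 307, 308}


class _NoRedirect(HTTPRedirectHandler):
    """Stop urllib from following redirects; the 3xx surfaces as HTTPError."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_head(url, timeout=5):
    """Default fetcher: one HEAD request, returns (status, Location header or None)."""
    opener = build_opener(_NoRedirect)
    try:
        with opener.open(Request(url, method="HEAD"), timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except HTTPError as err:            # 3xx and 4xx/5xx both land here
        return err.code, err.headers.get("Location")


def expand_url(url, fetch=http_head, max_hops=10):
    """Return the redirect chain starting at url; the last entry is the final destination.

    Stops on a non-redirect response, a missing Location header, a loop, or max_hops.
    """
    chain = [url]
    for _ in range(max_hops):
        status, location = fetch(chain[-1])
        if status not in REDIRECT_CODES or not location:
            break
        nxt = urljoin(chain[-1], location)   # Location may be relative
        if nxt in chain:                     # redirect loop
            break
        chain.append(nxt)
    return chain


def flag_same_destination(messages, fetch=http_head, min_links=3):
    """Flag accounts whose distinct short links all resolve to one destination.

    messages: iterable of (account, url). Returns {account: destination}.
    """
    resolved = defaultdict(dict)             # account -> {short_url: destination}
    for account, url in messages:
        resolved[account][url] = expand_url(url, fetch)[-1]
    flagged = {}
    for account, links in resolved.items():
        destinations = set(links.values())
        if len(links) >= min_links and len(destinations) == 1:
            flagged[account] = destinations.pop()
    return flagged


# Constructed redirect table standing in for live HEAD responses (not real hosts).
SAMPLE_REDIRECTS = {
    "http://short.example/a1": (301, "http://short.example/a2"),
    "http://short.example/a2": (302, "http://landing.example/offer"),
    "http://short.example/b7": (301, "http://landing.example/offer"),
    "http://short.example/c3": (302, "http://landing.example/go"),
    "http://landing.example/go": (302, "/offer"),           # relative Location
    "http://short.example/loop": (302, "http://short.example/loop"),
    "http://short.example/news": (301, "http://news.example/story/42"),
}


def sample_fetch(url):
    """Offline fetcher: anything not in the table is a plain 200 page."""
    return SAMPLE_REDIRECTS.get(url, (200, None))


# Constructed messages: one bot-like account, one ordinary account.
SAMPLE_MESSAGES = [
    ("spam_bot_01", "http://short.example/a1"),
    ("spam_bot_01", "http://short.example/b7"),
    ("spam_bot_01", "http://short.example/c3"),
    ("real_user", "http://short.example/news"),
    ("real_user", "http://short.example/b7"),
]

if __name__ == "__main__":
    for url in ("http://short.example/a1", "http://short.example/loop"):
        print(" -> ".join(expand_url(url, sample_fetch)))
    print(flag_same_destination(SAMPLE_MESSAGES, sample_fetch))
```

Using HEAD rather than GET means the final page is never fetched, so checking a suspicious link does not itself load whatever it points to; the heuristic is a screening aid only and an account that is flagged still deserves a human look before any action.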
Review questions:
- Has the use of Twitter been clearly regulated in the organisation?