FTC TO CREATE GUIDELINES FOR INTERNET PRIVACY

After over a year of silence by the FTC concerning Internet privacy, the Commission has responded to the increasingly loud outcry by privacy advocates and legislators. Earlier this week, the FTC announced that it plans to create guidelines on Internet privacy. A spokeswoman for the FTC stated that the FTC is “examining how social networks collect and share data as part of a project to develop a comprehensive framework governing privacy going forward.” The guidelines will provide a framework for how social networks and others collect, use and share personal data.

The catalyst for this step appeared to be a letter sent by Senator Charles Schumer (D-N.Y.), along with fellow Democratic senators Franken (Minn.), Bennet (Colo.), and Begich (Alaska), to the CEO of Facebook, Mark Zuckerberg, in response to Facebooks’s announcement that it would make data from its users available to third parties unless Facebook users opted out. Schumer’s letter requested Zuckerberg to reverse the policy and expressed concern that the federal government had not stepped up to protect the consumer from misuse of personal information. It called for the FTC to adopt consumer enforcement rules, and to step up consumer protection enforcement. See this Washington Post article.


Specifically, the senators requested Facebook to use an “opt-in” method, as opposed to the “opt-out” method announced by Facebook. Facebook has been pushing the envelope on sharing the personal data of its users for months now, and it was simply a matter of time before it reached the tipping point. With each new step taken by Facebook, privacy advocates denounced the moves more strongly, and criticized the FTC for failing to respond to complaints over Facebook’s changes, as well as the mishap by Google when it launched its own social networking site, Buzz. One thing is certain – this battle will continue to be waged aggressively on both sides. For Facebook, there are millions of dollars in revenue at stake. For the privacy advocates, Facebook is aiming to make itself the center of the internet, without regard to users’ privacy rights or the ability to control their personal data. The FTC has been under increasing pressure to impose a European-style opt in” standard in connection with the use of personal data by social networking sites. CDD FTC Complaint If past experience is any indication, however, it will be months before we know definitively whether the FTC will choose to move in that direction.

(Posted on behalf of Jane Shea)

EPIC Files Interesting Complaint Regarding Google Services

Earlier this month, Google sent out an email admitting to a bug (subsequently fixed) which caused some documents on Google's cloud computing services to be shared without their owners' knowledge or consent (a copy of the email can be found in this blog post). Now, the Electronic Privacy Information Center (EPIC) has filed a complaint with the FTC asking it to investigate Google's procedures, to force Google to revise its terms of service, and to spend $5,000,000 on security research. The complaint also asks that Google be enjoined from offering cloud computing services until "safeguards are verifiably established." The complaint can be found here.

At this point, I actually don't want the complaint to succeed - at least, not to succeed in full, as I use some of the services in question, and I don't want to wait for Google to get its act together on privacy before using them again. However, while I don't want the complaint to succeed, I do think it makes for interesting reading for people who care about, but aren't familiar with, the FTC's role in protecting consumer privacy. Highly recommended reading, at least for that class of reader.

via

Even More Limitations on Private Rights of Action

Previously, I've written about problems with protecting privacy through private civil suits, such as transaction costs, difficulty of proving damages, and a generally hostile court system. However, a recent breach notification by Geeks.com as indicated that even when those factors aren't present, people (or, in this case, businesses) still aren't that interested in enforcing their rights. The story, according to this article from Computer World is that the web site was victimized by an SQL injection attack, and the operators eventually entered into a settlement with the FTC wherein they agreed to undergo audits and not to make any further misleading claims about privacy. So far not particularly notable. However, as the article says, unlike most security breaches:

The breach was notable because the Geeks.com site prominently displayed a "Hacker Safe" seal provided to companies by McAfee Inc. as part of its ScanAlert vulnerability scanning service. However, McAfee officials said at the time that the Hacker Safe certification — since renamed McAfee Secure — had been withdrawn from Geeks.com on multiple occasions during 2007 after scans found vulnerabilities in its systems.

To me this is shocking. Not because a supposedly secure site was compromised, but because they were improperly displaying the "Hacker Safe" seal.

Where was McAfee?

Didn't it care about its good name? I would guess that Geeks.com would have taken down the "Hacker Safe" seal if McAfee simply asked them to. I doubt even a sternly worded letter would have been necessary. Still, if it had been, there are any number of attorneys who could have written it, and who would have been happy to go to court to get the seal removed if Geeks.com wouldn't take it down otherwise. Happily, the FTC stepped up in this case. However, it's a little surprising that they were the ones who ended up doing it, rather than the private actor who one would think would have had both the incentive and opportunity to have taken action earlier.

Red Flag Rules Delayed

Happy news for all organizations which would have been affected by the FTC's red flag rules: the deadline for enforcement of the rules has been pushed back six months from its original date of November 1, 2008. The rule requires that creditors and financial institutions implement identity theft prevention programs, but the FTC found that many companies needed more time to come into compliance. The new enforcement deadline is May 1, 2009. In its statement, the FTC said that the extension does "not affect other federal agencies' enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance."

We (and by we, I mean my colleague Jane Shea) previously wrote about the red flag rules here and here.

What if McCain Defaults?

Yesterday, I wrote about John McCain's presidential campaign pledging its fundraising list as collateral for a loan - the same fundraising list that it said it would never sell to third parties. In that post I asserted that it was unlikely that McCain's campaign could be sued by consumers for violating the privacy policy, and pointed out that it's too early to sue in any case, since McCain's campaign hasn't defaulted on anything, and so the bank hasn't seized the list. However, that rather begs the question: is there anything that would happen if the list was seized? Well, potentially, there is. First, there's the potential breach of contract suit. As I mentioned yesterday, it would be unlikely to succeed, but that doesn't mean that the threat isn't there. There's also potential action by the government (probably more likely if McCain loses the presidential race). Section 5 of the FTC Act (discussed here) prohibits unfair or deceptive trade practices. That prohibition has been interpreted broadly, and has been used to punish companies which sell lists in violation of privacy policies in the past (e.g., this settlement with Gateway Learning, makers of "Hooked on Phonics"). Thus, theoretically, there's a chance that the FTC might take action if the campaign defaulted and the bank seized the list.

Realistically though, the FTC isn't going to go after a political campaign for pledging its fundraising list as collateral, since that would prevent other political campaigns from doing the same thing in the future, and the FTC is controlled by the government (i.e., politicians). Similarly, as I said yesterday, there are real obstacles to a breach of contract action being successfully brought. The bottom line is that the only hit John McCain's campaign is likely to take from pledging its list is political (if that).