The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


59th Antitrust Law Spring Meeting: Zeroing in on Behavioral Targeting

The ABA Antitrust Section spring meeting began March 30, 2011, and features a number of programs focusing on privacy and data security issues. In the “Zeroing in on Behavioral Targeting” program, panelists from the Federal Trade Commission (“FTC”), the Washington state attorney general’s office, and law firm privacy experts discussed current issues and legal actions involving online behavioral targeting.

Panelists included Becky Burr of WilmerHale; Tina Kondo, Deputy Attorney General with the Washington State Office of the Attorney General; Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection; and David Parisi with Parisi & Havens, LLP.


It’s Spring Meeting Time!

The 59th Antitrust Law Spring Meeting is underway in Washington, DC, and continues through this Friday afternoon. The Secure Times will be live-blogging several sessions that touch on data security and privacy issues. Also, check out our series "Inside the Session" for previews and background information on several sessions.


Google Agrees to Settle FTC Charges and Will Implement a “Comprehensive Privacy Program”

The Federal Trade Commission (“FTC”) announced today that Google has agreed to settle FTC charges that it used deceptive tactics and violated its own privacy promises when it launched Google Buzz in 2010. Google will have to implement a “comprehensive privacy program,” as laid out in the proposed consent order. The agreement is subject to public comment through May 1, 2011, after which the FTC will decide whether to make the proposed consent order final.

The proposed consent order refers to both the FTC Act and to the US-EU Safe Harbor Framework, a reference that is likely to be well appreciated in the European Union.

Agreement containing consent order available here.

Complaint available here.

The 2010 complaint

In February 2010, Google launched Google Buzz (“Buzz”), a social network within Gmail. Gmail users were sometimes set up with followers automatically and without prior notice (Complaint at 7). These followers were the people they emailed and chatted with most often in Gmail (Complaint at 8). Even if Gmail users chose to opt out of Buzz, they could still be followed by other Buzz users, and their public profile, if they had created one, would then appear on their followers’ public Google profiles (Complaint at 8 and at 9).

The FTC complaint alleged that Google violated the FTC Act by representing to consumers signing up for a Gmail account that it would use their information only to provide the webmail service, when it also used that information to enroll them in Buzz automatically and without their consent, and by representing that consumers would be able to control whether their information was made public.

The complaint also alleged that Google did not adhere to the Safe Harbor Framework Privacy Principles of Notice and Choice: Google did not give users notice before using their personal information for a purpose different from the one for which the data was originally collected, and Gmail users were not given a choice when Google used their information for a purpose incompatible with the purpose for which it was originally collected (Complaint at 25).

The complaint alleged that Google did not communicate “adequately” that “certain previously private information would be shared publicly by default,” and that the controls allowing users to change the defaults were “confusing and difficult to find” (Complaint at 9). Certain personal information was also shared without Gmail users’ permission (Complaint at 10). For instance, individuals blocked by a Gmail user were not blocked in Buzz, and could thus become that user’s follower on Buzz (Complaint at 10). Even more puzzling, it was not possible to block a follower who did not have a public Google profile, and the Gmail user could not even learn that follower’s real identity (Complaint at 10). In addition, Buzz offered an @reply function that sometimes exposed contacts’ private email addresses to all of a user’s followers, from where they could be picked up by search engines.

Google made some changes following widespread criticism and thousands of customer complaints. Users were given the ability to disable Buzz. Followers were no longer added automatically based on Gmail contacts, but merely suggested. Users could also block any follower, and Buzz users were given the option not to show their followers’ list on their public profile. The @reply function would no longer make private addresses public.

The FTC nevertheless issued a complaint, and Google has now agreed to settle.

A comprehensive privacy program

The Buzz settlement is particularly interesting as it is the first time that an FTC settlement order requires a company to implement a comprehensive privacy program to protect the privacy of consumer data.

Indeed, the proposed consent order requires Google to implement a “comprehensive privacy program,” documented in writing, which must “(1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information” (proposed consent order p. 4). The program must designate the employees responsible for it. It must identify the reasonably foreseeable risks, internal and external, that could result in Google collecting, using, or disclosing personal information without authorization, and put safeguards in place to address those risks. It must also design and implement “reasonable privacy controls and procedures, and regularly monitor the efficiency of privacy controls.” The program must further provide for selecting service providers capable of protecting the privacy of personal data and binding them to do so by contract. The program is to be evaluated and adjusted as necessary in light of its results (proposed consent order p. 4-5).

Also, Google will have to obtain from a qualified third-party professional an initial assessment, and then biennial assessments and reports, setting forth the specific privacy controls implemented by Google, explaining why such controls are appropriate, and explaining how they have been implemented. The third-party professional will also certify that such controls are effective (proposed consent order p. 5-6).

It will be interesting to see whether U.S. companies start to use the comprehensive privacy program framework as a reference for their own privacy programs, and whether EU data protection authorities will require U.S. organizations that have self-certified to the U.S.-EU Safe Harbor Framework to implement such a program in order to be deemed compliant.



Massachusetts AG Announces $110,000 Settlement in Restaurant Data Breach

Yesterday, the Massachusetts Attorney General’s Office announced a settlement with the Briar Group LLC, which operates several restaurants and bars in the Boston area, including The Lenox, MJ O’Connor’s, Ned Devine’s, The Green Briar, and The Harp, to resolve allegations that the Briar Group failed to take reasonable steps to protect its patrons’ personal information.

The complaint alleges that the restaurant group suffered a data breach in April 2009. Hackers were able to access customers’ credit and debit card information, including names and account numbers, through malicious code installed on the Briar Group’s computer systems. The malicious code was not removed until December 2009. The complaint also alleges that the Briar Group had insufficient security protections in place, such as allowing multiple employees to share common usernames and passwords and failing to properly secure its wireless network.

The settlement requires (1) a payment to the Commonwealth of $110,000 in civil penalties; (2) compliance with Massachusetts data security regulations; (3) compliance with Payment Card Industry Data Security Standards; and (4) the establishment and maintenance of an enhanced computer network security system.


Inside the Session: Tara Koslov on Technology and Privacy Issues at the 59th Antitrust Law Spring Meeting





Editor’s Note: “Inside the Session” is a sneak preview of the privacy and information security-related sessions that will take place at the 59th Antitrust Law Spring Meeting. For more information on the conference, visit the ABA’s page on the event.


The Chair’s Showcase on “Competition and Consumer Protection in the Web 3.0 World” promises to be a fast-paced and exciting event. Two separate panels will explore the nexus between privacy and competition, highlighting cutting-edge technology as well as legal and social policy issues. The Secure Times recently spoke with Tara Koslov, who will serve as co-moderator of the technology panel. Tara has been with the Federal Trade Commission for 14 years, and is currently the Deputy Director of the FTC’s Office of Policy Planning. Tara also serves as Editorial Co-Chair of the Antitrust Law Journal. She gave us a sneak preview of what to expect from the session on Thursday, March 31st, from 10am-12pm.


Privacy – Transparency and the Push to Convert the U.S. Government to the “Cloud”

Have you thought about how many government agencies are transitioning to cloud computing, and what that means for privacy? The White House released a “25 Point Implementation Plan to Reform Federal Information Technology Management” in December 2010 that advocates a shift to a “cloud first” policy for all agencies. This came after the GAO observed in June 2010 that although “OMB launched a cloud computing initiative in 2009,” it “does not yet have an overarching strategy or implementation plan.” The OMB IT Dashboard suggests that numerous federal agencies (perhaps over 100) are pushing to build in cloud computing functions, including the General Services Administration and the Department of Health and Human Services.

In contrast to the hype surrounding the cloud, NIST’s recently published draft Guidelines on Security and Privacy, written for government use, provide detailed commentary on key cloud computing concerns, including: cloud system complexity; the shared, multi-tenant environment; and internet exposure that increases vulnerability to internet-borne attacks such as botnets. Notably, NIST reported that although the city of Los Angeles made news in 2009 (as widely reported at the time, and as mentioned in the NIST report) when it announced it was shifting its email servers to Google’s cloud, the system has not lived up to the hype. As of early 2011 the city was running both its legacy and the cloud systems, hardly a model of cost-efficiency. The police functions had not been successfully outsourced because of security concerns, and the report stated that Los Angeles will have to shut down the operation in June 2011 if the situation isn’t resolved. Could Los Angeles be the canary in the coal mine showing that “cloud first” may not result in dramatic cost savings?

Perhaps most troubling is the loss of control over data. According to the draft NIST report, “a characteristic of many cloud computing services is that detailed information about location of the data is unavailable or not disclosed to the service subscriber. This situation makes it difficult to ascertain whether sufficient safeguards are in place and whether legal and regulatory compliance requirements are being met.” Translation: outsourcing data to the cloud often means that organizations (including the U.S. government) will not know, or be able to control, where that data is stored or transferred, despite state and federal laws prohibiting the transfer of certain data overseas. Allowing third-party service providers to dictate where data flows may not be worth whatever cost savings the new “cloud first” policies generate.


Privacy Events: ABA Antitrust Spring Meeting: March 30-April 1, 2011

The Annual Antitrust Spring Meeting is next week in Washington DC! This year’s Chair’s Showcase Session highlights privacy issues in the Web 3.0 world. Here is a list of privacy-related presentations:
Wednesday, March 30
    – 8:45-10:30. Fundamentals of Consumer Protection. (Nat’l Press Club)
    – 9:00-10:30. Data Privacy and Consumer Protection Issues for U.S. Distribution Systems. (Salon IV)
    – 2:00-3:30. A New Paradigm: The Consumer Financial Protection Bureau and Antitrust Enforcement.
    – 3:15-5:15. Zeroing in on Behavioral Targeting. (Salon IV)
    – 3:45-5:15. Cross-National Perspectives on Consumer Protection. (Salon III)
Thursday, March 31
    – 8:15-9:45. Consumer Protection Regulatory Round-Up: Insights from the Enforcers. (Salon IV)
    – 10:00-noon. Chair’s Showcase Session: Competition and Consumer Protection in a Web 3.0 World. Panel 1, Technology and Privacy Issues; Panel 2, Legal and Social Policy Issues. (Grand Ballroom)
Friday, April 1
    – 8:15-9:45. National Privacy Policies as Barriers to Entry in International Competition. (Ballroom, Nat’l Press Club)