The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Paul Ohm to Join FTC as Senior Advisor on Internet, Privacy, and Mobile Markets

On August 27, Professor Paul Ohm, Associate Professor at the University of Colorado Law School, will join the FTC as a senior policy advisor for consumer protection and competition issues affecting the Internet and mobile markets. Ohm specializes in topics that include information privacy and cyberlaw issues. He has authored numerous law review articles and essays that address the impact of technology on consumer privacy, and he is a frequent blogger and contributor to FTC roundtables and industry conferences.

Ohm will join the FTC’s Office of Policy Planning, which focuses on the development and implementation of long-range competition and consumer protection policy initiatives, and advises staff on cases raising new or complex legal or policy issues.  This will be the second time that Ohm has served the government in a privacy-focused capacity.  He previously served as a federal prosecutor for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section.

A press release on Ohm’s new role is available here.


Federal Trade Commission Announces Privacy Settlement with Myspace

The FTC has reined another tech giant, albeit a waning one, into a settlement agreement over alleged privacy violations. On May 8, the FTC announced a consent decree with Myspace LLC that forbids it from misrepresenting its privacy policies and requires it to institute a comprehensive privacy policy and submit to biennial audits for compliance for twenty years. This is the third settlement that the FTC has achieved with a major tech company in the social networking arena; the agency reached similarly structured settlement agreements with Google and Facebook last year.

The FTC’s Allegations

The FTC’s allegations stem from a gap between Myspace’s privacy policy and its practices from January 2009 until June 2010. In its policy, Myspace promised that it would not share a user’s personally identifiable information (defined as name, email, mailing address, phone number or credit number) without notice and user consent; that its means for delivering customized ads and sharing browsing data with advertisers; and that it complied with the U.S.-E.U. Safe Harbor framework for data protection.

However, when Myspace displayed ads from certain unaffiliated third parties to logged-in users, Myspace provided the advertiser or its affiliate with the viewer’s “Friend ID,” which is a persistent unique numerical identifier assigned to each Myspace user. This left third parties a few clicks away from accessing a host of other information about the user. For most users, the Friend ID could be used to get the users’ full name and any other information designated as public in the users’ settings. The public information could then be combined with additional information harvested by the advertiser’s tracking cookie and by any other means.

According to the FTC, the representations that Myspace made in its privacy policies were thus false and misleading statements and constituted deceptive acts or practices in violation of Section 5 of the FTC Act. The agency also alleged that Myspace misrepresented its compliance with the US-EU Safe Harbor framework: to transfer personal data lawfully from the E.U. to the U.S., companies must self-certify that they meet certain privacy principles about collection and use of user data, including Notice and Choice. According to the FTC, Myspace also misrepresented its compliance – although it did not make the offending statements about Safe Harbor compliance until December 2010, after the time period of its other deceptive practices.

Settlement Terms

The order forbids Myspace from misrepresenting its privacy practices, including collection, disclosure and third-party sharing, of all “covered information.” This includes a user’s name, address, e-mail address or chat screen name, phone number, photos and videos, IP address, device ID or other permanent identifier, contact list or physical location. Like the Google and Facebook settlements, the order requires Myspace to establish and maintain a comprehensive privacy program and submit to biennial assessments of its privacy programs by an independent auditor for 20 years. Myspace must also retain a plethora of related documents for five years, including all “widely disseminated statements” about Myspace’s privacy practices, complaints or communications with law enforcement about the order, or any documents that call into question Myspace’s compliance.

The 20-year timeframe, which has been the standard in FTC’s previous privacy consent decrees, has raised some snickers among commentators about Myspace’s longevity, given the site’s declining market share. Founded in 2003, the site was acquired by News Corp. for $580 million in 2005 and for a while dwarfed Facebook’s number of users. However, it was sold to Specific Media for $35 million last year and its number of unique users is less than half of its 2008 peak.

The agreement will be subject to public comment until June 8, after which the Commission will decide whether to make the proposed consent order final.



House Passes CISPA

Last week, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). CISPA would authorize Internet service providers and other companies to share customer communications and other personal information with governmental agencies. The intent of the bill is to enhance information sharing for data security purposes; however, many organizations such as the Center for Democracy and Technology and the ACLU strongly oppose the bill, and President Obama has threatened to veto it.

Critics of CISPA state that the bill is overbroad and does not contain appropriate privacy, confidentiality or civil liberties safeguards. According to the White House’s statement, "the bill would allow broad sharing of information with governmental entities without establishing requirements for both industry and the Government to minimize and protect personally identifiable information." For example, CISPA could allow companies to give email communications to the government with no judicial oversight if the emails contained cyber threat information. Supporters argue that this information sharing is necessary in order to prevent cyber attacks. Initially, Internet companies appeared to have supported the bill, although this week Mozilla announced its opposition to the bill and Microsoft has expressed concern over the bill’s impact on personal privacy.

In addition to privacy concerns, an interesting article on Slate had another take on CISPA – that it will effectively overwhelm the government with more data than it can handle, noting that "analyzing the world’s data to identify potential cyberthreats has gone from difficult to impossible.  The volume of digital information has become far too large." 

CISPA now moves to the Senate for consideration, where it will compete with at least two other cyber security bills.