The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Google Spain Decision – July 2 Discussion

On Wednesday, July 2, PRIS and the Media and Technology committees will host a dial-in to discuss the recent Google Spain “right to be forgotten” case.  Please join an expert EU-based panel to learn more about this landmark case and its implications for internet platforms going forward.

When: July 2 at noon ET.

Who: Mark Stephens, UK media law barrister; Professor Judith Rauhofer, privacy scholar; Professor Steve Peers, EU law scholar.

Link to Register: http://www.americanbar.org/content/dam/aba/marketing/20140702_at140702.authcheckdam.pdf

Please feel free to direct any questions – before, during, or after the call – to Gail Slater at lgslater@comcast.net.  Thanks.

 

Earlier this week the Senate Commerce Committee subcommittee with responsibility for consumer protection issues held a hearing to discuss the impact of unwanted robocalls on consumers. Topics discussed included the consumer harm associated with fraudulent robocalls; the effectiveness of regulations and law enforcement in stopping them; and the feasibility of technological solutions to the challenges posed by unauthorized robocalls. The hearing was held not long after the 10th anniversary of the Do Not Call Registry – in the words of humorist Dave Barry “the most popular federal concept since the Elvis stamp.”   The hearing heard testimony from two panels: witnesses on the first panel represented the FTC and FCC, and witnesses on the second panel represented the telecom and ancillary industries.

Two overall themes emerged from the testimony: first, the challenges faced by both regulators and legitimate industry in keeping up with fast-paced technological changes in the robocall industry; and second, the increasingly global nature of unauthorized robocalls.

The FTC testimony spoke to the agency’s law enforcement efforts, initiatives to spur technological solutions, and its broad consumer and business outreach in the robocall arena. In the decade since the Telemarketing Sales Rule (TSR) was amended to create the Do Not Call Registry, the agency has brought over 105 enforcement actions, resulting in $126 million in civil penalties and $741 million in redress or disgorgement. Despite these actions, the number of unauthorized robocalls continues to balloon, from 63,000 consumer complaints per month in 2009, to 200,000 complaints per month in 2012.  These numbers were consistent with those presented by the FCC witness who testified that the number of consumer complaints to that agency had doubled in the past two years.

Much of the growth in robocalling is enabled by new technologies such as Voice over Internet Protocol (VoIP), which enables blasting of prerecorded messages over the Internet. VoIP technology not only makes it cheaper to place robocalls when compared to the time and money needed to place a call on the traditional copper wire, but it also makes identifying the robocall perpetrator more challenging. In the highly regulated copper wire world, the regulated entities are well-known and cannot easily conceal their identities. In contrast, VoIP technology allows businesses to place cheap calls wherever they find an Internet connection, both at home and abroad. For example, one 2012 FTC enforcement action involved billions of calls placed by phone numbers registered to companies with overseas offices in the Northern Mariana Islands, Hong Kong, and the Netherlands.

In October 2012, the Commission hosted a workshop – the Robocall Summit – to explore technological solutions to keep up with the Internet-enabled growth in robocalls (or, as then-Chairman Leibowitz described it, “voice blasting technology [] at bargain basement prices”). The FTC announced a public contest or “Robocall Challenge” with a $50,000 prize for the individual or small team that could propose a technological solution to help consumers block robocalls on their landlines and mobile phones. In April this year, the agency announced three winning solutions which, if successfully developed, could result in “positive results for American consumers.”

Urging caution, a representative from the USTelecom trade association counseled that technological solutions that “seek to make phone service providers the arbiter of whether a call should – or should not – be permitted to proceed skirt dangerously close to violating the privacy obligations imposed on us by law.”  The witness cited the Wiretap Act provisions protecting the transmission of calls and limiting the rights of universal service providers to intercept them. The witness was not optimistic that a “silver bullet” technological solution to the robocall challenge could be found, and counseled further that “today’s solution could very well turn into tomorrow’s Maginot Line, and could have unintended adverse consequences.”



FTC Announces Internet of Things Workshop

The FTC recently announced a public workshop to examine the privacy and data security implications of the Internet of Things (IoT). The workshop, which will take place on November 21 this year, indicates a growing interest – both here and in Europe – in the policy issues raised by this rapidly emerging business model. The FTC announcement follows a signal from new FTC Chairwoman Edith Ramirez that she intends to include IoT in her privacy agenda.

The Internet of Things describes a world in which machines can communicate with one another via the Internet without human intervention. The Swedish mobile device vendor Ericsson estimates that around 50 billion devices worldwide will be IoT enabled by 2020.

The business model has many positive applications. Included here are energy efficient smart grids, which have the proven potential to promote energy efficiency. Another interesting IoT application concerns auto insurance. If the key variables used to calculate insurance premiums are distance driven, location, time of day, and driving style, and these variables can be measured with precision using IoT technologies, then drivers and insurance providers may be positioned to better calculate bespoke insurance rates.

These and other IoT applications look set to become more and more ubiquitous as the technologies underpinning them – data storage, mobile data transfer, and cloud computing – are expected to come down the cost curve in the coming years. However, as with Internet-enabled technologies generally, IoT raises potential privacy and data security concerns. The FTC is therefore requesting public comments on the following issues prior to the November workshop:

• What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
• How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

FTC staff welcomes submissions to its IoT email account before June 1, 2013.

Meanwhile, on the other side of the Atlantic, both the EU and the OECD are tracking IoT from a policy standpoint in general, and from a privacy and security standpoint in particular. The EC Commission launched a public consultation similar in nature to the FTC’s in April last year, and recently published its findings. According to the Commission, these findings will be relied on in “future policy initiatives.”



FTC Brings Data Security Case Against Mobile Device Maker

The Federal Trade Commission announced today that it has settled charges that HTC America – a leading mobile hardware developer – failed to take appropriate steps to secure software it developed and installed on mobile devices running the Android and Windows operating systems.

The 8-page FTC complaint sets out a number of allegations regarding HTC’s security practices. According to the FTC, much of the conduct relates to HTC’s business decision to tweak or customize the operating systems installed in its devices. While this customization allowed HTC to differentiate itself from its rivals, it also created security vulnerabilities for consumers. The FTC alleges, among other things, that as a consequence of HTC’s actions millions of devices were left open to malware attacks, “all without the user’s knowledge or consent.” The complaint ultimately concludes that because of the “potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm.”

The consent order entered into by HTC requires the company to develop and implement a comprehensive data security program, and prohibits it from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices going forward.  HTC is also ordered to develop and ship software patches to affected consumers to fix software vulnerabilities – a cutting edge remedy.

Also today, the FTC announced a public forum to take place on June 4th to discuss the consumer protection aspects of malware, viruses, and similar threats facing mobile device users.



FTC Issues Mobile Privacy Staff Report

On February 1, the FTC released a 36-page staff report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.”  The report followed a one-day FTC public workshop held last May to discuss mobile privacy issues.   The staff report makes several policy recommendations.  Many of these recommendations are consistent with the Commission’s policy regarding online privacy generally, such as offering a Do Not Track (DNT) mechanism for smartphone users.  Other recommendations are more tailored to the mobile ecosystem.  For example, the report discusses the privacy challenges of geolocation technology, as well as small screen privacy notices.  

The report identifies platforms such as Apple and Google as well as smartphone app developers as the major players in mobile privacy, and directs many of its key recommendations toward them.  Platforms are encouraged to use their gatekeeper role between the consumer and an app developer to “provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing apps to access sensitive content like geolocation.”  Another recommendation calls for platforms to consider a “privacy dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded.  App developers are encouraged to adopt privacy policies that are easily accessible through the relevant platform’s app store.

In prepared remarks, FTC Chairman Leibowitz described the report as a useful input into an ongoing effort to address the privacy issues raised by the mobile revolution.  In this context, he applauded the ongoing efforts of some platforms and app developer trade associations to self-regulate, and also referenced the Department of Commerce led multi-stakeholder process “to develop a code of conduct on mobile transparency.”

Reps. Barton and Markey – who co-chair the bi-partisan House Privacy Caucus – welcomed the FTC report in a joint release.  The release states “[t]he FTC is correct to point out that more must be done to protect the privacy of mobile device users.”  Rep. Markey introduced the Mobile Device Privacy Act in the last Congress. 

The Association for Competitive Technology (ACT), which represents smaller app developers, also welcomed the FTC report – with two wrinkles.  According to the ACT, the FTC recommendation that platforms take on a gatekeeper role for app privacy “could actually backfire” since “stores may opt to do less or no privacy scanning of apps if they perceive a liability risk created by this report.” “Additionally,” according to the ACT, “the report relies on a technology snapshot and may not represent where the industry appears to be headed: offering better consumer controls and data isolation.”



FTC Settles Online “History Sniffing” Charges

The FTC announced yesterday that it has settled charges that the online advertising network Epic Marketplace Inc. used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues.

Epic’s online advertising network – which has a presence on 45,000 websites – serves as an intermediary between online content publishers and advertisers. Although Epic’s privacy policy claimed that it would collect information only about consumers’ visits to sites within its network, according to the FTC complaint this was not in fact the case. Instead, the complaint alleges that from March 2010 through August 2011 consumers who visited Epic’s network sites received a cookie which tracked consumer site visits outside its ad network, including some sites relating to personal health conditions and finances. The complaint further alleges that data collected from these cookies enabled Epic to serve targeted ads to these consumers. The FTC complaint charges that these practices violated Section 5(a) of the FTC Act by falsely representing to consumers that Epic only collected information on consumers’ visits to websites within the Epic network.

The FTC consent order in the matter bars Epic from using history sniffing and requires that it delete and destroy all data collected using it, among other things.  The order was placed on the public record for thirty days.

The FTC announced the settlement on the eve of today’s “Future of Comprehensive Data Collection” workshop to explore the practices and privacy implications of comprehensive data collection about consumers’ online behavior.



FTC Urges Congress to Reauthorize SAFE WEB Act

The House Subcommittee on Commerce, Manufacturing, and Trade held a hearing earlier today to discuss reauthorization of the 2006 "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act", otherwise known as the U.S. SAFE WEB Act.  The subcommittee – which is chaired by Rep. Mary Bono Mack (R. California) – heard testimony from Hugh Stevenson, the FTC’s Deputy Director for International Consumer Protection.

The SAFE WEB Act was enacted in response to growing evidence of cross-border spam, spyware, and fraud on the Internet. According to FTC 2005 research, an estimated 20 percent of consumer complaints to the agency at that time involved fraud originating outside the United States. The FTC further estimated that Americans suffered annual losses to foreign operators totaling nearly $220 million as a result of this activity. The SAFE WEB Act expanded the FTC’s Section 5 authority to tackle this problem by including in its scope "acts or practices involving foreign commerce that (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States." The Act also gave the FTC additional powers to work with foreign government agencies; these powers are designed to facilitate cross-border cooperation and information sharing in investigations and law enforcement actions.

According to today’s FTC testimony, the agency estimates that it has conducted more than 100 investigations, and filed more than 50 cases, involving cross-border elements since SAFE WEB’s passage.  The FTC testimony also states that using the tools provided to it under the Act, the agency has stopped frauds costing consumers hundreds of millions of dollars.  For this and other reasons, the FTC submitted in its testimony that "it is critical that Congress reauthorize the law enforcement tools provided by the U.S. SAFE WEB Act."

In her Opening Statement to the hearing, Rep. Bono Mack described SAFE WEB as an "important tool in combating cross-border fraud, spam, and spyware."  She went on to describe the progress made since 2006, as evidenced in a 2009 FTC Report issued pursuant to the Act, and concluded that SAFE WEB  "has been a clear success to date and should be reauthorized before its expiration next year."

The SAFE WEB Act will expire on December 22, 2012 absent reauthorization.  Draft legislation before the House Commerce Committee would reauthorize the Act for an additional 7 years.