The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Google Spain Decision – July 2 Discussion

On Wednesday, July 2, PRIS and the Media and Technology committees will host a dial-in to discuss the recent Google Spain “right to be forgotten” case.  Please join an expert EU-based panel to learn more about this landmark case and its implications for internet platforms going forward.

When: July 2 at noon ET.

Who: Mark Stephens, UK media law barrister; Professor Judith Rauhofer, privacy scholar; Professor Steve Peers, EU law scholar.

Link to Register: http://www.americanbar.org/content/dam/aba/marketing/20140702_at140702.authcheckdam.pdf

Please feel free to direct any questions – before, during, or after the call – to Gail Slater at lgslater@comcast.net.  Thanks.

 

Earlier this week the Senate Commerce Committee subcommittee with responsibility for consumer protection issues held a hearing to discuss the impact of unwanted robocalls on consumers. Topics discussed included the consumer harm associated with fraudulent robocalls; the effectiveness of regulations and law enforcement in stopping them; and the feasibility of technological solutions to the challenges posed by unauthorized robocalls. The hearing was held not long after the 10th anniversary of the Do Not Call Registry – in the words of humorist Dave Barry “the most popular federal concept since the Elvis stamp.”   The hearing heard testimony from two panels: witnesses on the first panel represented the FTC and FCC, and witnesses on the second panel represented the telecom and ancillary industries.

Two overall themes emerged from the testimony. First, the challenges faced both by regulators and legitimate industry in keeping with up fast-paced technological changes in the robocall industry, and second the increasingly global nature of unauthorized robocalls.

The FTC testimony spoke to the agency’s law enforcement efforts, initiatives to spur technological solutions, and its broad consumer and business outreach in the robocall arena. In the decade since the Telemarketing Sales Rule (TSR) was amended to create the Do Not Call Registry, the agency has brought over 105 enforcement actions, resulting in $126 million in civil penalties and $741 million in redress or disgorgement. Despite these actions, the number of unauthorized robocalls continues to balloon, from 63,000 consumer complaints per month in 2009, to 200,000 complaints per month in 2012.  These numbers were consistent with those presented by the FCC witness who testified that the number of consumer complaints to that agency had doubled in the past two years.

Much of the growth in robocalling is enabled by new technologies such as Voice Over Internet Protocol (VoIP) technology which enables blasting of prerecorded messages over the Internet. VoIP technology not only makes it cheaper to place robocalls when compared to the time and money needed to place a call on the traditional cooper wire, but it also makes identifying the robocall perpetrator more challenging. In the highly regulated copper wire world, the regulated entities are well-known and cannot easily conceal their identities. In contrast, VoIP technology allows businesses to place cheap calls wherever they find an Internet connection, both at home and abroad. For example, one 2012 FTC enforcement action involved billions of calls placed by phone numbers registered to companies with overseas offices in the Northern Mariana Islands, Hong Kong, and the Netherlands.

In October 2012, the Commission hosted a workshop – the Robocall Summit – to explore technological solutions to keep up with the Internet enabled growth in robocalls, (or as then-Chairman Leibowitz described it, “voice blasting technology [] at bargain basement prices.”)  The FTC announced a public contest or “Robocall Challenge” with a $50,000 prize for the individual or small team that could propose a technological solution to help consumers block robocalls on their landlines and mobile phones. In April this year, the agency announced three winning solutions which, if successfully developed could result in “positive results for American consumers.” 

Urging caution, a representative from the USTelecom trade association counseled that technological solutions that “seek to make phone service providers the arbiter of whether a call should – or should not – be permitted to proceed skirt dangerously close to violating the privacy obligations imposed on us by law.”  The witness cited the Wiretap Act provisions protecting the transmission of calls and limiting the rights of universal service providers to intercept them. The witness was not optimistic that a “silver bullet” technological solution to the robocall challenge could be found, and counseled further that “today’s solution could very well turn into tomorrow’s Maginot Line, and could have unintended adverse consequences.”


Leave a comment

FTC Announces Internet of Things Workshop

The FTC recently announced a public workshop to examine the privacy and data security implications of the Internet of Things (IoT). The workshop, which will take place on November 21 this year, indicates a growing interest – both here and in Europe – in the policy issues raised by this rapidly emerging business model. The FTC announcement follows a signal from new FTC Chairwoman Edith Ramirez that she intends to include IoT in her privacy agenda.

The Internet of Things describes a world in which machines can communicate with one another via the Internet without human intervention. The Swedish mobile device vendor Ericsson estimates that around 50 billion devices worldwide will be IoT enabled by 2020.

The business model has many positive applications. Included here are energy efficient smart grids, which have the proven potential to promote energy efficiency. Another interesting IoT application concerns auto insurance. If the key variables used to calculate insurance premiums are distance driven, location, time of day, and driving style, and these variables can be measured with precision using IoT technologies, then drivers and insurance providers may be positioned to better calculate bespoke insurance rates.

These and other IoT applications look set to become more and more ubiquitous as the technologies underpinning them – data storage, mobile data transfer, and cloud computing – look set to come down the cost curve in the coming years. However, as with Internet enabled technologies generally, IoT raises potential privacy and data security concerns. The FTC is therefore requesting public comments on the following issues prior to the November workshop:

• What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
• How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

FTC staff welcomes submissions to its IoT email account before June 1, 2013.

Meanwhile, on the other side of the Atlantic both the EU and the OECD are tracking IoT from a policy standpoint in general; and a privacy and security standpoint in particular. The EC Commission launched a public consultation similar in nature to the FTC’s in April last year, and recently published its findings. According to the Commission, these findings will be relied on in “future policy initiatives.”


Leave a comment

FTC Brings Data Security Case Against Mobile Device Maker

The Federal Trade Commission announced today that it has settled charges that HTC America – a leading mobile hardware developer – failed to take appropriate steps to secure software it developed and installed on mobile devices running the Android and Windows operating systems.

The 8-page FTC complaint sets out a number of allegations regarding HTC’s security practices.  According to the FTC, much of the conduct relates to HTC’s business decision to tweak or customize the operating systems installed in its devices.  While this customization allowed HTC to differentiate itself from its rivals, it also created security vulnerabilities for consumers. The FTC alleges, among other things, that as consequence of HTC’s actions millions of devices were left open to malware attacks, “all without the user’s knowledge or consent.”   The complaint ultimately concludes that because of the “potential exposure of sensitive information and sensitive device functionality through the security vulnerabilities in HTC mobile devices, consumers are at risk of financial and physical injury and other harm.”

The consent order entered into by HTC requires the company to develop and implement a comprehensive data security program, and prohibits it from making any false or misleading statements about the security and privacy of consumers’ data on HTC devices going forward.  HTC is also ordered to develop and ship software patches to affected consumers to fix software vulnerabilities – a cutting edge remedy.

Also today, the FTC announced a public forum to take place on June 4th to discuss the consumer protection aspects of malware, viruses, and similar threats facing mobile device users.


Leave a comment

FTC Issues Mobile Privacy Staff Report

On February 1, the FTC released a 36-page staff report entitled “Mobile Privacy Disclosures: Building Trust Through Transparency.”  The report followed a one-day FTC public workshop held last May to discuss mobile privacy issues.   The staff report makes several policy recommendations.  Many of these recommendations are consistent with the Commission’s policy regarding online privacy generally, such as offering a Do Not Track (DNT) mechanism for smartphone users.  Other recommendations are more tailored to the mobile ecosystem.  For example, the report discusses the privacy challenges of geolocation technology, as well as small screen privacy notices.  

The report identifies platforms such as Apple and Google as well as smartphone app developers as the major players in mobile privacy, and directs many of its key recommendations toward them.  Platforms are encouraged to use their gatekeeper role between the consumer and an app developer to “provide just-in-time disclosures to consumers and obtain affirmative express consent before allowing apps to access sensitive content like geolocation.”  Another recommendation calls for platforms to consider a “privacy dashboard” approach to allow consumers to review the types of content accessed by the apps they have downloaded.  App developers are encouraged to adopt privacy policies that are easily accessible through the relevant platform’s app store.

In prepared remarks, FTC Chairman Leibowitz described the report as a useful input into an ongoing effort to address the privacy issues raised by the mobile revolution.  In this context, he applauded the ongoing efforts of some platforms and app developer trade associations to self-regulate, and also referenced the Department of Commerce led multi-stakeholder process “to develop a code of conduct on mobile transparency.”

Reps. Barton and Markey – who co-chair the bi-partisan House Privacy Caucus – welcomed the FTC report in a joint release.  The release states “[t]he FTC is correct to point out that more must be done to protect the privacy of mobile device users.”  Rep. Markey introduced the Mobile Device Privacy Act in the last Congress. 

The Association for Competitive Technology (ACT), which represents smaller app developers, also welcomed the FTC report – with two wrinkles.  According to the ACT, the FTC recommendation that platforms take on a gatekeeper role for app privacy “could actually backfire” since “stores may opt to do less or no privacy scanning of apps if they perceive a liability risk created by this report.” “Additionally,” according to the ACT, “the report relies on a technology snapshot and may not represent where the industry appears to be headed: offering better consumer controls and data isolation.”


Leave a comment

FTC Settles Online “History Sniffing” Charges

The FTC announced yesterday that it has settled charges that the online advertising network Epic Marketplace Inc. used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues.

Epic’s online advertising network – which has a presence on 45,000 websites – serves as an intermediary between online content publishers and advertisers.  Although Epic’s privacy policy claimed that it would collect information only about consumers’ visits to sites within its network, according to the FTC complaint this was not in fact the case.  Instead, the complaint alleges that from March 2010 through August 2011 consumers who visited Epic’s network sites received a cookie which tracked consumer site visits outside its ad network, including some sites relating to personal health conditions and finances.  The complaint further alleges that data collected from these cookies enabled Epic to serve targeted ads to these consumers.  The FTC complaint charges that these practices violated 5(a) of the FTC Act by falsely representing to consumers that Epic only collected information on consumers’ visits to websites within the Epic network.

The FTC consent order in the matter bars Epic from using history sniffing and requires that it delete and destroy all data collected using it, among other things.  The order was placed on the public record for thirty days.

The FTC announced the settlement on the eve of today’s “Future of Comprehensive Data Collection” workshop to explore the practices and privacy implications of comprehensive data collection about consumers’ online behavior.


Leave a comment

FTC Urges Congress to Reauthorize SAFE WEB Act

The House Subcommittee on Commerce, Manufacturing, and Trade held a hearing earlier today to discuss reauthorization of the 2006 "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act", otherwise known as the U.S. SAFE WEB Act.  The subcommittee – which is chaired by Rep. Mary Bono Mack (R. California) – heard testimony from Hugh Stevenson, the FTC’s Deputy Director for International Consumer Protection.

The SAFE WEB Act was enacted in response to growing evidence of cross-border spam, spyware, and fraud on the Internet.  According to FTC 2005 research, an estimated 20 percent of consumer complaints to the agency at that time involved fraud originating outside the United States.  The FTC further estimated that Americans suffered annual losses to foreign operators totaling nearly $220 million as a result of this activity.  The SAFE WEB Act expanded the FTC’s Section 5 authority to tackle this problem by including in its scope "acts or practices involving foreign commerce that (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States."  The Act also gave additional powers to the FTC to work with foreign Government agencies designed to facilitate cross-border cooperation and information sharing in investigations and law enforcement actions.

According to today’s FTC testimony, the agency estimates that it has conducted more than 100 investigations, and filed more than 50 cases, involving cross-border elements since SAFE WEB’s passage.  The FTC testimony also states that using the tools provided to it under the Act, the agency has stopped frauds costing consumers hundreds of millions of dollars.  For this and other reasons, the FTC submitted in its testimony that "it is critical that Congress reauthorize the law enforcement tools provided by the U.S. SAFE WEB Act."

In her Opening Statement to the hearing, Rep. Bono Mack described SAFE WEB as an "important tool in combating cross-border fraud, spam, and spyware."  She went on to describe the progress made since 2006, as evidenced in a 2009 FTC Report issued pursuant to the Act, and concluded that SAFE WEB  "has been a clear success to date and should be reauthorized before its expiration next year."

The SAFE WEB Act will expire on December 22, 2012 absent reauthorization.  Draft legislation before the House Commerce Committee would reauthorize the Act for an additional 7 years.


Leave a comment

UK Investigates Privacy Implications of Email-Hacking by Journalists

The UK communications regulator Ofcom this week announced that it is investigating alleged email-hacking by journalists at Sky News, a satellite news channel controlled by Rupert Murdoch.  The investigation raises interesting issues regarding the role of online privacy in news reporting; in particular whether privacy should trump the public interest in media led investigations into criminal activity.

Ofcom announced its investigation after a Sky News representative admitted to hacking the email accounts of John Darwin, who faked his own death in order to claim life insurance, and later reappeared living abroad.  In addition to email-hacking, Sky News also admitted to posting a hacked voicemail message from Mr. Darwin’s wife on its website.  These hacking admissions were made at the wide-ranging Leveson Inquiry into press ethics and culture, which was prompted by last year’s UK press phone-hacking scandal.

Under UK law, email hacking is a violation of the Computer Misuse Act 1990, and may trigger criminal sanctions.  In addition, Ofcom’s broadcasting code – Rule 8.1 – provides that: "Any infringement of privacy in programs, or in connection with obtaining material included in programs, must be warranted."  The potential sanctions for breach of Ofcom’s code range from a warning, to a fine, to revoking a broadcasting license in the most serious circumstances. 

For its part, Sky News argues that its actions were "editorially justified" since there are rare instances when it is defensible for a journalist to commit an offense in the public interest, in this case the detection of insurance fraud.

An Ofcom spokesperson stated that the agency "is investigating the fairness and privacy issues raised by Sky News’ statement that it had accessed without prior authorization private email accounts during the course of its news investigations." 

The regulator also announced that it will "make the outcome [of its investigation] known in due course." 

 

 

 


Leave a comment

FTC Warns ICANN About Domain Name Expansion

The FTC recently sent a detailed 15 page letter to the Internet Corporation for Assigned Names and Numbers (ICANN) expressing concern that the organization’s plan to expand the domain name system could leave consumers open to online fraud and undermine law enforcers’ ability to track online scammers.  The House Energy and Commerce Committee has also expressed concern about ICANN’s expansion plan.

ICANN has overseen the allocation of Internet domain names since 1998.  The organization intends to expand generic top-level domain names (gTLDs) – currently ".com", ".net", and ".org" – to include many new domain names, such as the name of a company or a business category e.g. ".restaurant."  According to the FTC letter, gTLD expansion could create a "dramatically increased opportunity for consumer fraud." In particular, the letter outlines a concern that "the proliferation of existing scams, such as phishing, is likely to become a serious challenge given the infinite opportunities that scam artists will now have at their fingertips.  Fraudsters will be able to register misspellings of businesses, including financial institutions, in each of the new gTLDs, create copycat websites, and obtain sensitive consumer data with relative ease before shutting down the site and launching a new one."  The FTC letter urges ICANN to take additional steps before rolling out new domain names, and suggests that a pilot program be implemented by ICANN before proceeding with a full expansion.

The FTC received support from the 400 member Association of National Advertisers which hoped that the letter would help "convince ICANN that it must stop [the] initiative and build true consensus with the many constituencies that depend upon a responsibly managed Internet domain naming process."

The House Energy and Commerce Committee has also expressed opposition to ICANN’s expansion plan.  The House Subcommittee on Communications and Technology held a recent hearing to examine the issue, and the full Committee followed up with a bipartisan letter describing domain name expansion as a "worthy goal", while expressing concern "that there is significant uncertainty in this process for business, non-profit organizations, and consumers."  The letter urges ICANN to delay its plan, which is set to go live on January 12, 2012.


Leave a comment

EU Data Protection Reforms Outlined

The EU Commissioner responsible for data protection recently outlined the growing contours of EU data protection reform legislation expected to issue early next year.  In a November 28 speech to the American Chamber of Commerce, Viviane Reding, Vice President of the EC Commission, and EU Justice Commissioner, spoke of her determination to deliver "a strong, consistent and future-proof framework for data protection, with consistent rules across all Member States and across all Union policies."

Commissioner Reding began her speech by outlining the challenges currently facing businesses operating under the EU’s 1995 data protection legislation.  First, EU data protection laws are fragmented between 27 EU member states, leading to varying legal interpretations and enforcement regimes.  Reding estimated that this fragmentation costs businesses €2.3 billion a year.  Second, fragmentation is inconsistent with the EU’s goal to unify its 27 member states in a single market by "making it difficult to sell or shop cross-border." Third, according to EU survey data, existing data protection rules do not have the confidence of consumers, thus inhibiting the adoption of new technologies such as cloud computing.

According to Commissioner Reding, the need for data protection has grown exponentially since 1995 "when the full potential of the Internet had not yet been realized.  In 1993 the Internet carried only 1% of all telecommunicated information.  By 2007, the figure was more than 97%."

Commissioner Reding went on to detail some specific regulatory reforms impacting businesses including: increased coordination between member state data protection authorities (DPAs); eliminating the requirement to notify data processing to DPAs; a single point of contact for companies dealing with multiple EU DPAs; and mutual recognition by DPAs of binding corporate rules approved by another DPA.  The Commissioner also outlined the individual data protection safeguards in the reform proposal, such as timely notification of data protection breaches to consumers.

Reding included in her remarks her position on the role of industry self-regulation.  According to the Commissioner, self-regulation "has an important, complementary role to play in this reform.  But let me be clear: self-regulation is not a fig-leaf for non-compliance; self-regulation only works if there is strong, legally binding regulation in the first place."