The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Senate ‘Malvertising’ Hearing

The Permanent Subcommittee on Investigations of the Senate Committee on Homeland Security & Governmental Affairs held a hearing last week on the findings of its ‘Online Advertising and Hidden Hazards to Consumer Security and Data Privacy’ report.
In his introductory remarks, Senator John McCain (R-AZ) noted that online advertising is now more profitable than broadcast television advertising. Indeed, online advertising revenue was $42.8 billion in 2013, almost $3 billion more than television advertising.

At the same time, ‘malvertising’ increased by over 200% in 2013, to more than 209,000 incidents generating over 12.4 billion malicious ad impressions (testimony of Craig D. Spiezle, Executive Director and Founder of the Online Trust Alliance).

Online advertisements may be used as a vehicle to install malicious software on users’ computers. That software can then steal personal information or attack other computers, usually without the user ever knowing that the computer has been infected.

Malvertising is a serious security threat to consumers, yet most consumers are not aware of it. During the question session, Mr. Spiezle noted that the issue has been kept quiet for several years. Senator McCaskill (D-MO) reminded panelists that online advertising is the backbone of the Internet economy, yet consumers have not been sufficiently informed that their data is what fuels this economy. Maneesha Mithal, Associate Director of the FTC’s Division of Privacy and Identity Protection, stated that the FTC informs consumers about online privacy on its OnGuard Online site.

Who is Responsible?

What should be the responsibility of online advertising companies such as Google and Yahoo!? Senator McCain believes that they “have a responsibility to help protect consumers from the potentially harmful effects of the advertisements they deliver.” They do not directly control the advertisements, however, and as many as five or six companies can be involved in publishing a single ad, which makes it difficult to determine which company is responsible for having let the malware through.

Senator McCain also noted that “commercial actors have limited incentives to develop and institute security measures for fear of becoming the liable party if something goes wrong.” The representatives of Google and Yahoo!, however, emphasized that their companies have an incentive to fight malvertising in order to retain their customers’ trust.
Senator McCain asked Alex Stamos, Chief Information Security Officer at Yahoo!, whether the site was responsible for malware, to which Mr. Stamos answered that Yahoo! takes responsibility for its users’ safety. Pushing further, Senator McCain asked whether Yahoo! would reimburse a user whose bank account had been drained by malware encountered on a Yahoo! site; Mr. Stamos did not believe that Yahoo! has such a responsibility.

Possible Solutions

George F. Salem, Senior Product Manager at Google, testified that his company has a two-pronged approach to fighting malware: preventing users from even visiting sites infested with malware, and disabling ads that carry malware. He also noted that consumers should be careful about downloads, always use the latest version of their browser, and install up-to-date antivirus software, a view shared by Ms. Mithal.

Senator McCain also noted that “another problem in the current online advertising industry is the lack of meaningful standards for security” and expressed frustration that Google and Yahoo!, similar companies facing the same problems, do not share the same best-practice standards and implement them the same way.

Senator McCain asked Ms. Mithal what the solutions to malvertising could be. She answered that increased consumer education, more robust industry self-regulation, and more enforcement would be key. Indeed, the FTC has already brought enforcement actions against companies involved in online advertising for deceptive practices. Ms. Mithal stressed that there should be enforcement not only against the purveyors of malware but also against the third parties that let them through.

What’s Next?

Several online advertising companies, including Google and Yahoo!, announced a new initiative called Trust in Ads, whose goal is to protect consumers from malicious online advertisements and deceptive practices.

New legislation may be ahead. Senator McCain asked Ms. Mithal whether the FTC would need additional tools to protect consumers’ online privacy, and Ms. Mithal mentioned that the FTC has advocated in the past for the authority to fine companies that do not maintain reasonable security practices. In her written testimony, Ms. Mithal wrote that the FTC “continues to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law.”



GAO Data Broker Report Calls for Comprehensive Privacy Law

On November 15, 2013, the U.S. Government Accountability Office released a report on the statutory legal protections for consumers with regard to the use of data for marketing purposes by data brokers.

The GAO report canvasses the existing federal consumer legal protections applicable to information resellers and finds them wanting with regard to the use of the data for marketing purposes.  Specifically, the GAO concluded the following:

– “[I]nformation about an individual’s physical and mental health, income and assets, mobile telephone numbers, shopping habits, personal interests, political affiliations, and sexual habits and orientation,” can legally be collected, shared, and used for marketing purposes.  The report notes limits on HIPAA’s applicability to health-related marketing lists used by e-health websites.

– Although some industry participants have stated that current privacy laws are adequate – particularly in light of self-regulatory measures – there are gaps in the current statutory privacy framework that do not fully address “changes in technology and marketplace practices that fundamentally have altered the nature and extent to which personal information is being shared with third parties.”

– Current law is often out of step with the fair information practice principles.

According to the GAO, Congress should therefore consider strengthening the current consumer privacy framework in relation to consumer data used for marketing while not unduly inhibiting the benefits to industry and consumers from data sharing.  In doing so, Congress should consider:

– the adequacy of consumers’ ability to access, correct, and control their personal information in circumstances beyond those currently accorded under FCRA;

– whether there should be additional controls on the types of personal or sensitive information that may be collected and shared;

– changes needed, if any, in the permitted sources and methods for data collection; and

– privacy controls related to new technologies, such as web tracking and mobile devices.

GAO Report at 19, 46-47.

The GAO Report is the most recent expression of support for comprehensive privacy legislation from within the federal government.  In this regard, the report echoes the Obama Administration’s 2012 Privacy Blueprint and the FTC’s 2012 Privacy Report, both of which called for baseline privacy legislation.  The FTC Privacy Report also reiterated the agency’s support for a privacy law targeted to data brokers.  The GAO Report, by contrast, implies that a general privacy law could suffice to address the issues raised by data brokers.



Privacy and Data Protection Impacting on International Trade Talks


The European Union and the United States are currently negotiating a broad compact on trade called the Transatlantic Trade and Investment Partnership (“TTIP”). While the negotiations themselves are non-public, among the issues that are reported to be potential obstacles to agreement are privacy and data protection. Not only does the European Union mandate a much stronger set of data protection and privacy laws for its member states than exist in the United States, but recent revelations of U.S. surveillance practices (including of European leaders) have highlighted the legal and cultural divide.

In an October 29, 2013 speech in Washington, D.C., Viviane Reding, Vice-President of the European Commission and EU Justice Commissioner, emphasized that Europe would not put its more stringent privacy rules at risk of weakening as part of the TTIP negotiations. She said in part,

Friends and partners do not spy on each other. Friends and partners talk and negotiate. For ambitious and complex negotiations to succeed there needs to be trust among the negotiating partners. That is why I am here in Washington: to help rebuild trust.

You are aware of the deep concerns that recent developments concerning intelligence issues have raised among European citizens. They have unfortunately shaken and damaged our relationship.

The close relationship between Europe and the USA is of utmost value. And like any partnership, it must be based on respect and trust. Spying certainly does not lead to trust. That is why it is urgent and essential that our partners take clear action to rebuild trust….

The relations between Europe and the US run very deep, both economically and politically. Our partnership has not fallen from the sky. It is the most successful commercial partnership the world has ever seen. The energy it injects into our economies is measured in millions, billions and trillions – of jobs, trade and investment flows. The Transatlantic Trade and Investment Partnership could improve the figures and take them to new highs.

But getting there will not be easy. There are challenges to get it done and there are issues that will easily derail it. One such issue is data and the protection of personal data.

This is an important issue in Europe because data protection is a fundamental right. The reason for this is rooted in our historical experience with dictatorships from the right and from the left of the political spectrum. They have led to a common understanding in Europe that privacy is an integral part of human dignity and personal freedom. Control of every movement, every word or every e-mail made for private purposes is not compatible with Europe’s fundamental values or our common understanding of a free society.

This is why I warn against bringing data protection to the trade talks. Data protection is not red tape or a tariff. It is a fundamental right and as such it is not negotiable….

Beyond the TTIP talks, the divergence between European and U.S. privacy practices is putting new pressure on an existing legal framework, the Safe Harbor that was adopted after the enactment of the EU Data Protection Directive. A number of EU committees and political groups are either criticizing or recommending revocation of the Safe Harbor, a development that could significantly change the risk management calculus for the numerous companies that move personal information between the United States and Europe.



Rep. Markey Introduces Mobile Device Privacy Act

On September 12, Reps. Markey (D-MA) and DeGette (D-CO) introduced the Mobile Device Privacy Act, H.R. 6377.  If enacted, the bill would place obligations on the mobile phone industry to disclose the use of tracking software, and to obtain consumer consent before the software is downloaded onto a device.

In a press statement introducing the legislation, Rep. Markey – who is co-Chair of the Bipartisan Congressional Privacy Caucus – stated that "Consumers should know and have the choice to say no to software on their mobile devices that is transmitting their personal and sensitive information.  This is especially true for parents of children and teens, the fastest growing group of smartphone users. This legislation will provide greater transparency into the transmission of consumers’ personal information and empower consumers to say no to transmission."  Opponents of the legislation, such as the Software & Information Industry Association, have argued that it "would impose rigid privacy rules on the mobile industry that can only lead to stagnation and a loss of innovative dynamism."

The Markey bill would create new regulatory authority for the Federal Trade Commission to oversee aspects of the mobile industry.  The bill would require the FTC, in consultation with the FCC, to issue rules requiring mobile device manufacturers, service providers, mobile operating system developers, and app developers to make disclosures to users about "monitoring software" installed on a mobile device.  Monitoring software is broadly defined to include any software that "has the capability to monitor the usage" of the device or the user’s geolocation and to transmit that information elsewhere.  In the same vein, the bill also envisages FTC rules requiring device sellers and app developers to obtain a user’s "express consent" before monitoring or transmitting any information collected.  The bill further envisages that all entities receiving monitoring data (i.e., first and third parties) implement information security policies and practices spanning data collection, retention, and disposal.

Enforcement authority under the bill goes primarily to the FTC, with secondary authority given to the FCC and the states.  The bill does not exclude private enforcement actions by individuals.  Statutory damages for these breaches would range from $1,000 per unintentional violation to $3,000 per intentional violation.

The bill will not likely receive further attention from this Congress, which went into recess over the weekend pending the November elections.




Election 2012: Privacy Platforms Compared

The Democratic and Republican Parties unveiled their respective policy platforms at their national conventions this past month. Both platforms address a host of issues related to internet freedoms and security, and differ greatly in some ways and little in others. The starkest contrast lies in the parties’ plans for protecting consumer privacy. However, in other areas such as cybersecurity, the differences seem more imagined than real.

Both party platforms prioritize the civil-liberties aspect of internet freedom but have different prescriptions for achieving it. The Democratic platform envisions information privacy as freedom from private intrusion and public censorship, “protecting an open Internet that fosters investment, innovation, creativity, consumer choice, and free speech, unfettered by censorship or undue violations of privacy.” It later touts the consumer privacy initiatives taken by the White House as a step in this direction: “That’s why the administration launched the Internet Privacy Bill of Rights and encouraged innovative solutions such as a Do Not Track option for consumers.”

Earlier Secure Times coverage on the White House’s privacy approach and Privacy Bill of Rights is available here.

The Republican platform, on the other hand, specifically promises greater protection of personal data from use by government and law enforcement. In what may be a nod to the holding in United States v. Jones and the ongoing debate over location tracking, the RNC pledges to “ensure that personal data receives full constitutional protection from government overreach.”

The RNC platform goes on to add its support for protection from private actors, such that “individuals retain the right to control the use of their data by third parties.” However, it argues that “the only way to safeguard or improve these systems is through the private sector.”

Both platforms agree on the great importance of cybersecurity. However, the RNC criticizes the Administration for not being proactive enough in its efforts to neutralize new cyberthreats:

The current Administration’s cyber security policies have failed to curb malicious actions by our adversaries, and no wonder, for there is no active deterrence protocol. The current deterrence framework is overly reliant on the development of defensive capabilities and has been unsuccessful in dissuading cyber-related aggression. The U.S. cannot afford to risk the cyber-equivalent of Pearl Harbor.

The platform does not name any specific measures to dissuade rather than defend against cyberthreats, but it goes on to criticize the administration for not enabling enough information-sharing between public and private parties. Nonetheless, the Democratic platform mentions “strengthening private sector and international partnerships” as well.

Both parties roundly agree on the multi-stakeholder policymaking framework, and the two statements all but paraphrase each other. The RNC platform states:
We will resist any effort to shift control away from the successful multi-stakeholder approach of Internet governance and toward governance by international or other intergovernmental organizations.

The Secure Times provided earlier coverage of the Multistakeholder Process here.

Links:

National Journal: Dems Part Company With Republicans on Net Neutrality, Online Privacy

2012 Democratic National Platform

2012 Republican National Platform



FTC Urges Congress to Reauthorize SAFE WEB Act

The House Subcommittee on Commerce, Manufacturing, and Trade held a hearing earlier today to discuss reauthorization of the 2006 "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act", otherwise known as the U.S. SAFE WEB Act.  The subcommittee, chaired by Rep. Mary Bono Mack (R-CA), heard testimony from Hugh Stevenson, the FTC’s Deputy Director for International Consumer Protection.

The SAFE WEB Act was enacted in response to growing evidence of cross-border spam, spyware, and fraud on the Internet.  According to FTC research from 2005, an estimated 20 percent of consumer complaints to the agency at that time involved fraud originating outside the United States.  The FTC further estimated that Americans suffered annual losses to foreign operators totaling nearly $220 million as a result of this activity.  The SAFE WEB Act expanded the FTC’s Section 5 authority to tackle this problem by including in its scope "acts or practices involving foreign commerce that (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States."  The Act also gave the FTC additional powers to work with foreign government agencies, designed to facilitate cross-border cooperation and information sharing in investigations and law enforcement actions.

According to today’s FTC testimony, the agency estimates that it has conducted more than 100 investigations, and filed more than 50 cases, involving cross-border elements since SAFE WEB’s passage.  The FTC testimony also states that using the tools provided to it under the Act, the agency has stopped frauds costing consumers hundreds of millions of dollars.  For this and other reasons, the FTC submitted in its testimony that "it is critical that Congress reauthorize the law enforcement tools provided by the U.S. SAFE WEB Act."

In her opening statement to the hearing, Rep. Bono Mack described SAFE WEB as an "important tool in combating cross-border fraud, spam, and spyware."  She went on to describe the progress made since 2006, as evidenced in a 2009 FTC report issued pursuant to the Act, and concluded that SAFE WEB "has been a clear success to date and should be reauthorized before its expiration next year."

The SAFE WEB Act will expire on December 22, 2012 absent reauthorization.  Draft legislation before the House Commerce Committee would reauthorize the Act for an additional seven years.



Joint Hearing on “Internet Privacy: The Views of the FTC, the FCC, and NTIA”

The Subcommittee on Commerce, Manufacturing, and Trade and the Subcommittee on Communications and Technology held a joint hearing on Thursday, July 14, 2011 on “Internet Privacy: The Views of the FTC, the FCC, and NTIA.”

In her opening statement, Subcommittee Chairman Mary Bono Mack (R-CA) noted that:

“… as consumers, we willingly dole out this personally identifiable information online – literally bit by bit. This information is then compiled and collated by computers to produce personal profiles used in online behavioral marketing and advertising. This data mining helps to pay the freight for all of the information that we get for free on the Internet. … First and foremost, greater transparency is needed to empower consumers. While it’s still unclear to me whether government regulations are really needed, providing consumers with more transparency is the first step in better protecting Americans.”

In his opening statement, Representative Henry Waxman (D-CA) noted that self-regulation may not be the best way to protect consumers’ online privacy. He cited a recent report by Stanford researcher Jonathan Mayer, “Tracking the Trackers,” which found that eight members of the self-regulatory group Network Advertising Initiative (NAI) had left tracking cookies in place even after promising users who chose to opt out that they would stop tracking them.

What could be the role of the Federal Communications Commission?

Chairman Greg Walden (R-OR) noted that:

“[t]oday’s regime is neither competitively nor technologically neutral. [While] Section 222 of the Communications Act gives the Federal Communications Commission broad authority to implement privacy protections for consumers of wireline and wireless telephone services…[and] specifically calls out location-based services for regulation, [it]…applies that regulation only to carriers and not providers of devices, operating systems, or applications. Other parts of the Communications Act give the Commission authority over cable operators and satellite television providers under a “prior consent” framework. In stark contrast, there are few if any communications privacy regulations governing web-based companies, even those that can access a user’s search queries, emails, voice and video online conversations, web browser, and even operating systems…. Why should a wireless provider that transmits data to and from a smartphone be subject to federal oversight, but not an operating system provider that has access to the exact same data?”

Chairman Julius Genachowski of the Federal Communications Commission (FCC) testified that one of the FCC’s National Broadband Plan findings was that “[p]rivacy concerns are a barrier to broadband adoption.”  He added that “[i]t is clear we need to strike a balance – ensuring that personal information and consumer choice is protected, and at the same time ensuring a climate that encourages new investment and new innovations that will create jobs and improve our quality of life.”

The FCC has, “[t]hrough … rulemakings and enforcement … addressed difficult issues such as when opt-in and opt-out notifications are appropriate, minimum notice standards, data sharing rules, reasonable data security measures, and notification to law enforcement and consumers in the event of data breaches.”

What could be the role of the Federal Trade Commission?

Commissioner Edith Ramirez of the Federal Trade Commission (FTC) stated in her prepared testimony that “the Commission continues to encourage Congress to enact data security legislation that would (1) impose data security standards on companies, and (2) require companies, in appropriate circumstances, to provide notification to consumers when there is a security breach,” referring to the FTC’s prepared statement on data security before the Subcommittee on Commerce, Manufacturing, and Trade on June 15, 2011.

The FTC also “enforces the FTC Act and several other laws that require companies to maintain reasonable safeguards for the consumer data they maintain” and “enforces the FCRA, which… prescribes that companies only sell sensitive consumer report information for ‘permissible purposes,’ and not for general marketing purposes.” The FTC is also “active in ensuring that companies engaged in social networking adhere to any promises to keep consumers’ information private,” citing a March 2011 consent order resolving allegations that Twitter deceived its customers by failing to honor their choices after offering them the opportunity to designate certain “tweets” as private.

The FTC “has sought to protect consumers from deceptive practices in the behavioral advertising area,” for instance when it settled with the Chitika ad network over a deceptive opt-out mechanism. The FTC has also “sought to ensure that data brokers respect consumers’ choices,” for instance when it announced a final order against the data broker US Search, which maintained an online service allowing users to search for information about others.

What could be the role of the National Telecommunications and Information Administration?

Lawrence Strickling, Assistant Secretary for Communications and Information and Administrator of the National Telecommunications and Information Administration (NTIA), which acts as principal advisor to the President on communications and information policy, testified that the NTIA “has been working over the last two years with Secretary Locke’s Internet Policy Task Force and colleagues throughout the Executive Branch to conduct a broad assessment of how well our current consumer data privacy policy framework serves consumers, businesses, and other participants in the Internet economy.” The NTIA “supports legislation that would create baseline consumer data privacy protections through a consumer privacy bill of rights.”

The NTIA “has recommended legislation with three main characteristics. First, it should establish baseline consumer data privacy protections that would apply in commercial contexts. … Second, we have recommended that legislation provides appropriate incentives for stakeholders in the private sector to develop and adopt enforceable codes of conduct through a multi-stakeholder process…. Third, the Administration supports legislation that strengthens the FTC’s consumer data privacy enforcement authority.”

More, including the hearing webcast, here.