The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Recent FTC Actions and Statements Show Continuing Focus on Privacy

The Federal Trade Commission has long taken a lead role in issues of privacy and data protection, both under its general consumer protection jurisdiction under Section 5 of the FTC Act (15 U.S.C. §45) and under specific legislation such as the Children’s Online Privacy Protection Act of 1998 (“COPPA”) (which itself arose out of FTC reports). The FTC continues to bring legal actions against companies it believes have improperly collected, used or shared consumer personal information, including the recent settlement of a complaint filed against Aaron’s, Inc., a national rent-to-own retail chain based in Atlanta, GA. In its October 22, 2013 press release announcing the settlement, the FTC described Aaron’s alleged violations of Section 5:

Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including by taking webcam pictures of them in their homes.

According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites….

The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.

The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

The FTC’s Consent Order Agreement with Aaron’s includes a prohibition on the company using keystroke- or screenshot-monitoring software or activating the consumer’s microphone or Web cam and a requirement to obtain express consent before installing location-tracking technology and provide notice when it’s activated. Aaron’s may not use any data it received through improper activities in collections actions, must destroy illegally obtained information, and must encrypt any transmitted location or tracking data it properly collects.

The FTC is also continuing its efforts to educate and promote best practices about privacy for both consumers and businesses. On October 28, 2013, FTC Commissioner Julie Brill published an opinion piece in Advertising Age magazine entitled “Data Industry Must Step Up to Protect Consumer Privacy.” In the piece, Commissioner Brill criticizes data collection and marketing firms for failing to uphold basic privacy principles, and calls on them to join an initiative called “Reclaim Your Name,” which Commissioner Brill announced earlier this year.

Brill writes in AdAge:

The concept is simple. Through creation of consumer-friendly online services, Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions.

Improving the handling of sensitive data is another part of Reclaim Your Name. Data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive — relating to health conditions, sexual orientation and financial condition, for example — the data brokers would provide greater transparency and more robust notice and choice to consumers.

For more information on the FTC’s privacy guidance and enforcement, see the privacy and security section of the FTC Web site.


H.R. 2221–The Data Accountability and Trust Act Passes in the House

On December 8, 2009, the United States House of Representatives passed H.R. 2221, the Data Accountability and Trust Act. The bill has now been referred to the Senate Committee on Commerce, Science, and Transportation.
H.R. 2221 would require an entity that owns or possesses personal consumer information to enact data protection security policies and to notify individuals if a security breach occurs. The Federal Trade Commission would be required to promulgate rules regarding data breach notification and protection standards. The bill would also preempt similar state laws.


Are you sure that hard drive is clean?

Two related stories concern data being recovered from hard drives.

This WSJ blog post relates the story of data being recovered from an improperly erased hard drive, and suggests that criminal charges relating to theft of the data will be dismissed, since the subject didn’t improperly acquire the data.

The second story concerns the recovery of data from the damaged hard drive of the Columbia space shuttle.


German “E-Puzzler” machine unshreds communist era secret police documents

Shredding may not be as secure as we thought.
As this article relates, an "E-Puzzler" pattern-recognition machine reassembles the pieces of documents that the East German STASI sought to destroy in the waning days of communist East Germany. Their shredding machines broke down, and when they tried to burn the documents instead, the local citizens broke in and stopped them, so they set about doing it by hand. But of course, they only got so far.
The E-Puzzler has other uses too, so far in helping Chinese archaeologists reconstruct smashed Terracotta warriors found in the tomb of Emperor Qin.
In addition to the article below, here is a link to a PBS interview on the topic.