The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


Leave a comment

Yesterday at FTC, President Obama Announced Plans for new data privacy and security laws: Comprehensive Data Privacy Law, Consumer Privacy Bill of Rights, and Student Digital Privacy Act

Yesterday afternoon, President Barak Obama gave a quip-filled speech at the Federal Trade Commission where he praised the FTC’s efforts in protecting American consumers over the past 100 years and unveiled his plans to implement legislation to protect American consumers from identity theft and to protect school children’s personal information from being used by marketers.   These plans build upon past legislative efforts and the Administration’s focus on cybersecurity, Big Data, and Consumer Protection.  Specifically, On February 23, 2012, the White House released “Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy” (the “Privacy Blueprint”) and in January 2014, President Obama asked his Counselor, John Podesta, to lead a working group to examine Big Data’s impact on government, citizens, businesses, and consumers.  The working group produced Big Data: Seizing Opportunities, Preserving Values on May 1, 2014.

In his speech, the President highlighted the need for increased privacy and security protections as more people go online to conduct their personal business—shop, manage bank accounts, pay bills, handle medical records, manage their “smart” homes, etc.—stating that “we shouldn’t have to forfeit our basic privacy when we go online to do our business”.  The President referenced his “Buy Secure” initiative that would combat credit card fraud through a “chip-and-pin” system for credit cards and credit-card readers issued by the United States government.  In that system, a microchip would be imbedded in a credit card and would replace a magnetic strip since microchips are harder than magnetic strips for thieves to clone.   A pin number would also need to be entered by the consumer into the credit card reader just as with an ATM or debit card.  The President praised those credit card issuers, banks, and lenders that allowed consumers to view their credit scores for free.   He also lauded the FTC’s efforts in the efforts to help identity theft victims by working with credit bureaus and by providing guidance to consumers on its website, identitytheft.gov.

The first piece of legislation the President discussed briefly was a comprehensive breach notification law that would require companies to notify consumers of a breach within 30 days and that would allow identity thieves to be prosecuted even when the criminal activity was done overseas. Currently, there is no federal breach notification law and many states have laws requiring companies to notify affected consumers and/or regulators depending on the type of information compromised and the jurisdiction in which the organization operates.  The state laws also require that breach notification letters to consumers should include certain information, such as information on the risks posed to the individual as a result of the breach along with steps to mitigate the harm.   This “patchwork of laws,” President Obama noted, is confusing to customers and costly for companies to comply with.  The plan to introduce a comprehensive breach notification law adopts the policy recommendation from the Big Data Report that Congress pass legislation that provides for a single national data breach standard along the lines of the Administration’s May 2011 Cybersecurity legislative proposal.  Such legislation should impose reasonable time periods for notification, minimize interference with law enforcement investigations, and potentially prioritize notification about large, damaging incidents over less significant incidents.

The President next discussed the second piece of legislation he would propose, the Consumer Privacy Bill of Rights.  This initiative is not new.  Electronic Privacy Bills of Rights of 1998 and 1999 have been introduced.  In 2011, Senators John Kerry, John McCain, and Amy Klobucher introduced S.799 – Commercial Privacy Bill of Rights Act of 2011.   The Administration’s  Privacy Blueprint of February 23, 2012 set forth the Consumer Privacy Bill of Rights and, along with the Big Data Report, directed The Department of Commerce’s The National Telecommunications and Information Administration (NTIA) to seek comments from stakeholders in order to develop legally-enforceable codes of conduct that would apply the Consumer Privacy Bill of Rights to specific business contexts.

The Big Data Report of May 1, 2014 recommended that The Department of Commerce seek stakeholder and public comment on big data developments and how they impact the Consumer Privacy Bill of Rights draft and consider legislative text for the President to submit to Congress.  On May 21, 2014, Senator Robert Menendez introduced S.2378 – Commercial Privacy Bill of Rights Act of 2014.  The Consumer Privacy Bill of Rights set forth seven basic principles:

1) Individual control – Consumers have the right to exercise control over what information data companies collect about them and how it is used.

2) Transparency – Consumers have the right to easily understandable and accessible privacy and security practices.

3) Respect for context – Consumers expect that data companies will collect, use, and disclose the information they provided in ways consistent with the context it was provided.

4) Security – consumers have the right to secure and responsible handling of personal data.

5) Access and accuracy – Consumers have the right to access and correct their personal data in usable formats in a manner that is appropriate to the data’s sensitivity and the risk of adverse consequences if the data is not accurate.

6) Focused Collection – Consumers have the right to reasonable limits on the personal data that companies collect and retain.

7) Accountability – Consumers have the right to have companies that collect and use their data to have the appropriate methods in place to assure that they comply with the consumer bill of rights.

The President next discussed the third piece of legislation he would propose, the Student Digital Privacy Act.  The President noted how new educational technologies including tailored websites, apps, tablets, digital tutors and textbooks transform how children learn and help parents and teachers track students’ progress.  With these technologies, however, companies can mine student data for non-educational, commercial purposes such as targeted marketing.  The Student Privacy Act adopts the Big Data Report’s policy recommendation of ensuring that students’ data, collected and gathered in an educational context, is used for educational purposes and that students are protected against having their data shared or used inappropriately.  The President noted that the Student Digital Privacy Act would not “reinvent the wheel” but mirror on a federal level state legislation, specifically the California law to take effect next year that bars education technology companies from selling student data or using that data to target students with ads.   The current federal law that protects student’s privacy is the Family Educational Rights and Privacy Act of 1974, which does not protect against companies’ data mining that reveals student’s habits and profiles for targeted advertising but rather protects against official educational records from being released by schools. The President highlighted current self-regulation, the Student Privacy Pledge, signed by 75 education technology companies committing voluntary not to sell student information or use education technologies to send students targeted ads.  It has been discussed whether self-regulation would work and whether the proposed Act would go far enough.  The President remarked that parents want to make sure that children are being smart and safe online, it is their responsibility as parents to do so but that structure is needed for parents to ensure that information is not being gathered about students without their parents or the kids knowing about it.  This hinted at a notification requirement and opt-out for student data mining that is missing from state legislation but is a requirement of the Children’s Online Privacy Protection Act of 1998.  Specifically, COPPA requires companies and commercial website operators that direct online services to children under 13, collect personal information from children under 13, or that know they are collecting personal information from children under to children under 13 to provide parents with notice about the site’s information-collection practices, obtain verifiable consent from parents before collecting personal information, give parents a choice as to whether the personal information is going to be disclosed to third parties, and give parents access and the opportunity to delete the children’s personal information, among other things.

President Obama noted that his speech marked the first time in 80 years—since FDR—that a President has come to the FTC.   His speech at the FTC on Monday was the first of a three-part tour leading up to his State of the Union address.  Next, the President also planned to speak at the Department of Homeland Security on how the government can collaborate with the private sector to ward off cyber security attacks.  His final speak will take place in Iowa, where he will discuss how to bring faster, cheaper broadband access to more Americans.


Leave a comment

FTC v. Wyndham Update, Part 3

In earlier updates, we’ve provided background and tracked the progress (and the unique circumstances) of FTC v. Wyndham Worldwide Corp., et al. On April 7, a highly anticipated opinion was issued by New Jersey District Court Judge Esther Salas in a case that will likely have broad implications in the realms of privacy and data security. Through a motion to dismiss, Wyndham argued that the FTC had no authority to assert a claim in the data security context, that the FTC must first formally promulgate data security regulations before bringing such a claim, and that the FTC’s pleadings of consumer harm were insufficient to support their claims. The Wyndham court sided with the FTC on all of these arguments, and dismissed Wyndham’s motion to dismiss.

Continue reading


Leave a comment

New COPPA Compliance Mechanisms Now Available

FTC recently approved a new COPPA safe harbor program and a new method for obtaining parental consent, providing flexibility to companies striving to comply with COPPA obligations.

The revisions to the COPPA rule that took effect July 2013 expanded COPPA provisions in several ways, including by expanding the definition of “personal information” and clarifying that third party operators are also subject to COPPA compliance obligations.  The revised rules also imposed stricter requirements for companies wishing to provide COPPA safe harbor certification and created a mechanism through which companies could submit approval for new methods of obtaining parental consent.

Safe Harbor.   Websites that participate in an FTC-approved COPPA safe harbor program will generally be subject to review and disciplinary actions under the program guidelines rather than be subject to a formal FTC investigation and enforcement action.  In the amended Rule, the FTC imposed stricter requirements for companies wishing to provide safe harbor certification programs. A potential safe harbor program provider must now provide extensive documentation about the program’s requirements and the organization’s capability to oversee the program during the approval process and, after approval, the program must submit annual reports to the FTC.

On February 12, the FTC announced its approval of the kidSAFE Seal Safe Harbor program, which is designed for child-friendly websites and applications, including kid-targeted games, educational sites, virtual worlds, social networks, mobile apps, tablet devices and other similar interactive services and technologies.

The FTC approved the kidSAFE seal safe harbor program after determining that it had (1) a requirement that participants in the safe harbor program implement substantially similar requirements that provide the same or greater protection for children as those contained in the COPPA Rule; (2) an effective, mandatory mechanism for independent assessment of the safe harbor program participants’ compliance with the guidelines; and (3) disciplinary actions for noncompliance by safe harbor participants.

The kidSAFE Seal program as the first safe harbor program approved under the amended version of the rule.  The program joins five other safe harbor certifications previously approved by the FTC: the Children’s Advertising Review Unit of the BBB, the Entertainment Software Rating Board, TRUSTe, Privo Inc. and Aristotle International, Inc. 

Parental Verification MethodsThe FTC recently approved a new authentication method proposed by Imperium, LLC for verifying the identity of parents who consent to the collection of their children’s data.  Imperium proposed a “knowledge-based authentication system,” for its identify verification system ChildGuardOnline, which verifies a user’s identity by asking a series of out-of-wallet challenge questions (e.g., questions which cannot be determined merely by looking in a person’s wallet).  Knowledge-based authentication systems are already used by entities that handle sensitive information like financial institutions and credit bureaus. The FTC found this was a reliable method of verification because the questions were sufficiently difficult that a child age 12 and under in the parent’s household could not reasonably ascertain the answers and noted that knowledge-based authentication has already proven reliable in the market place in other contexts.

Previously, the FTC had rejected an application by AssertID Inc. for its ConsentID product, which proposed to verify parental identify by asking that “friends” on the parent’s social media sites vouch for the parental-child relationship. The FTC found that this method was not “reasonably calculated in light of available technology” to ensure the person providing consent was the child’s parent and that the process could easily be circumvented by children who create fake social media accounts.  To date, the Imperium methodology of parental consent verification is the only method approved by the FTC that was not in the text of the Rule itself.  The other methods for verifying parental consent as provided in the text of the Rule are (a) requesting such consent be provided by written form returned by mail, fax or scanned email; (b) requesting a credit or debit card in connection with a monetary transaction; (c) requesting parent call a toll-free phone number, (d) connect with parent via video-conference, or (e) check a form of ID against a government database.

The FTC recently closed its public comment period for another proposed verification system submitted by iVeriFly. The iVeriFly methodology combines a knowledge-based authentication system similar to the method imposed by Imperium, wherein the program scans non-FCRA consumer databases to generate out-of-wallet questions for the parent to answer. If the parent answers the questions correctly, the iVeryFly system then places a call to the parent requesting that consent be provided through a series of telephone key presses.


1 Comment

FTC v. Wyndham Update

Edit (Feb. 5, 2014): For a more recent update on this case, please see this post.

On November 1, Maureen Ohlhausen, a Commissioner at the Federal Trade Commission (FTC), held an “ask me (almost) anything” (AMAA) session on Reddit. There were no real surprises in the questions Commissioner Ohlhausen answered, and the AMAA format is not well-suited to lengthy responses. One interesting topic that did arise, however, was the FTC’s complaint against Wyndham Worldwide Corporation, and Wyndham’s subsequent filing of a motion to dismiss the FTC action against them. Commissioner Ohlhausen declined to discuss the ongoing litigation, but asserted generally that the FTC has the authority to bring such actions under Section 5 of the FTC Act, 15 U.S.C. § 45. While there were no unexpected revelations in the Commissioner’s response, I thought it presented an excellent opportunity to bring everyone up to speed on the Wyndham litigation.

On June 26, 2012, the Federal Trade Commission (FTC) filed a complaint in Arizona Federal District Court against Wyndham Worldwide Corporation, alleging that Wyndham “fail[ed] to maintain reasonable security” on their computer networks, which led to a data breach resulting in the theft of payment card data for hundreds of thousands of Wyndham customers, and more than $10.6 million in fraudulent charges on customers’ accounts.  Specifically, the complaint alleged that Wyndham engaged in deceptive business practices in violation of Section 5 of the FTC Act by misrepresenting the security measures it undertook to protect customers’ personal information. The complaint also alleged that Wyndham’s failure to provide reasonable data security is an unfair trade practice, also in violation of Section 5.

On August 27, 2012, Wyndham  responded by filing a motion to dismiss the FTC’s complaint, asserting, inter alia, that the FTC lacked the statutory authority to “establish data-security standards for the private sector and enforce those standards in federal court,” thus challenging the FTC’s authority to bring the unfairness count under the FTC Act. In their October 1, 2012 response, the FTC asked the court to reject Wyndham’s arguments, stating that the FTC’s complaint alleged a number of specific security failures on the part of Wyndham, which resulted in two violations of the FTC Act. The case was transferred to the Federal District of New Jersey on March 25, 2013, and Wyndham’s motions to dismiss were denied. On April 26, Wyndham once again filed motions to dismiss the FTC’s complaint, again asserting that the FTC lacked the legal authority to legislate data security standards for private businesses under Section 5 of the FTC Act.

At stake in this litigation is the FTC’s ability to bring enforcement claims against companies that suffer data breach due to a lack of “reasonable security.” What is unique in this case is Wyndham’s decision to fight the FTC action in court rather than make efforts to settle the case, as other companies have done when faced with similar allegations by the FTC. For example, in 2006, the FTC hit ChoicePoint Inc. with a $10 million penalty over data breach where over 180,000 payment card numbers were stolen. The FTC has also gone after such high-profile companies as Twitter, HTC, and Google based on similar facts and law. These actions resulted in out-of-court settlements.

If Wyndham’s pending motions to dismiss are denied, and the FTC ultimately prevails in this case, it is likely that the FTC will continue to bring these actions, and businesses will likely see an increased level of scrutiny applied to their network security. If, however, Wyndham succeeds and the FTC case against them is dismissed, public policy questions regarding data security will likely fall back to Congress to resolve.

Oral argument for the pending motions to dismiss are scheduled for November 7. No doubt many parties will be following these proceedings with great interest.


Leave a comment

Recent FTC Actions and Statements Show Continuing Focus on Privacy

The Federal Trade Commission has long taken a lead role in issues of privacy and data protection, under its general consumer protection jurisdiction under Section 5 of the FTC Act (15 U.S.C. §45) as well as specific legislation such as the Children’s Online Privacy Protection Act of 1998 (“COPPA“) (which itself arose out of FTC reports). The FTC continues to bring legal actions against companies it believes have improperly collected, used or shared consumer personal information, including the recent settlement of a complaint filed against Aaron’s, Inc., a national rent-to-own retail chain based in Atlanta, GA. In its October 22, 2013 press release announcing the settlement, the FTC described Aaron’s alleged violations of Section 5:

Aaron’s, Inc., a national, Atlanta-based rent-to-own retailer, has agreed to settle FTC charges that it knowingly played a direct and vital role in its franchisees’ installation and use of software on rental computers that secretly monitored consumers including by taking webcam pictures of them in their homes.

According to the FTC’s complaint, Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites….

The complaint alleges that Aaron’s knew about the privacy-invasive features of the software, but nonetheless allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.

The software was the subject of related FTC actions earlier this year against the software manufacturer and several rent-to-own stores, including Aaron’s franchisees, that used it. It included a feature called Detective Mode, which, in addition to monitoring keystrokes, capturing screenshots, and activating the computer’s webcam, also presented deceptive “software registration” screens designed to get computer users to provide personal information.

The FTC’s Consent Order Agreement with Aaron’s includes a prohibition on the company using keystroke- or screenshot-monitoring software or activating the consumer’s microphone or Web cam and a requirement to obtain express consent before installing location-tracking technology and provide notice when it’s activated. Aaron’s may not use any data it received through improper activities in collections actions, must destroy illegally obtained information, and must encrypt any transmitted location or tracking data it properly collects.

The FTC is also continuing its efforts to educate and promote best practices about privacy for both consumers and businesses. On October 28, 2013, FTC Commissioner Julie Brill published an opinion piece in Advertising Age magazine entitled Data Industry Must Step Up to Protect Consumer Privacy. In the piece, Commissioner Brill criticizes data collection and marketing firms for failing to uphold basic privacy principles, and calls on them to join an initiative called “Reclaim Your Name” which Commissioner Brill announced earlier this year.

Brill writes in AdAge:

The concept is simple. Through creation of consumer-friendly online services, Reclaim Your Name would empower the consumer to find out how brokers are collecting and using data; give her access to information that data brokers have amassed about her; allow her to opt-out if a data broker is selling her information for marketing purposes; and provide her the opportunity to correct errors in information used for substantive decisions.

Improving the handling of sensitive data is another part of Reclaim Your Name. Data brokers that participate in Reclaim Your Name would agree to tailor their data handling and notice and choice tools to the sensitivity of the information at issue. As the data they handle or create becomes more sensitive — relating to health conditions, sexual orientation and financial condition, for example — the data brokers would provide greater transparency and more robust notice and choice to consumers.

For more information on the FTC’s privacy guidance and enforcement, see the privacy and security section of the FTC Web site.


Leave a comment

Upcoming 1 Hour Teleseminar on the Amended COPPA Rule – Tomorrow, Wednesday, October 30

Please register for a one-hour teleseminar entitled:

The Amended COPPA Rule:  Adapting to the Final Implementation

Wednesday, October 30, 2013
12:00 – 1:00 p.m. EST

Click HERE to register

In July 2013, the amended Children’s Online Privacy Protection Act (COPPA)
Rule went into effect. How is the industry is dealing with the new and revised
COPPA provisions such as the new definition of personal information, mixed
audience sites, liability for third party plug ins?  What are the expectations
of regulators?  Our expert panelists will offer different perspectives on key
provisions and implementation of the revised rule, including compliance,
enforcement, and education.  We will also cover traps for the unwary and best
practices regarding the collection and use of children’s personal
information.

Panelists:
Kristin Cohen, Federal Trade Commission, Washington, D.C.
Elizabeth Blumenfeld, Crowell & Moring LLP, Washington, D.C.
Phyllis Spaeth, Children’s Advertising Review Unit of the Council of Better Business Bureaus, New York, NY

Moderator:
Erika Brown Lee, Norton Rose Fulbright LLP, Washington, D.C.


Leave a comment

FTC Issues Consumer Advice re: Hacked Email and Social Networking Accounts

On August 1, the FTC provided consumers with a new resource, Hacked Email,  to help them identify a hacked email or social media account, recover their account from a hack, and prevent it from happening again.  The need for such guidance is highlighted by statistics such as these:

  • Over 60,000 compromised account logins occur every day on Facebook, according to Sophos.  
  • 62 percent of users with compromised email accounts were unaware of how their accounts had been compromised, according to a study by Commtouch, State of Hacked Email Accounts.
  • Of the third of users who noticed their account was compromised, 50 percent did not know until their friends told them. (id)

Given over half of all hacked accounts are used to send spam to promote a product (according to Commtouch) and many others are used to promote scams and spread malware resulting in loss of personal information, security credentials and financial assets, the FTC has a vested interest in protecting consumers from hacked accounts. Here are ways it suggests consumers can start tackling the problem:

  • To identify a hacked account, users should pay attention to:messages they did not send (or social media posts they did not write) but appear to originate from their account; an empty sent-mail folder (indicating a hacker sent multiple emails from the account then deleted the sent-mail folder’s contents or set it to not save emails in order to cover his or her tracks); or email from other accounts, which the user cannot open.
  • To remediate a hacked account, users should ensure their security software is up to date and delete malware; change their passwords (tips for creating strong passwords are included); contact their account service provider for account-specific advice on account restoration; check account settings to ensure messages are not being forwarded to an unfamiliar address or no new “friends” have been added to a social networking account; and inform friends and family so they don’t run the risk of getting hacked themselves by opening emails from the user’s hacked account. By going above and beyond just telling users to change their account password, these tips are likely to be useful to consumers, as, according to Commtouch, most users (42%) do nothing to solve the problem except change their password and 23 percent do nothing at all.
  • To avoid getting hacked again in the future, users should employ unique passwords for financial and other important sites; use two-factor authentication when available; not click on links or open attachments from unknown users; and only download free software from known, trusted sites.  The FTC also gives guidance around using safely using public computers and wi-fi networks.

While the tips are useful to consumers, businesses can also benefit from leveraging the FTC’s consumer-facing tips to educate their employees and customers. For example, given that 29 percent of breaches involved social tactics like phishing (getting employees to click on fake emails) according to the Verizon 2013 Data Breach Investigations Report, one of the FTC’s tips of particular use is that users should avoid clicking on links or open attachments from unknown users.

Hacked Email is one of a series of educational materials consumers can leverage to protect themselves, available at www.onguardonline.gov, which is managed by the FTC in partnership with the Department of Homeland Security and the National Institute of Standards and Technology. Guidance on avoiding identity theft, scams and other issues touching on consumer privacy and security is provided on the site.


1 Comment

New York Senator Asks FTC to Allow Consumers to Opt Out of Store Tracking Programs

Senator Charles Schumer (D-NY) held a press conference last Sunday in Manhattan and called on the Federal Trade Commission (FTC) to allow consumers to opt out of being tracked while visiting retail stores.

Senator Schumer suggested that the FTC should require retailers to inform consumers about their opt-out option by sending an electronic notice to their smartphones before starting to track them.

Senator Schumer also sent a letter to Edith Ramirez, the FTC chairwoman, asking the FTC to investigate this practice which he called unfair and deceptive.

Indeed, The New York Times reported this month that some brick-and-mortar stores track shoppers during store visits. The article explained how Nordstrom had tested a new technology which allowed the retailer to use Wi-Fi signals to track customers’ shopping habits.

Nordstrom stopped the experience following customers’ complaints, but the department store is not the only retailer interested in these new tracking technologies. American Apparel and Benetton are among retailers tracking their customers inside their stores.

CBS reported that Nordstrom used a company named Euclid for its tracking experiment. The Euclid web site explains how retailers may track consumers. Its system senses consumers’ smartphones when they come into a store and records the “ping” sent to the store’s Wi-Fi systems. The system scrambles the MAC address of each phone by using one-way hashing algorithms, and then data is processed, analyzed, and stored in the cloud, although it is unclear how long. Euclid calls this data “anonymous foot-traffic” and states on its privacy page that “[n]o personally identifiable data is ever collected or used.”

But privacy advocates know that rendering data anonymous may not be a fool-proof way to safeguard the privacy of data subjects. Therefore, it is welcome that Euclid is one of the companies which will participate in a Future of Privacy Forum group to develop best practices for companies in the business of retail location analytics.

Jules Polonetsky, Director of the Future of Privacy Forum, is quoted saying that “[c]ompanies need to ensure they have data protection standards in place to de-identify data, to provide consumers with effective choices to not be tracked and to explain to consumers the purposes for which data is being used.”

It remains to be seen if the issue will be tackled by a set of best practices, regulation, or both.

Earlier this week the Senate Commerce Committee subcommittee with responsibility for consumer protection issues held a hearing to discuss the impact of unwanted robocalls on consumers. Topics discussed included the consumer harm associated with fraudulent robocalls; the effectiveness of regulations and law enforcement in stopping them; and the feasibility of technological solutions to the challenges posed by unauthorized robocalls. The hearing was held not long after the 10th anniversary of the Do Not Call Registry – in the words of humorist Dave Barry “the most popular federal concept since the Elvis stamp.”   The hearing heard testimony from two panels: witnesses on the first panel represented the FTC and FCC, and witnesses on the second panel represented the telecom and ancillary industries.

Two overall themes emerged from the testimony. First, the challenges faced both by regulators and legitimate industry in keeping with up fast-paced technological changes in the robocall industry, and second the increasingly global nature of unauthorized robocalls.

The FTC testimony spoke to the agency’s law enforcement efforts, initiatives to spur technological solutions, and its broad consumer and business outreach in the robocall arena. In the decade since the Telemarketing Sales Rule (TSR) was amended to create the Do Not Call Registry, the agency has brought over 105 enforcement actions, resulting in $126 million in civil penalties and $741 million in redress or disgorgement. Despite these actions, the number of unauthorized robocalls continues to balloon, from 63,000 consumer complaints per month in 2009, to 200,000 complaints per month in 2012.  These numbers were consistent with those presented by the FCC witness who testified that the number of consumer complaints to that agency had doubled in the past two years.

Much of the growth in robocalling is enabled by new technologies such as Voice Over Internet Protocol (VoIP) technology which enables blasting of prerecorded messages over the Internet. VoIP technology not only makes it cheaper to place robocalls when compared to the time and money needed to place a call on the traditional cooper wire, but it also makes identifying the robocall perpetrator more challenging. In the highly regulated copper wire world, the regulated entities are well-known and cannot easily conceal their identities. In contrast, VoIP technology allows businesses to place cheap calls wherever they find an Internet connection, both at home and abroad. For example, one 2012 FTC enforcement action involved billions of calls placed by phone numbers registered to companies with overseas offices in the Northern Mariana Islands, Hong Kong, and the Netherlands.

In October 2012, the Commission hosted a workshop – the Robocall Summit – to explore technological solutions to keep up with the Internet enabled growth in robocalls, (or as then-Chairman Leibowitz described it, “voice blasting technology [] at bargain basement prices.”)  The FTC announced a public contest or “Robocall Challenge” with a $50,000 prize for the individual or small team that could propose a technological solution to help consumers block robocalls on their landlines and mobile phones. In April this year, the agency announced three winning solutions which, if successfully developed could result in “positive results for American consumers.” 

Urging caution, a representative from the USTelecom trade association counseled that technological solutions that “seek to make phone service providers the arbiter of whether a call should – or should not – be permitted to proceed skirt dangerously close to violating the privacy obligations imposed on us by law.”  The witness cited the Wiretap Act provisions protecting the transmission of calls and limiting the rights of universal service providers to intercept them. The witness was not optimistic that a “silver bullet” technological solution to the robocall challenge could be found, and counseled further that “today’s solution could very well turn into tomorrow’s Maginot Line, and could have unintended adverse consequences.”


Leave a comment

FTC Announces Internet of Things Workshop

The FTC recently announced a public workshop to examine the privacy and data security implications of the Internet of Things (IoT). The workshop, which will take place on November 21 this year, indicates a growing interest – both here and in Europe – in the policy issues raised by this rapidly emerging business model. The FTC announcement follows a signal from new FTC Chairwoman Edith Ramirez that she intends to include IoT in her privacy agenda.

The Internet of Things describes a world in which machines can communicate with one another via the Internet without human intervention. The Swedish mobile device vendor Ericsson estimates that around 50 billion devices worldwide will be IoT enabled by 2020.

The business model has many positive applications. Included here are energy efficient smart grids, which have the proven potential to promote energy efficiency. Another interesting IoT application concerns auto insurance. If the key variables used to calculate insurance premiums are distance driven, location, time of day, and driving style, and these variables can be measured with precision using IoT technologies, then drivers and insurance providers may be positioned to better calculate bespoke insurance rates.

These and other IoT applications look set to become more and more ubiquitous as the technologies underpinning them – data storage, mobile data transfer, and cloud computing – look set to come down the cost curve in the coming years. However, as with Internet enabled technologies generally, IoT raises potential privacy and data security concerns. The FTC is therefore requesting public comments on the following issues prior to the November workshop:

• What are the unique privacy and security concerns associated with smart technology and its data? For example, how can companies implement security patching for smart devices? What steps can be taken to prevent smart devices from becoming targets of or vectors for malware or adware?
• How should privacy risks be weighed against potential societal benefits, such as the ability to generate better data to improve health-care decision making or to promote energy efficiency? Can and should de-identified data from smart devices be used for these purposes, and if so, under what circumstances?

FTC staff welcomes submissions to its IoT email account before June 1, 2013.

Meanwhile, on the other side of the Atlantic both the EU and the OECD are tracking IoT from a policy standpoint in general; and a privacy and security standpoint in particular. The EC Commission launched a public consultation similar in nature to the FTC’s in April last year, and recently published its findings. According to the Commission, these findings will be relied on in “future policy initiatives.”