FTC probing whether Facebook violated consent decree, report

In Nov. 2011, Facebook settled charges by the Federal Trade Commission that it deceived consumers by advising them they could keep their information on the social network private and then allowing it to be shared and made public.

In the wake of the revelations about Cambridge Analytica, the FTC reportedly is examining whether Facebook violated the terms of the settlement.

Cambridge Analytica, a voter-profiling firm, derived data from more than 50 million Facebook profiles that it accessed via a third-party app. A data scientist at Cambridge University harvested the data starting in June 2014.

That may have contravened the 2011 settlement. Among the charges by the FTC that led to the settlement:

Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.

The FTC further charged:

Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.

The settlement barred Facebook from misrepresenting the privacy or security of users’ personal information.

FTC ends probe of data breach at Morgan Stanley, offers guidance to businesses

If they haven’t already, companies that handle customers’ personal information should read a letter released recently by the Federal Trade Commission that concludes an investigation by the agency into data security practices at Morgan Stanley.

The probe by the FTC followed Morgan Stanley’s firing in January of a financial adviser who downloaded and took home with him details for the accounts of 350,000 of the firm’s roughly 3.5 million wealth-management clients. Morgan Stanley later discovered some of the information on Pastebin, a file-sharing site.

Though the information reportedly included account names and numbers, account values and states of residence, the bank said that no clients incurred financial harm as a result of the breach. Law-enforcement officials later investigated whether hackers obtained the information from the adviser’s computer and posted the details online.

Two factors influenced the FTC’s decision to end its investigation without charging Morgan Stanley with failing to secure the information in violation of federal law, which prohibits unfair or deceptive acts or practices by businesses.

First, the FTC found that Morgan Stanley maintained “comprehensive policies designed to protect against insider theft of personal information.” According to the agency, the firm limits access by employees to data for which they have a business need, monitors data transfers by employees, prohibits use of USB flash drives and other devices that can be used to remove data, and blocks access by employees to websites the firm regards as high-risk.

Second, although the adviser was able to obtain a “narrow set of reports” for which Morgan Stanley had configured controls improperly, the company fixed the problem quickly after the breach came to its attention.

“We continue to emphasize that data security is an ongoing process,” the FTC wrote. “As risks, technologies, and circumstances change over time, companies must adjust security practices accordingly. As employees increasingly use personal websites and a host of online applications, companies should deploy appropriate controls to address the potential risks of broad access to such resources on work devices.”

The Internet of Things marks an anniversary for privacy

This September marks two years since the Federal Trade Commission ordered TRENDnet, a California-based maker of surveillance cameras and networking devices, to refrain from misrepresenting the security of its devices after feeds from hundreds of consumers’ cameras became public on the Internet.

According to the FTC, the company failed to use reasonable security to design and test software for its SecurView cameras. The omission allowed hackers to obtain feeds for roughly 700 cameras that showed babies asleep in their cribs, children playing, and adults coming and going.

The case, which TRENDnet settled by agreeing to strengthen digital security in its products and to implement a program that reduces risks to privacy, represented the first enforcement action by the FTC involving a consumer device that sends and receives data over the Internet, also known as the Internet of Things (IoT).

From mattresses that measure whether we toss and turn at night, to refrigerators that tell the grocer when it’s time to restock, to fitness trackers that encircle our wrists, the IoT represents a networking of everyday devices to improve—in theory, at least—how we live and work. The IoT includes meters that allow electric utilities to measure usage, monitors that give doctors access to our health data 24/7, and carpets and walls that detect when someone has fallen.

Though estimates vary, there are roughly 4.9 billion connected devices in the world, up 30% from 2014, according to Gartner, which projects 25 billion such devices by 2020. Data from mobile devices alone reached 2.5 exabytes per month (that’s one billion gigabytes) last year, up 69 percent from a year earlier, and is expected to exceed 24.3 exabytes per month by 2019, according to Cisco.

Or, as a character on the HBO series “Silicon Valley” exclaims: “Ninety-two percent of the world’s data has been created in the last two years alone!”

Devices can be difficult to secure. Seventy percent of the most common ones that constitute the IoT contain serious vulnerabilities, a study last year by Hewlett-Packard found. But what matters as much if not more is safeguarding the flood of data itself and ensuring that consumers know the terms of the exchange. Dominique Guinard, co-founder and chief technical officer of Evrythng, a maker of platforms that tie devices together, observed recently in AdvertisingAge:

“In the data-driven world of IoT, the data that gets shared is more personal and intimate than in the current digital economy. For example, consumers have the ability to trade protected data such as health and medical information through their bathroom scale, perhaps for a better health insurance premium. But what happens if a consumer is supposed to lose weight, and ends up gaining it instead? What control can consumers exert over access to their data, and what are the consequences?”

Guinard envisions contracts between consumers and manufacturers that adjust over time and address what happens when data becomes unfavorable to the consumer. The FTC has discussed similar approaches. In a report published last January, the agency presented results of a workshop at which participants examined security for the IoT as measured by Fair Information Practices, a code established in 1973 by the U.S. Department of Health, Education and Welfare and later adopted by the Organization for Economic Cooperation and Development that has provided a framework for thinking about privacy since.

At the workshop the FTC and participants focused on the application of four practices as they pertain to the IoT: security, data minimization, notice, and choice. Participants stressed the benefit of so-called security by design, which holds that companies build security into devices at the outset rather than as an afterthought. Minimization refers to companies imposing reasonable limits on collection and retention of data. Less is more, you might say.

Notice refers to how a company describes its privacy practices, including what information the company collects from consumers. Choice addresses the ability of consumers to specify how such information may be used, disclosed and shared.

The meaningfulness of both notice and choice turns in part on consumers’ expectations. Among scenarios posited by the FTC:

“Suppose a consumer buys a smart oven from ABC Vending, which is connected to an ABC Vending app that allows the consumer to remotely turn the oven on to the setting, ‘Bake at 400 degrees for one hour.’ If ABC Vending decides to use the consumer’s oven-usage information to improve the sensitivity of its temperature sensor or to recommend another of its products to the consumer, it need not offer the consumer a choice for these uses, which are consistent with its relationship with the consumer. On the other hand, if the oven manufacturer shares a consumer’s personal data with, for example, a data broker or an ad network, such sharing would be inconsistent with the context of the consumer’s relationship with the manufacturer, and the company should give the consumer a choice.”

Technology may help. The Future of Privacy Forum, a Washington-based think tank that advocates for responsible data practices, suggested in comments to the FTC that companies tag data with permissible uses so that software can identify and flag unauthorized uses. Microsoft envisioned a manufacturer that offers more than one device using a consumer’s preference for one to determine a default preference for others.

As the proposals suggest, notice and choice can be a challenge to achieve when our appliances collect data while we go about our lives. But as the FTC observed, “giving consumers information and choices about their data… continues to be the most viable [approach] for the IoT in the foreseeable future.”

Wyndham ruling reinforces FTC authority to regulate privacy practices

A hotel chain’s repeated failure to protect customers from hackers constitutes an unfair practice that subjects the company to a lawsuit by the Federal Trade Commission, a federal appeals court in Philadelphia has ruled in a decision that reinforces the agency’s authority to protect consumers from companies that backtrack on promises about privacy.

Wyndham Worldwide Corporation, which licenses its brand to roughly 90 independently owned hotels that use the company’s computerized property management system, cannot contend that federal law or the FTC’s interpretations of it failed to put the company on notice that lapses in cybersecurity on its part could lead to legal liability, according to the court.

The FTC sued Wyndham, which also franchises more than 7,600 hotels worldwide, in June 2012, charging the company with failing to protect consumers in violation of Section 5 of the Federal Trade Commission Act, a century-old law that authorizes the FTC to proscribe “unfair or deceptive acts or practices” in commerce.

Three breaches of Wyndham’s property management system over two years starting in 2008 resulted in hackers obtaining payment-card information from more than 619,000 consumers and at least $10.6 million in losses from fraud, the FTC charged.

According to the FTC, Wyndham failed to use encryption, firewalls and other procedures to safeguard customers’ names, payment card account numbers, expiration dates and security codes stored in the system, notwithstanding the company’s privacy notice, which advised customers that Wyndham safeguards their personally identifiable information using industry-standard practices.

Before trial, Wyndham sought to dismiss the FTC’s claims, charging the agency with failing to support a finding of unfairness. Congress reshaped Section 5 to exclude cybersecurity, according to Wyndham, which also charged the FTC with failing to notify companies what standards to follow. U.S. District Judge Esther Salas denied Wyndham’s motion but allowed the company to appeal the ruling.

The appeals court sided with Salas. “A company does not act equitably when it publishes a privacy policy to attract customers who are concerned about data privacy, fails to make good on that promise by investing inadequate resources in cybersecurity, exposes its unsuspecting customers to substantial financial injury, and retains the profits of their business,” wrote Judge Thomas Ambro for a three-judge panel of the U.S. Court of Appeals for the 3rd Circuit.

The government’s charges, which ranged from Wyndham’s allowing company-branded hotels to store payment card information in clear readable text, to permitting the use of easily guessed passwords to protect the property management system, to failing to restrict access to the system by third parties, embody unfairness as defined by both the FTC and Congress, the court noted.

In 1994, Congress codified a definition of unfairness adopted by the FTC 14 years earlier that defines the term as an act or practice that “causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”

Apart from the term’s plain meaning as defined by the FTC, Congress declined to enumerate specific unfair practices in the law, choosing instead to leave their development to the FTC as technology and the marketplace evolve, Ambro explained.

The approach makes sense, according to Omer Tene, a professor at the College of Management School of Law in Rishon Le Zion, Israel and a visiting scholar at the Center for Internet and Society at Stanford Law School, who wrote following the ruling:

“In what could serve as a valuable lesson for European lawmakers as they mull over the details of the voluminous General Data Protection Regulation, Congress had the foresight back then to understand the futility of exhaustively listing every unreasonable practice that might arise. Firewalls, passwords and secure cloud transactions were hardly foreseeable in 1914.”

The court also rejected a claim by Wyndham that a business does not treat its customers unfairly when the business itself is victimized by hackers, a situation the company argued would be akin to allowing the government to sue a supermarket that was “sloppy about sweeping up banana peels.”

“The argument is alarmist to say the least,” wrote Ambro. “And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under [Section 5.]”

The court further rejected Wyndham’s contention that it lacked notice of what specific security procedures a business must take to avoid liability. According to the court, the FTC has published enforcement actions and consent decrees that have the effect of notifying companies whether their practices treat consumers fairly. The FTC says it has settled 53 cases against companies related to data security, including Snapchat, Reed Elsevier and Credit Karma.

Ambro noted that in Wyndham’s case the facts failed to create a close call:

“As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all. Wyndham did not respond to this argument in its reply brief.” (citations omitted, emphasis in original)

Whether Wyndham realized the risks to security it faced when the first breach occurred, the company had notice by the second and third cyberattacks, Ambro noted. By now Wyndham knows, too. In its latest annual securities filing, the company described risks it faces in the realm of privacy and security:

“The legal, regulatory and contractual environment surrounding information security and privacy is constantly evolving and the hospitality industry is under increasing attack by cyber-criminals operating on a global basis. Our information technology infrastructure and information systems may also be vulnerable to system failures, computer hacking, cyber-terrorism, computer viruses, and other intentional or unintentional interference, negligence, fraud, misuse and other unauthorized attempts to access or interfere with these systems and our personal and proprietary information.”

According to experts, the ruling is significant in part because it represents the first time a company has challenged the FTC’s authority to hold companies accountable for unfair practices pursuant to Section 5.

“It’s the first Court of Appeals decision on the issue and should be viewed and taken by companies that this is a potential area of exposure,” Eric Hochstadt, a partner at Weil, Gotshal & Manges in New York, told Bloomberg. “This is definitely an area of growing concern as the underlying misconduct, data breaches, is growing in scope.”

For its part, Wyndham vows to continue the fight. “Once the discovery process resumes, we believe the facts will show the FTC’s allegations are unfounded,” spokesman Michael Valentino said in a statement.

The FTC welcomed the ruling. “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data,” said Chairwoman Edith Ramirez. “It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”