Sat December 14, 2013
Tug Of Authority Over Legal Gap In Online Privacy
Originally published on Sat December 14, 2013 4:32 pm
Even the most mundane online tasks require us to hand over sensitive data. Privacy policies pass by with an easy click. Yes, each company has its own legal language about the risks we take on, but the standards for consumer protection are murky.
"There is no one law in the United States that mandates that websites and phone applications have good data security," says law professor Woodrow Hartzog, who focuses on the area of privacy law and online communication.
So if there isn't one set of rules, who's working to keep your personal information safe?
The Federal Trade Commission has stepped in to fill the void and police data security, citing its authority to protect consumers. Since the early 2000s, the FTC has brought close to 50 cases against companies with allegedly lax data security practices that have put consumers at risk.
But this year, one of those companies fought back. Wyndham Worldwide Corp. is challenging the FTC's authority to bring complaints against companies in the first place.
The FTC alleges that the company's "unreasonable data security practices permitted hackers to access its network on three separate occasions over the course of two years," according to the commission's director of consumer protection, Jessica Rich.
Computer servers at the hotel chain were hacked. Hackers exported credit card information from hundreds of thousands of consumers to a Russian domain. This resulted in close to $11 million in fraudulent charges.
Rich claims there were simple steps that could have been taken to prevent the damage.
"Just some examples: Wyndham didn't require complex passwords for systems that managed consumers' payment card information; Wyndham stored credit card information in plain, readable text, making it much more available to hackers," she says.
In a statement, Wyndham said that Congress has not provided the FTC with "the authority to pursue such cases against American businesses."
But Rich says the charges do fall within the FTC's jurisdiction.
"We have authority to bring action against companies that engage in either deceptive or unfair practices," she says. " 'Deceptive practices' means that companies have made misstatements about the level of security they provide; or 'unfairness' basically means putting consumers at unreasonable risk of injury."
What Fits The Crime?
To protect the consumer, the FTC wants companies to take strong measures to prevent personal data from falling into the wrong hands.
"There have been so many breeches of data in recent years," Rich says. "Identity theft has really been on the rise. It's the highest-reported complaint that we get at the Federal Trade Commission — to promote better data security, including by bring action against companies who fail to do so."
When the FTC finds a company has failed to sufficiently protect consumers, it levies penalties. Companies are required to implement a data security program, often for up to 20 years. They must report to the FTC, and there are third-party audit requirements. In some cases, civil penalties also apply.
"And that's a very powerful tool to make sure that the company implements data security in the future," Rich says.
Wyndham Worldwide says it did have substantial security measures in place. The company's statement goes on to say: "To our knowledge, the cybercriminals responsible for the attacks have never been apprehended by law enforcement officials."
"A popular argument is that the FTC is punishing the victim here," says Hartzog, a scholar at the Stanford Center for Internet and Society. But he doesn't buy it. "I think the much better analogy is that the FTC is punishing companies like Wyndham for leaving their door unlocked, but it was someone else's stuff that was in the house," he says.
Rich says the FTC acknowledges the wrongdoing of the hackers, but, she says, "any company that collects sensitive information from consumers and fails to protect it is also at fault. And so to stop these type of breeches, we also believe it's also appropriate to hold the company accountable."
But who should hold the companies accountable is not clear. Congress has never officially passed broad data security policy. Without the FTC in a de facto role, it starts to look a little like there's no sheriff in town.
"If you have health information ... if you have financial information, then you have to provide a certain level of data security. But for the most part, this is largely an unregulated area," Hartzog says. "We've made the decision years ago to try to approach privacy in a fragmented kind of way. Inevitably, what that means is that things fall through the cracks."
When the Internet was first widely adopted, people realized that personal information would be out there, but there was no clear best way to regulate it. So companies started coming up with those disclaimers you have to click on.
Create with Context researches privacy issues from the user perspective. In a study last year, participants downloaded an app that required them to agree to privacy terms before use. "Then we asked them what it said, and 98 percent of people hadn't read it," says CEO Ilana Westerman. "And the reason was ... they weren't ready to read it, the timing wasn't right."
Most people just wanted to explore the app, not read a legal essay.
"As humans, we're just kind of going along, doing what we're doing with our digital devices, and we're not sitting there analyzing what is being collected. We're not going out and investigating it," Westerman says.
But if you skip or skim these agreements, you might be giving up personal information without realizing it. One notorious example that got a lot of attention in the press was the release of Jay-Z's album in July. Samsung Galaxy phone users had the option to get it for free. What some of them didn't realize is that the app requested information, including physical location and phone activity data, in return.
Creating Transparency, Then Monitoring It
Wasserman says it's a "new world" for everyone: "For designers, for developers, for companies, for consumers. And so I think that as people who are creating these type of products for consumers, it's our job to, as much as possible, try to create that transparency for them."
As for the question of whose job it is to police that transparency, the FTC had been doing that unchallenged — until the Wyndham case. All cases before this one have been have ended in settlements. It's usually less expensive to just settle and follow the FTC guidelines.
So, for all of us out there going through the motions and ignoring privacy policies, are we being naive?
Hartzog doesn't think so: "The FTC has come to recognize that it's relatively insane to ask consumers to read and explain all of these agreements, so they're going to act accordingly."
Meanwhile, Wyndham Hotel's case against the FTC drags on in federal court in New Jersey. Oral arguments concluded in early November.
In recent years, several data security bills have been proposed in Congress, but all have languished thus far. But if the FTC loses to Wyndham, the question of who protects the Internet consumer will be getting a lot more attention.