Acting Chairman of the Federal Trade Commission, Maureen Ohlhausen, answered questions about the FTC’s current role in data privacy before a crowded audience at the April 2017 IAPP Global Privacy Summit in D.C. Below are some take-aways we wanted to share from Commissioner Ohlhausen’s talk:
- Even if out of ISP oversight, the FTC is actively engaged in data privacy enforcement through its consumer protection role.
Ohlhausen expressed disappointment that the FTC had to step out of ISP oversight in 2015, when the FCC reclassified broadband as a common carrier service (the reclassification means the FCC, no longer the FTC, has authority over privacy and data security enforcement of ISPs). But she said that the FTC is still active through holding companies to their data privacy policies and claims: “We enforce promises. We hold companies to their promises, even in technologically advanced areas.” She noted that FTC enforcement actions derive not only from consumer complaints; the FTC is also getting cases from computer researchers and marketplace competitors.
- FTC to present positive findings from its enforcement actions.
Ohlhausen and her staff are considering changing up what they present publicly on their investigation findings. Normally, the FTC publishes what it has found companies doing wrong, but Ohlhausen believes the public could benefit from what the FTC has found companies doing right. The FTC therefore may be bolstering its public messages on enforcement actions with this positive twist.
- How FCC and FTC oversight of ISPs differs.
Ohlhausen noted that the FCC has ended up with a different approach to data security oversight. For instance, it has taken a different view on what constitutes sensitive data and on what types of opt-ins and opt-outs are permissible. She expressed concern that, with the Open Internet Order, which revoked FTC Privacy Rules, no one is really watching the hen house. She hopes either Congress or the FCC will reconsider the FTC’s role: the FCC could rescind its reclassification, or Congress could rescind the FCC’s common carrier authority over broadband services.
- The Privacy Shield and the FTC’s role in working with Europe.
Ohlhausen noted that the current Administration seems committed to the Privacy Shield. She believes that the Privacy Shield meets Europe’s needs and further that the FTC has an important role to fill in (1) ensuring how information is disseminated and (2) enforcement. For instance, the FTC can provide guidance on how to inform EU consumers on the parameters of the Privacy Shield. Moreover, the FTC will enforce Privacy Shield violations—based on deception for failure to comply. She is optimistic that the Shield will withstand court challenges, in contrast to the Safe Harbor, which was negotiated in a different environment.
- Chinese forays into privacy.
Ohlhausen, who was heading to Beijing the day after her IAPP talk, expressed interest in Chinese developments in privacy regulation: where a communist country’s government controls so much, there still can be a real interest in privacy for the consumer. She noted that some international companies have concerns over whether they will be disadvantaged by Chinese privacy laws.
- Privacy and overlap with other areas of law.
When asked whether privacy laws, such as anti-discrimination provisions contained in the GDPR, are carrying more water than just privacy, Ohlhausen noted that there is some overlap, such as with the Fair Credit Reporting Act and Civil Rights Act. She took the discussion as an opportunity to highlight the importance of balancing fear of the unknown against the benefits of innovation: it is good to identify the bad things that can happen. But we also need to weigh that against the good things. While consumer protection is important, we also want a competitive marketplace, and want to encourage innovation.
A side note on the FCC reclassification: a persistent theme in Ohlhausen’s talk was her hope that the FTC would regain authority over ISPs.
What a difference two words can make. Just ask the Center for Competitive Politics (CCP) or Americans for Prosperity (AFP), two organizations that filed separate lawsuits against the same defendant, California Attorney General Kamala Harris, over the same issue: whether Harris’s office had the right to access the organizations’ donor information. (The cases are Center for Competitive Politics v. Harris and Americans for Prosperity v. Harris.)
The plaintiffs’ arguments in each case were basically the same: the state’s request to access donor information would violate the first and fourteenth amendments of the U.S. Constitution. But there the similarities stopped: the CCP never got to trial, whereas the AFP did—and won! Was the CCP the victim of a miscarriage of justice? Nah. It all came down to two words: “as applied.”
You know the saying “go big or go home?” Well, unfortunately the CCP did both: it tried to get the court to rule that Harris’s probe of donor information would be unconstitutional for all organizations. The AFP took a different approach: it asked the court to call the probe unconstitutional “as applied” to the AFP alone.
The AFP’s narrower approach enabled the court to provide relief without upsetting Harris’s authority and potentially affecting thousands of other organizations. Courts generally hesitate to invalidate a state’s actions when they can provide individual relief to the plaintiff instead. If the CCP had taken this course, it might have had a flying chance. But now it had the added burden of proving how the state’s actions would adversely affect all organizations subject to the same request.
Meanwhile, the AFP coasted without having to prove any such thing. All it had to show was how the state’s request had already affected the organization and could continue to do so. This was no fun task, though. Several individuals testified that they suffered reprisals, assaults, and even death threats due to their association with the AFP—a strongly conservative organization. Clearly, being publicly linked to the AFP could lead to serious fallout. For her part, Harris tried to argue that the state would keep donor information confidential, but the AFP was able to show how this had failed before, citing over one thousand instances of donor information being improperly disclosed on the AG’s own website!
The AFP showed that the risk of scaring, and therefore discouraging, would-be donors was real. The chilling effect on individuals’ freedom of association would be too steep a price to pay for a nominal benefit to the state.
It was a strong case—unlike the defendant’s. Harris claimed that accessing donor information was in the state’s best interest; reviewing the findings would help uncover potential irregularities tied to fraud, waste, or abuse. Maybe it would—but it doesn’t pass the “exacting scrutiny” test, which requires states to protect their interests by the least restrictive means in situations like this. More importantly, Harris could not produce any evidence or testimony to corroborate her argument that access to donor information was important to state law enforcement. Although several state-employed investigators and attorneys took the stand, none could claim that they needed, or even used, donor information to do their work—and if they did need it, they could generally get it elsewhere. This evidentiary failure undercut Harris’s arguments and called into question the state’s overall scheme.
In the end, it was not a tough decision: with so strong a case by the plaintiff, and so weak a case by the state, the court sided plainly with the plaintiff. It could have gone a step further and declared the state’s actions broadly unconstitutional, but instead it judged the state’s actions to be improper as applied to the AFP alone. This was a good idea, because Harris will have a harder time challenging the decision on appeal.
So the AFP trial didn’t set a huge precedent for everyone—but that’s kind of the point. If you’re going to file suit, and there’s a path of least resistance, take it. Those sweeping courtroom victories you see in the movies are rare. In real life, justice takes baby steps.
The post Keep It Short and Prosper appeared first on Crime In The Suites.
Data breaches are as common as the common cold—unfortunately, just as incurable. Run a news search on “data breaches” and you’ll find that all kinds of institutions—major retailers, tech companies, universities, even government agencies—have been vulnerable at some point. Now run a search on “data breaches,” but include the word “lawsuit.” You’ll find that many of these cases are going to court, but ultimately getting dismissed. What’s going on?
First, you should look at some of these lawsuits more closely: are they filed against the alleged perpetrators of the data breach? Many of them aren’t; those perpetrators are usually hackers who live outside the country or are unable to pay a money judgment. (In legal parlance, that’s known as being judgment proof.) Faced with those limitations, individual victims of data breaches frequently settle for the next best thing: going after the institutions that endured the breach.
Often, this isn’t fair—the institutions are victims too. The point here is that although going after the institutions looks like an easy win from “deep pockets,” that seldom turns out to be the case.
It’s with the third and final point—demonstrating injury—that plaintiffs have the most trouble. Why? Because courts view injury in fiscal terms; you need to show that you actually lost something, not simply that you might. So even if you were the victim of a data breach, as long as your data hasn’t yet been misused, it doesn’t really count as injury.
There have been exceptions, when the court greenlit cases based mainly on speculative injury, but these usually ended in a settlement before a legal precedent could be set. (See cases against Home Depot, Target, Adobe, and Sony.) For the most part, the fiscal view of injury has prevailed—reinforced in 2013, when the Supreme Court, weighing in on Clapper v. Amnesty Int’l, determined that a plaintiff cannot proceed with a data breach lawsuit unless he or she can demonstrate actual injury or at least imminent threat of injury, each one measurable in economic loss. Otherwise, mere perception of injury is too tenuous to establish legal standing, which a case requires to go forward, and the lawsuit will probably get tossed.
The challenge of establishing legal standing recently made its way to the Supreme Court in Spokeo v. Robins. In that case, a plaintiff filed suit against the “people search engine” Spokeo for publishing false information about him. The issue before the Court was this central question of how much injury must be shown for a case to go forward. Prospective plaintiffs were optimistic that the high court would affirm a lower court’s decision that speculative injury was indeed enough. Alas, the Supreme Court sidestepped the issue and punted it back to the lower court for further review. The Court nonetheless reinforced the general tenets that, for a plaintiff to have standing to bring a case, he must allege an “injury in fact” that is both “concrete and particularized.” There is still room for the lower court to broaden the approach to what constitutes an injury, but the Supreme Court’s ruling keeps the status quo in place.
For now, individuals whose data has been compromised generally must be satisfied with what the institutions offer them after a breach occurs: free credit checks and/or access to credit monitors. Do checks and monitoring seem inadequate? Not if you think about what type of harm people face after a data breach. Individuals can detect and report problems in the event someone actually misuses their data. If they keep on top of it, their credit scores will not be impacted. Moreover, credit card companies and other financial institutions will bear the cost of any unapproved charges. In the event of further problems, plaintiffs can then take their injury to the legal system and have their day in court. But at this point, the courts are right to keep this type of class action litigation at bay.
The post Data Breach Lawsuits: Challenges Persist After Spokeo v. Robins appeared first on Crime In The Suites.
In March 2015, I wrote about the ongoing dispute between the FTC and LabMD, an Atlanta-based cancer screening laboratory, and looked at whether the FTC has the authority to take enforcement action over data-security practices alleged to be insufficient and therefore “unfair” under section 5(n) of the Federal Trade Commission Act (“FTCA”). On November 13, 2015, an administrative law judge ruled that the FTC had failed to prove its case.
In 2013, the FTC filed an administrative complaint against LabMD, alleging it had failed to secure personal, patient-sensitive information on its computer networks. The FTC alleged that LabMD lacked a comprehensive information-security program, and had therefore failed to (i) implement measures to prevent or detect unauthorized access to the company’s computer networks, (ii) restrict employee access to patient data, and (iii) test for common security risks.
The FTC linked this absence of protocol to two security breaches. First, an insurance aging report containing personal information about thousands of LabMD customers was leaked from the billing manager’s computer onto peer-to-peer file-sharing platform LimeWire, where it was available for download for at least eleven months. Second, Sacramento police reportedly discovered hard copies of LabMD records in the hands of unauthorized individuals. They were charged with identity theft in an unrelated case of fraudulent billing and pleaded no contest.
Incriminating as it all might seem, Administrative Law Judge D. Michael Chappell dismissed the FTC’s complaint entirely, citing a failure to show that LabMD’s practices had caused substantial consumer injury in either incident.
Section 5(n) of the FTCA requires the FTC to show that LabMD’s acts or practices caused, or were likely to cause, substantial injury to consumers. The ALJ held that “substantial injury” means financial harm or unwarranted risks to health and safety. It does not cover embarrassment, stigma, or emotional suffering. As for “likely to cause,” the ALJ held that the FTC was required to prove “probable” harm, not simply “possible” or speculative harm. The ALJ noted that the statute authorizes the FTC’s regulation of future harm (assuming all statutory criteria are met), but that unfairness liability, in practice, applies only to cases involving actual harm.
In the case of the insurance aging report, the evidence showed that the file had been downloaded just once—by a company named Tiversa, which did so to pitch its own data-security services to LabMD. As for the hard copy records, their discovery could not be traced to LabMD’s data-security measures, said the ALJ. Indeed, the FTC had not shown that the hard copy records were ever on LabMD’s computer network.
The FTC had not proved—either with respect to the insurance aging report or the hard copy documents—that LabMD’s alleged security practices caused or were likely to cause consumer harm.
The FTC has appealed the ALJ’s decision to a panel of FTC Commissioners who will render the agency’s final decision on the matter. The FTC’s attorneys argue that the ALJ took too narrow a view of harm, and a substantial injury occurs when any act or practice poses a significant risk of concrete harm. According to the FTC’s complaint counsel, LabMD’s data-security measures posed a significant risk of concrete harm to consumers when the billing manager’s files were accessible via LimeWire, and that risk amounts to an actual, substantial consumer injury covered by section 5(n) of the FTCA.
The Commissioners heard oral arguments in early March and will probably issue a decision in the next several months. On March 20th, LabMD filed a related suit in district court seeking declaratory and injunctive relief against the Commission for its “unconstitutional abuse of government power and ultra vires actions.”
FBI Director James Comey took a rare break from the posturing typical of investigators and prosecutors in the current showdown between Apple and the FBI. While prosecutors argue that Apple’s privacy concerns are a smokescreen to avoid “assist[ing] the effort to fully investigate a deadly terrorist attack,” Comey posted a statement over the weekend in which he took the position that the tension between security and privacy “should not be resolved by corporations that sell stuff for a living. It also should not be resolved by the FBI, which investigates for a living. It should be resolved by the American people deciding how we want to govern ourselves in a world we have never seen before.”
Comey’s statement highlights a crucial problem with the development of privacy law: it often is developed in the context of important criminal cases. This comes at a real cost. We all know that Syed Farook committed a horrific crime, and any rights he once had against government searches are now forfeit. But though Apple may have chosen to serve as a limited proxy for its consumers in the San Bernardino case, often the interests of private citizens are wholly absent from the courtroom (or, often, judge’s chambers) when issues of fundamental privacy are debated.
This leads to a serious imbalance: Apple is talking about the diffuse privacy rights of its consumers and the risks of potential incursions by more restrictive, less democratic governments such as China. On the other hand, Manhattan District Attorney Cyrus Vance can point to 175 Apple devices that he cannot physically access even though those devices may contain evidence helpful to the government.
New York Police Commissioner Bill Bratton and one of his deputies put an even finer point on it in an Op-Ed in The New York Times, citing a specific case of a murder victim in Louisiana (more than one thousand miles outside of Mr. Bratton’s jurisdiction) whose murder is unsolved because officers cannot unlock her iPhone, which is believed to contain her killer’s identity. “How is not solving a murder, or not finding the message that might stop the next terrorist attack, protecting anyone?” asks Bratton.
But in assuming that private citizens have no greater fear than whether the police can investigate and prevent crimes, Bratton begs the question. In reality, citizens may see law enforcement as a threat of itself. Learning that the NSA was engaging in comprehensive warrantless surveillance likely has given many law-abiding Americans a greater incentive to protect their data from being accessed by the government. Indeed, in light of the NYPD’s record over the last few years—including a finding by a federal judge that they were systematically violating the rights of black New Yorkers and a lawsuit over religion-based spying on Muslims—it is not hard to see why citizens might want protection against Bratton’s police force.
But even if the police were the angels they purport to be, opening a door for a white hat can easily allow access to a black one. Less than a year ago, hackers used a “brute force” approach to exploit a flaw in iCloud’s security, and dozens of celebrities had their private photos shared with the world. These sex crimes are all but forgotten in the context of the San Bernardino shootings, even though the security weakness the FBI wants installed in Farook’s iPhone is markedly similar to that exploited with respect to iCloud.
Nor do those who wish for privacy need to invoke hackers or criminals. A private, intimate moment with a spouse or loved one; a half-finished poem, story, or work of art; or even a professional relationship with a doctor or mental health professional cannot exist unless they can remain private. Once these interactions took place in spoken, unrecorded conversations or on easily discarded paper; now many of our daily activities are carried out on our mobile devices. Even if one has nothing to hide, many citizens might balk at the prospect of having to preserve their private conversations in a format readily accessible by the police.
But if Mr. Comey has shown unusual insight, Mr. Bratton’s one-sided, myopic question illustrates the importance of Apple’s position and the inability of law enforcement officials to be objective about the interests at stake. Police and prosecutors are not always your friends or your defenders. Their goals are—and always will be—investigating and solving crimes and convicting suspected criminals. The less an officer knows, the harder it will be to investigate a case. As a result, privacy rights—even when asserted by innocent, law-abiding citizens—make their job more difficult, and many officers see those rights as simply standing in their way.
This is hardly news. Nearly sixty years ago the Supreme Court observed that officers, “engaged in the often competitive enterprise of ferreting out crime,” are simply not capable of being neutral in criminal investigations. For precisely that reason, the Fourth Amendment requires them to seek approval from a “neutral and detached magistrate” before a search warrant may issue.
That is why Mr. Comey’s acknowledgement that the FBI is not a disinterested party is so refreshing. Pro-law-enforcement voices have been clamoring to require Apple to compromise the security it built into the iPhone, invoking their role as public servants to buttress their credibility. But when it comes to privacy, the police do not—and cannot—represent the public interest. As Comey acknowledged, they are “investigators,” and privacy rights will always stand as an obstacle to investigation.
The post Police Make iPhone Public Enemy No. 1 appeared first on Crime In The Suites.