NY Proposes Sex Offender Email Registry, MySpace, Facebook Support

The NY attorney general has proposed to create a registry where sex offenders list their emails and online profiles. The idea is to use this registry to prohibit the sex offenders from signing up for social networking services. Much of it seems to ride on the sanctions — you must register as a condition of parole — rather than on the technical ability of the system.

It’ll be possible to check whether these emails are actually being used, rather than being throwaway addresses. Sending regular questions to them, even using CAPTCHAs, can check whether a person is using that address. But this might not verify whether the offender is the person using the address. Further, it won’t check whether the offender just went ahead and set up an address for social networking use only. In fact, that’s a good practice for all of us: to have more than one email address, each used for a different purpose. It helps protect against spam and helps us keep our important addresses — the ones we give to friends — from being crowded with other communications.

It looks like the effectiveness of this program will depend on offenders fearing, or otherwise being ignorant of, the rather simple ways to avoid it. Then again, some offenders were on social networking under their actual names and addresses.

Posted: January 30, 2008

Will the FTC Enforce MySpace’s Security Promises?

Recently, Wired revealed a bug in MySpace’s user account security:

A backdoor in MySpace’s architecture allows anyone who’s interested to see the photographs of some users with private profiles — including those under 16 — despite assurances from MySpace that those pictures can only be seen by people on a user’s friends list. Info about the backdoor has been circulating on message boards for months.

The flaw exposes MySpace users who set their profiles to “private” — the default setting for users under 16 — even though MySpace’s account settings page tells users, “Only the people you select will be able to view your full profile and photos.”

A specially constructed URL will display the images, even to those not logged in to MySpace.

In a follow-up article, it is noted that “MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos”:

Barely 24 hours after my story hit the front door of Wired.com, MySpace has, without comment, closed the backdoor, and the websites that were exploiting it are no longer delivering private photos. That seems to leave just two possibilities:

1. MySpace didn’t know this was going on before.

2. MySpace knew about it, but didn’t take action until the press noticed.

From a privacy activist’s perspective though, the question is: what will the Federal Trade Commission do about it? What can they do?

The FTC has the power to prosecute “unfair and deceptive trade practices.” This doctrine has developed to mean they have a role in enforcing privacy promises:

Enforcing Privacy Promises: Section 5 of the FTC Act

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

It looks like MySpace was promising privacy. And it looks like that promise wasn’t being kept. The FTC has gone after poor security promises before. A listing of their privacy cases includes a few examples:

  • Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
  • Agency Says Company Failed to Protect Sensitive Customer Data
  • Tens of Millions of Consumer Credit and Debit Card Numbers Compromised
  • Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
  • Security Flaws Allowed Hackers to Access Consumers’ Credit Card Information

But the harms in these cases all involve credit card data or other personal information of a financial type. The MySpace flaw involved pictures. Will the FTC recognize MySpace’s breach of image security as a harm?

FTC action in this case would send a clear message to social networking operators to respect security and protect the privacy of the data which users are entrusting to them. That data may not be “sensitive” in the financial sense. But it is “sensitive” in that it is deeply personal.

Posted: January 20, 2008