Privacy Report Word Cloud Fun

The Federal Trade Commission (FTC) and Commerce Department have each recently released reports and requests for comments on consumer privacy issues. Much attention is expected to be paid to the similarities and differences between the reports. The FTC has a consumer protection and law enforcement mission, while Commerce’s mission is  “to foster, promote, and develop the foreign and domestic commerce” of the United States. To contribute to the discussion, I’ve prepared these word clouds of the Executive Summaries of each of the reports.

The FTC’s December 2010 Report, Protecting Consumer Privacy in an Era of Rapid Change:

Commerce’s report, Commercial Data Privacy and Innovation in the Internet Economy: A Dynamic Policy Framework

The differences are striking. The subject matter — privacy, data and information — is the same. But the FTC seems particularly concerned with consumers (and “consumer”), companies and practices. Commerce’s report appears to be more about policy, and commercial concerns. The data subjects — consumers —  the ones with an interest in the data, are barely visible in the Commerce report word cloud. I can’t find them there.

UPDATE: At the suggestion of a reader, I’ve created two new ones. These are meant to tease out the differences more. As suggested, I’ve removed the large common words (“privacy” “data” and “information”). I’ve also collapsed the words “consumers” and “consumer” together.

The FTC’s Report

The Commerce Report

Consumers are now visible in the Commerce report, but the differences in  focus — Commercial vs. Consumers — is made clearer. It appears as if the FTC is concerned with consumers and companies’ practices.  While Commerce approaches this from the point of view of commercial policy.

Posted: December 16, 2010 in:

Misleading On Interactive Advertising

The Federal Trade Commission has posted the comments in their ongoing review of the Child Online Privacy Protection Act (COPPA). The act provides privacy rules that, among other things, require parental consent for the collection of data from children or from users of online services directed at children.

One particular statement stands out. The Interactive Advertising Bureau comments (pdf) included this description of their members’ activities:

The delivery of online advertisements involves no more “contact” with an individual by a network advertiser than the advertising department of a city newspaper has with its subscribers as a result of including inserts tailored for locals residing in particular suburban neighborhoods.

Their goal is trying to make sure that their data collection and use practices do not qualify as an online service that collects personal information under COPPA.

They are misleading the Federal Trade Commission. Interactive advertisers tout abilities to track and contact consumers throughout the web. They build profiles based on this tracking and augment these profiles with data from other sources.

Here’s how IAB member AudienceScience describes their capability:

The Audience Gateway for Advertisers Enables Marketers To:

  • Engage with customers based on their behaviors and interests
  • Reach target audiences wherever they go across the Web
  • Send prospects relevant messages based on where they are in the buy cycle

Here’s how IAB member Google describes their retargeting techniques:

After driving traffic to your site with search ads, you can then remarket to those users who reach your site by showing them tailored ads on sites throughout the Google Content Network.

Here’s an example of how it works. Let’s say you’re a basketball team with tickets that you want to sell. You can put a piece of code on the tickets page of your website, which will let you later show relevant ticket ads (such as last minute discounts) to everyone who has visited that page, as they subsequently browse sites in the Google Content Network. In addition to your own site, you can also remarket to users who visited your YouTube brand channel or clicked your YouTube homepage ad.

You can also run a number of remarketing campaigns at the same time. For example, you could offer discount game tickets to users who’ve previously visited your tickets page, advertise VIP hospitality packages to users who clicked on your “How to get to the arena” page, and advertise a sale on team merchandise to users who previously visited your YouTube brand channel.

IAB Member OwnerIQ describes its abilities as:

OwnerIQ enables advertisers to target consumers based on what they own, what they have expressed an interest in owning (“Intenders”)… or both!

[W]e use our proprietary MostIQ Advertising Platform to reach consumers who have the appropriate Ownership Signals as they travel the web — on over 250,000 web sites, with creative designed to appeal to the Target Segments.

Their retargeting page explains, using a neat graphic, the 4 steps:

  1. Shoppers visit your site
  2. They leave your site and travel the web
  3. OwnerIQ identifies your prospect and presents them your message
  4. Your prospect is brought back to your site

IAB member Criteo also has a retargeting product:

Retargeting allows you to find your previous website visitors across the Internet and display relevant banners to lead them back to your website to complete their transaction. Bringing ready-to-buy users back to your website after they have left should be a key part of your customer acquisition and conversion strategy.

This is not contact like your newspaper delivery targeting your neighborhood.

Posted: July 15, 2010 in:

FTC Settles Key Stalkerware Case [UPDATED]

The FTC and  Cyberspy, the purveyor of the Remotespy stalkerware program, recently settled a case over the sale and distribution of that spyware program. [UPDATE: The FTC press release is here].  The settlement limits the Trojan-like features of the software, and forbids Cyberspy from training its users in how to use the software to infect other people’s PCs. Importantly, the settlement also forces Cyberspy to disable the monitoring in all current installations. However,  Remotespy will be able to keep selling the modified software.  The settlement is available from the court website, and has not yet been posted to the FTC’s page on the case. [UPDATE: The settlement is now available on the FTC website.]

Previous marketing for the Remotespy stalkerware program

Previous marketing for the Remotespy stalkerware program

The FTC filed the case in 2008 following a complaint from EPIC.  The EPIC complaint detailed several practices by providers of stalkerware, including Cyberspy. The complaint noted that:

these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

The FTC followed up on that complaint, and investigated Cyberspy. In it’s filing, the FTC alleged that Cyberspy engaged in several unfair and deceptive trade practices:

  • Unfair Sale of Spyware
  • Unfair Collection and Disclosure of Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Install Spyware and Access Consumer’s Personal Information
  • Providing the Means and Instrumentalities to Engage in Deception

Cyberspy provided the Remotespy program via its website. There were several indications that the software was not a legitimate monitoring tool, but was instead a harmful and malicious product. The Remotespy program functioned as a keylogger, making a record of every key typed. It also regularly took screenshots of the victim’s PC. Cyberspy taught users how to disguise the software as an innocuous email to be sent to the victim.  One the software was installed, the victim received no notice of it. The software sent the captured information — without encryption — from the victim’s machine to Cyberspy’s servers.  The purchaser could then log in to Cyberspy’s website and view the information. Cyberspy would organize the information for the snoop, including identifying websites, and which username/password pairs the victim used to access those sites.

The settlement prohibits several key activities. Cyberspy can no longer teach the purchaser about disguising the software.  This includes counseling them how to the hide the executable as an innocuous image, or in a word file, as well as barring Cyberspy from recommending the use of an anonymous email service. Further, the software can no longer function as a Trojan horse unless the purchaser shows they have administrative access to the machine.  Without administrative access, the software has to function more like a normal program:  showing a splash screen upon installation and installing desktop and task bar icons. These must have branding and naming similar to that used to sell the software.  The purchaser must also receive notices that only a computer owner or one with permission may use the program. These notices should come on the Remotespy website, when the software is purchased, and when the remote deployment is configured.  Cyberspy also has to control more tightly the reinstallation of its product — apparently the FTC believed that Cyberspy wasn’t enforcing its licenses, and was allowing more victimization.  Cyberspy will also have to encrypt, or otherwise render unreadable, the data that it collects.  Previous versions of the software transmitted this sensitive information without any encryption.  Lastly, Cyberspy and its affiliates can no longer sell old versions of the software, and existing installations must be disabled.

Some matters still remain.  The software is still being marketed as being able to “spy” — which is not how a legitimate monitoring tool would be marketed. The software still organizes the data in a way that would be useful to someone engaged in sniffing passwords. The order is silent in how the software interacts with anti-spyware and firewalls.  A legitimate user of a computer thus would have no way of knowing whether Remotespy is on their machine, or be guaranteed that an anti-spyware tool would block it.

Posted: May 10, 2010 in:

FTC Budget Justification Requests More Privacy, Security, New Media Staff

The Federal Trade Commission’s Fiscal Year 2011 budget request asked Congress for 40 additional Full-Time Equivalent (FTE) staff.  Several of these would be in the area of privacy, data security, and new media:

2 FTE for data security enforcement and rulemakings related to data security, breach notice and consumer access to information in certain databases, and other opportunities to provide greater clarity regarding data security principles.

2 FTE to protect consumers in the mobile  marketplace and new media by addressing the privacy, security, and other risks of consumer harms associated with these new technologies.

3 FTE for the FTC Regional Offices to respond to  growing law enforcement challenges in fraud targeting vulnerable Americans and financial services fraud, and provide outreach to close information gaps in the areas of new media, privacy, and health, including 1 FTE for Spanish-speakers to combat illegal practices targeting Hispanic consumers.

2 FTE for economic analysis and support of the Consumer Protection area, including the FACTA study, advertising to children, and consumer financial services.

1 FTE for General Counsel for litigation and legal counsel to cover the rapidly increasing workload on privacy and information security issues.

Posted: February 10, 2010 in:

Complaint Against Amateur Spyware Purveyors Filed

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their customers of the legal risks of the improper use of this software.

Click on this thumbnail for a view of what the marketing looks like:

Remote Spy

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished and in general unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic and we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Lets hope the FTC moves and nips it in the bud.

Posted: March 6, 2008 in:

Will the FTC Enforce MySpace’s Security Promises?

Recently, Wired revealed a bug in MySpace’s user account security:

A backdoor in MySpace’s architecture allows anyone who’s interested to see the photographs of some users with private profiles — including those under 16 — despite assurances from MySpace that those pictures can only be seen by people on a user’s friends list. Info about the backdoor has been circulating on message boards for months.

The flaw exposes MySpace users who set their profiles to “private” — the default setting for users under 16 — even though MySpace’s account settings page tells users, “Only the people you select will be able to view your full profile and photos.”

A specially constructed URL will display the images, even to those not logged in to MySpace.

In a followup article, it is noted that “MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos“:

Barely 24 hours after my story hit the front door of, MySpace has, without comment, closed the backdoor, and the websites that were exploiting it are no longer delivering private photos. That seems to leave just two possibilities:

1. MySpace didn’t know this was going on before.

2. MySpace knew about it, but didn’t take action until the press noticed.

From a privacy activist’s perspective though, the question is: what will the Federal Trade Commission do about it? What can they do?

The FTC has the power to prosecute “unfair and deceptive trade practices.” This doctrine has developed to mean they have a role in enforcing privacy promises:

Enforcing Privacy Promises: Section 5 of the FTC Act

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

It looks like MySpace was promising privacy. And it looks like that promise wasn’t being kept. The FTC has gone after poor security promises before. A listing of their privacy cases includes a few examples:

  • Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
  • Agency Says Company Failed to Protect Sensitive Customer Data
  • Tens of Millions of Consumer Credit and Debit Card Numbers Compromised
  • Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
  • Security Flaws Allowed Hackers to Access Consumers’ Credit Card Information

But these cases all have harms that involve credit card or other such personal information of a financial type. MySpace involved pictures. Will the FTC recognize MySpace’s breach of image security as a harm?

FTC action in this case would send a clear message to social networking operators to respect security and protect the privacy of the data which users are entrusting to them. That data may not be “sensitive” in the financial sense. But it is “sensitive” in that it is deeply personal.

Posted: January 20, 2008 in:

“Do Not Track” lists and registries

Several consumer groups have proposed a do not track list in response to the problem of behavioral profiling online. The idea is that domains which use technologies that track users via the internet register with the Federal Trade Commission. Internet users who do not want to be tracked can then download this list to block the tracking technologies. This would be accomplished with a browser extension, plugin or some other technical method on the user end. The groups have provided a pdf image that describes how the system works.

The idea is not without its critics. Declan McCullagh writes:

The pro-regulation lobbyists and activists are most upset about behavioral advertising, meaning computer-generated ads that are based on pages a visitor previously viewed. Someone who spends a lot of time reading a newspaper’s Asia travel articles may see ads for trips to China even when perusing sports scores. Quelle horreur!


I think some of the messaging on this is a bit off. At least, it gives people the wrong idea as to how this works. Note this Washington Post article:

Privacy, consumer and technology groups yesterday proposed the creation of a Do Not Track list similar to the Do Not Call phone list, allowing people to prevent companies from tracking which Web sites they visit.

Under Do Not Call, you sign up your number for a list. Telemarketers are then prohibited from using this list. Likening this recent proposal to do not call gives people the idea that they have to sign up for a do-not-track list. That someone will be keeping track of all the people that don’t want to be tracked. Thats not quite how this works. This works more like an sex offender registry — the people we are on the lookout for (the trackers/sex offenders) are the ones that are tracked. Not the consumers.

Of course it is problematic messaging to compare servers that track online consumers to sex offenders. But it does describe the interaction better: users are not signing up with the government, they’re using the government list to know who to avoid.


The system does have some limitations. It doesn’t address all the data collection and use practices out there. One major item left off the list is data collection by search engines. That’s data that can be used for behavioral profiling. Specially since search engines like google keep individually identified information.

It’s also basically an opt-out system. I’ve talked about the problems with opt-out before. And also how opt-in is better.

But it does mitigate some problems with opt-out. Under opt-out, the data collector has no incentive to explain its data collection practices to the users. In fact, the incentive is to not explain it. Also under opt-out, the consumer has to go to each place and opt-out of that one place. Burdensome. This proposal fixes those problems by legislating the incentive on to the collector to disclose. It also allows one easy opt-out, rather than many.

It basically complements and facilitates many self-defense measures that are out there. I’m quite tech savvy. I use adblock, I manage my cookies. I block most third party scripts on the sites I visit. It seems like it would be more efficient to let all users simply make one choice — be tracked or not — than to have to make each choice like I do. And it would make it easier if the law facilitated this, by mandating that trackers disclose this information to the FTC. Investors make decisions based on mandated disclosures. Consumers should be able to as well.

Posted: November 4, 2007 in: