InfoAdvocate

Today my project at EPIC filed a complaint before the Federal Trade Commission against several purveyors of amateur spyware. I’ve previously blogged about the uses of spyware to intercept the communications of spouses.

The complaint alleges unfair and deceptive practices by these companies. Specifically, these companies promote illegal surveillance targets; promote the use of “Trojan Horse” email attacks; and fail to warn their costumers of the legal risks of the improper use of this software.

Click on this thumbnail for a view of what the marketing looks like:

There are many more examples of the marketing in the complaint.

The FTC does pay attention to spyware. But this is a new beast for them to take on. I suspect that software like this is used in many situations of abuse, but that it goes relatively undetected, unpunished and in general unreported. Undetected because people do not know to look for it. Unpunished because it is difficult to get an otherwise busy police force to focus on the computer forensics needed to effectively prosecute. And unreported because there really is not much data collection going on with these products. We have inklings that the problem is growing, but not much hard data. I hope this also spurs more organizing around this topic and we get a better sense of the malicious uses of this software.

I suspect this is a growing industry, and there will soon be malicious payloads being offered for delivery to your target’s cell phones, iPhones, and other devices, not just PCs. Lets hope the FTC moves and nips it in the bud.

Bookmark to

Recently, Wired revealed a bug in MySpace’s user account security:

A backdoor in MySpace’s architecture allows anyone who’s interested to see the photographs of some users with private profiles — including those under 16 — despite assurances from MySpace that those pictures can only be seen by people on a user’s friends list. Info about the backdoor has been circulating on message boards for months.
…
The flaw exposes MySpace users who set their profiles to “private” — the default setting for users under 16 — even though MySpace’s account settings page tells users, “Only the people you select will be able to view your full profile and photos.”

A specially constructed URL will display the images, even to those not logged in to MySpace.

In a followup article, it is noted that “MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos“:

Barely 24 hours after my story hit the front door of Wired.com, MySpace has, without comment, closed the backdoor, and the websites that were exploiting it are no longer delivering private photos. That seems to leave just two possibilities:

1. MySpace didn’t know this was going on before.

2. MySpace knew about it, but didn’t take action until the press noticed.

From a privacy activist’s perspective though, the question is: what will the Federal Trade Commission do about it? What can they do?

The FTC has the power to prosecute “unfair and deceptive trade practices.” This doctrine has developed to mean they have a role in enforcing privacy promises:

Enforcing Privacy Promises: Section 5 of the FTC Act

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

It looks like MySpace was promising privacy. And it looks like that promise wasn’t being kept. The FTC has gone after poor security promises before. A listing of their privacy cases includes a few examples:

• Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
• Agency Says Company Failed to Protect Sensitive Customer Data
• Tens of Millions of Consumer Credit and Debit Card Numbers Compromised
• Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
• Security Flaws Allowed Hackers to Access Consumers’ Credit Card Information

But these cases all have harms that involve credit card or other such personal information of a financial type. MySpace involved pictures. Will the FTC recognize MySpace’s breach of image security as a harm?

FTC action in this case would send a clear message to social networking operators to respect security and protect the privacy of the data which users are entrusting to them. That data may not be “sensitive” in the financial sense. But it is “sensitive” in that it is deeply personal.

Bookmark to

Several consumer groups have proposed a do not track list in response to the problem of behavioral profiling online. The idea is that domains which use technologies that track users via the internet register with the Federal Trade Commission. Internet users who do not want to be tracked can then download this list to block the tracking technologies. This would be accomplished with a browser extension, plugin or some other technical method on the user end. The groups have provided a pdf image that describes how the system works.

The idea is not without its critics. Declan McCullagh writes:

The pro-regulation lobbyists and activists are most upset about behavioral advertising, meaning computer-generated ads that are based on pages a visitor previously viewed. Someone who spends a lot of time reading a newspaper’s Asia travel articles may see ads for trips to China even when perusing sports scores. Quelle horreur!

Messaging

I think some of the messaging on this is a bit off. At least, it gives people the wrong idea as to how this works. Note this Washington Post article:

Privacy, consumer and technology groups yesterday proposed the creation of a Do Not Track list similar to the Do Not Call phone list, allowing people to prevent companies from tracking which Web sites they visit.

Under Do Not Call, you sign up your number for a list. Telemarketers are then prohibited from using this list. Likening this recent proposal to do not call gives people the idea that they have to sign up for a do-not-track list. That someone will be keeping track of all the people that don’t want to be tracked. Thats not quite how this works. This works more like an sex offender registry — the people we are on the lookout for (the trackers/sex offenders) are the ones that are tracked. Not the consumers.

Of course it is problematic messaging to compare servers that track online consumers to sex offenders. But it does describe the interaction better: users are not signing up with the government, they’re using the government list to know who to avoid.

Limitations

The system does have some limitations. It doesn’t address all the data collection and use practices out there. One major item left off the list is data collection by search engines. That’s data that can be used for behavioral profiling. Specially since search engines like google keep individually identified information.

It’s also basically an opt-out system. I’ve talked about the problems with opt-out before. And also how opt-in is better.

But it does mitigate some problems with opt-out. Under opt-out, the data collector has no incentive to explain its data collection practices to the users. In fact, the incentive is to not explain it. Also under opt-out, the consumer has to go to each place and opt-out of that one place. Burdensome. This proposal fixes those problems by legislating the incentive on to the collector to disclose. It also allows one easy opt-out, rather than many.

It basically complements and facilitates many self-defense measures that are out there. I’m quite tech savvy. I use adblock, I manage my cookies. I block most third party scripts on the sites I visit. It seems like it would be more efficient to let all users simply make one choice — be tracked or not — than to have to make each choice like I do. And it would make it easier if the law facilitated this, by mandating that trackers disclose this information to the FTC. Investors make decisions based on mandated disclosures. Consumers should be able to as well.

Bookmark to