FTC Budget Justification Requests More Privacy, Security, New Media Staff

The Federal Trade Commission’s Fiscal Year 2011 budget request asked Congress for 40 additional Full-Time Equivalent (FTE) staff.  Several of these would be in the area of privacy, data security, and new media:

2 FTE for data security enforcement and rulemakings related to data security, breach notice and consumer access to information in certain databases, and other opportunities to provide greater clarity regarding data security principles.

2 FTE to protect consumers in the mobile  marketplace and new media by addressing the privacy, security, and other risks of consumer harms associated with these new technologies.

3 FTE for the FTC Regional Offices to respond to  growing law enforcement challenges in fraud targeting vulnerable Americans and financial services fraud, and provide outreach to close information gaps in the areas of new media, privacy, and health, including 1 FTE for Spanish-speakers to combat illegal practices targeting Hispanic consumers.

2 FTE for economic analysis and support of the Consumer Protection area, including the FACTA study, advertising to children, and consumer financial services.

1 FTE for General Counsel for litigation and legal counsel to cover the rapidly increasing workload on privacy and information security issues.

Posted: February 10, 2010 in:

BBC Creates Data-Mining Facebook Application

I earlier blogged about the civil liberties dangers that law enforcement Facebook applications pose. The problem: by default, applications have access to much of your and your friends’ data.

The BBC has written an application that shows how easy data collection can be.

We wrote an evil data mining application called Miner, which, if we wanted, could masquerade as a game, a test, or a joke of the day. It took us less than three hours.

But whatever it looks like, in the background, it is collecting personal details, and those of the users’ friends, and e-mailing them out of Facebook, to our inbox.

When you add an application, unless you say otherwise, it is given access to most of the information in your profile. That includes information you have on your friends even if they think they have tight security settings.

Did you know that you were responsible for other people’s security?

Facebook responded:

Users are strongly encouraged to report any suspected misuse of information to Facebook. Additionally, users can block individual applications from accessing any of their data, block all applications, or block individual types of information.

We have sophisticated technology and a dedicated team to address inappropriate activity by applications. Access by applications to Facebook user data is strictly regulated and if we find that an application is in violation of our terms and policies, we take appropriate action to bring it into compliance or remove it entirely.

I hope this means that Facebook has some automated processes for detecting when applications are accessing too much data, and that this causes them to be reviewed. But overall I don’t see how users can be careful when adding an application. They have no way of knowing what it does.

Posted: May 2, 2008 in:

Sources for Social Networking Privacy

It seems like it is not sometimes known what the privacy interests are that one has when using social networking sites. There seems to sometimes be this idea, which has been referred to as the “secrecy paradigm,” that things which are “posted on a public website” cannot be the subject of “privacy.” That’s not really all that there is to privacy. For example, Alan Westin considered it:

Privacy is the claim of individuals, groups, or institutions to determine for themselves when, how and to what extent information about them is communicated to others.

So how does this get expressed in the world of social networking? Two recent publications give a good , though I suspect not exhaustive, overview. The European Network and Information Security Agency (ENISA) prepared a position paper on “Security Issues and Recommendations for Online Social Networks” (pdf). The International Working Group on Data Protection in Telecommunications, composed mainly of European privacy officials, has issued a “Report and Guidance on Privacy in Social Network Services” (pdf) A few examples from these highlight the idea that privacy is more than just secrecy.

ENISA

ENISA identifies the problem of “Digital Dossier Aggregation.” Data can easily be taken from social networks and placed in a different context — it can be easy to build a profile of a person that is not controlled by that person. Further, social networks collect your browsing information — who you click on, who you interact with — and often don’t discuss what uses they put this information to. These are both common privacy issues: that users may lose control of their data and that data is being collected and put to secondary uses.

ENISA also identifies two risks which I had not considered previously. Facial recognition algorithms will be able to be deployed on social networks, and allow automatic identification of individuals and linking of several profiles. Semi anonymous online dating profiles will be able to be automatically matched with non-anonymous images elsewhere online. Extracting other information from images will allow algorithms to determine what people are doing (such as drinking) and maybe even where.

Lastly, ENISA also identifies the difficulty of account deletion as a privacy risk. Facebook users have complained about how difficult deletion can be. This is another way in which controlling your data is important. ENISA even goes one step further, and proposing that social networks make profiles “portable” so that users can easily move from one network to another — promoting competition and user control, and alleviating the other threats which come from the centralization of data.

The report contains other issues, such as stalking, spam, and even corporate espionage. Read the whole thing.

Working Group on Data Protection in Telecoms

The Working Group notes some of the security concerns that ENISA focuses on, but also mentions other privacy issues. The first is that online data is usually permanent — it is hard to erase. Even once the data subject deletes the data they control, cached copies may exist, or other services may have duplicated the data. Secondly, the intimacy of the relationships online may be illusory — and sometimes exclude key players. One’s “friends” on social networking sites are not necessarily real friends. I’ll add that the social nature of the site, as well as its communications (talking about your friends, your networks, and who can see your data) covers up the fact that the service operates as a Big Brother, watching and collecting all your activity online.

This data collection — of your browsing history and other activity — raises other issues, as this data may be accessible to law enforcement and intelligence services. The data will also be used for marketing and other secondary uses that may not be clearly specified by the social networking service. Further uses may be employers or others interested in researching the reputation of individuals.

Lastly, a new development is the creation of application programming interfaces, or APIs. These allow even more third party access to data, often in a way that is hidden. I’ve previously blogged about the privacy and civil liberties issues with law enforcement created applications. You can read there for the specific problems on the Facebook platform. But the general problem is that third party access is being increased in ways which are not transparent to users.

Guidelines and Recommendations

The discussion above should clarify what people mean when they talk about social networking privacy. It is not just a matter of “keep things secret.” For some steps on how to deal with these issues, I again recommend you check out the two publications.

Report and Guidance on Privacy in Social Network Services” (pdf).

Security Issues and Recommendations for Online Social Networks” (pdf).

Posted: April 24, 2008 in:

Will the FTC Enforce MySpace’s Security Promises?

Recently, Wired revealed a bug in MySpace’s user account security:

A backdoor in MySpace’s architecture allows anyone who’s interested to see the photographs of some users with private profiles — including those under 16 — despite assurances from MySpace that those pictures can only be seen by people on a user’s friends list. Info about the backdoor has been circulating on message boards for months.

The flaw exposes MySpace users who set their profiles to “private” — the default setting for users under 16 — even though MySpace’s account settings page tells users, “Only the people you select will be able to view your full profile and photos.”

A specially constructed URL will display the images, even to those not logged in to MySpace.

In a followup article, it is noted that “MySpace Quietly Fixes Bug that Gave Voyeurs Access to Teens’ Private Photos“:

Barely 24 hours after my story hit the front door of Wired.com, MySpace has, without comment, closed the backdoor, and the websites that were exploiting it are no longer delivering private photos. That seems to leave just two possibilities:

1. MySpace didn’t know this was going on before.

2. MySpace knew about it, but didn’t take action until the press noticed.

From a privacy activist’s perspective though, the question is: what will the Federal Trade Commission do about it? What can they do?

The FTC has the power to prosecute “unfair and deceptive trade practices.” This doctrine has developed to mean they have a role in enforcing privacy promises:

Enforcing Privacy Promises: Section 5 of the FTC Act

A key part of the Commission’s privacy program is making sure companies keep the promises they make to consumers about privacy, including the precautions they take to secure consumers’ personal information. To respond to consumers’ concerns about privacy, many Web sites post privacy policies that describe how consumers’ personal information is collected, used, shared, and secured. Indeed, almost all the top 100 commercial sites now post privacy policies. Using its authority under Section 5 of the FTC Act, which prohibits unfair or deceptive practices, the Commission has brought a number of cases to enforce the promises in privacy statements, including promises about the security of consumers’ personal information.

It looks like MySpace was promising privacy. And it looks like that promise wasn’t being kept. The FTC has gone after poor security promises before. A listing of their privacy cases includes a few examples:

  • Company Failed to Use Reasonable Security Measures to Protect Consumers’ Data
  • Agency Says Company Failed to Protect Sensitive Customer Data
  • Tens of Millions of Consumer Credit and Debit Card Numbers Compromised
  • Agency Says Lax Security Compromised Thousands of Credit and Debit Cards
  • Security Flaws Allowed Hackers to Access Consumers’ Credit Card Information

But these cases all have harms that involve credit card or other such personal information of a financial type. MySpace involved pictures. Will the FTC recognize MySpace’s breach of image security as a harm?

FTC action in this case would send a clear message to social networking operators to respect security and protect the privacy of the data which users are entrusting to them. That data may not be “sensitive” in the financial sense. But it is “sensitive” in that it is deeply personal.

Posted: January 20, 2008 in: