How a Grad Student Scooped the Government and Uncovered One of the Biggest Internet Privacy Scandals
Continued from previous page
Vladeck would not bend.
"We don't trust anybody," he said.
Current and former FTC officials say the labs are the size of suburban living rooms, with computers and accessories that do not look much different from what would be seen at a Kinko's. "There's nothing special there," Soghoian said. "It looks like a computer room in a public library or middle school."
Vladeck's appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. A conversation with Vladeck, who has argued four cases before the U.S. Supreme Court and won three of them, is akin to a combative courtroom session. He often leans across the table and speaks in a high-pitched bellow. During an interview in his office, he said that when he arrived at the FTC, "We weren't geared up for this battle." That's partly because the Bush-era FTC was not terribly aggressive on privacy but also because data mining has particularly taken off in the past few years.
"No regulator is ever going to tell you that he or she is satisfied with the resources," Vladeck said. "Would I like more resources? Of course, and I think I could put them to good use. But let me toot our own horn. We've gotten an enormous amount done in three years. I think we are sending a strong signal to the industry — you've got to straighten up and do the right thing."
Since he arrived, the FTC has reached privacy settlements with the some of the largest tech firms, including Facebook, Google and Twitter, though in each case, there were no fines, because the FTC's authority to issue fines on a first offense is limited. The agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.
Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC's privacy work and is under Vladeck's control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. "The bottlenecks are the lawyers for the most part," Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.
Vladeck has improvised. He described his strategy as similar to highway cops — the point isn't to catch every car that breaks the speed limit, but enough to signal to the others that they can't get away with much. He goes after the shiniest cars.
Yet those cases demonstrated the FTC's limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy — what's inappropriate data collection to one person might be fair and harmless to another — so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little — in which case, they aren't deceiving consumers if they do things that might be untoward.