How a Grad Student Scooped the Government and Uncovered One of the Biggest Internet Privacy Scandals

Continued from previous page

Ironically, the best way for a company to avoid privacy tussles with the FTC is to not say much about their privacy practices. On the other side of things, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read or, when they do, they have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow these strategies — and many do — are difficult targets for the FTC.

Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large — this is akin to a two-strike rule.

The settlement process is time-consuming, however. Due to the agency's small legal staff, some settlements take years to complete, and by the time they're done, the targeted companies are not what they used to be. Last month, the FTC announced a privacy settlement with Myspace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when Myspace was already a fading giant; by the time it was concluded in May, Myspace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, "You mean Myspace still exists?"

Although the agency has some sway with Google and other companies that are sensitive to reputational issues — an FTC settlement might not hurt Google's bottom line but the bad press could — it has less influence over data mining firms like LexisNexis, Choicepoint and RapLeaf, whose revenues come mostly from businesses rather than consumers. This is a major hole in the government's effort to protect consumers from privacy violations, and the FTC has all but thrown up its hands in futility. The privacy report it issued earlier this year called on Congress to pass legislation that would set guidelines on acceptable practices by data miners. The odds of that happening are quite long, because of industry opposition to government oversight and the difficulty of getting agreement in Congress on what should and should not be allowed.

***

Even though he lives in university housing, Jonathan Mayer is a star in the world of digital privacy; he is the mop-haired kid who busted Google in his spare time. Silicon Valley companies seek him out to learn what he's up to. Mayer, being clever, uses these encounters to learn about the companies. What are they thinking about the most? What do they fear the most? He has made another discovery.

"The FTC doesn't strike fear into the heart of tech companies," he says. "They know that as long as they stay within lax boundaries, it's unlikely the FTC will bring enforcement actions against them."