Posted on March 27 2019
FTC issued seven Orders to ISPs
Data and Privacy
After the protracted Facebook, Twitter, Google and Cambridge Analytica matters, by all appearances the enforcement agencies are stepping up their enforcement activity and are starting to be (slightly) aggressive as it relates to consumer privacy.
I am old enough to remember when you needed a dial tone to “connect” to the “World Wide Web,” and I’m also old enough to remember when the telecommunications industry, specifically service providers and content providers, struggled with data privacy. The dirty little secret that has always been hiding in plain sight: statutorily speaking, laws and lawmakers continue to lag behind explosive technologies.
In the past I’ve discussed the critical role enforcement agencies play in protecting consumers. Given that the FTC entered into multiple consent decrees with Facebook, Twitter and Google due to completely lax data privacy policies,
FTC v Google:
Unless otherwise noted, each of the following FTC Consent Decrees has a twenty-year term, coupled with mandatory audits and reporting. FTC v Google, entry found here, in which I embedded multiple Orders from 2011, 2012, 2016 and 2018 respectively. I also linked to the various fines and noted the monopoly of their ad business.
Incidentally, last week the EU Commission levied a €1.49 billion fine, stating that Google’s advertising “monopoly” is impermissible and a violation of the EU’s antitrust rules. The EU determination reads in part:
“...Google has cemented its dominance in online search adverts and shielded itself from competitive pressure by imposing anti-competitive contractual restrictions on third-party websites. This is illegal under EU antitrust rules. The misconduct lasted over 10 years and denied other companies the possibility to compete on the merits and to innovate - and consumers the benefits of competition.”
You can read the full EU Commission Anti-Trust €1.45 fine here
FTC v Twitter
Last year I wrote about the FTC v Twitter 20-year consent decree. I discussed how Twitter’s platform had been hacked, twice, and that nearly “all Twitter” employees had access to users’ DMs, draft tweets, as well as the email addresses and phone numbers associated with said Twitter accounts. I have periodically updated it, as warranted. You can re-read my Twitter Friend or Foe series: Part I here, Part II here, Part III here. Congressional testimony found here.
FTC v Facebook
You can read the FTC v Facebook consent decree here and here (it includes the March 2018 update). Facebook’s annual audits (pursuant to their FTC consent decree) are found here. It has always bothered me that Facebook’s PwC audits were never discussed at length. I could be wrong, but the premise of the FTC consent decree was to force Facebook to execute tighter controls on data and user privacy. Meaning one could and should infer that the annual audits should have detected unauthorized extraction of user data by a third party. It’s not like I didn’t link to the FTC Facebook FOIA docket that contains all their audits. So in case you missed the previously embedded link, you can pull the audits down via this (public) link.
The Federal Trade Commission issued seven orders to U.S.-based Internet Service Providers, listed below, who cumulatively serve close to 475 million customers:
- AT&T, Inc
- AT&T Mobility Inc
- Comcast Cable Communications dba Xfinity
- Google Fiber Inc
- T-Mobile US
- Verizon Communications
- Cellco Partnership dba Verizon Wireless
Oh dear...the “and related entities” language is super curious, because one could infer that the FTC is telegraphing that its plan is to look at this in a holistic way versus a one-off or (worse) piecemeal approach. The FTC’s specific “and their Devices” has so many avenues of inquiry that I am genuinely excited, which runs a close second to the latter part of this paragraph. You’ll want to read it carefully:
...seeking to compile data concerning the privacy policies, procedures, and practices of Internet Service Providers and related entities, including the method and manner by which they collect, retain, use, and disclose information about consumers and their Devices. The Special Report will assist the Commission in conducting a study of such policies, practices, and procedures. (emphasis added)
Your report is required to be subscribed and sworn by an official of the Company who has prepared or supervised the preparation of the report from books, records, correspondence, and other data and material in Your possession.
The FTC’s scope is not only broad but incredibly thorough; the areas of focus appear to be exhaustive. Again, I would encourage you to read the 8-page order, specifically pages 2 & 3 and the Attachment:
- The categories of personal information collected about consumers or their devices, including the purpose for which the information is collected or used; the techniques for collecting such information; whether the information collected is shared with third parties; internal policies for access to such data; and how long the information is retained;
- Whether the information is aggregated, anonymized or deidentified;
- Copies of the companies’ notices and disclosures to consumers about their data collection practices;
- Whether the companies offer consumers choices about the collection, retention, use and disclosure of personal information, and whether the companies have denied or degraded service to consumers who decline to opt-in to data collection; and
- Procedures and processes for allowing consumers to access, correct, or delete their personal information.
I think there’s a reasonable expectation that you as the consumer should have significant control over your data, or at the very minimum your consent to use your data for other means, and/or entitlement to some kind of compensation. It is bad enough when your (former) friend or social media trolls dox or re-dox you, but I think it is equally bad when you as a customer have no idea that your ISP has monetized your personally identifiable information...hence the weaponization of information can be both dangerous and clearly profitable.
Before I forget: the reason I’m suggesting that you read Attachment A is that it gives you an itemized list of what the FTC expects from the ISPs who received the Order. As the saying goes, the devil is in the details...
“Device” means (a) any computing device that operates using an operating system, including smartphone, tablet, wearable, sensor, television, set-top box, cable box, router, or any periphery of any portable computing device; and (b) the software used to access, operate, manage, or configure a device subject to part (a) of this definition, including, but not limited to, the firmware, web or mobile applications, and any related online services.
“Electronically Stored Information” or “ESI” means the complete original and any non-identical copy (whether different from the original because of notations, different metadata, or otherwise), regardless of origin or location, of any writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations stored in any electronic medium from which information can be obtained either directly or, if necessary, after translation by You into a reasonably usable form. This includes, but is not limited to, electronic mail, instant messaging, videoconferencing, and other electronic correspondence (whether active, archived, or in a deleted items folder), word processing files, spreadsheets, databases, and video and sound recordings, whether stored on: cards, magnetic or electronic tapes, disks, computer hard drives, network shares or servers, or other drives, cloud-based platforms, cell phones, PDAs, computer tablets, or other mobile devices, or other storage
I personally found page 2 of Attachment A the most informative; the reason “definitions” are required is that they leave zero ambiguity for the FTC or the ISPs with respect to what data the FTC requires be produced under yesterday’s FTC Order:
“Personal Information” means information about a specific consumer or device, including: (a) first and last name; (b) home or other physical address, including street name and name of city or town, or other information about the location of the individual, including but not limited to location from cellular tower information, fine or coarse location, or GPS coordinates; (c) email address or other online contact information, such as an instant messaging user identifier or screen name; (d) telephone number; (e) a persistent identifier, such as a customer number held in a “cookie,” a static Internet Protocol (“IP”) address, a device identifier, a device fingerprint, a hashed identifier, or a processor serial number; (f) nonpublic communications and content, including, but not limited to, e-mail, text messages, photos, videos, audio, or other digital images or audio content; (g) Internet browsing history, search history, or list of URLs visited; (h) video, audio, cable, or TV viewing history; (i) biometric data; or (j) health or medical information.
🌶SpicyFiles Sidebar🌶 In a semi-related matter concerning the storage of data, one of the issues I recently ran into with a certain “content” provider is that they requested I upload a government-issued ID. Given the issue at hand, I wasn’t entirely comfortable giving this “provider” additional personal information. They sent me an “encrypted link” to upload various documents. I requested a copy of their data retention policy and specifically asked them “what they do to protect the sensitive data.” To wit, this provider sent me a second “more encrypted link” and stated they would not move forward with my complaint if I didn’t provide the additional information. Given this company’s long documented track record of doing nothing when PII is uploaded to their platform, I asked a few lawyers (I happen to know a lot...snort) for guidance on: 1) how to comply, and 2) how to further protect my privacy rights. I ultimately gave that company the “official government issued ID,” but I did so with the assistance of local law enforcement and an attorney, who also involved the FTC.
Long story short: even if you file a complaint to have your PII removed, that provider is required to give you their data retention policy, and it is nonsensical that in order to get your PII removed, that “provider” needs more PII from you. But I digress.
Returning to the FTC’s announcement, the agency explains the reason for this study and for the data sought from these seven ISPs:
The FTC is initiating this study to better understand Internet service providers’ privacy practices in light of the evolution of telecommunications companies into vertically integrated platforms that also provide advertising-supported content.
Under current law, the FTC has the ability to enforce against unfair and deceptive practices involving Internet service providers.
Oddly, the FTC did not issue any Order to the following ISPs. I have taken the liberty of sourcing the estimated total customers for these ISPs; unless otherwise noted, the aggregate numbers are strictly for American customers:
- Cox Communications, approximately 20 million customers.
- Sprint, approximately 280 million customers.
- Charter Spectrum, approximately 22 million customers.
- CenturyLink, blended DSL & fiber, approximately 51.9 customers.
Again, you can read yesterday’s FTC press release here. If I were to make an educated guess: this recent FTC inquiry/study is part of a much larger picture. Meaning the FTC has data, on a semi-rolling basis, from multiple content providers/platforms (Facebook, Twitter, Google); now they have turned their focus to the transport medium/network, as in the ISP networks that “transport” the content. I would keep an eye on this, given that the FTC’s 45-day clock starts on the day on which each ISP receives its FTC Order. Also, going forward you’ll want to bookmark the FTC website and search for: “Resolution Directing Use of Compulsory Process to Collect Information Regarding ISP Privacy,” or FTC No P195402. The ISPs’ Special Report(s) ETA: May 13, 2019 +/- 3 days.
Also, in yet another related matter regarding Data and Privacy, yesterday the Director of the FTC’s Bureau of Consumer Protection testified before the House Oversight Committee.
You can read Mr Smith’s written testimony here, although this particular passage of his testimony pretty much sums up the totality of the regulatory and enforcement authority granted to the FTC:
“data security enforcement agency, litigating or settling more than 60 data security cases. The Commission is the nation’s primary data security regulator and enforces several statutes and rules that impose data security requirements on companies across a wide spectrum of industries...”
And in conclusion, you might find NTCA’s website helpful to understand the future and muxing of the Internet and television. This association may have unintended bias as it relates to regulatory changes, but their data on the future of these two technologies blending is a worthwhile read. Again, remember that this association has a vested interest in the least restrictive regulatory and enforcement actions. NTCA’s Industry Data and slide deck can be found here.
Also, ICYMI, yesterday the GAO publicly released their findings as they relate to the CRA data breaches. It’s not good, it’s actually pretty bad, and no, I am not kidding when I rhetorically asked Zuck if he’s scared. Because metadata doesn’t lie, and Facebook seems to think the FTC is their only issue.
Nope. Hypothetically speaking, if you as a public company file multiple federally mandated reports and those reports are not entirely “accurate”...your problems will only get worse. Also, I have no idea why Twitter is allowed to use Facebook like a human shield...but that deserves a much longer discussion.
Whaddup Zuck?
You scared yet?
I’m curious did you ever come clean about the API and/or private data extracted from the CRA breaches?
How’s the multiBILLION FTC settlement going?
Cough - FTC via FCRA
Cough SEC soon
👇🏻Newly released👇🏻https://t.co/3G0cbxbRlF pic.twitter.com/9z3LxLMK09
— 👁🌶👁Account to Expire soon-ish... (@MaddogSpicy) March 26, 2019
-SpicyFiles Out...for now.
While you're here, throw us a bone.
Mad Dog is thrilled to have Spicy in our PAC(k). We are proud to provide a space for her tireless, hard hitting, in-depth investigations. But we can’t do it without you.
Our numbers are growing. Our voices are being heard. Our campaigns are making a difference. Help us, and Spicy, continue to fight the good fight. Consider a donation to help support the work of Mad Dog PAC today.