Communications Daily is a service of Warren Communications News.

Sector-Specific Laws Won’t Be Erased by National Data Security Proposals, FTC Official Says

Though 12 data security bills are pending in Congress, none is likely to replace the raft of sector-specific laws on data security and privacy, such as the Fair & Accurate Credit Transactions Act and Health Insurance Portability & Accountability Act, FTC Dir.-Bureau of Consumer Protection Lydia Parnes said Thurs. Speaking to the Computers, Freedom & Privacy Conference in D.C., she said: “I don’t see [those laws] getting back in the box in any way,” but a minimum national standard across all sectors “would certainly be a good start” on improving areas left unaddressed by sector-specific laws. Parnes also said the FTC just reached a $4.1 million settlement with an alleged spammer.


The FTC has sent about 200 warning letters to firms selling private consumer records to 3rd parties illegally, Parnes said, and has brought about a dozen pretexting cases. The operations, mostly online, offered details of incoming and outgoing calls on wireless and landline phones, such as numbers called, time and date of calls and, in some cases, origination, she said. She praised the Electronic Privacy Information Center for filing a complaint last year about firms engaged in pretexting: “I think we understand the value of collaboration” with private groups. The FCC is now prodding carriers to better protect information, and state attorneys general are filing their own cases.

Many security breaches happened in the absence of even “reasonable and appropriate measures” to safeguard data, the FTC’s standard for federal compliance, Parnes said. In 3 recent cases, hackers “exploited reasonably foreseeable security risks” to obtain credit and debit card information. But she added that the Commission declined to go after recently-breached firms that took reasonable precautions with sensitive data: “The goal… is not to put another notch on our enforcement belt” but to create a “culture of security,” she said.

Some of the easiest vulnerabilities to correct are simply suspicious applications for data: Citing shady customers who bought ChoicePoint data, she said “these people came in through the front door,” not the “back door” of hacking. ChoicePoint settled FTC charges for $10 million earlier this year. No one security practice will guarantee that the Commission will find a firm’s security practices are reasonable, Parnes said: “You have to look at the whole package,” and “clear and conspicuous disclosures of certain information” are needed in breach notices. But she warned about “information overload” in disclosures, saying consumers would ignore repeated notices with vague information.

Parnes said the Commission had just reached a $4.1 million settlement with Seismic Entertainment (WID April 11/05 p3). The company was alleged to have used Internet Explorer holes to download spyware to user desktops, hijack home pages, flood users with pop-up ads, and cause computers to slow or crash, Parnes said. The settlement in U.S. Dist. Court, Concord, N.H., is an “important lesson for those who try to exploit advancement in technology for their financial gain,” Parnes said. A settlement with defendants OptinTrade and Jared Lansky bars the same practices. Lansky, an ad broker who disseminated ads containing Seismic’s spyware, will give up $227,000 in ill-gotten gains, the FTC said. The FTC has brought 6 spyware cases and has ongoing investigations.

The Center for Democracy & Technology (CDT), which complained about Seismic to the FTC, lauded the court’s ruling. “Aggressive enforcement of this sort is absolutely vital if we're to continue our progress in battle against spyware,” CDT Deputy Dir. Ari Schwartz said: “Coupled with meaningful technological and legislative initiatives, harsh judgments like this chip away at the ability of scammers to freely exploit unsuspecting Internet users with unfair and deceptive tricks.”

The court also ordered a halt to another spyware operator’s stealthy downloads and barred the collection of consumers’ personal information, pending trial, FTC said. In the 2nd case, FTC charged that Odysseus Marketing and its principal Walter Rines lured consumers to a website by advertising bogus software they claimed would facilitate anonymous peer-to-peer file sharing. According to the FTC, the spyware and other software bundled with it hijacked search engines and reformatted search engine results, placing Rines’ clients first.

The agency recently amended its complaint, alleging that the defendants also distributed spyware by exploiting security holes in Web browsers and that the defendants’ programs captured consumers’ personal data, including their names, addresses, e-mail, phone numbers, Internet browsing and shopping history, and information about their online transactions. The amended complaint alleges the information was then transmitted to defendants’ servers, where they compiled the data into a database and sold access to it. A revised preliminary injunction was issued against Odysseus and Rines that bars them from downloading spyware without consumers’ consent, and from disclosing, using or further obtaining consumers’ personal information, pending trial. The FTC will ask the court to order a permanent halt to their activities and order them to give up their ill-gotten gains, officials said.

“Buried disclosures don’t work with software,” Parnes said of unauthorized installations. Hard-to-find notices of software behavior that might alarm consumers in end user license agreements (EULAs) violate Commission standards, she said. That prompted an audience member to ask whether the FTC was investigating Sony BMG for the spyware-like behavior on some of its copy-protected CDs. Not specifically that company, Parnes responded, but she said “generally that is an issue we're looking at.”

A member of the Internet Governance Project in Q-&-A faulted the FTC for opposing efforts to close the public availability of the Whois database, calling its stance “bordering on the hypocritical” given the agency’s push for consumer privacy. Law enforcement can get the same information in Whois through private channels, he said. “We actually are evaluating… how we need to use this data” in Whois, Parnes said, but other issues plague the database: “Much of the information simply is not accurate” because “fraudsters” don’t include real contact information in their Web registrations. She said she didn’t know if FTC or law enforcement agencies would ever switch their position on the openness of Whois to any Web surfer: “We'll follow up” with concerned parties, she promised.