The Consumer Financial Protection Bureau filed a complaint and proposed consent order against PayPal in U.S. District Court in Greenbelt, Maryland, Tuesday, for “illegally signing up tens of thousands of consumers for its online credit product, PayPal Credit,” formerly known as Bill Me Later, CFPB Director Richard Cordray said about the complaint. CFPB alleges PayPal “lured in consumers to this product with deceptive advertising, signed up people without them knowing it, and then mishandled billing disputes when they arose,” Cordray said, which violates the Dodd-Frank Act. “This kind of conduct has no place in the consumer financial marketplace,” he said. Under the proposed consent order, PayPal would pay $15 million in consumer redress, a $10 million penalty and be required to improve disclosures and procedures, a CFPB news release said. Online shopping and the financial products that make it possible are great, but financial services providers need to ensure people are treated fairly and according to the law, Cordray said. "PayPal Credit takes consumer protection very seriously," a PayPal spokeswoman said. "We continually improve our products and enhance our communications to ensure a superior customer experience," she said. "Our focus is on ease of use, clarity and providing high-quality products that are useful to consumers and are in compliance with applicable laws."
Senate Intelligence Chairman Richard Burr, R-N.C., should listen to constituents who are “loud and clear that they not only want [Section 215 of the Patriot Act] to end, but that they are also incredibly dubious about the NSA’s collection practices,” wrote Electronic Frontier Foundation Legislative Analyst Mark Jaycox in a blog post Monday. Burr’s “reliance on the program being effective ignores the conclusions of two independent investigations tasked with looking at the calling records program,” Jaycox said: “The Director of National Intelligence and the Attorney General have written a letter expressing the need to reform the authorities, and essentially end the current program as it currently is.” Jaycox said “if the Executive branch, the Judicial branch, and two independent commissions can't convince Senator Burr, then maybe their fellow lawmakers can.”
The FTC wants the court-appointed consumer privacy ombudsman in RadioShack’s bankruptcy case to recommend against the sale of personal customer data as a stand-alone asset, Consumer Protection Director Jessica Rich told the ombudsman, an agency news release said. RadioShack obtained personal data, including consumers’ names, addresses, email addresses and purchase histories from tens of millions of consumers, Rich said. RadioShack had extensive privacy promises it made to consumers online and in stores, including the promise to not sell consumers’ information or the company’s mailing lists, Rich said. Consumer information should be sold only to another entity that's substantially in the same line of business as RadioShack and that buyer should be bound by the RadioShack privacy policies that were in place when the consumers’ data was collected, Rich said. The buyer should also give consumers notice their data was bought and obtain affirmative consent if the data is to be used in a manner that differs from promises RadioShack made, she said. Rich pointed to FTC intervention in the bankruptcy case of the online retailer Toysmart, which sought to sell customers’ information despite promises made in its privacy policies, as an example of how conditions successfully can be put on the sale of data both to allow the company to divest assets and to protect consumers’ information, the release said. RadioShack’s privacy policy had said (see 1504020032) that “we will not sell or rent your personally identifiable information to anyone at any time.”
Reddit administrators and users are unhappy with harassing behavior on its site, so the site has updated its practices to better curb harassment, an administrators' blog post said Thursday. “For the past six months we have been examining and reviewing reddit’s community policies and practices, collecting and analyzing data, defining our own goals, and making some hard decisions,” reddit said. “We value privacy, freedom of expression, open discussion, and humanity, and we want to make sure that we uphold these principles for all kinds of people,” they said. Some changes have already been made, such as an annual transparency report showing when private information was shared with law enforcement and when content was taken down in response to legal demands or for privacy reasons, the administrators said. In March, reddit’s privacy policy was updated to address revenge porn, and on Wednesday, additional changes were made to be “even more transparent about content that reddit removes for legal reasons,” they said. Reddit announced on Thursday administrators have been looking “closely at the conversations on reddit and at personal safety.” Reddit values freedom of expression and relies on volunteer moderators to determine and uphold rules for subreddits, allowing administrators to step in only when “we see threats to our values of privacy and safety,” they said. As use of the Internet and information available evolves, reddit said, it has seen more harassment and different types of harassment emerge, such as posting links to private information on other sites. “Instead of promoting free expression of ideas, we are seeing our open policies stifling free expression; people avoid participating for fear of their personal and family safety,” reddit said. “Because of this, we are changing our practices to prohibit attacks and harassment of individuals through reddit with the goal of preventing them,” they said. 
Harassment is defined as: “Systematic and/or continued actions to torment or demean someone in a way that would make a reasonable person (1) conclude that reddit is not a safe platform to express their ideas or participate in the conversation, or (2) fear for their safety or the safety of those around them,” the administrators said.
To ensure law enforcement uses body cameras in a way that enhances civil rights, New America’s Open Technology Institute and 35 other privacy and civil rights organizations and advocates Friday released principles they embraced. The principles would, among other things, require law enforcement agencies implementing cameras to develop camera policies in public; commit to a set of narrow and well-defined purposes for cameras; specify clear operational policies for recording, retention and access; and make footage available to promote accountability, an OTI news release said. The principles were spearheaded by the Leadership Conference on Civil & Human Rights. Other groups that supported the principles include the American Civil Liberties Union, Center for Democracy & Technology, Electronic Frontier Foundation and Public Knowledge.
The non-profit Technology Business Management Council established a Commission on IT Cost Opportunity, Strategy and Transparency (IT COST) Wednesday to “define a set of recommendations and best practices for Federal departments and agencies to transparently measure and communicate their IT costs so that Federal CIOs [chief information officers] are better equipped to govern their IT spending and support agency missions with limited resources,” a news release said. The federal government spends more than $78 billion on technology per year, but each agency uses its own standards to measure, benchmark and communicate the value of its technology investments, the release said. Lack of standardization creates numerous challenges and complications, it said. CIOs from the departments of Health, Transportation, Interior, Commerce and Agriculture are participating in the first IT COST Commission meeting, to be held in June. CIOs from Cisco, Hewlett-Packard and DirecTV are also participating. The goal is to release a report in early 2016 outlining a series of recommendations to reduce waste and increase efficiency, demonstrate cost, quality and value of IT spend, and aid in the implementation of the new Federal IT Acquisition Reform Act, the release said.
The FTC launched IdentityTheft.gov Thursday, in hopes of making it easier for identity theft victims to report and recover from identity theft, a news release said. The new website has an interactive checklist for those who learn their identity is stolen and has advice for those notified their personal information was exposed in a data breach. A Spanish version of the site is available at RobodeIdentidad.gov.
The Mozilla Foundation released security updates Tuesday to address vulnerabilities in Firefox, Firefox ESR and Thunderbird, said a notice from the U.S. Computer Emergency Readiness Team. U.S.-CERT said the vulnerabilities in Firefox may have let a remote hacker “cause a denial-of-service condition or steal sensitive information.” Adobe also released security updates Tuesday for Acrobat, Flash Player and Reader, a U.S.-CERT notice said. It said exploitation of Adobe vulnerabilities may let an attacker take control of an affected system.
The Department of Commerce Internet Policy Task Force extended the comment deadline on identifying substantive cybersecurity issues from May 18 to May 27, said a notice in Wednesday's Federal Register. Comments may be submitted via email or mail.
The Online Trust Alliance is welcoming experts from private and public industry to join its initiative to develop a security, privacy and sustainability trust framework for IoT devices, it said in a Wednesday news release. OTA said the framework is intended to provide clarity and confidence to consumers as they shop and use connected devices, with an initial focus on the connected home and wearable/fitness technologies. OTA hopes the framework will be used as a basis for a potential certification program for IoT devices and applications, it said. A draft will be shared in a panel at the TRUSTe IoT privacy summit June 17, it said. “With the rapid introduction of Internet of Things products into the market, we must ensure that security and privacy best practices are integrated to maximize consumer protection,” said OTA Executive Director Craig Spiezle. “According to preliminary data from OTA’s forthcoming Online Trust Audit, 14 percent of leading IoT products did not have a discoverable privacy policy for consumers to review prior to purchase,” Spiezle said. “We welcome industry leaders to join in the multi-stakeholder effort to raise the bar and make security, privacy and sustainability key product attributes.” OTA’s next full working group meeting is June 16 in Mountain View, California. Leaders in the security and privacy community, app developers, manufacturers and international retailers were invited to provide input. TRUSTe CEO Chris Babel welcomed OTA’s initiative to extend the work of the IoT Privacy Tech Working Group to include the security and sustainability issues arising out of the explosion of data collection from connected devices, he said. “Considering that 79 percent of U.S. consumers are concerned about data collected by connected devices, we urge companies to join this important endeavor to develop clear standards for privacy and security in the Internet of Things.”