FTC and Unethical Privacy Practices

Early morning, you sit in front of your laptop to open a news website, from the moment you click on the website to the time the first news is displayed on your screen hundreds of companies would have already tracked your action and would present you with advertisements/suggestions based on your activity. In this digital age the whole process takes less than a fraction of a second.

As users, we move through our Internet experiences unaware of the churning subterranean machines powering our web pages with their cookies and pixel trackers, their tracking code and databases. What companies are doing to gather all this information is nothing but a glorified spyware activity. “What we called spyware in the past has become a standard business practice on the internet today”. Google finds itself in the middle of the same controversy, the question arises whether this act in unintentional or if companies indeed are making use of technology and sneaking into user privacy. In the past Facebook has been accused multiple times of using cookies to track users even after they log out of the service.

Never before in the history of mankind has so much private data been gathered about the people for the sole purpose of advertising and gathering statistics.

In the past, privacy used to mean security. These days, it has obtained an entirely new meaning. Modern technologies affect privacy in whole new ways by making information collection cheap, searchable, sortable, and aggregatable. The ubiquity of personal information available on the internet via social media sites like Facebook and Twitter has changed the value of such information. To better accomodate these changes, there should be mechanisms in place for people to control the authorization chain on information about themselves in concert with institutional policies.  In addition lawmakers need to define clear legal boundaries around information privacy and security.

We cannot apply moral ethics to information; however, institutions like FTC are there to enforce policies that promote greater cooperation and penalties that drive less defection.

The regulations laid out by FTC have been formulated keeping in mind, the importance of user information security and because of this it is necessary for the companies to follow them strictly before creating or modifying any of their business practices. However, most of the internet industry makes profits by providing space to e-marketers and advertisers on their website. Customizing advertisements according to the users’ browsing preferences and keywords leads to a higher probability of users looking at these advertisements. In order to know the user’s’ browsing patterns, search engines need to track their cookies and collect their data. Certain companies take advantage of the fact that tracking of this data is not visible to the user unless the user changes certain browser settings. As per the FTC regulations on Data Security, providing sensitive user information to clients is not permissible without the consent of the user. Thus, there is a trade-off between company profits and protecting user data.

However, for certain companies that do not follow business practices laid out by the FTC policies on deception and data security, profits take higher precedence than protection of user data and hence there is a gap between practices and procedures. Companies thrive on profits so it is not necessarily the company’s fault in this case but the nature of the Internet industry is such that companies are compelled to choose between profits and user data protection.

Although the FTC works hard to “prevent fraudulent, deceptive and unfair business practices in the marketplace and to provide information to help consumers spot, stop, and avoid them”, there were many incidents of data breaches ever since electronic transactions became the norm of running a business. (http://online.wsj.com/article/SB10001424052702303816504577313411294908868.html). Credit card information is a common goal of hackers. Because this data includes digitized personal information, and more importantly monetary information, it is highly exposed to potential attacks. Data breaches at card payment processors turn millions of consumer into victims of identity theft. Many instances of these breaches result in personal information becoming available for sale.

(http://bits.blogs.nytimes.com/2011/05/03/card-data-is-stolen-and-sold/). Identity thieves can open a credit card, get a loan, or even get a job using your credit. There are several ways consumers can protect themselves. By monitoring bank and credit card statements consumers can track abnormal activity. Free credit reports are available to keep track of one’s credit. “Paying it Safe” section of the FTC’s “A Consumer’s Guide to E-Payments” helps individuals become aware of safe online shopping practices. (http://www.ftc.gov/bcp/edu/pubs/consumer/tech/tec01.shtm) (http://www.ftc.gov/bcp/edu/pubs/consumer/idtheft/idt05.shtm)

Still, the root of the problem is companies that deceive consumers and prey on lack of technological understanding. In the recent years, the FTC has approved settlements for three major social media companies, such as MySpace, Facebook, and Google. This was caused by the deceptive practice of online service providers that engaged in privacy practices that deviate from their written privacy policies. By this action, the FTC conveyed a clear message regarding the significance of transparency of what companies say they do and what they actually do.  Neither Google or Facebook or any other company is under any obligation to provide detailed information about their privacy guidelines. However, making the effort to provide such information is exactly the sort of forward thinking on transparency that the FTC is encouraging.

Despite the clear FTC message that companies need to be responsible and accountable for the deviation from their written guidelines, it is questionable how the message will be perceived by companies; especially after the Google most expensive settlement. Unfortunately, looking at the current FTC settlements, companies may think that their public privacy policies are better off being vague and unclear.  Also, Congress’s reluctance to pass legislation in this arena, great potential harm if the legislation is done in the wrong way, plus the privacy area’s rapidly evolving nature coupled with the human behavior and consumer expectations makes it harder on companies to do a right thing while minimizing the risk and supporting its business.

At the same time there are dishonest companies who are intentionally causing privacy harms to people and making money off of such abuses.  While there are important policy grey areas to resolve, sometimes by bringing cases, going after willful aggressive abusers with malicious intent who caused actual privacy harms would be a much more appropriate use of the FTC’s time and limited resources.