Senate Homeland Security and Governmental Affairs Subcommittee on Investigations Hearing
Federal Information & News Dispatch, Inc.
I. INTRODUCTION
Chairman Levin, Ranking Member McCain, and members of the Subcommittee, I am
Online advertising offers many benefits to consumers. It helps support a diverse range of online content and services that otherwise might not be available, or that consumers would otherwise have to pay for - services such as blogging, social networking and instant access to newspapers and information from around the world. It also can be used to tailor offers for products and services most relevant to consumers' interests.
But online behavioral advertising, which entails collecting information about consumers' online activities across websites in order to serve them personalized advertising, can also raise a number of consumer protection concerns. For example, some consumers may be uncomfortable with the privacy implications of being tracked across the websites they visit, or may be unaware that this practice is even occurring. And, without adequate safeguards in place, consumer tracking data may fall into the wrong hands or be used for adverse unanticipated purposes, including transmission to other third parties. These concerns are exacerbated when the tracking involves sensitive information about, for example, children, health, or a consumer's finances. Finally, online advertising can be used to deliver spyware and other malware to cause a host of problems to consumers' computers.
As the nation's consumer protection agency, the FTC is committed to protecting consumers in the online marketplace. The Commission is primarily a civil law enforcement agency, and its main operative statute is Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce. n2 A company acts deceptively if it makes materially misleading statements or omissions. n3 A company engages in unfair acts or practices if its practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition. n4 The Commission uses its enforcement authority under Section 5 to take action against online advertising companies and others engaged in unfair or deceptive practices. It also educates consumers and businesses about the online environment and encourages industry self-regulation.
This testimony will discuss the Commission's work to address three consumer protection issues affecting the online advertising industry: privacy, malware, and data security. It will then provide some recommendations for next steps in this area.
II. CONSUMER PROTECTION ISSUES AFFECTING THE ONLINE ADVERTISING INDUSTRY
A. PRIVACY
Since online privacy first emerged as a significant issue in the mid-1990s, it has been one of the Commission's highest consumer protection priorities. The Commission has worked to address privacy issues in the online marketplace, particularly those raised by online advertising networks, through consumer and business education, law enforcement, and policy initiatives.
Throughout the last decade, the FTC has examined the privacy implications of online behavioral advertising through a number of workshops and reports. n5 In March of 2012, the Commission released its Privacy Report, which set forth best practices for businesses - including the online advertising industry - to protect consumer privacy while ensuring that companies can continue to innovate. n6 The report called on companies to provide simpler and more streamlined choices to consumers about their data, through a robust universal choice mechanism for online behavioral advertising. n7
The Commission has also engaged in a number of privacy enforcement actions involving the online advertising industry. For example, in its first online behavioral advertising case, the Commission alleged that online advertising network Chitika violated the FTC Act's prohibition on deceptive practices when it offered consumers the ability to opt out of the collection of information to be used for targeted advertising - without telling them that the opt-out lasted only ten days. n8 The Commission's order prohibits Chitika from making future privacy misrepresentations. It also requires Chitika to provide consumers with an effective opt-out mechanism, link to this opt-out mechanism in its advertisements, and provide a notice on its website for consumers who may have opted out when Chitika's opt-out mechanism was ineffective. Finally, the order required Chitika to destroy any data that can be associated with a consumer that it collected during the time its opt-out mechanism was ineffective.
Online ad network ScanScout also settled FTC charges that it deceptively claimed that consumers could opt out of receiving targeted ads by changing their computer's web browser settings to block cookies. n9 In fact, ScanScout used Flash cookies, which browser settings could not block. Under the terms of the order, ScanScout is prohibited from misrepresenting the company's data collection practices and consumers' ability to control collection of their data. It also requires ScanScout to improve disclosure of its data collection practices and to provide a user-friendly mechanism that allows consumers to opt out of being tracked.
Finally, in 2012
B. SPYWARE AND OTHER MALWARE
Spyware and other malware can cause substantial harm to consumers and to the Internet as a medium of communication and commerce. When downloaded without authorization, including through online ads, spyware and other malware can cause a range of problems for computer users, from nuisance adware that delivers pop-up ads, to software that causes sluggish computer performance, to keystroke loggers that capture sensitive information.
The Commission has sought to address concerns about spyware and other malware through law enforcement and consumer education. Since 2004, the Commission has initiated a number of malware-related law enforcement actions, which reaffirm three key principles. The first is that a consumer's computer belongs to him or her, not to the software distributor, and it must be the consumer's choice whether or not to install software. This principle reflects the basic common-sense notion that Internet businesses are not free to help themselves to the resources of a consumer's computer. For example, in FTC v.
The second principle is that buried disclosures of material information necessary to correct an otherwise misleading impression are not sufficient in connection with software downloads, just as they have never been sufficient in more traditional areas of commerce. Specifically, burying material information in an End User License Agreement will not shield a malware purveyor from Section 5 liability. This principle was illustrated in FTC v. Odysseus
The third principle is that, if a distributor puts a program on a computer that the consumer does not want, the consumer should be able to uninstall or disable it. This principle is underscored by the FTC's cases against
In addition to engaging in law enforcement, the FTC has made consumer education on malware issues a priority. The Commission sponsors OnGuard Online, a website designed to educate consumers about basic computer security. n21 OnGuard Online and its Spanish-language counterpart, Alerta en Linea, n22 average more than 2.2 million unique visits per year. The comprehensive website has general information on online safety, as well as sections with detailed information on a range of topics, including spyware. The FTC also has created a number of articles, videos, and games available to consumers on both its website n23 and OnGuard Online to describe the threats associated with spyware and malware and to provide consumers with information about how to avoid and detect such malicious software.
C. DATA SECURITY
While taking action against the purveyors of malware is important, it is also critical to ensure that companies are taking reasonable steps to ensure that they are not inadvertently enabling third parties to place malware on consumers' computers. To this end, online advertising networks should maintain reasonable safeguards to ensure that they are not displaying advertisements containing malware that can slow down consumers' computers, expose them to unwanted content such as pop-up ads, and gain unauthorized access to their personal information.
The Commission has undertaken substantial efforts for over a decade to promote strong data security practices in the private sector in order to prevent hackers and purveyors of malware from harming consumers. In addition to enforcing Section 5 of the FTC Act, discussed above, the Commission enforces several specific statutes and rules that impose obligations upon businesses to protect consumer data. The Commission's Safeguards Rule, which implements the Gramm-Leach-Bliley Act, for example, provides data security requirements for non-bank financial institutions. n24 The Fair Credit Reporting Act requires consumer reporting agencies to use reasonable procedures to ensure that the entities to which they disclose sensitive consumer information have a permissible purpose for receiving that information, n25 and imposes safe disposal obligations on entities that maintain consumer report information. n26 The Children's Online Privacy Protection Act requires reasonable security for children's information collected online. n27 Reasonableness is the foundation of the data security provisions of each of these laws.
The FTC conducts its data security investigations to determine whether a company's data security measures are reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities. The Commission's 53 settlements with businesses that it charged with failing to provide reasonable protections for consumers' personal information have halted harmful data security practices; required companies to provide strong protections for consumer data; and raised awareness about the risks to data, the need for reasonable and appropriate security, and the types of security failures that raise concerns. n28
In its most recent data security case, the FTC announced a settlement with
The complaint also charges that despite its claims regarding reasonable security, Snapchat failed to adequately secure the Find Friends feature, which led to significant misuse and unauthorized disclosure of consumers' personal information. For example, the complaint alleges that numerous consumers complained that they had sent snaps to someone who impersonated a friend. In fact, because Snapchat failed to verify users' phone numbers during registration, these consumers were actually sending their personal snaps to complete strangers who had registered with phone numbers that did not belong to them. Moreover, in
The FTC also recently entered into settlements with
Credit Karma's mobile app allows consumers to monitor and access their credit scores, credit reports, and other credit report and financial data, and has been downloaded over one million times. Fandango's mobile app allows consumers to purchase movie tickets and has over 18.5 million downloads. According to the complaints, despite claims that the companies provided reasonable security to consumers' data, Credit Karma and Fandango did not securely transmit consumers' sensitive personal information through their mobile apps. In particular, the apps failed to authenticate and secure the connections used to transmit this data, and left consumers' information vulnerable to exposure - including
Finally, the FTC announced a case against
In each of its 53 data security cases, the Commission has examined a company's practices as a whole and challenged alleged data security failures that were multiple and systemic. Through these settlements, the Commission has made clear that reasonable and appropriate security is a continuous process of assessing and addressing risks; that there is no one-size-fits-all data security program; that the Commission does not require perfect security; and that the mere fact that a breach occurred does not mean that a company has violated the law. These principles apply equally to advertising networks. Just because malware has been installed does not mean that the advertising network has violated Section 5. Rather, the Commission would look to whether the advertising network took reasonable steps to prevent third parties from using online ads to deliver malware.
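The defect alleged in the Credit Karma and Fandango complaints above, an app that transmits sensitive data without authenticating the server on the other end of the connection, is easy both to reproduce and to test for. The Go program below is an added example, not code from the testimony or from either company. It starts a local HTTPS server whose certificate is self-signed (standing in for an attacker interposed on the network, e.g. on public Wi-Fi), then connects once with certificate verification switched off (the mobile-app mistake) and once with the default verifying configuration. The server, the client helpers, the "intercepted" marker and the isCertError check are constructed for illustration and are assumptions of this example, not anything described in the complaints.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// newFakeServer stands in for a man-in-the-middle: it serves TLS with a
// certificate that no client trust store recognises (httptest's built-in
// self-signed certificate), which is exactly what an attacker on the
// network path would present to an app that skips verification.
func newFakeServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Anything the app sent here (credentials, credit data) has already
		// reached the attacker; reply with a marker so the caller can tell.
		fmt.Fprint(w, "intercepted")
	}))
}

// insecureClient mirrors the alleged defect: certificate validation is
// disabled, so the client accepts whatever certificate it is shown.
func insecureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
	}}
}

// secureClient keeps Go's default behaviour: the chain must validate
// against the system trust store and the hostname must match.
func secureClient() *http.Client {
	return &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{MinVersion: tls.VersionTLS12},
	}}
}

// fetch performs one GET and returns the body, or the error the TLS
// handshake (or request) produced.
func fetch(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	b, err := io.ReadAll(resp.Body)
	return string(b), err
}

// isCertError reports whether err is an X.509 verification failure, i.e.
// the client refused to talk to a server it could not authenticate.
func isCertError(err error) bool {
	if err == nil {
		return false
	}
	var unknownCA x509.UnknownAuthorityError
	var badHost x509.HostnameError
	var invalid x509.CertificateInvalidError
	if errors.As(err, &unknownCA) || errors.As(err, &badHost) || errors.As(err, &invalid) {
		return true
	}
	// Platform verifiers (e.g. on macOS) may surface a plain error whose
	// message still carries the x509 prefix.
	return strings.Contains(err.Error(), "x509")
}

func main() {
	srv := newFakeServer()
	defer srv.Close()

	body, err := fetch(insecureClient(), srv.URL)
	fmt.Printf("verification off: body=%q err=%v\n", body, err)

	_, err = fetch(secureClient(), srv.URL)
	fmt.Printf("verification on:  rejected=%v (%v)\n", isCertError(err), err)
}
```

Run with `go run main.go`: the first request succeeds and returns the attacker's response, the second fails with an x509 error before any application data is sent. Pointing a release build at a server with an untrusted certificate and confirming that the connection is refused is the check a practitioner would want to run before shipping an app that handles credit reports or payment data.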
III. RECOMMENDATIONS FOR NEXT STEPS
The Commission shares this Committee's concerns about the use of online advertisements to deliver malware onto consumers' computers, which implicates each of the areas discussed in this testimony - consumer privacy, malware, and data security. We encourage several additional steps to protect consumers in this area.
The first is more widespread consumer education about how consumers can protect their computers against malware. The FTC materials discussed in this testimony are available at www.OnguardOnline.gov and www.ftc.gov. We encourage businesses, advocacy organizations, and other government agencies at the state, local, and federal levels to use these materials and tailor them to their particular constituencies and concerns.
The second is continued industry self-regulation to ensure that ad networks are taking reasonable steps to prevent the use of their systems to display malicious ads to consumers. Just last week,
Finally, the Commission continues to reiterate its longstanding, bipartisan call for enactment of a strong federal data security and breach notification law. Reasonable and appropriate security practices are critical to preventing data breaches and protecting consumers from identity theft and other harm. Despite the threats posed by data breaches, many companies continue to underinvest in data security. For example, the Commission's settlements have shown that some companies fail to take even the most basic security precautions, such as updating antivirus software or requiring network administrators to use strong passwords. With reports of data breaches on the rise, and with a significant number of Americans suffering from identity theft, having a strong and uniform national data security requirement would reinforce the requirement under the FTC Act that companies must implement reasonable measures to ensure that consumers' personal information is protected. Although most states have breach notification laws in place, having a strong and consistent national breach notification requirement would simplify compliance by businesses while ensuring that all consumers are protected.
Among other things, such legislation would supplement the Commission's existing data security authority by authorizing the Commission to seek civil penalties in appropriate circumstances against companies that do not reasonably protect consumers' data. Providing the Commission with authority to seek civil penalties in these cases would help deter unlawful conduct, including using malware to gain access to consumers' personal information - such as through keystroke loggers. Such legislation could provide the Commission with an important consumer protection tool.
IV. CONCLUSION
Thank you for the opportunity to provide the Commission's testimony on consumer protection issues involving the online advertising industry. We look forward to continuing to work with the Subcommittee and
n1 This written statement presents the views of the
n2 15 U.S.C. § 45(a). The Commission also enforces numerous specific statutes.
n3 See Federal Trade Commission Policy Statement on Deception, appended to Cliffdale Assocs., Inc., 103 F.T.C. 110, 174 (1984).
n4 See 15 U.S.C. § 45(n); Federal Trade Commission Policy Statement on Unfairness, appended to Int'l
n5 See, e.g., FTC Press Release, Staff Proposes Online Behavioral Advertising Policy Principles (
n6 FTC Report, Protecting Consumers in an Era of Rapid Change: Recommendations for Businesses and Policymakers (
n7 In the Privacy Report, the Commission articulated five essential elements of a robust do-not-track mechanism: universal, persistent, easy to find and use, effective, and that the mechanism provide control over the collection of information, not just the delivery of targeted ads. Id. at 53.
n8
n9
n10
n11
n12
n13
n14 FTC v.
n15 FTC v.
n16 FTC v.
n17 FTC v. Odysseus
n18
n19
n20
n21 See http://www.onguardonline.gov.
n22 See http://www.alertaenlinea.gov.
n23 See generally http://www.consumer.ftc.gov.
n24 16 C.F.R. Part 314, implementing 15 U.S.C. § 6801(b).
n25 15 U.S.C. § 1681e.
n26 Id. at § 1681w. The FTC's implementing rule is at 16 C.F.R. Part 682.
n27 15 U.S.C. §§ 6501-6506; see also 16 C.F.R. Part 312 ("COPPA Rule").
n28 See Commission Statement Marking the FTC's 50th Data Security Settlement,
n29
n30
n31
n32
n33 See generally http://www.trustinads.org.
n34 See generally
Read this original document at: http://www.hsgac.senate.gov/download/?id=4e14bbc1-c651-46a2-8600-f21acfa65a22
Copyright: (c) 2010 Federal Information & News Dispatch, Inc.