Why the FTC should not be the responsible for privacy regulation in the United States.
In the previous blog post, I've talked at length of the possible ramifications of the Federal Trade Commission interfering in YouTube and YouTube's community of content creators. When I finished that blog post, I took some time to consider what other aspects of surveillance and privacy the FTC failed at. The FTC is more focused on keeping trade competitive rather than protecting privacy rights. That being said, the question that loomed over my mind was whether or not the FTC should be in charge of privacy. When did the FTC make the shots for consumers' privacy? In fact, what does trade regulation have to do with citizen's privacy?
There is a problem with the fact that the FTC being the one to decide if a privacy breach is broken, the way they handle breaches, and the failure of their oversight being too punishing on one hand while being too lenient on the other. The FTC should not be the ones to make this call and a different entity should be the ones to prioritize and champion their constituents privacy.
How the FTC was put in charge of privacy, and why that is strange
On the FTC website, the agency came to oversee consumer's privacy since the 1970s, with the Fair Credit Reporting Act being one of the first privacy laws. This act governs how exactly credit bureaus can take a customer's information, how long they can hold on to that information, who can have access to that information. This style of governance has stayed consistent throughout the years, as the FTC themselves takes pride in that fact. However, the fact that the website states plainly that the goal is to protect privacy in the market place and not privacy in general is what the problem is.
Court cases recently against tech. companies in particular is baffling because of how little the FTC actually moves to protect individual privacy. Back in June of 2019, the FTC won a settlement with Facebook for $5 billion dollars for violating the privacy of their users. But this isn't a win for the users that Facebook damaged. While Facebook also had to change their privacy settings and tweak phrases here and there, no amount of money actually made it into the hands of the users. On an article from Fortune, all $5 billion dollars found its way into the U.S. Treasury - and the money's use will vary. However it may vary, one of the uses will not be back to the consumer. In fact, this move isn't really to change the model of digital business at all. It's more of an incentive, like punishing the class trouble-maker to make an example to the rest of the digital class a reason not to push for the same stunts. However, trying to curve behavior from distance like this doesn't work, as Google and YouTube breaks COPPA rules a few months later (link to that blog post here). So, the FTC, a federal entity created to protect consumer's, finds itself not changing the landscape of the digital market and unable to really protect any customer's privacy because many users are unaware of the lawsuit or receive little to no compensation.
The Equifax Leak and its consequences
There was one case however, where compensation was issued out by the FTC. Once again, however, the FTC made decisions that didn't really benefit the privacy of users or curb the rampant surveillance of its users. Back in 2017, Equifax announced that hackers may have breached their servers and have the information of its users. Equifax is one of the three largest credit consumer reporting agencies, with over 800 million users individual consumers. Equifax announced in 2017 that over 143 million American users information was leaked.
The FTC managed to have Equifax pay a settlement of $575 million dollars, have Equifax provide free credit monitoring and identity theft services, and strong data security requirements. The main diffrence form this settlement is that Equifax is to pay out $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. Equifax would also have to compensate to the users directly, which would be great strides for people's privacy. That would be the case, if it wasn't messed up with the necessity of bureaucracy. To receive compensation of getting user data - which includes home address, social security number, and account numbers - users would have to log in to an Equifax web page, the same service that didn't have proper counter measures the first time protect people's data, and type in information like a social security number to receive compensation. To make matters worse, compensation is only $125 dollars per users affected by the breach. It appears, at worst, the FTC only views a person's data to equal this amount. At best, the FTC does not prioritize user data to the same severity as physical property. If either is the case, then the FTC should not be responsible for user safety and user privacy.
FTC and their 'other' agenda?
Seeing how the FTC handles violations against consumer privacy, given the two previous cases, it is really not that surprising. Considering the penalties they give out to corporations being monetary, there is no other incentive for tech. companies to "do the right thing". All these companies like Facebook and Google, who've profited off user data to the tune of billions of dollars a year, have to do to avoid any real trouble is pay a small fine every other year and pretend to follow the rules the FTC demands. In reality, the FTC does not have any real authority in this field. The FTC articles keep ringing out about how "this suit against this tech company is the largest payout", but nothing actually happens. Companies like Facebook pay the fine like its rent, skirts the rulings government agencies give them and proceed with new ways to steal and manipulate data. A powerful entity is one that has the authority to punish, but doesn't need to to get what they want. The FTC in actuality is under the thumb of the tech. companies.
Or, possibly, the FTC is playing at a different game. Maybe the agency isn't as ignorant as the hypothesis above would propose. All the money from the fines are brought in to the United States Treasury. This is simple speculation, but it may be possible the FTC is turning a blind eye to cash in on the missteps of technology companies. The FTC sets up the rules for customer privacy, so then why do the largest tech companies keep stepping out of line? The current committee on the FTC is filled with intelligent men and women, most notably lawyers, so it is strange that they have not set up to fill in the loops that these companies keep either finding or making. (Link to the FTC committee members) The FTC could find ways to impose actual jail time. The leaders of these tech. companies have money. That much is a fact. Mark Zuckerberg is valued at $73 billion dollars. A fine against him or his trillion dollar company would do nothing to change the landscape. By having the government consider jail time with no bail for massive privacy breaches, maybe the scene at the executives offices might change. But, change probably isn't something the FTC wants. Doing something "out of lane" requires a massive amount of work and time. It's better to the things that look like you did your job while doing the bare minimum for consumers.
Conclusion
The problem, as it appears, is the fact the FTC's goals are to protect "consumer" privacy and not "citizen" privacy. Their job is to protect the "peaceful" environment of the US market, and having sweeping changes that actually protects user data would mean disrupting that balance. Their job isn't to oversee that data is protected, but to make sure companies don't break anti-trust. Privacy was something they decided to tack on to their obligations in the '70s, and have no real necessity to actively look for a way to improve privacy - they only want to preserve the current privacy environment. Since no privacy laws actually exist, since the FTC only make these moves as they deal with business (meaning at the federal level privacy only exist as an extension of business dealings, and privacy isn't something people actually have independent of other rights), no legislation will protect the Right to Privacy as it doesn't exist. The U.S. is in desperate need of of legislation that can make the Right to Privacy an actual code to defend. The FTC should not be the standard bearer for privacy. The FTC should focus on anti-trust and leave privacy to a group that will actively seek to protect it.
Sources:
Kagan, Julia. “Fair Credit Reporting Act (FCRA).” Investopedia, Investopedia, 1 Dec. 2019, https://www.investopedia.com/terms/f/fair-credit-reporting-act-fcra.asp.
“Protecting Consumer Privacy and Security.” Federal Trade Commission, 28 Aug. 2019, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy-security.
“FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook.” Federal Trade Commission, 25 July 2019, https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions.
Roberts, Jeff John. “Here's How Facebook's $5 Billion Fine Will Be Spent-And Where It Should Go Instead.” Fortune, Fortune, 24 July 2019, https://fortune.com/2019/07/20/facebook-5-billion-ftc/.
“Commissioners.” Federal Trade Commission, 27 Sept. 2019, https://www.ftc.gov/about-ftc/commissioners.
“Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach.” Federal Trade Commission, 31 July 2019, https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.
“What Is Equifax and Why Does It Have My Financial Information?” U.S. News & World Report, U.S. News & World Report, https://money.usnews.com/money/personal-finance/banking-and-credit/articles/2017-09-19/what-is-equifax-and-why-does-it-have-my-financial-information.
Tyko, Kelly. “Consumers Must Deal with More Red Tape to Get Cash from Equifax Settlement.” USA Today, Gannett Satellite Information Network, 10 Sept. 2019, https://www.usatoday.com/story/money/2019/09/10/equifax-data-breach-settlement-new-step-added-get-cash/2276645001/.
There is a problem with the fact that the FTC being the one to decide if a privacy breach is broken, the way they handle breaches, and the failure of their oversight being too punishing on one hand while being too lenient on the other. The FTC should not be the ones to make this call and a different entity should be the ones to prioritize and champion their constituents privacy.
How the FTC was put in charge of privacy, and why that is strange
On the FTC website, the agency came to oversee consumer's privacy since the 1970s, with the Fair Credit Reporting Act being one of the first privacy laws. This act governs how exactly credit bureaus can take a customer's information, how long they can hold on to that information, who can have access to that information. This style of governance has stayed consistent throughout the years, as the FTC themselves takes pride in that fact. However, the fact that the website states plainly that the goal is to protect privacy in the market place and not privacy in general is what the problem is.
Court cases recently against tech. companies in particular is baffling because of how little the FTC actually moves to protect individual privacy. Back in June of 2019, the FTC won a settlement with Facebook for $5 billion dollars for violating the privacy of their users. But this isn't a win for the users that Facebook damaged. While Facebook also had to change their privacy settings and tweak phrases here and there, no amount of money actually made it into the hands of the users. On an article from Fortune, all $5 billion dollars found its way into the U.S. Treasury - and the money's use will vary. However it may vary, one of the uses will not be back to the consumer. In fact, this move isn't really to change the model of digital business at all. It's more of an incentive, like punishing the class trouble-maker to make an example to the rest of the digital class a reason not to push for the same stunts. However, trying to curve behavior from distance like this doesn't work, as Google and YouTube breaks COPPA rules a few months later (link to that blog post here). So, the FTC, a federal entity created to protect consumer's, finds itself not changing the landscape of the digital market and unable to really protect any customer's privacy because many users are unaware of the lawsuit or receive little to no compensation.
The Equifax Leak and its consequences
There was one case however, where compensation was issued out by the FTC. Once again, however, the FTC made decisions that didn't really benefit the privacy of users or curb the rampant surveillance of its users. Back in 2017, Equifax announced that hackers may have breached their servers and have the information of its users. Equifax is one of the three largest credit consumer reporting agencies, with over 800 million users individual consumers. Equifax announced in 2017 that over 143 million American users information was leaked.
The FTC managed to have Equifax pay a settlement of $575 million dollars, have Equifax provide free credit monitoring and identity theft services, and strong data security requirements. The main diffrence form this settlement is that Equifax is to pay out $175 million to 48 states, the District of Columbia and Puerto Rico, as well as $100 million to the CFPB in civil penalties. Equifax would also have to compensate to the users directly, which would be great strides for people's privacy. That would be the case, if it wasn't messed up with the necessity of bureaucracy. To receive compensation of getting user data - which includes home address, social security number, and account numbers - users would have to log in to an Equifax web page, the same service that didn't have proper counter measures the first time protect people's data, and type in information like a social security number to receive compensation. To make matters worse, compensation is only $125 dollars per users affected by the breach. It appears, at worst, the FTC only views a person's data to equal this amount. At best, the FTC does not prioritize user data to the same severity as physical property. If either is the case, then the FTC should not be responsible for user safety and user privacy.
FTC and their 'other' agenda?
Seeing how the FTC handles violations against consumer privacy, given the two previous cases, it is really not that surprising. Considering the penalties they give out to corporations being monetary, there is no other incentive for tech. companies to "do the right thing". All these companies like Facebook and Google, who've profited off user data to the tune of billions of dollars a year, have to do to avoid any real trouble is pay a small fine every other year and pretend to follow the rules the FTC demands. In reality, the FTC does not have any real authority in this field. The FTC articles keep ringing out about how "this suit against this tech company is the largest payout", but nothing actually happens. Companies like Facebook pay the fine like its rent, skirts the rulings government agencies give them and proceed with new ways to steal and manipulate data. A powerful entity is one that has the authority to punish, but doesn't need to to get what they want. The FTC in actuality is under the thumb of the tech. companies.
Or, possibly, the FTC is playing at a different game. Maybe the agency isn't as ignorant as the hypothesis above would propose. All the money from the fines are brought in to the United States Treasury. This is simple speculation, but it may be possible the FTC is turning a blind eye to cash in on the missteps of technology companies. The FTC sets up the rules for customer privacy, so then why do the largest tech companies keep stepping out of line? The current committee on the FTC is filled with intelligent men and women, most notably lawyers, so it is strange that they have not set up to fill in the loops that these companies keep either finding or making. (Link to the FTC committee members) The FTC could find ways to impose actual jail time. The leaders of these tech. companies have money. That much is a fact. Mark Zuckerberg is valued at $73 billion dollars. A fine against him or his trillion dollar company would do nothing to change the landscape. By having the government consider jail time with no bail for massive privacy breaches, maybe the scene at the executives offices might change. But, change probably isn't something the FTC wants. Doing something "out of lane" requires a massive amount of work and time. It's better to the things that look like you did your job while doing the bare minimum for consumers.
Conclusion
The problem, as it appears, is the fact the FTC's goals are to protect "consumer" privacy and not "citizen" privacy. Their job is to protect the "peaceful" environment of the US market, and having sweeping changes that actually protects user data would mean disrupting that balance. Their job isn't to oversee that data is protected, but to make sure companies don't break anti-trust. Privacy was something they decided to tack on to their obligations in the '70s, and have no real necessity to actively look for a way to improve privacy - they only want to preserve the current privacy environment. Since no privacy laws actually exist, since the FTC only make these moves as they deal with business (meaning at the federal level privacy only exist as an extension of business dealings, and privacy isn't something people actually have independent of other rights), no legislation will protect the Right to Privacy as it doesn't exist. The U.S. is in desperate need of of legislation that can make the Right to Privacy an actual code to defend. The FTC should not be the standard bearer for privacy. The FTC should focus on anti-trust and leave privacy to a group that will actively seek to protect it.
Sources:
Kagan, Julia. “Fair Credit Reporting Act (FCRA).” Investopedia, Investopedia, 1 Dec. 2019, https://www.investopedia.com/terms/f/fair-credit-reporting-act-fcra.asp.
“Protecting Consumer Privacy and Security.” Federal Trade Commission, 28 Aug. 2019, https://www.ftc.gov/news-events/media-resources/protecting-consumer-privacy-security.
“FTC Imposes $5 Billion Penalty and Sweeping New Privacy Restrictions on Facebook.” Federal Trade Commission, 25 July 2019, https://www.ftc.gov/news-events/press-releases/2019/07/ftc-imposes-5-billion-penalty-sweeping-new-privacy-restrictions.
Roberts, Jeff John. “Here's How Facebook's $5 Billion Fine Will Be Spent-And Where It Should Go Instead.” Fortune, Fortune, 24 July 2019, https://fortune.com/2019/07/20/facebook-5-billion-ftc/.
“Commissioners.” Federal Trade Commission, 27 Sept. 2019, https://www.ftc.gov/about-ftc/commissioners.
“Equifax to Pay $575 Million as Part of Settlement with FTC, CFPB, and States Related to 2017 Data Breach.” Federal Trade Commission, 31 July 2019, https://www.ftc.gov/news-events/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related.
“What Is Equifax and Why Does It Have My Financial Information?” U.S. News & World Report, U.S. News & World Report, https://money.usnews.com/money/personal-finance/banking-and-credit/articles/2017-09-19/what-is-equifax-and-why-does-it-have-my-financial-information.
Tyko, Kelly. “Consumers Must Deal with More Red Tape to Get Cash from Equifax Settlement.” USA Today, Gannett Satellite Information Network, 10 Sept. 2019, https://www.usatoday.com/story/money/2019/09/10/equifax-data-breach-settlement-new-step-added-get-cash/2276645001/.
Comments
Post a Comment