Showing 9 of 95 Publications in Data Security

Comments, Sharing Economy Workshop, FTC

Regulatory Comments

Summary

“We commend the Federal Trade Commission for holding this workshop, and for its recent advocacy of ride-sharing services like Uber, Lyft and Sidecar with transportation regulators in the District of Columbia, Chicago, Colorado and Alaska. Such efforts represent the FTC at its best, advocating on behalf of consumers against laws that protect monopolies and the politically powerful by choking new entrants into traditionally stagnant markets. If anything, we believe that the FTC should do far more “advocacy” work — and that the “sharing economy” is, indeed, the lowest fruit to pick – the best cluster of issues around which to build a revived, and sustainable long-term advocacy program.”

Innovation & the New Economy

The Dark Side of the FTC’s Latest Privacy Case, In the Matter of Nomi Technologies

Popular Media

Last week, the FTC announced its complaint and consent decree with Nomi Technologies for failing to allow consumers to opt-out of cell phone tracking while shopping in retail stores. Whatever one thinks about Nomi itself, the FTC’s enforcement action represents another step in the dubious application of its enforcement authority against deceptive statements.

In response, Geoffrey Manne, Ben Sperry, and Berin Szoka have written a new ICLE White Paper, titled In the Matter of Nomi Technologies, Inc.: The Dark Side of the FTC’s Latest Feel-Good Case.

Nomi Technologies offers retailers an innovative way to observe how customers move through their stores, how often they return, what products they browse and for how long (among other things) by tracking the Wi-Fi addresses broadcast by customers’ mobile phones. This allows stores to do what websites do all the time: tweak their configuration, pricing, purchasing and the like in response to real-time analytics — instead of just eyeballing what works. Nomi anonymized the data it collected so that retailers couldn’t track specific individuals. Recognizing that some customers might still object, even to “anonymized” tracking, Nomi allowed anyone to opt-out of all Nomi tracking on its website.

The FTC, though, seized upon a promise made within Nomi’s privacy policy to provide an additional, in-store opt out and argued that Nomi’s failure to make good on this promise — and/or notify customers of which stores used the technology — made its privacy policy deceptive. Commissioner Wright dissented, noting that the majority failed to consider evidence that showed the promise was not material, arguing that the inaccurate statement was not important enough to actually affect consumers’ behavior because they could opt-out on the website anyway. Both Commissioner Wright’s and Commissioner Ohlhausen’s dissents argued that the FTC majority’s enforcement decision in Nomi amounted to prosecutorial overreach, imposing an overly stringent standard of review without any actual indication of consumer harm.

The FTC’s deception authority is supposed to provide the agency with the authority to remedy consumer harms not effectively handled by common law torts and contracts — but it’s not a blank check. The 1983 Deception Policy Statement requires the FTC to demonstrate:

  1. There is a representation, omission or practice that is likely to mislead the consumer;
  2. A consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances; and
  3. The misleading representation, omission, or practice is material (meaning the inaccurate statement was important enough to actually affect consumers’ behavior).

Under the DPS, certain types of claims are treated as presumptively material, although the FTC is always supposed to “consider relevant and competent evidence offered to rebut presumptions of materiality.” The Nomi majority failed to do exactly that in its analysis of the company’s claims, as Commissioner Wright noted in his dissent:

the Commission failed to discharge its commitment to duly consider relevant and competent evidence that squarely rebuts the presumption that Nomi’s failure to implement an additional, retail-level opt out was material to consumers. In other words, the Commission neglects to take into account evidence demonstrating consumers would not “have chosen differently” but for the allegedly deceptive representation.

As we discuss in detail in the white paper, we believe that the Commission committed several additional legal errors in its application of the Deception Policy Statement in Nomi, over and above its failure to adequately weigh exculpatory evidence. Exceeding the legal constraints of the DPS isn’t just a legal problem: in this case, it’s led the FTC to bring an enforcement action that will likely have the very opposite of its intended result, discouraging rather than encouraging further disclosure.

Moreover, as we write in the white paper:

Nomi is the latest in a long string of recent cases in which the FTC has pushed back against both legislative and self-imposed constraints on its discretion. By small increments (unadjudicated consent decrees), but consistently and with apparent purpose, the FTC seems to be reverting to the sweeping conception of its power to police deception and unfairness that led the FTC to a titanic clash with Congress back in 1980.

The Nomi case presents yet another example of the need for FTC process reforms. Those reforms could ensure the FTC focuses on cases that actually make consumers better off. But given the FTC majority’s unwavering dedication to maximizing its discretion, such reforms will likely have to come from Congress.

Find the full white paper here.


Antitrust & Consumer Protection

The FTC's Misguided Notion of a “Common Law” of Data Security

Scholarship

Summary

“Commissioner Brill and a few academics have described the FTC’s data security settlements as developing a “common law” of data security. It is not readily apparent, however, that the over 50 independent complaints and settlement agreements between the FTC and particular companies amount to what is traditionally understood as the common law. Moreover, because the FTC’s enforcement and adjudication process differs so substantially from traditional civil adjudication, even if the FTC’s data security settlements have certain common law characteristics, it is likely that the content of the FTC’s data security law differs substantially from what would emerge from – and what would be desirable in – a traditional common law process.

As it happens, however, we do have an actual common law of data security — that is, data security cases adjudicated in civil courts — with which to compare the FTC’s process and settlements.

Those who defend the notion of an FTC data security common law identify the shortcomings of common law in civil courts—alleging, in essence, a sort of “market failure”—and they suggest that the FTC’s common law approach can and should correct this market failure, in part because the FTC does have a common law process. These claims are often largely descriptive, but, as suggested, there must be a normative preference inherent in the “common law” conclusion – or else, who cares?

This paper attempts to analyze this alleged administrative “common law” with reference to the actual common law baseline of data security developing in federal courtrooms. We consider the dynamics in both processes, and assess to what extent they comport with the attributes of common law, and whether they likely further the desirable aspects of a common law process.”

 

Data Security & Privacy

Comments, Effects of Big Data on Low Income & Underserved Communities, FTC

Regulatory Comments

Summary

“To the American ear, there is perhaps no uglier word than “discrimination.” The mere mention brings to mind Bull Connor, turning police dogs and fire hoses onto Martin Luther King, Jr.’s nonviolent demonstrators against Jim Crow in Birmingham, back in the 1962. Or perhaps subtler manifestations of racism. We all want America to be that nation King spoke of, where everyone “will not be judged by the color of their skin, but by the content of their character.”

Yet this is precisely what “Big Data” offers: by studying correlations in larger data sets, “data scientists” can craft algorithms that distinguish better between superficial attributes like race, sex, and sexual orientation and deeper attributes like reliability, honesty, credit worthiness and other aspects of the “content of our character.” In short, Big Data may mean less of the Bull Connor kind of discrimination and more of the kind that would have seemed natural to Jane Austen’s readers (Merriam Webster’s second definition). This is precisely what credit scoring did: replacing the old system where bankers made lending decisions based on the banker’s personal judgment — and biases — with one that discriminated between good and bad credit risks, regardless of superficial attributes or the simple social proximity between banker and borrower…”

Data Security & Privacy

Comments, Big Data and Consumer Privacy in the Internet Economy

Regulatory Comments

Summary

“…A serious assessment of the need for new privacy legislation, and the right way to frame it, would not begin by assuming the premise that a particular framework is necessary. Specifically, before recommending any new legislation, the NTIA should do – or ensure that someone does – what the Federal Trade Commission has steadfastly refused to do: carefully assess what is and is not already covered by existing U.S. laws…”

“Existing laws might well be inadequate to deal with some of the specific challenges raised by Big Data. But until they are more carefully examined, we will not know where the gaps are. Even those who might insist that there would be no harm to redundancy should agree that we must learn from the lessons of past experience with these laws. Moreover, it is essential to understand what existing law covers because either (a) it will co-exist with any future privacy law, in which case companies will have potentially conflicting…”

Data Security & Privacy

Bringing Antitrust’s Limits to the FTC’s Consumer Protection Authority

Scholarship

Summary

The FTC oversees nearly every company in America. It polices competition by enforcing the antitrust laws. It tries to protect consumers by punishing deception and practices it deems “unfair.” It’s the general enforcer of corporate promises made in privacy policies and codes of conduct generated by industry and multi-stakeholder processes. It’s the de facto regulator of the media, from traditional advertising to internet search and social networks. It handles novel problems of privacy, data security, online child protection, and patents, among others.

But perhaps most importantly, the Federal Trade Commission has become, for better or worse, the Federal *Technology* Commission, and technology creates a special problem for regulators.

Inherent limitations on anyone’s knowledge about the future nature of technology, business, and social norms caution skepticism as regulators attempt to predict whether any given business conduct will, on net, improve or harm consumer welfare. In fact, a host of factors suggests that even the best-intentioned regulators may tend toward overconfidence and the erroneous condemnation of novel conduct that benefits consumers in ways that are difficult for regulators to understand.

One thing is certain: A top-down, administrative regulatory model of regulation is ill-suited for technology, and this technocratic model of regulation is inconsistent with the regulatory humility required in the face of fast-changing, unexpected—and immeasurably valuable—technological advance.

In assessing the FTC, three themes emerge as being crucial to the Agency’s continued success: humility, institutional structure, and economic rigor. Together these three elements serve the essential function of restraining this powerful Agency’s discretion.

This essay discusses how these constraints have operated (or failed to operate) in the past, and offers some suggestions for reform to improve their operation in the future.

 

Antitrust & Consumer Protection

The Law and Economics of Data and Privacy in Antitrust Analysis

Scholarship

Summary

While several scholars and policymakers have proposed that threats to privacy and competition from concentration of data be incorporated into antitrust analysis, no one has yet articulated a coherent theory as to how degrading privacy or aggregating data can be anticompetitive — nor even what, precisely, privacy harms are in this context. In this paper, we survey and evaluate the various attempts to incorporate privacy concerns into antitrust’s domain. We find that those more skeptical of antitrust law’s ability to deal with privacy concerns have the better of the argument.

We approach the question by applying law and economics insights, including the error cost framework associated with antitrust scholars such as Frank Easterbrook, Joshua Wright, and Douglas Ginsburg. This is the first paper in the literature to evaluate all of the proposed approaches in a systematic way. While there have been a few skeptics of incorporating privacy into antitrust, we complement those papers by considering the literature arguing the aggregation of data can itself be a privacy harm that has developed since their publication.

We highlight several problems with the theories advanced thus far. First, some of the theories rely on outdated economic models that assume big is bad, rather than on modern consumer welfare analysis. Second, none of the proposed approaches adequately defines the market for data. Third, none of the proposed approaches adequately explains how concentrations of data alter a firm’s ability or incentive to degrade privacy, nor why such degradations would amount to anticompetitive conduct. Fourth, the theories of harm identified by advocates of including privacy in antitrust analysis are inconsistent with one another: Some of the competitive harms identified have little to do with privacy, and some of the privacy harms identified are not antitrust-relevant, or at least not of the type normally condemned by antitrust law. Finally, there are no reasonable or antitrust-relevant remedies available for alleged anticompetitive harms arising from data or the privacy threats supposedly posed by increased data aggregation.

Insofar as privacy harms need a public policy response, common law remedies of tort and contract supplemented by the FTC’s ongoing enforcement of consumer protection law are a better alternative to antitrust law. There are pro-competitive reasons for allegedly privacy-invasive practices like data collection, analysis, behavioral advertising, and even price discrimination. Applying an error cost framework suggests that barring such activity outright will lead to a decrease in consumer welfare. Targeted enforcement against anti-consumer abuses through common law and consumer protection law could preserve the benefits of data collection and analysis while ameliorating and deterring privacy harms.

This paper is an outgrowth of a presentation given by Geoffrey Manne at the George Mason Law Review’s Symposium on Privacy Regulation and Antitrust on January 17, 2013.

Data Security & Privacy

The FTC’s Data Security Cases: What LabMD & Wyndham Mean for Internet Regulation

Popular Media WATCH: Video

https://www.youtube.com/watch?v=MqfcDmBJgvc

Antitrust & Consumer Protection

“A Line in the Sand on the Calls for New Patent Legislation,” by Wayne Sobon

Popular Media

Over at the blog for the Center for the Protection of Intellectual Property, Wayne Sobon, the Vice President and General Counsel of Inventergy, has posted an important essay that criticizes the slew of congressional bills that have been proposed in Congress in recent months.

In A Line in the Sand on the Calls for New Patent Legislation, Mr. Sobon responds to the heavy-handed rhetoric and emotionalism that dominates the debate today over patent licensing and litigation. He calls for a return to the real first principles of the patent system in discussions about patent licensing, as well as for more measured thinking and analysis about the costs of uncertainty created by never-ending systemic changes from legislation produced by heavy lobbying by interested parties.  Here’s a small taste:

One genius of our patent system has been an implicit recognition that since its underlying subject matter, innovation, remains by definition in constant flux, the scaffolding of our system and the ability of all stakeholders to make reasonably consistent, prudent and socially efficient choices, should remain as stable as possible.  But now these latest moves, demanding yet further significant changes to our patent laws, threaten that stability.  And it is in fact systemic instability, from whatever source, that allows the very parasitic behaviors we have termed “troll”-like, to flourish.

It is silly and blindly ahistoric to lump anyone who seeks to license or enforce a patent right, but who does not themselves make a corresponding product, as a “troll.” 

Read the whole thing here. Mr. Sobon’s essay reflects similar concerns expressed by Commissioner Joshua Wright this past April on the Federal Trade Commission’s investigation of what the FTC identifies as “patent assertion entities.”


Intellectual Property & Licensing