FTC Still Seems More Interested In Making Headlines Than Really Protecting Privacy

from the picking-on-the-headline-winners dept

So, the FTC got some press today for announcing a high profile "settlement" with social networking startup Path. You might think that this is entirely about the news that came out a year ago, about Path uploading entire user address books to its server. If you don't recall, that story got a lot of press coverage. Basically, Path, like tons of social networks and mobile apps, had a feature which was "see if your existing friends already use this app and connect to them." But, to do that, it needed to know who your friends are. The process it used to do this was to upload your address book in the background and then compare it to their user base. This was, certainly, a somewhat questionable practice on privacy grounds, but it was something that lots of companies did, because it was a simple way to use the "find your friends" feature.

Of course, as soon as the story about Path went viral, most companies who were doing this very, very quickly dropped the practice, and figured out other, less privacy-invasive ways to connect you to your friends. That's a good thing. So, does the company need to be punished? It seems like negative publicity and the market took care of everything.

Well... if you look at the details of the Path "settlement," it wasn't even really about that issue at all. Yes, Path agreed to have outside privacy audits for the next 20 years (which is the FTC's go to "punishment" plan), but the hyped up $800,000 payment actually had nothing whatsoever to do with the uploading address books. Instead, it dealt with a different issue. During the investigation, the FTC also found that Path likely violated COPPA, the silly and misguided law that basically means most sites put in their terms that they don't allow anyone under 13 to use it. Of course, in practice this has significant unintended consequences, including not letting perfectly reasonable services be available to kids and (more likely) parents teaching their kids to lie about their age.

It turned out that for a brief period of time, Path did not exactly follow the COPPA rules, and actually let a few thousand kids under the age of 13 sign up. So, they may have violated the rule. But... Path had discovered and fixed this well before the FTC investigation began. The company claims it was just an oversight that their system did not automatically reject users under the age of 13.

So... the company made a mistake, caught it and fixed it, without having the FTC get involved at all. And there's no evidence, at all, that it misused the data it collected here. And yet it needs to pay $800,000? Why? For a big company, $800,000 may be small beans, but for a startup, that's significant money.

Oh, and even more bizarre: as noted earlier, lots of companies did similar things to Path, but the FTC only went after Path. When asked why they only went after Path, outgoing FTC boss Jon Leibowitz gave a non-answer, saying that they're just a small agency and so they have to "pick and choose which malefactors you want to go after." So they chose the one most likely to create headlines -- and forced them to cough up $800,000 over a "violation" that was the result of an accident, which the company had already discovered and fixed, and for which no abuse was found. That doesn't seem like good policy. It seems like vindictive choices by the FTC focused on the maximum potential to create headlines, rather than actually protect people's privacy.

Filed Under: coppa, ftc, grandstanding, headlines, privacy
Companies: path

FTC's Overzealous Attempts To 'Protect The Children' May Do Serious Harm To The Internet

from the we-don't-need-the-ftc-to-act-as-our-parents dept

Earlier this year, we were reasonably worried about the FTC's plan to expand COPPA. COPPA -- the Childrens Online Privacy Protection Act -- is one of those laws that appears to have the best of intentions. Who doesn't want to protect the privacy of children, right? But as with so many things, the unintended consequences of overprotection often outweigh the benefits. In practice, the existing COPPA, which puts significant additional burdens on sites that target children under 13, has meant that lots of websites simply ban children under 13 entirely. The end result isn't that children under 13 are more protected, but that parents teach their kids it's okay to lie and to sign up for sites when they're "underage." At the same time, this drives away lots of services that could be really helpful to children -- especially educational sites.

And yet... the FTC wants to expand COPPA, rather than fix its problems. While the new proposals are not as bad as some ideas that had originally been floated, there are still some significant problems with them. As CDT notes, the unintended consequences of the broad definitions could raise significant First Amendment issues:

...we are concerned that the updated definition of when a website is “directed to children” could expand COPPA's reach to general audience sites and confuse website owners as to whether these new rules apply to them. This uncertainty will likely prompt more sites to take advantage of the Commission’s new age-screening safe harbor, which could lead to many more sites demanding age or identifying information from all users before allowing access. Requiring age verification from every user runs counter to the First Amendment right to access information anonymously and increases the collection of potentially sensitive information generally. The new rule's uncertainty is magnified for third party plug-in operators, who may now be liable for the decisions of publishers to embed their plug-in on sites directed to children

Similarly, TechFreedom notes some related potential problems with the new rules.

To start, by deeming persistent identifiers as personal information per se, the FTC's new rule runs contrary to established U.S. privacy law: federal courts have unanimously decided that IP addresses do not allow the contacting of a specific individual.

Further, as Commissioner Ohlhausen's dissent notes, the COPPA statute does not allow the FTC to impose liability on sites that do not collect children's information merely because the operator may somehow benefit from an ad network or plug-in operator collecting information—provided the third party neither targets children nor shares information with the site operator.

If a third party becomes liable once a single employee "recognizes the child-directed nature" of a website—whatever that means—COPPA will become the worst kind of notice-and-takedown system: Would a single complaint—or tweet—from a parent or activist group create "knowledge?" Faced with the impossible task of predicting how the FTC might characterize each of the millions of sites on which ads or plug-ins might appear, operators will have to try to block advertising or plug-ins on sites that appears to be child-oriented. If they can't do that effectively, this potential liability may effectively kill behavioral advertising on any site that can't prove it isn't child-oriented—in other words, on small sites.

Thus, COPPA will now impact adult sites, denying publishers revenue and adult users the functionality that is increasingly provided by embeds. Thus, the FTC invites not only a statutory challenge but also a constitutional challenge similar to that which led the Child Online Protection Act (COPA) to be struck down.

Finally, we've got law professor Eric Goldman, who doesn't hold back his thoughts:

Yesterday, the U.S. Federal Trade Commission (the FTC) promulgated new rules (effectively July 1, 2013) interpreting the Children’s Online Privacy Protection Act (COPPA), and the new rules are a real mess. They are riddled with innumerable ambiguities and questionable policy choices, and I could spend a decade or two trying to figure out how the new rules apply to different factual situations.

That's not a good thing -- unless you're a lawyer. As he notes, once again, the intentions may have been good, but the implementation is a disaster:

The FTC wanted to crack down on these COPPA workarounds, but in typical FTC fashion, it did so in a ham-fisted and marble-mouthed way.

Basically, we're talking about the usual "unintended consequences" of going overboard in trying to "protect the children!" It's a noble goal, obviously. But, speaking as a parent as well as someone who's aware of how these kinds of rules tend to limit innovation, I'd much prefer that the FTC actually stay out of the parenting business and leave that to me.

Filed Under: children, coppa, ftc, overprotection

FTC's Attempt To Broadly Expand Misguided Child Protection Law Will Chill Innovation

from the well-meaning,-but-bad-policy dept

We've written a few times about the Childrens Online Privacy Protection Act (COPPA) and how it was put in place without any data and without much concern for unintended consequences. As danah boyd has shown in her research, COPPA hasn't necessarily done much to protect children. Instead, it's made parents teach their kids it's okay to lie about their age. It's also why so many websites have seemingly arbitrary restrictions on kids under the age of 13. It's one of those "think of the children" laws that people want to like because it sounds good, and no one wants to support big businesses preying on children. But, the reality is that it has tremendous problems -- unintended consequences that limit various services -- and does little to actually protect children.

And, of course, the FTC wants to expand it even further.

They're asking for comments on the proposed changes in the rules, and if you develop websites or apps, you might want to speak up. CDT has put together a letter people can sign if they don't want to write up some comments themselves. They also have explained many of the problems with the new proposals. For example, it expands what COPPA applies to in very broad ways, potentially creating liability for developers without them even realizing it:

The FTC plans to put COPPA obligations on plugin developers if they “know or have reason to know” that their plugin has been installed on a children’s site. “Plugins” include analytics providers, advertising networks, social media plugins, embedded videos, or anyone else who provides third-party code for websites. Under the FTC's proposed change, if plugin developers receive a user’s IP address through a plugin that’s been installed on a children’s site, they could face legal liability for collecting children’s personal information.

It’s unclear how a plugin or platform like Twitter is supposed to “know or have reason to know” that someone has cut and pasted a line of their code into a children’s site. The FTC says that plugin developers “will not be free to ignore credible information brought to their attention.” But the FTC doesn’t say what counts as “credible.” Would developers have to assume every random e-mail is a credible tip that could saddle them with legal liability? Even if the FTC did provide clarity, though, it would still be extraordinarily burdensome to place legal obligations on plugin developers based on the actions of others.

The end result would almost certainly involve those companies putting a lot more limits on their apps, and create a huge cost (and potential liability) for all sorts of plugin and app writers. But there's an even bigger problem. While COPPA was clearly limited at sites directed at children, the FTC seems to think this wasn't enough, because other sites not directed at children might still attract children... and so they want this problematic rule to expand to sites who don't even cater to children:

Things get worse with the FTC’s second major proposal: expanding the scope of sites deemed “directed to children” from sites aimed primarily at a very young audience to include sites and services that are “likely to attract an audience that includes a disproportionately large percentage of children under 13 as compared to the percentage of such children in the general population.”

This convoluted standard raises a number of serious issues. Not only is it difficult for site operators to gauge what proportions of their audience fall into arbitrary age buckets, but the FTC also gives operators no sense of what it means for an audience to be “disproportionately” composed of children in comparison to the general population. If a site’s audience is 20 percent children, is it disproportionately composed of children? What about at 30 percent? It’s not clear from the language, and it won’t be clear to website operators trying to run their sites while staying within the bounds of the law.

In fact, as CDT notes, this change almost certainly will do the exact opposite of what the rule intends. That is, it will make sites feel they need to collect more data about who is accessing their sites to make sure that they know if their audience includes kids, in which case they'll have to take steps. But that means they'll be... collecting more data about kids -- which is exactly what COPPA is supposed to stop.

The FTC folks who support COPPA are certainly well meaning, but they seem to have little concern or interest about the real impact of the law and their specific rules around it, and how it not only fails to help protect children, but puts a serious damper on innovation as well.

Filed Under: apps, coppa, ftc, plugins, privacy, unintended consequences

The Unintended Consequences Of Trying To Overprotect Children From The Internet

from the they-lie-and-new-services-aren't-developed dept

A few months ago, we mentioned the ridiculousness of the the Children's Online Privacy Protection Act, which has strict rules for any sites that target services to children under the age of 13. It's one of those "for the children!" laws that are so popular with politicians, but which never seem to have any basis in evidence, and never seem to consider the unintended consequences. Under the law, as we noted, any site that wants to target kids has to meet certain very high standards, requiring permission from parents. In theory (and in a total vacuum) perhaps this sounds good. But the real impact is that very few sites look to create useful internet services for kids... and kids learn pretty early in their youth how to lie about their age online.

Jeff Jarvis recently was on a conference call about COPPA where he asked an FTC attorney some questions about COPPA, the actual research behind it, and the unintended consequences -- and seemed to get back the conference call equivalent of a blank stare:

I asked Mamie Kresses, senior attorney for the FTC’s Division of Advertising Practices, whether there had been any study about how truthful children are reporting their ages online. They have no such research, she said. I asked whether the FTC had any data about how often parents use the means of notice and consent COPPA provides. None, she said.

The most disturbing unintended consequence of the regulation, I think, is the chill it likely puts on serving children online. In the early days of the web, I started the Yuckiest Site on the Internet — about goo, bugs, and science — to serve young readers at the local news sites I ran. After COPPA, my employer decided the risk in serving young people and even inadvertently recording a child’s name or targeting an ad was too great.

We don’t know how many sites have not been started to serve children online. Isn’t this the group we should be serving best? I asked Kresses whether the FTC had done research on the extent of a chill. No, she said.

Finally, I asked whether the FTC had revisited the reasons for COPPA. What harm are we trying to prevent by restricting identity online — and is it effective? She responded with circular logic: They are giving parents the opportunity of notice and consent regarding children’s information.

From there, he points out that we shouldn't base our entire policy on the assumption that the worst case scenario will happen to all kids. As he notes, kids are still kidnapped, but we still let them play outside. This doesn't mean we should let them run wild online -- just like we don't let kids run wild outside, either. But the rules, as set today, effectively say that children can only run outside in a few very inconvenient parks. We're overprotecting. And, as Jarvis notes, the ability to play online is important:

Children need to play online, too. They should create and get credit for their creativity. They should be able to establish a relationship with an educational site where they can track their own progress. Technology and the net don’t just present danger; they afford opportunity. But by focusing only on the former, we can risk losing sight of the latter.

Filed Under: coppa, ftc, privacy, protect the children, under 13

On the Internet, Google+ Knows You're A TOS-Violating 10-Year-Old Dog

from the unintended-consequences dept

theodp writes

"In its tear-jerker 'Dear Sophie' Google Chrome ad, a father creates a Gmail account (dear.sophie.lee@gmail.com) for his just-born daughter to preserve memories of her childhood. So, how does that work out in real life? Not so good, at least in the case of 10-year-old Alex Sutherland, who the WSJ reports was reduced to tears after being notified that the Gmail account his father created on his behalf two years earlier would be deleted because the Google+ Profile Alex created triggered a Google Terms of Service age violation. 'You made my son cry, Google,' wrote blogger Martin Sutherland. 'I'm not inclined to forgive that.' Not to pile on, but Alex may also be persona non grata at Khan Academy, where learning under the age of 13 can also constitute a TOS violation."

To be fair, the "under 13" age issue is not something that should be blamed on Google, Khan Academy or any other site (and, really, if theodp wanted to be accurate, he could list most of the top sites on the internet, who all have this same restriction). It's (of course!) the result of poorly thought out legislation. Namely, the Children's Online Privacy Protection Act -- another one of these "for the children" laws that politicians love to pass without thinking about the unintended consequences. Here, as in many cases, the intentions may be good: to prevent websites from collecting too much info from children who don't quite recognize what they're doing, but the actual results are that most sites simply put in their terms of service that the site is not for people under 13, even if everyone assumes that those under 13 still use those sites.

Of course, even bringing up how silly this is can lead to backlash. When Mark Zuckerberg recently suggested that perhaps the law needed some rethinking to make it more reasonable for those under 13 to use useful parts of the internet, it was dubbed "controversial", and he had to clarify his remarks to make clear that he wasn't trying to get under 13 kids on the site any time soon.

Either way, it does seem silly for Google to put out a commercial in which a father creates an email address for someone under 13... when it's taking away accounts from others who do the same thing...

Filed Under: coppa, terms of service, under 13
Companies: google, khan academy