FTC's Privacy Settlement With Facebook Gets Pretty Much Everything Backwards; Probably Helps Facebook

from the guys-come-on dept

So, as was leaked a couple of weeks ago, the FTC has now made its $5 billion settlement with Facebook official. There's quite a bit that's interesting in the stipulated order that is worth reading. I'm actually glad to see that this wasn't just about Cambridge Analytica, where I think the "breach" issue was much less concrete. Instead, it does include a bunch of other very real violations by Facebook, including:

1. Storing passwords in plaintext
2. Using phone numbers that were provided for security (two factor authentication) for advertising (a massively dangerous and stupid practice by Facebook)
3. It's questionable use of facial recognition without consent
4. Sucking up logins to other services.

Frankly, all of those are much more serious breaches than what happened with Cambridge Analytica.

Separately, as I discussed two weeks ago, if you're mad at the size of the fine, you're missing the point. This is, by far, the largest fine the FTC has ever issued, and goes way beyond anything that it's done before. The real problem is that this is basically all that the FTC can do. That's the only weapon it has and it's never going to be enough because the FTC isn't really set up to handle modern privacy questions like this -- and that would require a new mandate from Congress. This is in Congress's court.

That said, my bigger concern, as always, is that everyone's obsession over "protecting privacy" is going to mean significantly less competition. I raised this issue last year, soon after everyone freaked out about Cambridge Analytica, noting that I feared what would happen is that Facebook would be driven to lock down everyone's data rather than making it more accessible to third party and competing services.

There are significant and important trade-offs here. For years now I've been talking about the real way to create more competition on the internet, and much of it involves pressuring the big internet companies into opening up. Have them create APIs that allow others to build services on top of their data so that we're not so locked into the giant platforms. Enable more competition at the service level, rather than the data collection level.

But this agreement does the opposite. It is basically giving up and saying that the FTC and regulators now think that Facebook will be the dominant platform for ages, and therefore it needs to better police data and better lock it down. This is not a good solution (except if you're Facebook). As former Facebook CSO Alex Stamos points out in a very thoughtful thread, while this is a slap on the wrist regarding Facebook's problematic privacy practices, it actually helps stop future competition:

The real threat to the tech giants is competition, not regulation, and everybody is missing what really happened today: Facebook paid the FTC $5B for a letter that says "You never again have to create mechanisms that could facilitate competition."

Facebook already has ~2.5B users. It has the world's second largest ad network. It never again needs data from anybody else to make money or third parties to facilitate growth. This order doesn't include the word competition or include any balancing tests. It's fantastic for FB.

"You need to allow for 3rd party clients."

Sorry, mean FTC won't let us.

"Other companies can build on your graph."

Sorry, mean FTC won't let us.

"You need a real data export feature that allows users to move."

Sorry, mean FTC won't let us.

I can't believe Facebook didn't pay more for this. If the FTC offered to "order" Amazon to help consumers save money by offering house branded options in every top category, Bezos would leap across the table with a $10B check and a massive grin. This is a natural consequence of the shallow nature of the "techlash". The US doesn't have a substantive privacy law, and the FTC has to base work on what they consider unfair or misleading practices. If critics don't understand the equities balance, they can't balance equities. This isn't binding on other companies, but it will be interesting to see if they use this as a reason to reduce APIs and favor their own apps. The data stolen and exported to the cloud (GPS, SMS, contacts, mail, calendar) from Android/iOS dwarfs SCL/CA.

This is part of the problem I keep trying to highlight. When your only focus is on punishing big tech companies like Facebook, be careful about how you do so, because there are so many important tradeoffs, that if you don't pay attention to what you're doing, all you really end up doing is locking them in as the dominant platforms.

And that's really what's happening there. Our lack of understanding about privacy or about data and "ownership" will lead people to a very dangerous place, where we make short term decisions -- such as what happened here -- that are focused on "punishing" one particular set of companies for one particular set of actions (many of which were really bad). But the end result is even worse. You've set up the system such that the only logical and reasonable way out of this bad situation is foreclosed.

The best way out of Facebook's dominance is to have it give up total control over the data it collects. But, here, the FTC has done the reverse. It has given Facebook more control over the data it collects in the name of "protecting" privacy. This is backwards. Rather than saying that Facebook shouldn't be the one protecting all that data, the FTC is just saying "protect it better, and don't let any other service be allowed to come in and do anything." And that includes the kinds of competitive services that are necessary to eat away at Facebook's position.

I know a lot of people are mad the fine wasn't larger, but the fine doesn't matter. All that really matters is whether or not competitive services are enabled or not, and this agreement forecloses the best way to actually chip away at Facebook's market position. And that's the real shame.

Filed Under: apis, competition, fines, ftc, openness, privacy, regulations, settlement, sharing
Companies: facebook

FTC's YouTube Privacy Settlement Pisses Everyone Off; Perhaps We're Doing Privacy Wrong

from the friday-news-dumps dept

It's becoming a tradition. A week ago, we wrote about a Friday evening news "leak" (almost certainly from Facebook) about the FTC approving a settlement with Facebook over privacy violations. And, this past Friday evening, there was a similar news dump about a similar settlement with YouTube (though at a much lower dollar amount). In both cases, the Friday evening news dump was almost certainly on purpose -- in the hopes that by Monday, something bigger will have caught the news cycles' attention. Thankfully, we don't work that way.

Let's cut to the chase, though. No one (outside of, perhaps, YouTube/Google/Alphabet execs) is "happy" with this. Pretty much everyone will point out, accurately, that a "multi-million dollar" fine is effectively meaningless to YouTube. No one believes that this will magically lead to a world in which internet companies take privacy more seriously. No one believes this will lead to a world in which anyone's privacy is better protected.

And while I'm sure some people will complain about the amount (pocket change for Google), I'm not sure the amount really makes much of a difference. Remember, last week's angry response to the $5 billion that the FTC is allegedly getting from Facebook. That's a much higher amount (by a massive margin) the largest the FTC has ever gotten from a company.

Perhaps there's a larger issue here: this system of expecting private companies and overworked/understaffed federal (or state) agencies to somehow manage our privacy for us does not work -- no matter what your viewpoint on all of this is. Perhaps we should be looking for solutions where users themselves get better direct control over their data, and aren't reliant on giant fines or government bureaucrats "protecting" it for them. Because if we're just going to go through this charade over and over and over again, it's not clear what the benefit is for anyone.

If you don't trust Google/Facebook, then no fine is going to be enough. If you do trust them to hold onto the data they collect, then this whole thing feels like a bit of privacy theater. No one ends up happy about it, and nothing is actually done to protect privacy. I've been pointing out for a while now that we're bad at regulating privacy because most people don't understand privacy, and I think these kinds of things are a symptom of that. There's this amorphous concept out there of "privacy," and people -- egged on by media stories that aren't always accurate -- have a concern that the companies don't do a very good job protecting our privacy. And they're right about that. But, there's no agreement on what privacy means or how you actually "protect" it. And the only tools in the toolbox right now are fines or crazy, confusing, misguided regulations that seem to only lock in large players and hand them an even more dominant position (allowing them to do more things that people are uncomfortable with).

There needs to be a better approach -- and it has to be one that starts more from first principles about what it is that we're actually trying to accomplish here, and what will actually get us there. What we have now is not that.

Filed Under: fines, ftc, privacy, youtbe
Companies: google, youtube

The FTC And Facebook: Why The $5 Billion Fine Is Both Too Little And Too Much

from the pointless-gestures dept

By now, you've certainly heard the news that was very likely leaked by Facebook late on Friday that the FTC, by a narrow 3 to 2 party line vote, had approved a $5 billion fine for Facebook for violating its earlier consent decree in the way it allowed an app to suck up lots of data that eventually ended up in Cambridge Analytica's hands. Most of the reaction to this fine (by far, the largest in the FTC's history) is anger.

Many people focused on one key point to argue that the fine wasn't enough: Facebook's stock jumped upwards after the news broke, to the point that Facebook's valuation probably went up more than the amount of the fine itself (never mind the difference between the value of equity and actual cashflow...). However, I wouldn't read too much into the stock jump. After all, Facebook had already said back in April that it was expecting a $5 billion fine, meaning that Wall Street had already priced in exactly that. If the $5 billion fine had come out of the blue it might have been a different story. The bump, then, could be explained by investors reacting to the end of any uncertainty and the fear that the fine might have been larger.

That said, there are good arguments for why this is a really significant fine. And for that, I'll turn to the former acting-CTO of the FTC, Neil Chilson, who knows a thing or two about how the FTC works, and points out that this sort of thing is extremely aggressive (and this part is important): given the FTC's mandates and powers. As he notes:

The FTC is using an extremely general law intended to stop or redress practices that harm consumers. It is reportedly getting a settlement that is 225x larger than the prev. record. And it got this for practices where AFAIK no consumer lost a penny. Laws have meaning. There is only so far an agency can push the commands of Congress before a court will slap them back (as has happened to the FTC a few times recently.) This settlement is, I think, probably at the bleeding edge of the FTC's litigation risk. If you're angry about this settlement, calling the FTC a "co-conspirator" is ridiculous. The FTC has been an aggressive privacy enforcer using a statute that isn't specifically intended to protect privacy. That's on Congress. If you don't like it, talk to your lawmaker.

In short, given the FTC's powers and the details of what happened with Cambridge Analytica, where the "harms" are not directly quantifiable (you can argue harms against democracy, but that would require a bit more actual evidence and is not the FTC's mandate...), a $5 billion fine is quite a lot. So, frankly, attacking it as "an embarrassing joke" or "a tap on the wrist" or even "a victory for Facebook" seems to be missing the point.

That said, what I think all this anger is getting at -- and which I mostly agree on -- is that we still have not figured out a way to adequately deal with privacy in a digital age. And people are (partly reasonably, partly irrationally) very mad at Facebook for that. Part of the problem here, however, is expecting that a single FTC action is somehow magically going to fix all of that. It can't. No amount would have done that, and it's quite unlikely that any restrictions the FTC puts forth as part of this agreement are going to fix that either. So, I can totally understand the anger and annoyance at this particular settlement -- but it's not as if anything the FTC would have done here would have satisfied most people.

And, of course, this one FTC action is hardly the end of the line. The EU and other countries are still likely to come down hard on Facebook, and the company is still facing antitrust questions as well. And, then there's Congress. At some point, Congress will put forth various privacy bills (and various states may follow California's dubious lead in doing so as well).

In short: this is a significant fine, given the FTC's mandate and the issue at hand. And if you think it's "not enough" because it won't hobble Facebook, well, then you're correct. But the FTC's mandate isn't to randomly hobble companies because people are angry at them.

Facebook is going to be facing a long line of angry regulator and legislators, and that seems unlikely to change as a result of this fine (indeed, it appears to have inspired many to increase their efforts to "do something").

Filed Under: consumer harms, data, fines, ftc, privacy, punishment
Companies: facebook

D-Link Settles With FTC, Agrees To Fix Its Shoddy Router Security

from the slowly-getting-the-message dept

While the shoddy Internet of Things sector gets ample heat for being a security and privacy dumpster fire, the traditional network gear sector has frequently been just as bad. A few years ago, for example, hardware vendor Asus was dinged by the FTC for offering paper-mache grade security on the company's residential network routers. The devices were frequently being shipped with easily guessable default usernames and passwords, and contained numerous, often obvious, security vulnerabilities.

In 2017, the FTC also filed suit against D-Link, alleging many of the same things. According to the FTC, the company's routers and video cameras, which the company claimed were "easy to secure" and delivered "advanced network security," were about as secure as a kitten-guarded pillow fort. Just like the Asus complaint, the FTC stated that D-Link hardware was routinely shipped with easily-guessable default usernames and passwords, making it fairly trivial to compromise the devices and incorporate them into DDoS botnets (or worse).

Like any good company, D-Link at the time professed its innocence, insisting there was nothing wrong with its products and that the FTC claims were "vague and unsubstantiated." Fast forward to this week, when the company struck a settlement with the FTC, and, according to an FTC press release, has agreed to fix security flaws it previously had claimed didn't exist:

“We sued D-Link over the security of its routers and IP cameras, and these security flaws risked exposing users’ most sensitive personal information to prying eyes,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Manufacturers and sellers of connected devices should be aware that the FTC will hold them to account for failures that expose user data to risk of compromise.”

It has taken a while, but router manufacturers have started to finally get the message that their routers' installation process should prompt users to pick a unique username and password before finalizing device setup. As part of D-Link's agreement, it not only has to implement new and comprehensive security testing protocols, it's required every two years to obtain independent third-party assessments of its software security programs.

Granted, whether we're talking about routers or the latest IoT doodad, there are far too many security vulnerabilities out there for the FTC to police them all right now. Which is why efforts by Consumer Reports and others to begin standardizing the inclusion of security and privacy weaknesses in product reviews are going to be so important in educating consumers.

Filed Under: ftc, privacy, routers, security
Companies: d-link

If 'Big Tech' Is a Huge Antitrust Problem, Why Are We Ignoring Telecom?

from the ill-communication dept

Over the last week or so, Google, Amazon, and Apple have all taken a significant beating on Wall Street amidst rumblings of looming antitrust investigations by the DOJ and FTC. Google, we're told, is subject of a looming antitrust probe by the DOJ. Amazon, we've learned, is facing growing scrutiny from the FTC. Apple stock also did a nose dive on the news that it too may soon be subject to a significant new antitrust probe.

On its surface, many of these actions aren't all that surprising. After all, experts have noted for a decade than US antitrust enforcement has grown toothless and frail, and our definitions of monopoly power need updating in the Amazon era. Facebook's repeated face plants on privacy (and basic transparency and integrity) have only added fuel to the fire amidst calls to regulate "big tech."

Oddly missing from coverage from these probes is the fact that much of this behavior by the Trump administration may (*gasp*) not be driven by a genuine interest in protecting markets and consumer welfare. For one, it's hard to believe that an administration that has shown it's little more than a rubber stamp for sectors like telecom is seriously worried about monopoly power. Two, it's hard to believe an administration obsessed with nonexistent censorship is going to come at these inquiries with integrity, and not, say, as a vessel to pursue a pointed partisan persecution complex.

I've been arguing for a while that while many of the calls to regulate big tech are driven by genuine worries about monopoly power, a lot of it is being driven by the telecom sector. For years now, telecom lobbyists and policy folks have been using the anger over Facebook to covertly call for heavier regulation of Silicon Valley. You see, these telecom lobbyists, who just got done convincing the Trump administration to neuter FCC oversight of their own natural monopolies, are looking for any advantage they can get as they try to compete with companies like Google in the online ad space.

This is how former FCC boss turned cable lobbyist Michael Powell put it at a recent conference:

"Our governmental authorities need to get a handle on what kind of market power and harm flow from companies that have an unassailable hold on large pools of big data, which serve as barriers to entry, allowing them to dominate industries throughout the economy. For years, big tech companies have been extinguishing competitive threats by buying or crushing promising new technologies just as they were emerging. They dominate their core business, and rarely have to foreclose competition by buying their peers. Competition policy must scrutinize more rigorously deals that allow dominant platforms to kill competitive technologies in the cradle."

If you've watched as telecom giants have crushed every and any competitive threat by buying state and federal government, this entire paragraph should be fairly amusing to you. Powell's clients couldn't care less about anti-competitive behavior. What they do want is, again, for government to erect regulatory barriers that hamper the Silicon Valley companies whose ad revenues giants like AT&T and Comcast have drooled over for the better part of the last fifteen years. In the Trump administration they've finally found a vessel for this agenda.

The problem, of course, is there's enough legitimate bipartisan worry about the power of big tech that this little telecom sector lobbying gambit has been able to fly under the radar as the real driver of this new Trump administration push. Even with former Verizon lawyers now at the head of the DOJ (Bill Barr) and the Trump FCC (Ajit Pai). But there's a reason the Trump administration ignores telecom's monopoly and privacy issues while amplifying Silicon Valley's, and I'd argue it has a lot more to do with protectionism than a genuine worry about healthy markets.

If you were remotely serious about addressing the US' monopoly and antitrust problems, there's no way you'd simply ignore telecom. Giants like AT&T and Comcast already enjoy natural monopolies over the on ramp to the internet. They've then increasingly hoovered up countless media companies as they also position themselves to dominate the media flowing over those connections. This conflict and the potential for anticompetitive behavior sits at the heart of the net neutrality debate. Now, giants like AT&T want to become the next Google, with data harvesting plans every bit as problematic if not more so.

Yet again, notice how telecom gets a free pass by the Trump administration? Notice how Silicon Valley is demonized, but telecom's surveillance and anti-competitive gambits see zero backlash? I don't think it's happenstance that this new Trump "big tech" antitrust push comes as big telecom has asked for just such a push to aid its own competitive agenda. A lot of folks on both sides of the political aisle who'd like to see more done to rein in "big tech" seem a touch oblivious to the possibility that this new antitrust push may not be entirely in good faith.

There's a good chance these antitrust inquiries into Google, Facebook, and Apple are little more than partisan fever dreams co-driven by telecom lobbyists, yet a lot of outlets and experts are acting as if market health and consumer welfare are genuine motivators. It's entirely unclear what the Trump administration did to suddenly earn this blanket trust, but as the net neutrality fracas and trade wars have made pretty clear, it sure as hell isn't its several year track record on coherent tech policy.

Filed Under: antitrust, broadband, competition, doj, ftc, monopoly, telcos
Companies: amazon, apple, facebook, google

Nielsen Using Patent Monopolies To Act Like A Monopolist

from the seems-a-bit-questionable dept

For many years, we've highlighted how patents are monopolies and they provide monopolistic power. Indeed, the founders of the US recognized this. James Madison was quite skeptical:

"But grants of this sort can be justified in very peculiar cases only, if at all; the danger being very great that the good resulting from the operation of the monopoly, will be overbalanced by the evil effect of the precedent; and it being not impossible that the monopoly itself, in its original operation, may produce more evil than good."

Jefferson was similarly dubious of the need for patents:

... generally speaking, other nations have thought that these monopolies produce more embarrassment than advantage to society; and it may be observed that the nations which refuse monopolies of invention, are as fruitful as England in new and useful devices.

Eventually, Jefferson was convinced to support such a system -- and even reluctantly ran it for a while -- but he did so with great concern about how these "monopolies" could hinder actual innovation.

Fast forward a couple centuries, and let's look at the case of Nielsen. You know, the company that "measures" freaking everything. Once synonymous with television ratings and "Nielsen homes," it has expanded into other entertainment measuring markets over time -- and has certainly had something resembling a monopoly during much of that period -- and it has often used patents to retain that monopoly. And this goes back a very, very long time.

In the 1940s, Nielsen worried about a competitor taking away its "exclusive" market and used patents to kill it off:

The challenge to Nielsen's meter monopoly was too real to be taken lightly. Charles Wolcott, a top executive of A.C. Nielsen wrote to Mr. Nielsen: "I fail to see how we can turn our backs on the possibility that RADOX could complicate our situation--that is, if RADOX continues to develop, we are no longer exclusively the proud possessors of measurement by electronic means." It did not take Nielsen long to move. RADOX was vulnerable on two fronts--patent and finance--and each front was quickly attacked. Regarding patents, it turned out that both parties had patents pending, and the U.S. Patent Office ultimately declared "interference" existed. Nielsen's major thrust, Sindlinger maintained, was to use the cloudy patent situation to chill the interest of the investor group in any financing help for RADOX.

Years later, Nielsen's son more or less admitted that his father talked investors out of supporting Sindlinger and the RADOX system:

A man by the name of Ralph Bard Sr. who lived in Chicago and had been Secretary of the Navy called on my father. He was considering investing in Sindlinger’s operation and asked my father for his opinion of the company. My father wrote him a letter concluding that Sindlinger’s device would not be a success. In short, in my father’s opinion, this would not prove to be a good business.

A little over a decade later, the FTC actually had to go after Nielsen for using its patents to pressure competitor Arbitron, leading to a consent decree:

A patent infringement suit brought by Nielsen also arguably deflected ARB from competing head-to-head with Nielsen in network television ratings with its Arbitron instantaneous audience measurement system in the late 1950s. More recently, to deal with measurement of cross-platform viewing, Nielsen has used acquisition to build its intellectual property portfolio and continues to use litigation to slow down its competitors.

While the outcome of patent disputes may be uncertain, litigation or licensing undertaken to protect and/or monetize patents does not itself present unusual legal reisk to the patent holder. Such risk does adhere, however, if the patent was fraudulently acquired or was leveraged to extend beyond its rightful metes and bounds. The FTC found Nielsen guilty of such misconduct leading to a 1963 consent decree. Two of Nielsen's business practices that violated the FTC Act were (1) the systematic use of patent proceedings "to discourage potential and actual competitors from developing and using... devices for... measuring... audiences... and has attempted to impede and sabotage the financing of these competitive efforts.

So what does something that happened more than 50 years ago have to do with today? It appears that Nielsen has continued to leverage this particular playbook. First, Nielsen freely admits that it holds a monopoly in the ratings game:

Neither party disputes that Nielsen exercises monopoly power over the television audience measurement services industry, both nationally, for the United States as a whole, and for 210 local markets

And it's still using patent claims to stifle competition. Back in 2016, Nielsen bought Gracenote for $560 million just three years after it had been sold for $170 million. Just what could have represented so much value for Nielsen? Well, just a couple months before Nielsen bought Gracenote, Gracenote had sued a company called Sorenson Media for patent infringement. Sorenson Media had an "automatic content recognition" ACR platform for measuring viewers of TV broadcasting -- exactly the market Nielsen wishes to maintain its monopoly over.

How did that turn out? Well, Sorenson declared bankruptcy last fall (in large part due to an incredibly stupid contract it had signed), but I'm sure the cost of a patent lawsuit didn't help. Oh, and in February, Nielsen bought up Sorenson's assets at firesale prices.

And that's not all. Last year another small competitor, ErinMedia, sued Nielsen, claiming antitrust violations and that Nielsen was using "predatory practices designed to prevent competitive entry by companies like ErinMedia." A few weeks later, the company announced that it was effectively shutting down, noting that Nielsen had "chilled" its ability to close an investment round.

Oh, and remember Arbitron? The company that was at issue back in the 1960s? Nielsen bought them a few years back, leading the FTC to put some conditions on the deal in hopes that it would not "substantially lessen competition." So far that doesn't seem to be working.

And that brings us to the latest Nielsen use of patents against an upstart competitor. Last fall, Nielsen sued upstart competitor Samba TV, claiming patent infringement. The patents at issue -- 9,066,114, 9,479,831 and 9,407,962 -- all are incredibly vague and generic, and appear to be the kind of patents that aren't supposed to be allowed in a post-Alice world.

As Samba notes in its motion to dismiss, nothing here should have been patented in the first place:

For centuries, families and friends have gathered for plays and concerts—and more recently, for television and radio programming. Most silently observe. But others, often because they are already familiar with the programming, offer commentary: about the director, the actors, or the scenes. Some react to the content in order to enhance it: a lawyer presenting an animation typically offers comments at preplanned moments; or a theater employee may need to adjust lighting or curtains at the conclusion of certain scenes. The process of recognizing parts of a video, song, or other content and reacting—either instantly or at a later time (e.g., during a commercial break)—is not patentable. It is an abstract concept involving the three main stages of memory: processing, storage, and retrieval. Alice Corp. Pty. v. CLS Bank Int’l, 134 S. Ct. 2347, 2356 (2014) (a “method of organizing human activity” is not eligible for patenting).

Gracenote’s patents claim abstract concepts without contributing any new inventive technology to achieve them. Instead, the claims merely use existing technologies—technologies Gracenote does not even claim to have invented—as tools to carry out the concepts. The ’114, ’831, and ’962 patent claims use identifiers, called fingerprints, to recognize portions of audio or video signals and trigger responsive actions at predetermined times during the playback, such as providing information about a scene at its conclusion. The patents, however, do not purport to have invented fingerprints or even an improved fingerprinting technique. Using known fingerprinting technology as a tool to perform the abstract concept of signal recognition and reaction is patent-ineligible under 35 U.S.C. § 101.1

And yet, whether or not the court recognizes this and throws out the case, this lawsuit still might be effective in basically stifling a competitor's ability to even exist in the market. As James Madison once warned: "the monopoly itself, in its original operation, may produce more evil than good."

Filed Under: antitrust, arc, ftc, monopoly power, patents, tv tracking
Companies: arbitron, erinmedia, gracenote, nielsen, samba tv, sorenson

Just $6,790 Of $208 Million In Robocall Fines Have Been Collected By The FCC

from the this-isn't-working dept

Despite endless government initiatives and countless promises from the telecom sector, our national robocall hell continues. Robocalls from telemarketers continue to be the subject the FCC receives the most complaints about (200,000 complaints annually, making up 60% of all FCC complaints), and recent data from the Robocall Index indicates that the problem is only getting worse. Consumers continue to be hammered by mortgage interest rate scams, credit card scams, student loan scams, business loan scams, and IRS scams. 4.9 billion such calls were placed in February alone.

And while the FCC does routinely fine companies and scammers for robocalling, these aren't the kind of outfits that tend to leave a forwarding address. In fact of the $208 million in fines doled out by the FCC for robocall related fraud, the FCC has only been able to collect around $6,790 in actual penalties. That includes the recent, headline-grabbing record $120 million fine the FCC levied against a robocaller who had made up to 98 million robocalls during one three-month period. The FTC has similarly collected $121 million out of $1.5 billion penalties doled out to stop the annoying spam calls.

Often, it's hard to collect because the robocallers in question are just scam organizations that quickly disappear or can't pay. In other instances, it's just a lack of follow through at the FCC or Justice Department, something that's also plagued some of the agency's rulings against companies like AT&T. Many have been quick to point out that the collection failure highlights how fines alone aren't really doing much to thwart the problem, especially if authorities can't or won't collect them:

"The dearth of financial penalties collected by the US government for violations of telemarketing and auto-dialing rules shows the limits the sister regulators [FCC and FTC] face in putting a stop to illegal robocalls," the Journal wrote. "It also shows why the threat of large fines can fail to deter bad actors." Fines can be "a deterrent on legitimate companies that have real assets in the US," but they aren't as effective against scammers and overseas operators, an attorney quoted by the Journal said."

Most technology experts say the real solution to robocalling is finding improved ways to block the calls from reaching consumers in the first place. After years of companies like AT&T blaming everybody but themselves for the industry's apathy to the problem, carriers have finally promised to begin embracing authentication technologies like SHAKEN/STIR that should make it much harder to spoof numbers and complete these calls in the first place.

FCC boss Ajit Pai recently declared that if carriers don't deploy such technology this year (something they already planned), he might be forced to actually do his job and hold them more fully accountable for their failures on this front, be it glacial adoption of authentication tech, or providing free robocall tools to existing subscribers, who pay far too much for service to tolerate this scale of apocalyptic annoyance.

Filed Under: fcc, ftc, robocalls

Office Depot And Partner Ordered To Pay $35 Million For Tricking Consumers Into Thinking They Had Malware

from the gotcha! dept

I have worked in the B2B IT services industry for well over a decade. Much of that time was spent on the sales side of the business. As such, I have become very familiar with the tools and tactics used to convince someone that they are in need of the type of IT support you can provide. One common tactic is to use software to do an assessment of a machine to determine whether it's being properly maintained and secured. If it is not, a simple report showing the risks tends to be quite persuasive in convincing a prospective client to sign up for additional support.

Done the right way, these reports are factual and convincing. Done the Office Depot way, it seems only the latter is a requirement. The FTC announced on its site that Office Depot and its support partner, Support.com, Inc., has agreed to pay $35 million to settle a complaint in which the FTC alleged that consumers were tricked using a computer health application into thinking their machines were infected with malware when they often times were not.

Office Depot has agreed to pay $25 million while its software supplier, Support.com, Inc., has agreed to pay $10 million as part of their settlements with the FTC. The FTC intends to use these funds to provide refunds to consumers.

“Consumers have a hard enough time protecting their computers from malware, viruses, and other threats,” said FTC Chairman Joe Simons. “This case should send a strong message to companies that they will face stiff consequences if they use deception to trick consumers into buying costly services they may not need.”

The complaint itself, embedded below, is quite the read. Office Depot's scheme went like this. For a decade, Office Depot would take in customers' computers for diagnostics. Through it's partnership with Support.com, PC Health Check would be run on these machines and the owners of them would be given a short questionnaire to fill out. While that application can in fact be useful in detecting malware on machines, the FTC alleges that the "report" delivered to consumers was based entirely off of the short questionnaire instead. And what kind of questions were consumers asked to answer to indicate whether their machines were infected with malware or not?

Well...

These included questions about whether the computer ran slow, received virus warnings, crashed often, or displayed pop-up ads or other problems that prevented the user from browsing the Internet.

The complaint alleges that Office Depot and Support.com configured the PC Health Check Program to report that the scan found malware symptoms or infections whenever consumers answered yes to at least one of these four questions, despite the fact that the scan had no connection to the “malware symptoms” results. After displaying the results of the scan, the program also displayed a “view recommendation” button with a detailed description of the tech services consumers were encouraged to purchase—services that could cost hundreds of dollars—to fix the problems.

Members of the IT industry are already laughing at this. There is a universal understanding in our industry that if you ask a user if his or her machine is running slow, he or she will say yes. Full stop. To base a recommendation off of this answer, never mind to configure software to report malware symptoms based on it, is ludicrous in the extreme. Unless, of course, you're building a tech support business on the strategy of tricking consumers into thinking they have malware infections when they do not. In that case, all of this makes perfect sense.

Except that it's also a violation of laws against deceptive practices. It's also dumb in the extreme, as it's the kind of trick you can only get caught at once to torpedo your reputation and cause the public to never seek out your help for tech support again. Put another way, there is zero reason for anyone to ever seek out Office Depot's help for their computers ever again.

That's no way to run a business.

Filed Under: ftc
Companies: office depot, support.com