The FTC may have learned from the backlash over the $25,000 fine the FCC imposed on Google for intercepting wireless traffic with its Street View cars. According to Bloomberg, Google and the FTC are negotiating over how large a fine Google will pay for circumventing Safari's default cookie-blocking setting in order to set third-party tracking cookies that the browser's settings should have blocked. The fine could exceed $10 million, which is large in absolute terms but tiny compared to the maximum penalty of $16,000 per day per violation available under the FTC's statutory authority.
Author: Roger Ford
-
Rear-view cameras to be required by 2014
Roger Ford
Federal regulators are expected to announce this week that by 2014 all passenger cars will be required to come with rear-view cameras to help drivers see what's behind them while they back up. While this will accelerate the trend of cameras becoming widespread in public places, the privacy implications seem minor compared with the safety gains. It's nonetheless kind of interesting that the Times story, at least, does not mention the privacy implications at all.
-
Eleventh Circuit: suspect can invoke Fifth Amendment and refuse to decrypt hard drive
Roger Ford
The Eleventh Circuit held Thursday, in a case with the inauspicious name of In re Grand Jury Subpoena Duces Tecum Dated March 25, 2011 (pdf link), that a suspect can invoke the Fifth Amendment and refuse to decrypt a hard drive’s contents in response to a subpoena.
The Fifth Amendment protects one from being compelled to provide self-incriminating testimony. The government argued (and has argued in several other cases) that the Fifth Amendment does not apply to decryption orders because complying with such an order does not provide new "testimony"; it merely produces files that already exist on the hard drive. The court agreed that an order to produce preexisting files would not be an order to provide "testimony," and so would not run afoul of the Fifth Amendment.
The court concluded, however, that this was not enough, because the act of decrypting the files could itself provide incriminating testimony:
Whether the drives’ contents are testimonial, however, is not the issue. What is at issue is whether the act of production may have some testimonial quality sufficient to trigger Fifth Amendment protection when the production explicitly or implicitly conveys some statement of fact. See Fisher v. United States, 425 U.S. 391, 410, 96 S. Ct. 1569, 1581, 48 L. Ed. 2d 39 (1976) (“The act of producing evidence in response to a subpoena nevertheless has communicative aspects of its own, wholly aside from the contents of the papers produced.”).
Accordingly, the court concluded, “the decryption and production would be tantamount to testimony by Doe of his knowledge of the existence and location of potentially incriminating files; of his possession, control, and access to the encrypted portions of the drives; and of his capability to decrypt the files.” Since these facts would be established through new, compelled actions, not previously existing documents, forcing him to confirm them would, for all intents and purposes, compel him to provide incriminating testimony.
-
HOPE 9 call for speakers
The ninth Hackers On Planet Earth conference will take place in New York on July 13-15, 2012. Organizers have issued a call for speakers on a wide variety of topics, including “cryptography, copyright, telecommunications, new technologies, research, experimentation, surveillance, countersurveillance, privacy, anonymity, censorship, hardware hacking, programming, democracy and law, education, social engineering, digital protests, [and] hacking society.”
-
FTC settles privacy complaint against Facebook
The FTC has announced its long-rumored privacy settlement with Facebook. The complaint focuses on several allegedly deceptive acts by Facebook, as listed in the press release:
- In December 2009, Facebook changed its website so certain information that users may have designated as private — such as their Friends List — was made public. They didn’t warn users that this change was coming, or get their approval in advance.
- Facebook represented that third-party apps that users installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users' personal data — data the apps didn't need.
- Facebook told users they could restrict sharing of data to limited audiences — for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.
- Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.
- Facebook promised users that it would not share their personal information with advertisers. It did.
- Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.
- Facebook claimed that it complied with the U.S.-EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.
The proposed settlement would impose various privacy obligations on Facebook, including the quickly-becoming-standard 20 years of privacy audits.
Edited to add: Mark Zuckerberg’s statement.
Edit 2: My colleague Joe Hall points out Count 3 of the FTC’s complaint:
As described in Paragraphs 19–26, by designating certain user profile information publicly available that previously had been subject to privacy settings, Facebook materially changed its promises that users could keep such information private. Facebook retroactively applied these changes to personal information that it had previously collected from users, without their informed consent, in a manner that has caused or has been likely to cause substantial injury to consumers, was not outweighed by countervailing benefits to consumers or to competition, and was not reasonably avoidable by consumers. This practice constitutes an unfair act or practice.
This continues a recent trend of the FTC asserting its authority over “unfair” trade practices, even when they’re not “deceptive.” This also came up in the FTC’s settlement with Frostwire over unfair default settings, which prompted the FTC to warn companies to “spend some time thinking through [their] default settings” and consider questions like “Do your defaults keep users safe from making serious inadvertent errors?” and “Does your application work in ways consumers would reasonably expect?”
-
EPIC files FTC complaint against Verizon
As a follow-up to Helen’s post about Verizon’s new privacy practices, EPIC has filed an FTC complaint alleging that the move amounts to an unlawful trade practice.
-
Android orphans and the update problem for smartphone security and privacy
Michael Degusta has a wonderful blog post up about the history of missing software updates for Android smartphones, compared to Apple’s iPhone. A sample:
In this chart, green blocks represent periods when a phone ran the most up-to-date major version of its operating system, while yellow, orange, and red blocks represent periods where a phone could only run increasingly out-of-date major versions. See Michael’s post for the full chart and some great analysis.
Two factors combine to make the lack of updates a significant problem. First, in the United States at least, most phones are sold on two-year contracts, so a lack of updates means they will almost certainly be used well after their OS is no longer the current version. Second, since smartphones are constantly connected to the cell-phone network and the Internet, they present an attractive and vulnerable target for malware authors when security vulnerabilities are discovered. If updates can’t be applied to many of the smartphones in use, then the potential harm from a security problem expands greatly. Indeed, the many Android privacy and security problems show the potential severity of the issue.
So what is to be done? It's understandable why, in the fast-moving and competitive market for Android smartphones, makers don't want to spend money supporting devices they're no longer selling. Yet if two-year contracts are the standard, it may not be unreasonable for users to expect makers to support a device for at least two years after they stop selling it. With the FTC's recent reemphasis on trade practices that are "unfair" but not necessarily "deceptive" (a subject worthy of a post of its own), it will be interesting to see if the agency has anything to say about the Android orphan problem.
