How a lone grad student scooped the FTC
And what it means for your online privacy
This story was originally published by ProPublica.
ProPublica is a Pulitzer Prize-winning investigative newsroom. Sign up for The Big Story newsletter to receive stories like this one in your inbox.
Jonathan Mayer had a hunch.
A gifted computer scientist, Mayer suspected that online advertisers might be getting around browser settings that are designed to block tracking devices known as cookies. If his instinct was right, advertisers were following people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google.
This is precisely the type of privacy violation the Federal Trade Commission aims to protect consumers from, and Google, which claims the cookies were not planted in an unethical way, now reportedly faces a fine of more than $10 million. But the FTC didn't discover the violation. Mayer is a 25-year-old student working on law and computer science degrees at Stanford University. He shoehorned his sleuthing between classes and homework, working from an office he shares in the Gates Computer Science Building with students from New Zealand and Hong Kong. He doesn't get paid for his work and he doesn't get much rest.
If it seems odd that a federal regulator was scooped by a sleep-deprived student, get used to it, because the federal government is often the last to know about digital invasions of your privacy. The largest privacy scandal of the past year, also involving Google, wasn't discovered by federal regulators, either. A privacy official in Germany forced Google to hand over the hard drives of cars equipped with 360-degree digital cameras that were taking pictures for its Street View program. The Germans discovered that Google wasn't just shooting photos: The cars downloaded a panoply of sensitive data, including emails and passwords, from open Wi-Fi networks. Google had secretly done the same in the United States, but the FTC, as well as the Federal Communications Commission, which oversees broadcast issues, had no idea until the Germans figured it out.
Nearly every day, and often several times a day, there is fresh news of privacy invasions as companies hone their ability to imperceptibly assemble a vast amount of data about anyone with a smartphone, laptop or credit card. Retailers, search engines, social media sites, news organizations — all want to know as much as they can about their visitors and users so that ads can be targeted as precisely as possible. But data mining, which has become central to the corporate bottom line, can be downright creepy, with companies knowing what you search for, what you buy, which websites you visit, how long you browse — and more. Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products. It's akin to someone rifling through your wallet, closet or medicine cabinet, but in the digital sphere no one picks your pocket or breaks into your house. The tracking is done mostly without your knowledge and, in many cases, despite your attempts to stop it, as Mayer discovered.
The FTC is the lead agency in the government's effort to ensure that companies do not cross the still-hazy border between acceptable and unacceptable data collection. But the agency's ambitions are clipped by a lack of both funding and legal authority, reflecting a broader uncertainty about the role government should play in what is arguably America's most promising new industry. Companies like Facebook and Google are global brands for which data mining is at the core of present and future profits. How far should they go? Current laws provide few limits, mainly banning data collection from children under 13 and prohibiting the sale of personal medical data. Beyond that, it's a digital mosh pit, and it's likely to remain that way because more regulation tends to be regarded by politicians in both parties as meaning fewer jobs. Students will probably continue to beat the FTC to the punch: The agency just has one privacy technologist working in its Division of Privacy and Identity Protection and one in the Division of Financial Practices. "I don't think it's controversial to note that they seem to be understaffed," Mayer said in a phone interview between classes. "I think that's pretty clear."
This isn't the usual sort of story about regulation watered down by intimate ties between government officials and the industry they oversee. Unlike the U.S. Minerals Management Service, where not long ago a number of officials were found to have shared drugs and had sex with representatives of the oil and gas industry, key FTC officials hired by the Obama administration are privacy hawks who worked previously for consumer-rights groups like Public Citizen and the Electronic Frontier Foundation. Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries; its first privacy technologist, hired shortly after Liebowitz became chairman, was a semifamous activist who made a name for himself by printing fake boarding passes to draw attention to airline security lapses (the FBI, which raided his house, was not pleased). The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do.
Yet the FTC is ill-equipped to find out, on its own, what companies like Google and Facebook are doing behind the scenes. For instance, ProPublica discovered that the FTC's Privacy and Identity Protection technologist has a digital hand tied behind his back because the computer in his office has security filters that restrict access to key websites. While Mayer has an ultrafast Internet connection, top-of-the-line computer, an office chair he loves and tasty lunches for free ("Stanford students do not want in any way," he notes), the FTC technologist uses his personal laptop and, because there is no Wi-Fi at the agency, connects to the Internet by tethering it to his iPhone. He browses the Web at cellphone speed. There are no free lunches.
The FTC is headquartered in a landmarked building on Pennsylvania Avenue flanked by two sculptures of a man trying to restrain a muscle-bound horse that is straining to gallop away. The sculptures, completed in 1942, are entitled "Man Controlling Trade," and they explain a lot about the FTC's current dilemma. The notion of controlling trade, popular when the sculptures were erected a half-century ago, is not a vote-winner today. The FTC was an early battleground of the movement that began in the Reagan era to reduce government regulation. The agency had more than 1,700 employees in the 1970s, but is down to 1,176 today, even though the economy has more than doubled in that span. The FTC's responsibilities are vast: It must police everything from financial scams to antitrust activity, identity theft and misleading advertising.
Especially among Republicans, there is little interest in providing more resources. California Rep. Mary Bono-Mack, at a recent hearing on privacy legislation, warned that the government "has this really bad habit of overreaching whenever it comes to new regulations." Although the American Civil Liberties Union may see an epidemic of privacy violations, Bono-Mack said, "I haven't gotten a single letter from anyone back home urging me to pass a privacy bill." The skepticism is not just an outside-the-building phenomenon; it comes from within the FTC, too. One of the agency's five commissioners, Republican Thomas Rosch, dissented from its 2013 budget request, which asks for less money than the prior year budget of $312 million. Rosch said he believed the FTC still wanted too much. "In these austere times we should do more ... with fewer resources," his dissent said.
The cold shoulder is not entirely Republican. Earlier this year the Obama administration unveiled a "Privacy Bill of Rights" that sets a variety of enviable standards for consumer privacy. "American consumers can't wait any longer for clear rules of the road that ensure their personal information is safe online," President Obama said. The document, which among other things would allow individuals to control the data collected on them, was welcomed by consumer groups. But it's not legislation. It's a wish-list. The administration hopes that some of its wishes, like a Do Not Track system, will be granted through voluntary industry standards. But many of the wishes require Congress to pass laws that it is unlikely to pass anytime soon. The FTC's meager budget request would seem to be the best indication yet of the prospects for significantly greater federal privacy protection.
It's an old story with a new twist. Few industries have as many admirers in Washington, D.C., as Silicon Valley, which unlike the oil industry has what appears to be an equally large number of friends on both sides of the aisle. The tech industry is generally regarded as liberal-leaning — for instance, Eric Schmidt, the Google chairman, was an Obama campaign adviser and serves on the president's Council of Advisors on Science and Technology. But Sen. John McCain, R-Ariz., was counseled in his presidential bid by both Carly Fiorina, the former CEO of Hewlett-Packard, and by Meg Whitman, the former CEO of eBay who now heads HP. Silicon Valley is one of the country's few global growth industries; politicians are reluctant to put restrictions on what it can and cannot do.
The FTC tries to do the best with what it has. In 2009, with new Obama-era appointees aboard, it hired Christopher Soghoian, a privacy technologist who could perform the sort of sophisticated forensics that Mayer conducted on Google. A year later, in 2010, the FTC hired its first chief technologist, Edward Felten, a Princeton computer scientist who is highly regarded in tech policy circles. But the three men who have filled the privacy technologist job that Soghoian filled first (each have served for about a year) faced an awkward problem: The desktop in their office is digitally shackled by security filters that make it impossible to freely browse the Web. Crucial websites are off-limits, due to concerns of computer viruses infecting the FTC's network, and there are severe restrictions on software downloads. When Soghoian tried to download a Wi-Fi-sniffing app, his boss told him within a few minutes that he had tripped a security alarm; he could not use the app on his computer. It had to be deleted immediately.
To defend against hackers, filtered computers are standard in the government, but they are problematic for officials who are trying to discover dishonest activity on the Web; it's a bit like telling a cop he can't patrol in high-crime neighborhoods. A handful of unfiltered computers are available in restricted labs at the FTC's headquarters on Pennsylvania Avenue and its satellite offices on New Jersey Avenue and M Street, but this is an ungainly setup. Rather than leaving their office, waiting for an elevator, swiping their ID badges across a sensor at the lab's locked door and logging into a computer soaked with malware (because the lab computers are used to test suspicious applications and websites), the technologists have instead stayed in their office and tethered their personal laptops to their personal cellphones. The office does not have a window, and the cell signals are not strong; even by phone standards, their Web connection is slow.
Soghoian and the current privacy technologist, Michael Brennan, tried to get an unfiltered desktop installed in their office. Each time — Soghoian in 2010, Brennan in 2011 — they got tantalizingly close, with new machines delivered to them. But the computers were never connected to the Internet. Someone at the agency — they don't know who — got cold feet. "I basically had a two-thousand-dollar computer doing nothing," Soghoian said. Brennan isn't even at the office so much these days; he is a part-timer who lives in Philadelphia, where he is getting a Ph.D. in computer science at Drexel University. When he works in Washington, the FTC's privacy gunslinger crashes at a friend's house.
Only one FTC official has an unfiltered desktop: Felten, the chief technologist. He is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. Felten, hired mainly to provide policy advice to the FTC chairman, also conducts investigations of suspicious websites or apps — this is what he uses the unshackled computer for. During an interview, he pointed to it, a bit like a museum guide gesturing toward a priceless artwork, and said, "This is rare. I think this is the only one."
He acknowledged the agency is hindered by a shortage of technical experts who can find the sorts of violations that Mayer stumbled on.
"We could for sure do more if we had more people," he said while sitting in his office, which is nearly bare, with a few FTC posters on the walls, a small table and chairs, and a large desk for his two computers. "There are a lot of opportunities that we have to let go by because we don't have the people to seize them ... opportunities to measure and evaluate what's happening every day in people's computers and phones."
Felten, who plans to resume full-time teaching at Princeton in the fall, was asked whether he has better technological resources there.
"Oh yes," he replied. "That's certainly the case."
The mismatch between FTC aspirations and abilities is exemplified by its Mobile Technology Unit, created earlier this year to oversee the exploding mobile phone sector. The six-person unit consists of a paralegal, a program specialist, two attorneys, a technologist and its director, Patricia Poss. For the FTC, the unit represents an important allocation of resources to protect the privacy rights of more than 100 million smartphone owners in America. For Silicon Valley, a six-person team is barely a garage startup. Earlier this year, the unit issued a highly publicized report on mobile apps for kids; its conclusion was reflected in the subtitle, "Current Privacy Disclosures Are Disappointing." It was a thin report, however. Rather than actually checking the personal data accessed by the report's sampling of 400 apps, the report just looked at whether the apps disclose, on the sites where they are sold, the types of personal data that would be accessed and what the data would be used for. The body of the report is just 17 pages. (The FTC says it will do deeper research in future reports.)
The mobile unit has an equipment problem, too. Like most government agencies, the FTC issues Blackberries to key officials. Poss, the unit's director, has one. The Blackberry dominated when Al Gore ran for president, but today it's barely an also-ran with just 12 percent of the smartphone market. That's not a problem if you only use your Blackberry for texts, emails and calls. But it's a problem if, like Poss, your job is to keep track of what's happening in the smartphone market. Most consumers use Androids or iPhones, and most of the apps written for them are not available on the Blackberry.
If Poss wants to learn what's going on in the 88 percent of the smartphone market that her Blackberry cannot access, she would need to leave her office and go to one of the FTC labs, where she can use or check out an iPhone or Android. It's a clunky setup, so she resorts to a familiar workaround: She uses her personal smartphones. She has an iPhone as well as an Android.
A moment after she mentioned this in an interview, she added, "I probably shouldn't be saying that."
FTC officials are reluctant to talk about their lack of funding, partly because public whining, especially during hard economic times, is infrequently rewarded. It's also politically unwise. A vocal portion of the electorate believes the government and its regulatory arms have too much money and power as it is. Additionally, the FTC is trying to keep the tech industry honest by hinting that the feds are watching everything. It does not help if Silicon Valley realizes the FTC possesses just a handful of iPhones and Androids that are kept under lock and key in the basement.
The interview with Poss was conducted in an office on the third floor of the FTC's headquarters, with an FTC spokeswoman on hand. When Poss was asked whether it wouldn't make sense for the director of the Mobile Technology Unit to have a government-issued iPhone or Android, the spokeswoman, Claudia Farrell, interceded.
"He's trying to get you to bitch, Patti. Don't do it."
Poss, a lawyer who has worked at the FTC for more than 12 years, began to look uncomfortable, as though she was in the witness box, unsure what she was supposed to say. She made amends by noting she can use her office computer to look at the smartphone app descriptions posted on the websites where they are sold. Then she reversed herself.
"Actually, you can't," Poss said. "We have some restrictions on the sites we can visit on government computers."
She hesitantly mentioned that Apple's app store is among the sites blocked by the FTC's security system. If she wants to look at the most popular websites for mobile apps, she has to go to a basement lab.
Farrell joined the conversation again.
"You're not going to make this a gut-wrenching story about how Patti has to leave the confines of her office to do her work?"
The FTC maintains an aura of secrecy about its Internet testing labs in Washington. Their location is known but not much else. Officials would not talk about the equipment in the labs. Poss and Farrell refused to divulge the number of iPhones and Androids, though it appears to be not much more than a handful. "I don't want to lead you to think we have an unlimited supply," Poss acknowledged before being discouraged from acknowledging anything more.
It is hard for outsiders to know more because the FTC refuses to let reporters visit the labs.
"We're not going to show it to you, no way," said David Vladeck, who directs the agency's Bureau of Consumer Protection and controls access to the labs.
It was pointed out that government agencies conducting far more secret operations — such as the Pentagon and the Central Intelligence Agency — often allow journalists and other outsiders to visit classified facilities. The embedding program during the Iraq war gave reporters the chance to report on the planning and execution of secret military operations. The FTC's labs would not seem to rival the technology displayed when journalists ride aboard nuclear-powered submarines, for instance.
Vladeck would not bend.
"We don't trust anybody," he said.
Current and former FTC officials say the labs are the size of suburban living rooms, with computers and accessories that do not look much different from what would be seen at a Kinko's. "There's nothing special there," Soghoian said. "It looks like a computer room in a public library or middle school."
Vladeck's appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. A conversation with Vladeck, who has argued four cases before the U.S. Supreme Court and won three of them, is akin to a combative courtroom session. He often leans across the table and speaks in a high-pitched bellow. During an interview in his office, he said that when he arrived at the FTC, "We weren't geared up for this battle." That's partly because the Bush-era FTC was not terribly aggressive on privacy but also because data mining has particularly taken off in the past few years.
"No regulator is ever going to tell you that he or she is satisfied with the resources," Vladeck said. "Would I like more resources? Of course, and I think I could put them to good use. But let me toot our own horn. We've gotten an enormous amount done in three years. I think we are sending a strong signal to the industry — you've got to straighten up and do the right thing."
Since he arrived, the FTC has reached privacy settlements with the some of the largest tech firms, including Facebook, Google and Twitter, though in each case, there were no fines, because the FTC's authority to issue fines on a first offense is limited. The agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.
Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC's privacy work and is under Vladeck's control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. "The bottlenecks are the lawyers for the most part," Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.
Vladeck has improvised. He described his strategy as similar to highway cops — the point isn't to catch every car that breaks the speed limit, but enough to signal to the others that they can't get away with much. He goes after the shiniest cars.
Yet those cases demonstrated the FTC's limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy — what's inappropriate data collection to one person might be fair and harmless to another — so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little — in which case, they aren't deceiving consumers if they do things that might be untoward.
Ironically, the best way for a company to avoid privacy tussles with the FTC is to not say much about their privacy practices. On the other side of things, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read or, when they do, they have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow these strategies — and many do — are difficult targets for the FTC.
Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large — this is akin to a two-strike rule.
The settlement process is time-consuming, however. Due to the agency's small legal staff, some settlements take years to complete, and by the time they're done, the targeted companies are not what they used to be. Last month, the FTC announced a privacy settlement with Myspace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when Myspace was already a fading giant; by the time it was concluded in May, Myspace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, "You mean Myspace still exists?"
Although the agency has some sway with Google and other companies that are sensitive to reputational issues — an FTC settlement might not hurt Google's bottom line but the bad press could — it has less influence over data mining firms like LexisNexis, Choicepoint and RapLeaf, whose revenues come mostly from businesses rather than consumers. This is a major hole in the government's effort to protect consumers from privacy violations, and the FTC has all but thrown up its hands in futility. The privacy report it issued earlier this year called on Congress to pass legislation that would set guidelines on acceptable practices by data miners. The odds of that happening are quite long, because of industry opposition to government oversight and the difficulty of getting agreement in Congress on what should and should not be allowed.
Even though he lives in university housing, Jonathan Mayer is a star in the world of digital privacy; he is the mop-haired kid who busted Google in his spare time. Silicon Valley companies seek him out to learn what he's up to. Mayer, being clever, uses these encounters to learn about the companies. What are they thinking about the most? What do they fear the most? He has made another discovery.
"The FTC doesn't strike fear into the heart of tech companies," he says. "They know that as long as they stay within lax boundaries, it's unlikely the FTC will bring enforcement actions against them."
Yet there is a feared privacy watchdog, Mayer notes: the European Union. American companies have far less political influence in Europe, and Europeans are far more attentive to privacy issues, partly due to memories of Nazi-era totalitarianism. Because most tech services offered to Europeans are the same as offered to Americans, protections required by EU regulators are usually extended to American consumers. It's the globalization of digital regulation: What happens in one country can affect all countries.
For instance, under Irish privacy law, citizens are entitled to know the information a company possesses on them — and this was used against Facebook by a 24-year-old Austrian, Max Schrems, who asked the company to hand over all the data it had on him. Facebook's international headquarters are located in Dublin, so the firm had to comply. Last year it gave Schrems more than 1,200 pages of data that included just about every keystroke he had made while on the social network, including items he had deleted and location information he had never provided. Facebook had kept almost every poke and like, every friend and defriend, every invitation accepted or rejected. Schrems posted the information online and compared his Facebook dossier to the data that the East German secret police, the Stasi, had kept on millions of citizens.
In effect, Schrems exposed Facebook's data retention practices, and this led to a big change. In May, Facebook said its 900 million customers — not just the ones in Europe — would receive far more detail on its data collection, making it easier for them to know what information was being collected and what was being done with it. The company acknowledged that the change was the result of a harsh report issued by Irish authorities looking into the Schrems case. Ireland wasn't trying to protect the privacy rights of Americans, but its pressure on Facebook had precisely that effect.
The outsourcing of consumer data protection has been going on for a number of years. In 2008, European privacy officials asked Google, Microsoft and Yahoo! to delete, far quicker than they were doing, the data they were retaining about user searches. In short order, the search giants complied — not only for their European customers but for Americans, too. "The EU drives regulation worldwide," Mayer says. "While we make nods to self-regulation and cooperation, the reality is that the EU is getting all of this done."
The power of Europe's privacy regulators — and the weakness of America's — was demonstrated most vividly in the Street View dustup. While there was only modest protest against Google photographing American streets and homes, the company immediately ran into big trouble when its cars began to roam around Europe. The collection and abuse of personal information also was a hallmark of communist regimes that ruled Eastern Europe during the Cold War. Throughout Europe, local and national authorities expressed concerns about Street View, and the project quickly hit a number of walls.
Google promised its cars were only taking pictures — and the firm's word was enough for U.S. officials — but French authorities demanded to know for sure. They inspected one of the vehicles in 2010 and realized that Google was not telling the whole story: The hard drives in the cars were downloading data from Wi-Fi networks. Google downplayed the revelation by contending the downloads were innocuous — just technical data, not personal information.
In Germany, where popular opposition to Street View was strongest, the data commissioner of Hamburg, Johannes Caspar, demanded to inspect a Street View car, too. At first, Google reportedly told him it didn't know where the cars were. The firm eventually found one — but its hard drive was gone. At that point, Google said it was taking a new look at what the cars were downloading. Caspar insisted the company hand over a hard drive. After a few months, Google complied. Caspar discovered that Google had downloaded vast amounts of personal data.
It had done the same in the United States.
Vladeck had a quick response when it was suggested the Europeans were better privacy watchdogs.
"That's a lie," he shot back.
He leaned forward, speaking a bit more slowly.
"That is a lie."
He argued that although the Germans uncovered Street View's data collection, the FTC was not asleep at the wheel because it was investigating Street View at the time. But Vladeck said the FTC could not have done much even if it had examined a hard drive, since the agency's reach extends only to unfair or deceptive practices. Google had never told consumers it wasn't downloading Wi-Fi data, so it hadn't deceived them by doing so. To prove an unfair practice, the FTC would have needed to show that the data downloads caused consumers an unavoidable harm. "Street View would have been a very difficult case for us," Vladeck said. The agency quietly closed its investigation in late 2010 with no action.
Google was not yet free of the government's watchdogs. The Federal Communications Commission conducted a separate investigation of its own and discovered the data collection was not accidental, as Google had claimed once it owned up to downloading the data. The FCC sharply criticized Google in April but fined the company just $25,000, which is not even a rounding error in the Web giant's first quarter profit of $2.89 billion.
This story was co-published with Wired. Megha Rajagopolan contributed reporting.