Federal Trade Commission takes action against Twitter for deceptively using customers’ account security data to sell targeted ads. Twitter to pay 150 million dollars fine to settle privacy law suit.

May 26, 2022

The US Federal Trade Commission has taken action against Twitter for allowing advertisers to use its customers’ phone numbers and emails for targeted ads.  Customers provided that information to Twitter to protect their accounts.  The practice was reasonably long standing, from at least May 2013 until at least September 2019.  The practice affected more than 140 million Twitter users. 

It is interesting to note that in 2011 the FTC claimed Twitter misrepresented the extent to which it protected its customers privacy and the security of their non public information.  The FTC settled that complaint. 

The complaint states:

From at least May 2013 until at least September 2019, Twitter misrepresented to users of its online communication service the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences. Twitter’s misrepresentations violate the FTC Act and the 2011 Order, which specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information. Plaintiff therefore seeks civil penalties for Twitter’s violations, as well as a permanent injunction and other equitable relief, to ensure Twitter’s future compliance with the law.

and Read the rest of this entry »

Federal Trade Commission requires the successor to Weight Watchers to delete data and destroy algorithms

April 7, 2022

The Federal Trade Commission ( the “FTC”) took action against the successor to Weight Watchers, Kurbo Inc and WW International (the “Defendants”), by a complaint filed 16 February 2022.  Settlement was reached last month.  The alleged breaches of the Federal Trade Commission Act and the Children’s Online Privacy Act are quite egregious, including:

  •   not providing any form of notice to parents that Defendants were collecting personal information from children, or seek to obtain parents’ consent for that collection until November 2019
  • a notice to parents that the defendant’s app was collecting personal information relating to a child was incomplete as it did not specify all of the categories of personal information collected from the child
  • until August 2021, Defendants retained personal information collected online from children indefinitely, only deleting the information when specifically requested by a parent—even if the user’s account had been dormant for multiple years

The terms of settlement follows a standard structure used by the FTC and in this context:

  • restraining the Defendants to continue with the breaches alleged;
  • requiring the Defendants to destroy all Personal Information Collected  within 30 days from accounts that have not, by that date, received direct notice and provided Verifiable Parental Consent;
  • destroying any models or algorithms developed in whole or in part using Personal Information Collected from Children
  • ordering the Defendants to pay the sum of $1,500,000 as a civil penalty
  • requiring the Defendants to enter into a compliance program including providing a compliance notice for 10 years, create specific records for inspection for 10 years. 

What is particularly interesting about this settlement is the requirement for the Defendants to destroy algorithms that were developed or created using personal information unlawfully obtained from children in breach of the legislation.  This is a significant development in regulation.  It underlines how intrinsic the use and collection of personal information is in the development and refinement of algorithms is and Read the rest of this entry »

Federal Trade Commission takes action against CafePress for data breaches and their cover up

March 18, 2022

What’s worse, the cover up or the crime?  The answer from the Watergate cover up was emphatically that the cover up was where the real ill lies.  For a lawyer a manageable legal problems becomes a much more serious one when a person or organisation hides evidence of an offence.  So CafePress discovered when the Federal Trade Commission (“FTC”) caught up with it for both data breaches as well as their cover up. 

CafePress failed to secure its clients sensitive information and then tried to cover up the data breach.  The first reports of CafePress being hacked in February 2019 was in August of that year with a number of reports including one by Forbes titled  CafePress Hacked, 23M Accounts Compromised. Is Yours One Of Them?   The prescient question in that article was”why has it taken so long to find out about the CafePress breach? Good question. An equally good one might be “why have I heard about this breach from HIBP and not CafePress itself?” These are questions that have attracted the attention of the FTC with it seeking a $500,000 fine to redress loss to consumers resulting from the data breach.  As well the owners of CafePress will be required to enter into a 20 year order covering security programs and compliance monitoring.  That is standard practice for the FTC.

The FTC has set out in history and the outcome in its press release which Read the rest of this entry »

Federal Trade Commission requires Zoom to enhance security practices

December 1, 2020

Zoom is now a verb.  The impact of video conferencing platform has made it ubiquitous and necessary to work from home and keep in touch with others during long weeks of shut downs. And it deserves its reputation as the go to platform; it is easy to use, it is free (for 40 minutes at a time), it allows for up to 100 people to join a meeting and it has many cool features such as separate rooms and messaging services.

It has also suffered from the growing pains that afflict technology that appear from nowhere and become massively popular overnight.  That included critical flaws in software for windows that allowed hackers to take over computers and flaws that lets an attacker to use a GIF to hack software and install malware and until recently not having end to end encryption. The list of flaws identified and fixed are set out in Zoom security issues: Here’s everything that’s gone wrong (so far).

As a result of the persistent flaws and inadequate privacy practices, now fixed, Zoom entered into a agreement with the New York Attorney General, on 7 May 2020, whereby Zoom would put into place and support new security measures and enhance privacy controls.

It was only a matter of time before Zoom’s privacy and security problems came to the attention of the US Federal Trade Commission.  It was investigated and earlier this month came to a settlement, again requiring it to provide better information security systems.  The jurisdictional basis for FTC bringing an action is that Zoom engaged in deceptive and unfair practices about it’s level of security, including representations about end to end encryption and the level of encryption.  The period of compliance with the Decision is 20 years.

The FTC issued a complaint  alleging that the misleading practices dated back to 2016.  The complaint highlights Read the rest of this entry »

Federal Trade Commission imposes $5 billion penalty and says it imposed sweeping new privacy restrictions

July 26, 2019

The Federal Trade Commission (FTC) has formally imposed a $5 billion fine on Facebook arising out of its breach of the 2012 FTC order.  The breaches related to sharing of data with third party users, to wit making that information available to Cambridge Analytica, as well as launching Privacy Shortcuts and Privacy Checkup in 2014 which were supposed to help with managing privacy settings but did not disclose Read the rest of this entry »

Federal Trade Commission to settle complaint with Facebook over privacy breaches for $5 billion.

July 14, 2019

Although the Federal Trade Commission (“FTC”) has not made a formal announcement the detailed reporting of the deliberations and voting by FTC Commissioners in favour ( 3-2) make it almost certain that once the civil division of the Justice Department approves the settlement, an almost certainty, an announcement will be formally made and Facebook will be liable to pay $5 billion. The Wall Street Journal broke the story with FTC Approves Roughly $5 Billion Facebook Settlement

Wired has undertaken a comprehensive report of the saga, which started with the FTC opening its investigation in March 2018, a week after the Cambridge Analytica scandal broke.  

The problem Facebook faces Read the rest of this entry »

Federal Trade Commission settles with mobile device retailer for misleading and deceptive conduct about its privacy policies and data security.

May 7, 2018

The Federal Trade Commissioner announced that it had settled with BLU Products arising from a complaint that it had deceived its customers regarding its privacy policies and data security practices.

Under the decision BLU and any business that it controls will need to Read the rest of this entry »

FTC revisits consent agreement with Uber after discovering Uber concealed other data breaches

April 17, 2018

In August 2017 Uber entered into a consent agreement with the US Federal Trade Commission (FTC) arising out of a data breach in May 2014 which revealed Uber’s unreasonable security practices.  I did a post on this settlement in August here. Settlements with the FTC can be onerous, unlike the limp enforceable undertakings in Australia, but better than being the subject of litigation.  Unfortunately Uber knew in 2016 that it had suffered a data breach in 2016 from lax security associated with third party cloud services, while the FTC was investigating the 2014 breach, but did not disclose it to the FTC.  In fact it deliberately covered it up and attempted to pay off the hackers (see my post in November 2017). A classic case of the cover up causing more problems than the breach for the organisation.

The FTC described it Read the rest of this entry »

US Federal Trade Commission settles with Lenovo on charges that it preinstalled software that compromised online security and the privacy of users

September 6, 2017

The Federal Trade Commission announced a settlement between it, 32 State Attorneys General and Lenovo relating to a complaint that it harmed consumers privacy and compromised data security with preloaded man in the middle software onto some of its laptops.  The software, described as VisualDiscovery, delivered ads to the lap top owners but in doing so compromised security protections.

This is a huge settlement which deals with Read the rest of this entry »

Uber settles Federal Trade Commission complaint that it engaged in deceptive claims about privacy and data security protections

August 17, 2017

The Federal Trade Commission (“FTC”) has entered into a agreement with Uber Technologies (“Uber”) arising from the FTC’s formal complaint that Uber had failed to fulfill its claims that it monitored employee access to consumer and driver data.

As the media release and the complaint makes clear Uber did what many organisations with a poor privacy and data security culture did, put Read the rest of this entry »