ProPublica

Journalism in the Public Interest

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

Hobbled by government filters, a withering budget and limited legal clout, the Federal Trade Commission struggles to police an army of data miners bent on exploiting our online footprints.

Jonathan Mayer (Peter McCollough/Wired)

Updates: An article about the reaction to this piece was posted here on July 6. A second update was added on Aug. 16.

June 28: This story has been corrected.

This story was co-published with Wired.

Jonathan Mayer had a hunch.

A gifted computer scientist, Mayer suspected that online advertisers might be getting around browser settings that are designed to block tracking devices known as cookies. If his instinct was right, advertisers were following people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google.

This is precisely the type of privacy violation the Federal Trade Commission aims to protect consumers from, and Google, which claims the cookies were not planted in an unethical way, now reportedly faces a fine of more than $10 million. But the FTC didn't discover the violation. Mayer is a 25-year-old student working on law and computer science degrees at Stanford University. He shoehorned his sleuthing between classes and homework, working from an office he shares in the Gates Computer Science Building with students from New Zealand and Hong Kong. He doesn't get paid for his work and he doesn't get much rest.

If it seems odd that a federal regulator was scooped by a sleep-deprived student, get used to it, because the federal government is often the last to know about digital invasions of your privacy. The largest privacy scandal of the past year, also involving Google, wasn't discovered by federal regulators, either. A privacy official in Germany forced Google to hand over the hard drives of cars equipped with 360-degree digital cameras that were taking pictures for its Street View program. The Germans discovered that Google wasn't just shooting photos: The cars downloaded a panoply of sensitive data, including emails and passwords, from open Wi-Fi networks. Google had secretly done the same in the United States, but the FTC, as well as the Federal Communications Commission, which oversees broadcast issues, had no idea until the Germans figured it out.

Nearly every day, and often several times a day, there is fresh news of privacy invasions as companies hone their ability to imperceptibly assemble a vast amount of data about anyone with a smartphone, laptop or credit card. Retailers, search engines, social media sites, news organizations — all want to know as much as they can about their visitors and users so that ads can be targeted as precisely as possible. But data mining, which has become central to the corporate bottom line, can be downright creepy, with companies knowing what you search for, what you buy, which websites you visit, how long you browse — and more. Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products. It's akin to someone rifling through your wallet, closet or medicine cabinet, but in the digital sphere no one picks your pocket or breaks into your house. The tracking is done mostly without your knowledge and, in many cases, despite your attempts to stop it, as Mayer discovered.

The FTC is the lead agency in the government's effort to ensure that companies do not cross the still-hazy border between acceptable and unacceptable data collection. But the agency's ambitions are clipped by a lack of both funding and legal authority, reflecting a broader uncertainty about the role government should play in what is arguably America's most promising new industry. Companies like Facebook and Google are global brands for which data mining is at the core of present and future profits. How far should they go? Current laws provide few limits, mainly banning data collection from children under 13 and prohibiting the sale of personal medical data. Beyond that, it's a digital mosh pit, and it's likely to remain that way because more regulation tends to be regarded by politicians in both parties as meaning fewer jobs. Students will probably continue to beat the FTC to the punch: The agency just has one privacy technologist working in its Division of Privacy and Identity Protection and one in the Division of Financial Practices. "I don't think it's controversial to note that they seem to be understaffed," Mayer said in a phone interview between classes. "I think that's pretty clear."

This isn't the usual sort of story about regulation watered down by intimate ties between government officials and the industry they oversee. Unlike the U.S. Minerals Management Service, where not long ago a number of officials were found to have shared drugs and had sex with representatives of the oil and gas industry, key FTC officials hired by the Obama administration are privacy hawks who worked previously for consumer-rights groups like Public Citizen and the Electronic Frontier Foundation. Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries; its first privacy technologist, hired shortly after Leibowitz became chairman, was a semifamous activist who made a name for himself by printing fake boarding passes to draw attention to airline security lapses (the FBI, which raided his house, was not pleased). The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do.

Yet the FTC is ill-equipped to find out, on its own, what companies like Google and Facebook are doing behind the scenes. For instance, ProPublica discovered that the FTC's Privacy and Identity Protection technologist has a digital hand tied behind his back because the computer in his office has security filters that restrict access to key websites. While Mayer has an ultrafast Internet connection, top-of-the-line computer, an office chair he loves and tasty lunches for free ("Stanford students do not want in any way," he notes), the FTC technologist uses his personal laptop and, because there is no Wi-Fi at the agency, connects to the Internet by tethering it to his iPhone. He browses the Web at cellphone speed. There are no free lunches.

***

The Federal Trade Communications building with the sculpture 'Man Controlling Trade' in front. (Rounded Corner, by M.V. Jantzen, using a Creative Commons license.)

The FTC is headquartered in a landmarked building on Pennsylvania Avenue flanked by two sculptures of a man trying to restrain a muscle-bound horse that is straining to gallop away. The sculptures, completed in 1942, are entitled "Man Controlling Trade," and they explain a lot about the FTC's current dilemma. The notion of controlling trade, popular when the sculptures were erected a half-century ago, is not a vote-winner today. The FTC was an early battleground of the movement that began in the Reagan era to reduce government regulation. The agency had more than 1,700 employees in the 1970s, but is down to 1,176 today, even though the economy has more than doubled in that span. The FTC's responsibilities are vast: It must police everything from financial scams to antitrust activity, identity theft and misleading advertising.

Especially among Republicans, there is little interest in providing more resources. California Rep. Mary Bono-Mack, at a recent hearing on privacy legislation, warned that the government "has this really bad habit of overreaching whenever it comes to new regulations." Although the American Civil Liberties Union may see an epidemic of privacy violations, Bono-Mack said, "I haven't gotten a single letter from anyone back home urging me to pass a privacy bill." The skepticism is not just an outside-the-building phenomenon; it comes from within the FTC, too. One of the agency's five commissioners, Republican Thomas Rosch, dissented from its 2013 budget request, which asks for less money than the prior year budget of $312 million. Rosch said he believed the FTC still wanted too much. "In these austere times we should do more ... with fewer resources," his dissent said.

The cold shoulder is not entirely Republican. Earlier this year the Obama administration unveiled a "Privacy Bill of Rights" that sets a variety of enviable standards for consumer privacy. "American consumers can't wait any longer for clear rules of the road that ensure their personal information is safe online," President Obama said. The document, which among other things would allow individuals to control the data collected on them, was welcomed by consumer groups. But it's not legislation. It's a wish-list. The administration hopes that some of its wishes, like a Do Not Track system, will be granted through voluntary industry standards. But many of the wishes require Congress to pass laws that it is unlikely to pass anytime soon. The FTC's meager budget request would seem to be the best indication yet of the prospects for significantly greater federal privacy protection.

It's an old story with a new twist. Few industries have as many admirers in Washington, D.C., as Silicon Valley, which unlike the oil industry has what appears to be an equally large number of friends on both sides of the aisle. The tech industry is generally regarded as liberal-leaning — for instance, Eric Schmidt, the Google chairman, was an Obama campaign adviser and serves on the president's Council of Advisors on Science and Technology. But Sen. John McCain, R-Ariz., was counseled in his presidential bid by both Carly Fiorina, the former CEO of Hewlett-Packard, and by Meg Whitman, the former CEO of eBay who now heads HP. Silicon Valley is one of the country's few global growth industries; politicians are reluctant to put restrictions on what it can and cannot do.

The FTC tries to do the best with what it has. In 2009, with new Obama-era appointees aboard, it hired Christopher Soghoian, a privacy technologist who could perform the sort of sophisticated forensics that Mayer conducted on Google. A year later, in 2010, the FTC hired its first chief technologist, Edward Felten, a Princeton computer scientist who is highly regarded in tech policy circles. But the three men who have filled the privacy technologist job that Soghoian filled first (each has served for about a year) faced an awkward problem: The desktop in their office is digitally shackled by security filters that make it impossible to freely browse the Web. Crucial websites are off-limits, due to concerns of computer viruses infecting the FTC's network, and there are severe restrictions on software downloads. When Soghoian tried to download a Wi-Fi-sniffing app, his boss told him within a few minutes that he had tripped a security alarm; he could not use the app on his computer. It had to be deleted immediately.

To defend against hackers, filtered computers are standard in the government, but they are problematic for officials who are trying to discover dishonest activity on the Web; it's a bit like telling a cop he can't patrol in high-crime neighborhoods. A handful of unfiltered computers are available in restricted labs at the FTC's headquarters on Pennsylvania Avenue and its satellite offices on New Jersey Avenue and M Street, but this is an ungainly setup. Rather than leaving their office, waiting for an elevator, swiping their ID badges across a sensor at the lab's locked door and logging into a computer soaked with malware (because the lab computers are used to test suspicious applications and websites), the technologists have instead stayed in their office and tethered their personal laptops to their personal cellphones. The office does not have a window, and the cell signals are not strong; even by phone standards, their Web connection is slow.

Soghoian and the current privacy technologist, Michael Brennan, tried to get an unfiltered desktop installed in their office. Each time — Soghoian in 2010, Brennan in 2011 — they got tantalizingly close, with new machines delivered to them. But the computers were never connected to the Internet. Someone at the agency — they don't know who — got cold feet. "I basically had a two-thousand-dollar computer doing nothing," Soghoian said. Brennan isn't even at the office so much these days; he is a part-timer who lives in Philadelphia, where he is getting a Ph.D. in computer science at Drexel University. When he works in Washington, the FTC's privacy gunslinger crashes at a friend's house.

Only one FTC official has an unfiltered desktop: Felten, the chief technologist. He is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. Felten, hired mainly to provide policy advice to the FTC chairman, also conducts investigations of suspicious websites or apps — this is what he uses the unshackled computer for. During an interview, he pointed to it, a bit like a museum guide gesturing toward a priceless artwork, and said, "This is rare. I think this is the only one."

He acknowledged the agency is hindered by a shortage of technical experts who can find the sorts of violations that Mayer stumbled on.

"We could for sure do more if we had more people," he said while sitting in his office, which is nearly bare, with a few FTC posters on the walls, a small table and chairs, and a large desk for his two computers. "There are a lot of opportunities that we have to let go by because we don't have the people to seize them ... opportunities to measure and evaluate what's happening every day in people's computers and phones."

Felten, who plans to resume full-time teaching at Princeton in the fall, was asked whether he has better technological resources there.

"Oh yes," he replied. "That's certainly the case."

***

Christopher Soghoian (Graeme Mitchell/Wired Magazine)

The mismatch between FTC aspirations and abilities is exemplified by its Mobile Technology Unit, created earlier this year to oversee the exploding mobile phone sector. The six-person unit consists of a paralegal, a program specialist, two attorneys, a technologist and its director, Patricia Poss. For the FTC, the unit represents an important allocation of resources to protect the privacy rights of more than 100 million smartphone owners in America. For Silicon Valley, a six-person team is barely a garage startup. Earlier this year, the unit issued a highly publicized report on mobile apps for kids; its conclusion was reflected in the subtitle, "Current Privacy Disclosures Are Disappointing." It was a thin report, however. Rather than actually checking the personal data accessed by the report's sampling of 400 apps, the report just looked at whether the apps disclose, on the sites where they are sold, the types of personal data that would be accessed and what the data would be used for. The body of the report is just 17 pages. (The FTC says it will do deeper research in future reports.)

The mobile unit has an equipment problem, too. Like most government agencies, the FTC issues Blackberries to key officials. Poss, the unit's director, has one. The Blackberry dominated when Al Gore ran for president, but today it's barely an also-ran with just 12 percent of the smartphone market. That's not a problem if you only use your Blackberry for texts, emails and calls. But it's a problem if, like Poss, your job is to keep track of what's happening in the smartphone market. Most consumers use Androids or iPhones, and most of the apps written for them are not available on the Blackberry.

If Poss wants to learn what's going on in the 88 percent of the smartphone market that her Blackberry cannot access, she would need to leave her office and go to one of the FTC labs, where she can use or check out an iPhone or Android. It's a clunky setup, so she resorts to a familiar workaround: She uses her personal smartphones. She has an iPhone as well as an Android.

A moment after she mentioned this in an interview, she added, "I probably shouldn't be saying that."

FTC officials are reluctant to talk about their lack of funding, partly because public whining, especially during hard economic times, is infrequently rewarded. It's also politically unwise. A vocal portion of the electorate believes the government and its regulatory arms have too much money and power as it is. Additionally, the FTC is trying to keep the tech industry honest by hinting that the feds are watching everything. It does not help if Silicon Valley realizes the FTC possesses just a handful of iPhones and Androids that are kept under lock and key in the basement.

The interview with Poss was conducted in an office on the third floor of the FTC's headquarters, with an FTC spokeswoman on hand. When Poss was asked whether it wouldn't make sense for the director of the Mobile Technology Unit to have a government-issued iPhone or Android, the spokeswoman, Claudia Farrell, interceded.

"He's trying to get you to bitch, Patti. Don't do it."

Poss, a lawyer who has worked at the FTC for more than 12 years, began to look uncomfortable, as though she was in the witness box, unsure what she was supposed to say. She made amends by noting she can use her office computer to look at the smartphone app descriptions posted on the websites where they are sold. Then she reversed herself.

"Actually, you can't," Poss said. "We have some restrictions on the sites we can visit on government computers."

She hesitantly mentioned that Apple's app store is among the sites blocked by the FTC's security system. If she wants to look at the most popular websites for mobile apps, she has to go to a basement lab.

Farrell joined the conversation again.

"You're not going to make this a gut-wrenching story about how Patti has to leave the confines of her office to do her work?"

***

Director of the FTC's Bureau of Consumer Protection David Vladeck testifies in a hearing on cell phone privacy on May 19, 2011, in Washington, D.C. (Alex Brandon/AP Photo)

The FTC maintains an aura of secrecy about its Internet testing labs in Washington. Their location is known but not much else. Officials would not talk about the equipment in the labs. Poss and Farrell refused to divulge the number of iPhones and Androids, though it appears to be not much more than a handful. "I don't want to lead you to think we have an unlimited supply," Poss acknowledged before being discouraged from acknowledging anything more.

It is hard for outsiders to know more because the FTC refuses to let reporters visit the labs.

"We're not going to show it to you, no way," said David Vladeck, who directs the agency's Bureau of Consumer Protection and controls access to the labs.

It was pointed out that government agencies conducting far more secret operations — such as the Pentagon and the Central Intelligence Agency — often allow journalists and other outsiders to visit classified facilities. The embedding program during the Iraq war gave reporters the chance to report on the planning and execution of secret military operations. The FTC's labs would not seem to rival the technology displayed when journalists ride aboard nuclear-powered submarines, for instance.

Vladeck would not bend.

"We don't trust anybody," he said.

Current and former FTC officials say the labs are the size of suburban living rooms, with computers and accessories that do not look much different from what would be seen at a Kinko's. "There's nothing special there," Soghoian said. "It looks like a computer room in a public library or middle school."

Vladeck's appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. A conversation with Vladeck, who has argued four cases before the U.S. Supreme Court and won three of them, is akin to a combative courtroom session. He often leans across the table and speaks in a high-pitched bellow. During an interview in his office, he said that when he arrived at the FTC, "We weren't geared up for this battle." That's partly because the Bush-era FTC was not terribly aggressive on privacy but also because data mining has particularly taken off in the past few years.

"No regulator is ever going to tell you that he or she is satisfied with the resources," Vladeck said. "Would I like more resources? Of course, and I think I could put them to good use. But let me toot our own horn. We've gotten an enormous amount done in three years. I think we are sending a strong signal to the industry — you've got to straighten up and do the right thing."

Since he arrived, the FTC has reached privacy settlements with some of the largest tech firms, including Facebook, Google and Twitter, though in each case, there were no fines, because the FTC's authority to issue fines on a first offense is limited. The agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.

Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC's privacy work and is under Vladeck's control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. "The bottlenecks are the lawyers for the most part," Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.

Vladeck has improvised. He described his strategy as similar to highway cops — the point isn't to catch every car that breaks the speed limit, but enough to signal to the others that they can't get away with much. He goes after the shiniest cars.

"When we sue a company like Google and get them under order for doing what we thought was a plain violation of the FTC Act, which was making material changes to their privacy policy without notifying people and getting their consent, the message we hope we sent loud and clear was, 'You can't do that. If we're going to go after Google, which is one of the biggest corporations in the world, you can bet we're going to go after you too.'"

Yet those cases demonstrated the FTC's limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy — what's inappropriate data collection to one person might be fair and harmless to another — so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little — in which case, they aren't deceiving consumers if they do things that might be untoward.

Ironically, the best way for a company to avoid privacy tussles with the FTC is to not say much about its privacy practices. On the other side of things, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read or, when they do, they have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow these strategies — and many do — are difficult targets for the FTC.

Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large — this is akin to a two-strike rule.

The settlement process is time-consuming, however. Due to the agency's small legal staff, some settlements take years to complete, and by the time they're done, the targeted companies are not what they used to be. Last month, the FTC announced a privacy settlement with Myspace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when Myspace was already a fading giant; by the time it was concluded in May, Myspace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, "You mean Myspace still exists?"

Although the agency has some sway with Google and other companies that are sensitive to reputational issues — an FTC settlement might not hurt Google's bottom line but the bad press could — it has less influence over data mining firms like LexisNexis, Choicepoint and RapLeaf, whose revenues come mostly from businesses rather than consumers. This is a major hole in the government's effort to protect consumers from privacy violations, and the FTC has all but thrown up its hands in futility. The privacy report it issued earlier this year called on Congress to pass legislation that would set guidelines on acceptable practices by data miners. The odds of that happening are quite long, because of industry opposition to government oversight and the difficulty of getting agreement in Congress on what should and should not be allowed.

***

Austrian law student Max Schrems speaks with the 1,222 pages of his Facebook data in front of him. (Dieter Nagl/AFP/Getty Images)

Even though he lives in university housing, Jonathan Mayer is a star in the world of digital privacy; he is the mop-haired kid who busted Google in his spare time. Silicon Valley companies seek him out to learn what he's up to. Mayer, being clever, uses these encounters to learn about the companies. What are they thinking about the most? What do they fear the most? He has made another discovery.

"The FTC doesn't strike fear into the heart of tech companies," he says. "They know that as long as they stay within lax boundaries, it's unlikely the FTC will bring enforcement actions against them."

Yet there is a feared privacy watchdog, Mayer notes: the European Union. American companies have far less political influence in Europe, and Europeans are far more attentive to privacy issues, partly due to memories of Nazi-era totalitarianism. Because most tech services offered to Europeans are the same as offered to Americans, protections required by EU regulators are usually extended to American consumers. It's the globalization of digital regulation: What happens in one country can affect all countries.

For instance, under Irish privacy law, citizens are entitled to know the information a company possesses on them — and this was used against Facebook by a 24-year-old Austrian, Max Schrems, who asked the company to hand over all the data it had on him. Facebook's international headquarters are located in Dublin, so the firm had to comply. Last year it gave Schrems more than 1,200 pages of data that included just about every keystroke he had made while on the social network, including items he had deleted and location information he had never provided. Facebook had kept almost every poke and like, every friend and defriend, every invitation accepted or rejected. Schrems posted the information online and compared his Facebook dossier to the data that the East German secret police, the Stasi, had kept on millions of citizens.

In effect, Schrems exposed Facebook's data retention practices, and this led to a big change. In May, Facebook said its 900 million customers — not just the ones in Europe — would receive far more detail on its data collection, making it easier for them to know what information was being collected and what was being done with it. The company acknowledged that the change was the result of a harsh report issued by Irish authorities looking into the Schrems case. Ireland wasn't trying to protect the privacy rights of Americans, but its pressure on Facebook had precisely that effect.

The outsourcing of consumer data protection has been going on for a number of years. In 2008, European privacy officials asked Google, Microsoft and Yahoo! to delete, far quicker than they were doing, the data they were retaining about user searches. In short order, the search giants complied — not only for their European customers but for Americans, too. "The EU drives regulation worldwide," Mayer says. "While we make nods to self-regulation and cooperation, the reality is that the EU is getting all of this done."

The power of Europe's privacy regulators — and the weakness of America's — was demonstrated most vividly in the Street View dustup. While there was only modest protest against Google photographing American streets and homes, the company immediately ran into big trouble when its cars began to roam around Europe. The collection and abuse of personal information also was a hallmark of communist regimes that ruled Eastern Europe during the Cold War. Throughout Europe, local and national authorities expressed concerns about Street View, and the project quickly hit a number of walls.

Google promised its cars were only taking pictures — and the firm's word was enough for U.S. officials — but French authorities demanded to know for sure. They inspected one of the vehicles in 2010 and realized that Google was not telling the whole story: The hard drives in the cars were downloading data from Wi-Fi networks. Google downplayed the revelation by contending the downloads were innocuous — just technical data, not personal information.

In Germany, where popular opposition to Street View was strongest, the data commissioner of Hamburg, Johannes Caspar, demanded to inspect a Street View car, too. At first, Google reportedly told him it didn't know where the cars were. The firm eventually found one — but its hard drive was gone. At that point, Google said it was taking a new look at what the cars were downloading. Caspar insisted the company hand over a hard drive. After a few months, Google complied. Caspar discovered that Google had downloaded vast amounts of personal data.

It had done the same in the United States.

Vladeck had a quick response when it was suggested the Europeans were better privacy watchdogs.

"That's a lie," he shot back.

He leaned forward, speaking a bit more slowly.

"That is a lie."

He argued that although the Germans uncovered Street View's data collection, the FTC was not asleep at the wheel because it was investigating Street View at the time. But Vladeck said the FTC could not have done much even if it had examined a hard drive, since the agency's reach extends only to unfair or deceptive practices. Google had never told consumers it wasn't downloading Wi-Fi data, so it hadn't deceived them by doing so. To prove an unfair practice, the FTC would have needed to show that the data downloads caused consumers an unavoidable harm. "Street View would have been a very difficult case for us," Vladeck said. The agency quietly closed its investigation in late 2010 with no action.

Google was not yet free of the government's watchdogs. The Federal Communications Commission conducted a separate investigation of its own and discovered the data collection was not accidental, as Google had claimed once it owned up to downloading the data. The FCC sharply criticized Google in April but fined the company just $25,000, which is not even a rounding error in the Web giant's first quarter profit of $2.89 billion.

Correction: As noted in the story, the government is encouraging a Do Not Track option to protect consumer privacy on the Web. In one reference, we mistakenly called it a Do Not Track "list." An earlier version of this story misspelled the last name of FTC Chairman Jon Leibowitz.

Update (8/16): The FTC now says its chief technologist observed that Google cookies were overriding Safari browser settings in December 2011, before Jonathan Mayer (and The Wall Street Journal, citing Mayer) first publicly disclosed them as a privacy issue on Feb. 17. The FTC has declined to say whether it learned about the cookies from Mayer; we've filed a Freedom of Information Act request to learn more about what the agency knew and when.

Megha Rajagopolan contributed reporting.

Some of us continue to know that trade needs to be controlled.  It’s great to think you can trust a company to be honest, scrupulous, and caring about consumers.  It’s also a pipe dream.

Companies exist to make profits.  Executives in companies know that if shareholders don’t think they’re making enough profits, the executives will be out of a job.  All of the incentives in business are poisonous to individuals.

And yet we’ve somehow decided to rely on some sort of trust system.

Wake up!  The world is being stolen from under our feet, and we’re letting it happen!

One serious correction, there’s no concept of a “Do Not Track list.”  It’s intended to be a per-user software setting, since there’s no trivial way to figure out that the guy calling himself John Smith on this site is the same John Smith way over there.  However, you can (and many web browsers already do, though no website pays attention to it, yet) announce with every communication that you—whoever you are—don’t want to be recorded.

That’s up for discussion in the Senate Commerce Committee today, because advertising companies are trying to interpret that as not showing you targeted ads, but to record your actions anyway.

Unfortunately, given that law enforcement and Washington keep trying to arrange a situation where they can use third-parties as proxies for surveillance of large numbers of Internet users, I worry that there’s a conflict of interest.  After all, if they think they’re entitled to review your actions online as recorded by a private organization (without a warrant), then it doesn’t make much sense to limit what they can record.

This piece fails to reflect Pro Publica’s mandate to engage in investigative and greater in-depth reporting.  The FTC has made significant advances in privacy over the last several years—against terrific odds.  This story should have analyzed the powerful digital marketing system and its impact on individuals and then discussed what the FTC has been able to accomplish.  It should have assessed the clout of lobbyists that constantly work to undermine the FTC.  It failed to have a nuanced and informed view of developments in the EU.  And its advances in terms of policy and infrastructure to protect the public.  The editors should review this story and ask to see the sources used.  Did the reporter interview independent advocates who work—and criticize—the FTC?  Or did they do a superficial examination of a critical public policy issue, relying on people with an axe to grind or way outside the political process.  Pro Publica is funded to do something better.

In their defense, Jeff, the first sentence points to the article also being in/on Wired, where the audience is…slightly different than here and the mandate is somewhat less investigative.

I just can’t get too excited about this stuff.  Marketing is always annoying.  Everything is in our constant-bombardment, screen based, 24-hour news cycle, reality-show obsessed culture.  But, let’s face it pop up ads and targeted marketing, and even spam, are SUCH A MAJOR IMPROVEMENT over telemarketing and junk mail.  Don’t you remember the days of getting a call at dinner time every stinkin night?  And, that was before they had Caller ID so you always answered the phone.  I still get reams of junk mail, which goes unopened right into the trash.
Planting cookies is in no way, not in a billion, million, trillion years, “akin to someone rifling through your wallet, closet or medicine cabinet.”  At most, use of online info to “target” sales material is an annoyance.  It’s not a freakin invasion of privacy to note that I bought toothpaste so now Crest wants to push ads to me while I browse HuffPo.  What’s primarily annoying is when I click on one ad and then that ad starts popping up on every single web page I visit.  It’s far from effective, and just kinda stupid.
Crime keeps me up at night.  People stealing my personal data to rip me off is a problem.  Guys trying to sell me crap is annoying but it’s hardly something to get so worked up about.

Excellent article but not much of a surprise. ...There is a market out there for a company to provide a good email account/software where it is not scanned for advertising. People would pay for it…..Also, all we need is some computer techie to cook a program that is like a friendly virus. You leave it on overnight or a few hours during the day and it does random product searches, medical searches and subject searches…just overload that data mining software of these companies. Laws will never be passed to protect privacy and it is only going to get worse. Overloading them my friends, I believe is the only way we can get our privacy back….massively overloading the information they are compiling with bogus information.

Tom Detzel, Senior Editor

June 28, 2012, 5:40 p.m.

John – You’re right, Do Not Track “list” isn’t accurate. A prior reference to the Do Not Track option was correct, but we erred the second time. Thanks for pointing it out; we’ve corrected the story.

Stephen
Today, 7:17 a.m
Companies exist to make profits.
Companies exist because they have public charters. The Public has the rarely used and poorly defined authority to revoke such charters when they fail to perform in accordance with Public strictures. When the watch dogs are given bones or muzzles Mayhem prevails.

So, how do I get necessary updates and still keep out Microsoft’s .net user profile? 800+ megabytes of tracking or some other unknown linkage that I don’t want on my computer. It is very discouraging to see that a news outlet I have never visited before knows who I am in the comments section. (not here at least)
We have to admit that Microsoft is at the heart of this technology by using Windows against us. It says that deleting this “might” affect some programs but will not say which. I don’t have a smart phone that I interface with, or watch tv through my computer, what programs could those be?
Look in ADD/DELETE PROGRAMs on your computer, check “show updates”. I bet you have had it added to yours in the last year as well.

@Peter Maas -  Did you find any leads to Microsoft? Where do you think they fit into this equation and what technology are they contributing?

This is a terrific investigative piece, despite Jeff Chester’s complaint that you didn’t produce a whole book instead of an article on one facet of the personal privacy problem. The FTC has never fully recovered from the ideological assaults it (and other agencies) suffered during the Reagan Administration. I should note that it did begin to recover during the George H.W. Bush Administration, but more resources are urgently required to deal with an unprecedented problem. Nothing better illustrates the problem confronting the FTC in 2012 than the proclamation by Rep. Mica that the most important item on his agenda this year is removing the FTC from its headquarters on Pennsylvania Ave. and turning the building over to the National Portrait Gallery. You can look it up. For the record, I either worked at the FTC or covered it as a journalist for the newsletter FTC:WATCH for 37 years, until I retired.

ChasRip, what you’re saying is actually a bit obsolete.  Between various tricks and depending on how well a user protects himself, a powerful platform can acquire your entire browsing history (most browsers sealed that security hole, which involved listing links and “styling” them to download trackable images) and your live browsing activity (displaying the “share” buttons notifies the owner).  That doesn’t even count the routine analytics information like your IP address, operating system, and browser version (and, stored over time, when you upgrade things).

If you interact with the platform directly (search Google, check your friend’s message on Facebook, and so forth), that information can then be associated with your identity.  If you accessed it via cellphone, the platform may also have your physical location and your provider certainly does.  If it’s a social network, that information can be connected to a list of your relationships and interests (Facebook, I know from former employees, keeps a log of every page they’ve seen you look at).  If you buy something through the platform (advertise on Facebook, pay with Google Checkout, buy from Amazon), they also have your credit card information.

The problem is that this isn’t about advertising.  If you’re so insecure in your masculinity that you’re uncomfortable seeing a reference to a tampon, that’s between you and your therapist.  For the rest of us, it’s a treasure trove for organized crime, stalkers, rogue employees, abusive law enforcement officials, oppressive governments (the web is global, after all), and others.

(To blow this out of proportion and amp up the paranoia, I suspect automated blackmail isn’t far in our future, because it’d be so easy:  Steal databases from an advertising network and a social network, cross-reference them to figure out who visits what sites and how to contact them, open a PayPal account, and send an e-mail or postcard threatening to reveal a porn habit, interest in unpopular social movements, or otherwise destroy their privacy unless they pay up.  Even if you just demand a dollar and find one sucker in every thousand Facebook users, that’s a few million bucks for about an hour’s worth of programming.  With the same data mining work the advertisers are trying to use, using the information to discover probably-secret information about the targets, a criminal could do far better on both price and response rate.)

(Or, some nasty government can find someone who’s been reading about freedom online and arrest him and all his friends as dissidents, by tracking their mobile phones.  Or skip the arrest and send a drone/missile to follow the phone signal, as seems to have happened to Marie Colvin.  Again, except for acquiring the drone, that can all be done automatically.)

Now, it’s possible (right now) to mitigate most of these risks.  Most of the approaches are listed above (Adblock, Ghostery, and similar, search engines like DuckDuckGo that commit to not “outing” you, keeping software up to date, and so forth), but go back to the top of the article.  No matter how smart you think you are, there’s someone getting paid to find some other way you leak information that hasn’t been plugged.

That’s the point of the discussion, after all:  Does an advertising company have a right to this information, just because they say it’s public?  If you don’t like it, should your only option be to enter an arms race to protect yourself from their attacks?

Look at the analogous standpoint:  You lock your doors at night at home, I’d bet, but you wouldn’t be interested in getting rid of the laws against breaking and entering.  And that’s probably true whether you’ve ever been robbed or not.

Why should it be a surprise that a single grad student for no pay was more productive than an entire government agency. NOBODY in a government agency has much of an incentive to be productive in any way whatsoever. Those who didn’t pay attention to the GSA scandal are deluding themselves. It’s not just the GSA, it’s almost ALL levels of government.

Interesting read.

As an information security professional, I consider it a bigger issue that FTC allows its employees to utilize their personal phones/equipment for government use. Isn’t this a violation of policy on uncontrolled equipment?

Heh.  I thought I was being mock-paranoid.  From the EFF’s blog on yesterday’s hearing:

“The issue of cybersecurity arose when the advertising industry’s Bob Liodice struggled under questioning from Senator Rockefeller. Abandoning the meme that the advertising industry was adequately self-regulating to assuage the privacy concerns of users, Liodice switched tactics and began to argue that widespread data collection about our everyday Internet browsing habits was necessary for cybersecurity. When asked whether this included issues such as online sexual predators and identity theft, Liodice agreed.”

Sure.  Advertising companies want to track you…to find out if you’re a sexual predator.  That makes perfect sense.

@JH.  Haters gotta hate, don’t they?  Yes, there are scandals in government - but are you suggesting that doctors don’t work because they get holidays in the Bahamas that are paid for by drug companies?

Your suggestion that nobody in a government agency is productive is absolute rubbish, as shown (for instance) by things like interstate highways and school funding programs, as well as all sorts of other work.  Government may not always do what YOU want, but that’s because you’re wrong.  Government is a bureaucracy and works slowly sometimes, because that is the nature of government - it serves millions of people, and has to consider them all.  A business doesn’t care if it annoys some people as long as it sells a product.

And of course, the flip-side of government not being allowed to perform its function (as in the case of the FTC), is that you don’t have the protections you need and deserve.  And the private sector sure doesn’t have your best interests at heart.  Or do you think you’ll be fine without all of the (government-driven) laws that are intent on protecting your rights?

@John.  Yep, businesses care about your welfare.  In-as-much as they can get your money, they care.  In other words, trust nobody.

Ironically, this very page and web site has 8 “trackers”.

If you use Firefox, add “ghostery”, a web-site tracker display and blocking add-in. Quite interesting how closely page views are watched by a web of commerce.

“the federal government is often the last to know about digital invasions of your privacy”

Of course.

Think about how/why they *would* know: investigating companies AND PEOPLE when there is no probable cause to do so.

If the police did such a thing, you’d rightly be *howling* with rage.

@Sarah: this very page and web site has 8 “trackers”.

Tellingly, AdBlock Plus is blocking… 8 items.

Maybe /ghostery/ is now better and more stable, but it was very unstable a few months ago, regularly crashing FF.

If you ever tried to file one of these complaints with the FTC, EU or CA privacy office, or a State privacy office you will find out that you are automatically their enemy.  If you get an answer at all it will be a list of reasons why your concern is invalid, not under their authority, etc.  The only way they will react or investigate is if they are forced to by public outcry.

Seriously, who cares what an old lady does, who she talks to, how many cookies she bakes, when she does shop, when she has visited her friends, where she used to live, etc.
Nobody really cares about me.  I never put anything on here that I don’t want anyone else to know.  Maybe everyone just needs to not post so much private information if they don’t care for anyone to know.  I’m no one special like I said.  I’m just an old lady.

Michael Desjardins

July 1, 2012, 12:30 a.m.

Summing up what I have learned from this and other similar articles:
1. We can all start protecting ourselves by quitting Facebook.
2. Avoid using Internet Explorer because Microsoft already knows too much about you thru their Windows software.
3. Avoid using Google Chrome because Google Search already knows too much about you.
4. Avoid using Yahoo because they share your info with Microsoft.
5. Avoid using cell phone Apps because many are just as bad.
6. Avoid using Wi-Fi because all your info is not secure.
7. Corporations can sell all the info they collect from our internet and cell phone use and sell it to government officials, employers, private investigators, etc.
This info can easily be used to blackmail future political candidates to toe the line and not try to make any real changes to our country.
Now I’m feeling really creeped out by our corporations and government.

@Michael D

You forgot to check the bona fides of the people from whom you’re buying a tin foil hat.  If you’re not careful, they’ll include a homing signal in that as well, so they know where you’re shopping and with whom.

@ C Mitchell

We’re watching your cookies!

A quick search on this page:

Social networks tracking:
- Facebook Connect
- Twitter Badge
- Google +1
- LinkedIn

Ad network tracking:
- Outbrain

Company tracking:
- Google Analytics

So, while reading this you are being tracked! Good luck.

I am not upset about Google driving around collecting data although when it comes to Android based equipment.

I reside in an authoritarian country but it does far less than the likes of Apple or Google to track me. It has the ability, but it chooses not to. How do I know? Because a senior colonel in the internal police is a good, and trusted, friend and who has shown me what the country knows about me. It was riddled with inaccuracies, in my favour.

As for Google’s war driving, if I am stupid enough to use an open WiFi then it is my responsibility to close it, not Google’s. If I choose to have sex in my garden, visible from the road, am I entitled to demand people look elsewhere? All my computers are on a LAN, in my business and in my home.

When it comes to cell phones I was as mad as hell that Apple and Google were recording, and collecting, my data. I regard my physical location as a key piece of personal data.

So I carry a GPS jammer which I activate whenever I use my Android, which effectively shows I am in the Arctic. If Google chooses to believe I am always in the Arctic using InterNet, so be it.

Sure the cellco might know, if I had a SIM in my Android..

For actually making cell calls I use an ancient cell phone that actually has a pull-out antenna and even an external antenna connector. It doesn’t do GPS, it doesn’t do anything except make calls, when I switch it on.

I also have a pager, so I can learn of who wishes to communicate with me yet it doesn’t reveal my location.

To me the US Government is by far and wide the most intrusive of all and I do everything I can to frustrate any tracking efforts it has in place for all people. On principle.

Web sites, which allegedly the NSA expensively records, are the means I display many of my messages, all encrypted with PGP, so recipients can copy and paste into their computers to decrypt.

There are many other precautions I take but I accept responsibility for ensuring, wherever I can, to never transmit anything raw that I want protected. So come on Google bring your cars over and I’ll make you coffee but you’ll get nothing else.

Click Whisperer

July 1, 2012, 9:24 p.m.

Don’t put anything in writing you don’t want everyone to read - words to live by. Privacy is an illusion.

Jerry Baustian

July 1, 2012, 10:31 p.m.

Do we really want an FTC that knows everything about everyone quicker and more efficiently than private sleuthing?

Get Firefox.  Then get the Do Not Track Plus, AdBlock Plus, and NoScript plugins.

In your browser privacy preferences, accept cookies but clear them when the browser closes (many sites won’t work properly if you reject all cookies).  Also set the browser to clear history when it closes.

Then make it a habit to close and exit the browser completely when you’re done.

If you have access to a proxy site, use that.

That will reduce the amount of tracking breadcrumbs you leave behind.

Oh, and get rid of your Facebook and Twitter accounts.

“Mayer is a 25-year-old student working on law and computer science degrees at Stanford University.”

lolll…Mayer is why Corporate America is trying so hard to offshore anything that might require technical knowledge.  “Threats” such as Mayer are, in my opinion, the why behind the enormous effort to bring back “the glass house” paradigm.  Of course this version is called “the cloud”, but it is identical to “the glass house” in that all knowledge of what is actually going on - to include how data is harvested, filtered, and manipulated before distribution to the plebes - will be absolutely opaque to the public.

You have to understand that it was a lot easier to “cook the books” - for any and all purposes, from the usual financial corruption to hiding such things as “negative outcomes” in health care or large accidental (or intentional) releases of toxins into the environment - back when your only exposure was the handful within “the glass house”; their loyalty could be purchased cost-effectively.

The “cloud” offers that opportunity again - except this time, the computational resources and data will be sited in other nations (the first layer of insulation, as data without context is often useless…you have to know what you’re seeing to detect a red flag) where the fierceness of competition for jobs ensures low-cost loyalty while millennia-old caste and class systems (perhaps strengthened with pervasive state police if Corporate America again turns to their totalitarian brethren in the PRC) ensure everybody knows their place…and so will not “rock the boat” as Americans like Mayer are wont to do.

The way the internet works at this moment is still largely a horizontal information distribution system; that is, once information hits the pipe, it is available to anyone and everyone.  What “the cloud” and the effort to replace the PC with iDumb devices represents is an effort to return information distribution to a vertical system, wherein large amounts of information are collected - go uphill - but only what is deemed “appropriate” for the public to know goes back down.

The non-PC devices offer an opportunity to accelerate that process.  Perhaps those who own specific vendor devices are already familiar with “portals” which, whether they realize it or not, steer them down specific paths…paths where the websites “just work better” with their device.  Paths where what they see is filtered before they even turn their marvelously powerful - but powerful only in terms of displaying what is pushed to them - device on.  Paths where they learn that which they need to know to achieve somebody else’s purposes - purposes mostly having to do with separating them from their money, for now.

But given Citizens United...how long before the websites that “just work” with their devices make sure that they know how to goosestep properly - or, more accurately, that they know who to goosestep with?

Great Post.
The internet computes censorship/blocks as damage and re-routes around it.
Long live Bittorrent and P2P!
I use mipnow.com to bypass all blocks they show you how to surf the net anonymously and privately and how to access all bittorrent sites.

I have a little extension called Collusion (https://chrome.google.com/webstore/detail/ganlifbpkcplnldliibcbegplfmcfigp) that tracks the trackers. When I loaded this article about online privacy, Collusion listed 13 companies tracking me. Interesting.

This article is part of an ongoing investigation:
Surveillance
