Our FTC Privacy Story and Its Critics
On June 28, ProPublica published a story by Peter Maass about the Federal Trade Commission and its efforts to protect the online privacy of consumers. The headline of the story was "How a Lone Graduate Student Scooped the Government and What It Means for Your Online Privacy." The 5,500 word article opened with an explanation of how a Stanford computer science student, Jonathan Mayer, conducted research through which he discovered earlier this year that Google was circumventing the privacy settings on a large number of iPhones and placing tracking cookies on them. The story credited Mr. Mayer with figuring this out before the FTC did. The bulk of the story focused on how well or how poorly the FTC is dealing with privacy issues as the data-mining industry explodes and its own budget remains relatively flat.
On June 29, FTC Director of Public Affairs Cecelia Prewett emailed a letter to us, taking sharp issue with our work. We have reviewed the story and her comments, and we have corrected the spelling of the FTC chairman's name (it is Leibowitz, not Liebowitz). Otherwise, we believe that no correction is appropriate.
So that readers can judge for themselves, we are publishing Ms. Prewett’s letter in full, along with follow-up correspondence between her and us. In brief, the letter attacks us for something we didn’t say (“that the FTC is ineffective”) and for something that had been widely reported (that the agency “was scooped by a graduate student on an important matter”) and had gone unchallenged by either Mr. Mayer or the FTC for months.
The letter also takes us to task for failing to give the FTC a chance in advance of publication to comment on the “ineffective” and “scoop” assertions.
We will make a point-by-point rebuttal of the “ineffective” and failing to seek comment points below. But first we want to address the “scoop” complaint because it is so unusual.
Ms. Prewett doesn’t claim that our story was untrue in asserting that Mr. Mayer scooped the FTC on the Google cookies matter. Her complaint, instead, is that our story contains "unwarranted assumptions" and constitutes "pure supposition" on the scoop question.
Thus, the two of us find ourselves in a position that is unique in the combined 75 years we have worked in journalism. We are tasked with deciding whether to correct reporting that the subject refuses to say is wrong. Nevertheless, we have reviewed Mr. Maass' reporting as well as the public record on this issue, and we continue to believe that our story is right.
The story said Mr. Mayer “unearthed” the cookie problem and “scooped” the FTC on the issue, and that the FTC “didn’t discover” it.
We continue to believe this is true. First, with respect to “unearthed” and “scooped” (the latter of which also appeared in our headline), we intended this to mean, and believe readers would have understood the article to say, that Mr. Mayer was the first person to bring the matter to public attention. There is no doubt that was the case. He did so by publishing on his own blog, simultaneously with the publication of an article in The Wall Street Journal. The Journal piece, which Mr. Mayer recently told us he read carefully and found strictly accurate, referred to Mr. Mayer as having “spotted” the problem. A public uproar and remedial action by Google followed immediately.
Then there is the phrase that the FTC “didn’t discover” the matter. Here, after repeated letters, calls and emails post-publication from the FTC, we are left with the important fact that the Commission still has never said that it did “discover” the cookies and how Google had planted them. It has, however, noted amid many elliptical and circuitous phrasings that it works closely with Mr. Mayer on a number of things—a relationship Mr. Mayer confirms, and is at admitted pains to preserve.
It is, of course, possible that Mr. Mayer “discovered” the problem and told the FTC about it, in the course of his work for them, and before he told the Journal. Would that mean our statement that the agency “didn’t discover” it was untrue? We don’t think so. Mr. Mayer is not on the agency’s staff—he is a graduate student.
It is also conceivable that someone on the FTC staff did discover the cookies before Mr. Mayer, and that the agency, for its own reasons, failed to act until Mr. Mayer went to the Journal and the public. But, again, the FTC has never said or even hinted that this happened, and there is no evidence that we know of that this occurred. Moreover, there is evidence to the contrary. Mr. Mayer, for instance, was described in a live interview on CNN as “the Stanford grad student who cracked the code.” He did not demur. On Bloomberg TV, he sat by as he was described as “the guy who discovered this.” Most significantly, the San Jose Mercury News reported that “Mayer’s research most recently led to investigations by the FTC…” All of this was published before our piece, which is why we did not ask the FTC about the "scoop" issue before we published. Neither Mr. Mayer nor the FTC has, to our knowledge, ever sought a correction from CNN, Bloomberg or the Mercury News. We have asked them if they intend to do so now, and they have not responded.
We also, of course, had asked Mr. Mayer for his version.
On May 9, Mr. Maass interviewed Mr. Mayer on the phone for about an hour, asking persistently about the specific extent of Mr. Mayer’s involvement with the FTC on his Google research. Mr. Mayer declined to answer those questions until Mr. Maass reformulated his query into a less-specific format, asking whether it would be safe for him to report that Mr. Mayer learned of the Google cookies before the FTC did. Mr. Maass firmly remembers Mr. Mayer telling him that it would be.
Our story was published on Thursday June 28. Ms. Prewett’s letter critical of the piece arrived in our inboxes at 4:47 pm on Friday June 29. On Monday July 2, we emailed her asking whether she was saying our story was untrue. She declined to do so. On Tuesday July 3, Mr. Maass interviewed Mr. Mayer on the phone for about half an hour.
Reporter Maass asked Mr. Mayer whether there was anything false in the story. Mr. Mayer replied that he had “skimmed” the story and he said, “I can’t remember anything that jumped out at me.” Mr. Maass then asked whether Mr. Mayer recalled confirming that it would be safe for Mr. Maass to report that he had scooped the FTC. Mr. Mayer said he recalled Mr. Maass’ questions on this issue but that he did not recall providing the confirmation that Mr. Maass remembers.
Then, yesterday, July 5, Mr. Mayer emailed a letter to us flatly asserting that he had not provided the confirmation to Mr. Maass. He called for a correction, not asserting that the story was inaccurate but because, in his words but echoing the FTC, it was not “adequately supported.”
So, did Mr. Mayer confirm to Mr. Maass on May 9 that he (Mr. Mayer) had scooped the FTC? Mr. Maass firmly recalls that he did. After the story appeared, Mr. Mayer first said he couldn’t recall providing the confirmation and then, in his letter, said flatly he had not done so. This is an uncomfortable situation for all concerned, but we stand by Mr. Maass, who is a longtime and award-winning journalist with a considerable reputation for fairness and accuracy.
All of which, finally, brings us to the FTC’s roster of complaints about our reporting of its performance protecting consumer privacy. It’s mostly a list of things we didn’t say.
Claim: "No effort, sincere or otherwise," was made to provide the FTC with the opportunity to respond to the reporting in ProPublica's story, including what the FTC refers to as the story's contention that "the FTC is ineffective."
Fact: Nowhere does our story describe the FTC as ineffective. Our reporter interviewed key FTC officials and asked them about major and minor issues that we reported on, including the problem of equipment shortages and the use of security filters on computers used by key researchers and lawyers. The story included their responses, which on occasion were quite vivid, for instance when David Vladeck, the head of the Consumer Protection Bureau, responded to a question about European regulators being more agressive than the FTC (his reply, quoted in the story: "That's a lie.") He and other officials were asked--and quoted in the story--about other important issues, including budgetary and staffing problems, including the paucity of privacy technologists. In total, the story contains a significant number of quotes from four different FTC officials as well as an FTC commissioner and President Obama.
Claim: "The FTC's long record of enforcement was given short shrift in the article."
Fact: We understand that FTC officials--like officials in almost any government agency--would prefer that our reporting focus on the good things they have done, rather than what they are not doing or cannot do. Nonetheless, while our investigation focused on FTC problems, we provided substantial information about FTC enforcement actions, and we gave full credit to the skills of key officials and their desire to do good enforcement work. To begin with, the story included this quotation from Mr. Vladeck: "Let me toot our own horn. We've gotten an enormous amount done in three years. I think we are sending a strong signal to the industry--you've got to straighten up and do the right thing."
Here is a selection of additional information the story provided about the FTC's work and the admirable qualities of key officials: "Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries...The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do...
“The FTC tries to do the best with what it has. In 2009, with new Obama-era appointees aboard, it hired Christopher Soghoian, a privacy technologist who could perform the sort of sophisticated forensics that Mayer conducted on Google. A year later, in 2010, the FTC hired its first chief technologist, Edward Felten, a Princeton computer scientist who is highly regarded in tech policy circles...[Felten] is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. . . .
“Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. . . . The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large — this is akin to a two-strike rule...
“Vladeck's appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. . . Vladeck has argued four cases before the U.S. Supreme Court and won three of them . . .”
Claim: "The article contains some notable inaccuracies. For example: the article states FTC 'has less influence over data mining firms like LexisNexis, Choicepoint and Rapleaf.' That's just plain wrong. Both LexisNexis and Choicepoint are under 20 year orders with the FTC; and the agency obtained $15 million in relief from Choicepoint."
Fact: Those orders relate to data-security lapses in which stored data was accessed by unauthorized parties. The orders do not relate to the tracking and mining activities that are the focus of our story and that are the context of the paragraph Ms. Prewett disputes. Additionally, the agency's comparatively weak powers over data brokers (versus consumer-facing firms like Facebook and Twitter) is reflected in its own call, in a major privacy report it issued earlier this year, for new legislation to govern what data brokers can and cannot do.
Claim: "The article states the FTC is focusing enforcement efforts on deception. That's inaccurate, too. The commission also has authority over unfair practices, and has used this authority in cases like Facebook and a peer-to-peer sharing application developer called Frostwire."
Fact: We never state that the commission does not have authority over unfair practices. In fact, our story notes that "the agency was created in 1914 to prevent unfair and deceptive practices in commerce." Nor do we state that the agency does not pursue unfair practices cases. Rather, we make a point that is hardly controversial in privacy circles--that it is more difficult for the FTC to prove unfairness on data-mining issues than deception. As we note, "What's inappropriate data collection to one person might be fair and harmless to another."
Further, Mr. Vladeck explicitly mentioned this issue in his interview with Mr. Maass. In a comment we did not include in the story, Mr. Vladeck said, regarding the Google Street View episode, to prove "unfairness, not only do you need that but you need harm or incipient harm to consumers, you need that the harm is not reasonably avoidable by the consumer, and on both of those issues, there were questions." Another FTC official made the same point to Mr. Maass--that under the FTC's statutory powers, unfairness would have been particularly hard to prove in the Street View case.
Claim: Mr. Maass reported that "the internet and mobile phone labs are in the basement (they are not)."
Fact: Before the story was published, Mr. Maass confirmed with FTC spokesperson Claudia Farrell that, at the New Jersey Avenue office of the FTC--which is where Patricia Poss, head of the Mobile Technology Unit, and much of the FTC privacy staff work—the internet lab is in the basement.
Claim: "Mr. Maass used his interview with our staffer, Patti Poss, as a vehicle to take a gratuitous shot at Patti and our public affairs officer, Claudia Bourne Farrell. During the interview, Claudia and Patti were discussing how to respond to Maass's questions because some of them were obviously leading and loaded, and others sought non-public information about the FTC. It seems Mr. Maass felt that quoting these side comments by Claudia and Patti would be helpful to his overall story narrative by making them appear defensive. From my perspective, this is a cheap and unprofessional tactic. It's certainly hard to see how it furthers the public interest."
Fact: Earlier in her letter, Ms. Prewett complained that we did not provide the opportunity for FTC officials to respond to the hard questions our story asks. Now she is upset that Mr. Maass asked hard questions and quoted the responses. His questions were neither leading nor loaded; they elicited statements that provided new information about problems at an important federal agency. We believe that serves the public interest.
One of the issues arose when Mr. Maass asked Ms. Poss about the difficulty she and others have in monitoring consumer hardware and software, because FTC rules and budget limitations constrain their access to such tools as Androids and iPhones. As the story says, Ms. Farrell interceded, warning Ms. Poss: “He’s trying to get you to bitch, Patti. Don’t do it.” Ms. Poss first tried to comply, then conceded that “we have some restrictions on the sites we can visit on government computers.” The exchange was on the record, and quoting it, far from being a cheap and unprofessional tactic, went to the heart of key challenges the FTC faces.
ProPublica investigates the threats to privacy in an era of cellphones, data mining and cyberwar.