Journalism in the Public Interest

Our FTC Privacy Story and Its Critics

On June 28, ProPublica published a story by Peter Maass about the Federal Trade Commission and its efforts to protect the online privacy of consumers. The headline of the story was "How a Lone Graduate Student Scooped the Government and What It Means for Your Online Privacy." The 5,500 word article opened with an explanation of how a Stanford computer science student, Jonathan Mayer, conducted research through which he discovered earlier this year that Google was circumventing the privacy settings on a large number of iPhones and placing tracking cookies on them. The story credited Mr. Mayer with figuring this out before the FTC did. The bulk of the story focused on how well or how poorly the FTC is dealing with privacy issues as the data-mining industry explodes and its own budget remains relatively flat.

On June 29, FTC Director of Public Affairs Cecelia Prewett emailed a letter to us, taking sharp issue with our work. We have reviewed the story and her comments, and we have corrected the spelling of the FTC chairman's name (it is Leibowitz, not Liebowitz). Otherwise, we believe that no correction is appropriate.

So that readers can judge for themselves, we are publishing Ms. Prewett’s letter in full, along with follow-up correspondence between her and us. In brief, the letter attacks us for something we didn’t say (“that the FTC is ineffective”) and for something that had been widely reported (that the agency “was scooped by a graduate student on an important matter”) and had gone unchallenged by either Mr. Mayer or the FTC for months.

The letter also takes us to task for failing to give the FTC a chance in advance of publication to comment on the “ineffective” and “scoop” assertions.

We will make a point-by-point rebuttal of the “ineffective” and failing to seek comment points below. But first we want to address the “scoop” complaint because it is so unusual.

Ms. Prewett doesn’t claim that our story was untrue in asserting that Mr. Mayer scooped the FTC on the Google cookies matter. Her complaint, instead, is that our story contains "unwarranted assumptions" and constitutes "pure supposition" on the scoop question.

Thus, the two of us find ourselves in a position that is unique in the combined 75 years we have worked in journalism. We are tasked with deciding whether to correct reporting that the subject refuses to say is wrong. Nevertheless, we have reviewed Mr. Maass' reporting as well as the public record on this issue, and we continue to believe that our story is right.

The story said Mr. Mayer “unearthed” the cookie problem and “scooped” the FTC on the issue, and that the FTC “didn’t discover” it.

We continue to believe this is true. First, with respect to “unearthed” and “scooped” (the latter of which also appeared in our headline), we intended this to mean, and believe readers would have understood the article to say, that Mr. Mayer was the first person to bring the matter to public attention. There is no doubt that was the case. He did so by publishing on his own blog, simultaneously with the publication of an article in The Wall Street Journal. The Journal piece, which Mr. Mayer recently told us he read carefully and found strictly accurate, referred to Mr. Mayer as having “spotted” the problem. A public uproar and remedial action by Google followed immediately.

Then there is the phrase that the FTC “didn’t discover” the matter. Here, after repeated letters, calls and emails post-publication from the FTC, we are left with the important fact that the Commission still has never said that it did “discover” the cookies and how Google had planted them. It has, however, noted amid many elliptical and circuitous phrasings that it works closely with Mr. Mayer on a number of things—a relationship Mr. Mayer confirms, and is at admitted pains to preserve.

It is, of course, possible that Mr. Mayer “discovered” the problem and told the FTC about it, in the course of his work for them, and before he told the Journal. Would that mean our statement that the agency “didn’t discover” it was untrue? We don’t think so. Mr. Mayer is not on the agency’s staff—he is a graduate student.

It is also conceivable that someone on the FTC staff did discover the cookies before Mr. Mayer, and that the agency, for its own reasons, failed to act until Mr. Mayer went to the Journal and the public. But, again, the FTC has never said or even hinted that this happened, and there is no evidence that we know of that this occurred. Moreover, there is evidence to the contrary. Mr. Mayer, for instance, was described in a live interview on CNN as “the Stanford grad student who cracked the code.” He did not demur. On Bloomberg TV, he sat by as he was described as “the guy who discovered this.” Most significantly, the San Jose Mercury News reported that “Mayer’s research most recently led to investigations by the FTC…” All of this was published before our piece, which is why we did not ask the FTC about the "scoop" issue before we published. Neither Mr. Mayer nor the FTC has, to our knowledge, ever sought a correction from CNN, Bloomberg or the Mercury News. We have asked them if they intend to do so now, and they have not responded.

We also, of course, had asked Mr. Mayer for his version.

On May 9, Mr. Maass interviewed Mr. Mayer on the phone for about an hour, asking persistently about the specific extent of Mr. Mayer’s involvement with the FTC on his Google research. Mr. Mayer declined to answer those questions until Mr. Maass reformulated his query into a less-specific format, asking whether it would be safe for him to report that Mr. Mayer learned of the Google cookies before the FTC did. Mr. Maass firmly remembers Mr. Mayer telling him that it would be.

Our story was published on Thursday June 28. Ms. Prewett’s letter critical of the piece arrived in our inboxes at 4:47 pm on Friday June 29. On Monday July 2, we emailed her asking whether she was saying our story was untrue. She declined to do so. On Tuesday July 3, Mr. Maass interviewed Mr. Mayer on the phone for about half an hour.

Reporter Maass asked Mr. Mayer whether there was anything false in the story. Mr. Mayer replied that he had “skimmed” the story and he said, “I can’t remember anything that jumped out at me.” Mr. Maass then asked whether Mr. Mayer recalled confirming that it would be safe for Mr. Maass to report that he had scooped the FTC. Mr. Mayer said he recalled Mr. Maass’ questions on this issue but that he did not recall providing the confirmation that Mr. Maass remembers.

Then, yesterday, July 5, Mr. Mayer emailed a letter to us flatly asserting that he had not provided the confirmation to Mr. Maass. He called for a correction, not asserting that the story was inaccurate but because, in his words but echoing the FTC, it was not “adequately supported.”

So, did Mr. Mayer confirm to Mr. Maass on May 9 that he (Mr. Mayer) had scooped the FTC? Mr. Maass firmly recalls that he did. After the story appeared, Mr. Mayer first said he couldn’t recall providing the confirmation and then, in his letter, said flatly he had not done so. This is an uncomfortable situation for all concerned, but we stand by Mr. Maass, who is a longtime and award-winning journalist with a considerable reputation for fairness and accuracy.

All of which, finally, brings us to the FTC’s roster of complaints about our reporting of its performance protecting consumer privacy. It’s mostly a list of things we didn’t say.

Claim: "No effort, sincere or otherwise," was made to provide the FTC with the opportunity to respond to the reporting in ProPublica's story, including what the FTC refers to as the story's contention that "the FTC is ineffective."

Fact: Nowhere does our story describe the FTC as ineffective. Our reporter interviewed key FTC officials and asked them about major and minor issues that we reported on, including the problem of equipment shortages and the use of security filters on computers used by key researchers and lawyers. The story included their responses, which on occasion were quite vivid, for instance when David Vladeck, the head of the Consumer Protection Bureau, responded to a question about European regulators being more agressive than the FTC (his reply, quoted in the story: "That's a lie.") He and other officials were asked--and quoted in the story--about other important issues, including budgetary and staffing problems, including the paucity of privacy technologists. In total, the story contains a significant number of quotes from four different FTC officials as well as an FTC commissioner and President Obama.

Claim: "The FTC's long record of enforcement was given short shrift in the article."

Fact: We understand that FTC officials--like officials in almost any government agency--would prefer that our reporting focus on the good things they have done, rather than what they are not doing or cannot do. Nonetheless, while our investigation focused on FTC problems, we provided substantial information about FTC enforcement actions, and we gave full credit to the skills of key officials and their desire to do good enforcement work. To begin with, the story included this quotation from Mr. Vladeck: "Let me toot our own horn. We've gotten an enormous amount done in three years. I think we are sending a strong signal to the industry--you've got to straighten up and do the right thing."

Here is a selection of additional information the story provided about the FTC's work and the admirable qualities of key officials: "Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries...The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do...

“The FTC tries to do the best with what it has. In 2009, with new Obama-era appointees aboard, it hired Christopher Soghoian, a privacy technologist who could perform the sort of sophisticated forensics that Mayer conducted on Google. A year later, in 2010, the FTC hired its first chief technologist, Edward Felten, a Princeton computer scientist who is highly regarded in tech policy circles...[Felten] is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. . . .

“Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. . . . The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large — this is akin to a two-strike rule...

“Vladeck's appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. . . Vladeck has argued four cases before the U.S. Supreme Court and won three of them . . .”

Claim: "The article contains some notable inaccuracies. For example: the article states FTC 'has less influence over data mining firms like LexisNexis, Choicepoint and Rapleaf.' That's just plain wrong. Both LexisNexis and Choicepoint are under 20 year orders with the FTC; and the agency obtained $15 million in relief from Choicepoint."

Fact: Those orders relate to data-security lapses in which stored data was accessed by unauthorized parties. The orders do not relate to the tracking and mining activities that are the focus of our story and that are the context of the paragraph Ms. Prewett disputes. Additionally, the agency's comparatively weak powers over data brokers (versus consumer-facing firms like Facebook and Twitter) is reflected in its own call, in a major privacy report it issued earlier this year, for new legislation to govern what data brokers can and cannot do.

Claim: "The article states the FTC is focusing enforcement efforts on deception. That's inaccurate, too. The commission also has authority over unfair practices, and has used this authority in cases like Facebook and a peer-to-peer sharing application developer called Frostwire."

Fact: We never state that the commission does not have authority over unfair practices. In fact, our story notes that "the agency was created in 1914 to prevent unfair and deceptive practices in commerce." Nor do we state that the agency does not pursue unfair practices cases. Rather, we make a point that is hardly controversial in privacy circles--that it is more difficult for the FTC to prove unfairness on data-mining issues than deception. As we note, "What's inappropriate data collection to one person might be fair and harmless to another."

Further, Mr. Vladeck explicitly mentioned this issue in his interview with Mr. Maass. In a comment we did not include in the story, Mr. Vladeck said, regarding the Google Street View episode, to prove "unfairness, not only do you need that but you need harm or incipient harm to consumers, you need that the harm is not reasonably avoidable by the consumer, and on both of those issues, there were questions." Another FTC official made the same point to Mr. Maass--that under the FTC's statutory powers, unfairness would have been particularly hard to prove in the Street View case.

Claim: Mr. Maass reported that "the internet and mobile phone labs are in the basement (they are not)."

Fact: Before the story was published, Mr. Maass confirmed with FTC spokesperson Claudia Farrell that, at the New Jersey Avenue office of the FTC--which is where Patricia Poss, head of the Mobile Technology Unit, and much of the FTC privacy staff work—the internet lab is in the basement.

Claim: "Mr. Maass used his interview with our staffer, Patti Poss, as a vehicle to take a gratuitous shot at Patti and our public affairs officer, Claudia Bourne Farrell. During the interview, Claudia and Patti were discussing how to respond to Maass's questions because some of them were obviously leading and loaded, and others sought non-public information about the FTC. It seems Mr. Maass felt that quoting these side comments by Claudia and Patti would be helpful to his overall story narrative by making them appear defensive. From my perspective, this is a cheap and unprofessional tactic. It's certainly hard to see how it furthers the public interest."

Fact: Earlier in her letter, Ms. Prewett complained that we did not provide the opportunity for FTC officials to respond to the hard questions our story asks. Now she is upset that Mr. Maass asked hard questions and quoted the responses. His questions were neither leading nor loaded; they elicited statements that provided new information about problems at an important federal agency. We believe that serves the public interest.

One of the issues arose when Mr. Maass asked Ms. Poss about the difficulty she and others have in monitoring consumer hardware and software, because FTC rules and budget limitations constrain their access to such tools as Androids and iPhones. As the story says, Ms. Farrell interceded, warning Ms. Poss: “He’s trying to get you to bitch, Patti. Don’t do it.” Ms. Poss first tried to comply, then conceded that “we have some restrictions on the sites we can visit on government computers.” The exchange was on the record, and quoting it, far from being a cheap and unprofessional tactic, went to the heart of key challenges the FTC faces.

It is always a shame when government agencies feel they need to send PR flacks in to bat for them.  The reader is used to attempts to distract them from problems, mislead them about mistakes, prevaricate about possibilities.

It certainly sounds like the FTC had an opportunity to say “we welcome your story.  It has provided us with fresh leads, and a lot of issues to deal with.  We cannot comment on what the FTC has been doing in relation to this issue, but are keen to work both with the public and with ProPublica to address issues within this agency’s remit”.

Instead, the FTC has gone to some PR hack who cannot bear the idea of saying “maybe we can do things a bit better”, and sticks to the line that their employer is always, and must always be right.

The details of who scooped whom, and who was working upon what, are becoming less important than this game of information management and spin.

Jeffrey Chester

July 7, 2012, 11:44 a.m.

This is an inadequate review and analysis of the story.  I asked many of the consumer and privacy groups which deal with the FTC if they had been interviewed by Mr. Maass.  They all responded they hadn’t been contacted.  For a report not to interview the leading groups working on privacy at the FTC doesn’t reflect the level of serious journalism one associates with Pro Publica.  The report also failed to provide the context of the political and regulatory environment that shapes privacy decisions—something essential if one is to understand the issue and the FTC’s role.  Privacy and consumer advocates have both criticism and support for the FTC under Chairman Leibowitz.  But it has made significant strides on a complex issue that is at the heart of our political and financial system.  Greater in-depth reporting was required to do this story—but what we had appeared designed to grab a cheap headline. Pro Publica should insist its journalists engage in investigative reporting—recording interviews, obtaining documents, speaking to a broad range of sources. I urge you to commission another report on the privacy issue, including the FTC’s role.  The public deserves more serious reporting, analysis and nuance about a issue that affects our daily lives.

To me, it casts a much worse light on the FTC that they feel the need to get defensive about facts rather than deal with said facts.

I mean, the fact of the matter is that the FTC is behind the 8-ball.  Congress refuses to pass modern privacy laws and they’re surely undermanned with respect to the number of companies that acquire data from each of us, especially when the technology is evolving quickly.

The smart move in a situation like this is to accept any help that’s available, without worrying who “cracked the code” first.  Imagine if your local police department closed down their tip line and got into shouting matches with anybody who claimed to have witnessed a crime!

Tell us how ProPublica tracks IPs of people who leave comments here. Tell us how an anonymous commentator “scooped” ProPublica’s collection and tracking of information that can identify commentators—in some cases their home address—by their IP. And tell us whether ProPublica shares this information collected about people who comments on its stories with any of the left-wing list-management agencies it uses.

Jorge Banister

July 9, 2012, 9 p.m.

Here’s the problem: “Scoop” is a vernacular term used to describe one media outlet getting a story before competing media outlet gets the story. The FTC is not a media outlet. There was no competing media outlet for Mr. Mayer to “scoop.”

Mr. Mayer did what any active citizen might do—he helped a public agency pick up slack by reporting irregularities he discovered on his own. His action is little different than a resident reporting suspicious activity seen in a residential neighborhood. We wouldn’t say a resident “scooped” police by reporting a suspected burglary. No local crime reporter would long be welcome in the back room of a police station after blaring in a headline that a citizen who reported a crime “scooped” police. And yes, journalists are routinely expected not to unnecessarily insult their sources in a way that will impair other journalists’ capacity to maintain productive dialogue with public officials.

Use of the term “scooped” in ProPublica’s headline aggrandizes the role of journalists - albeit in this case a citizen journalist who reported on his blog what he had discovered. The term “scoop” implies Mayer’s research is newsworthiness, and inflates the privacy concern he reported. Why not interview expert sources who could tell us in their view how this privacy concern compares to other matters as a policy concern.
Moreover, ProPublica is selective in who is granted the coveted “scoop” badge. In this instance, it goes to someone whose findings advance ProPublica’s business and political goals. ProPublica would be wont to report that a right-wing citizen’s group “scooped” immigration officials if the citizen’s group reported illegal immigrant activity on a blog, perhaps co-published with an Arizona newspaper. The facts of the immigration matter would be similar in form to the “scoop” ProPublica attributed to the grad student.

The selective use of an inappropriate term that aggrandizes the role of citizen journalists appears to some of us readers to be an effort on ProPublica’s part to toot its horn after ProPubica was scooped. ProPublica didn’t scoop anybody in this story. It put a National Enquirer style headline above a come-lately story it repeated weeks after several other media outlets had followed a story first published in an outlet owned by a reviled competitor—Mr. Murdoch. Here’s the truth: With the help of a citizen journalist, Rupert Murdoch scooped ProPublica.

Why didn’t a seasoned reporter such as Maas not record the entire conversation?  That throws the entire story regarding Mayer into question. All reporters record their interviews, period. They all carry recording devices, and certainly have devices that hook up to telephone conversations. I have reporters in my family with much less experience and documented reportorial expertise than Mr. Maas, so I look askance at Maas’s claims of conversation with Mayer.,

This article is part of an ongoing investigation:

Dragnets: Tracking Censorship and Surveillance

ProPublica investigates the threats to privacy in an era of cellphones, data mining and cyberwar.

Get Updates

Our Hottest Stories