On June 28, ProPublica published a story by Peter Maass about the Federal Trade
Commission and its efforts to protect the online privacy of consumers. The
headline of the story was “How a Lone Graduate Student Scooped the
Government and What It Means for Your Online Privacy.” The 5,500 word article
opened with an explanation of how a Stanford computer science student, Jonathan
Mayer, conducted research through which he discovered earlier this year that
Google was circumventing the privacy settings on a large number of iPhones and
placing tracking cookies on them. The story credited Mr. Mayer with figuring
this out before the FTC did. The bulk of the story focused on how well or how
poorly the FTC is dealing with privacy issues as the data-mining industry
explodes and its own budget remains relatively flat.
On June 29, FTC Director of
Public Affairs Cecelia Prewett emailed a letter to us, taking sharp issue with
our work. We have reviewed the story and her comments, and we have corrected
the spelling of the FTC chairman’s name (it is Leibowitz,
not Liebowitz). Otherwise, we believe that no
correction is appropriate.
So that readers can judge
for themselves, we are publishing Ms. Prewett’s
letter in full,
along with follow-up correspondence between her and us. In brief, the letter
attacks us for something we didn’t say (“that the FTC is ineffective”) and for
something that had been widely reported (that the agency “was scooped by a
graduate student on an important matter”) and had gone unchallenged by either
Mr. Mayer or the FTC for months.
The letter also takes us to
task for failing to give the FTC a chance in advance of publication to comment
on the “ineffective” and “scoop” assertions.
We will make a
point-by-point rebuttal of the “ineffective” and failing to seek comment points
below. But first we want to address the “scoop” complaint because it is so
unusual.
Ms. Prewett doesn’t claim
that our story was untrue in asserting that Mr. Mayer scooped the FTC on the
Google cookies matter. Her complaint, instead, is that our story
contains “unwarranted
assumptions” and constitutes “pure supposition” on the scoop
question.
Thus, the two of us find
ourselves in a position that is unique in the combined 75 years we have worked
in journalism. We are tasked with deciding whether to correct reporting that the
subject refuses to say is wrong. Nevertheless, we have reviewed Mr. Maass’
reporting as well as the public record on this issue, and we continue to
believe that our story is right.
The story said Mr. Mayer “unearthed” the cookie problem
and “scooped” the FTC on the issue, and that the FTC “didn’t discover” it.
We continue to believe this is true. First,
with respect to “unearthed” and “scooped” (the latter of which also appeared in
our headline), we intended this to mean, and believe readers would have
understood the article to say, that Mr. Mayer was the first person to bring the
matter to public attention. There is no doubt that was the case. He
did so by publishing on his own blog, simultaneously with the publication of an
article in The Wall Street Journal. The Journal piece, which Mr. Mayer
recently told us he read carefully and found strictly accurate, referred to Mr.
Mayer as having “spotted” the problem. A public uproar and remedial
action by Google followed immediately.
Then there is the phrase that the FTC “didn’t discover”
the matter. Here, after repeated letters, calls and emails
post-publication from the FTC, we are left with the important fact that the
Commission still has never said that it did “discover” the cookies and how
Google had planted them. It has, however, noted amid many elliptical and
circuitous phrasings that it works closely with Mr. Mayer on a number of
things—a relationship Mr. Mayer confirms, and is at admitted pains to
preserve.
It is, of course, possible that Mr. Mayer “discovered” the
problem and told the FTC about it, in the course of his work for them, and before
he told the Journal. Would that mean our statement that the agency
“didn’t discover” it was untrue? We don’t think so. Mr. Mayer is
not on the agency’s staff—he is a graduate student.
It is also conceivable that someone on the FTC staff did
discover the cookies before Mr. Mayer, and that the agency, for its own
reasons, failed to act until Mr. Mayer went to the Journal and the
public. But, again, the FTC has never said or even hinted that this happened,
and there is no evidence that we know of that this occurred. Moreover,
there is evidence to the
contrary. Mr. Mayer, for instance, was described in a live interview on
CNN as “the Stanford grad student who cracked the code.” He did not
demur. On Bloomberg TV, he sat by as he was described as “the guy who
discovered this.” Most significantly, the San Jose Mercury News reported
that “Mayer’s research most recently led to investigations by the FTC…”
All of this was published before our piece, which is why we did not ask the FTC about the “scoop” issue before we published. Neither Mr. Mayer nor the FTC
has, to our knowledge, ever sought a correction from CNN, Bloomberg or the
Mercury News. We have asked them if they intend to do so now, and they
have not responded.
We also, of course, had asked Mr. Mayer for his version.
On May 9, Mr. Maass interviewed Mr. Mayer on the phone for
about an hour, asking persistently about the specific extent of Mr. Mayer’s
involvement with the FTC on his Google research. Mr. Mayer declined to answer
those questions until Mr. Maass reformulated his query into a less-specific
format, asking whether it would be safe for him to report that Mr. Mayer
learned of the Google cookies before the FTC did. Mr. Maass firmly remembers Mr. Mayer
telling him that it would be.
Our story was published on Thursday June 28. Ms. Prewett’s
letter critical of the piece arrived in our inboxes at 4:47 pm on Friday June
29. On Monday July 2, we emailed
her asking whether she was saying our story was untrue. She declined to do so.
On Tuesday July 3, Mr. Maass interviewed Mr. Mayer on the phone for about half
an hour.
Reporter Maass asked Mr. Mayer whether there was anything false
in the story. Mr. Mayer replied
that he had “skimmed” the story and he said, “I can’t remember anything that
jumped out at me.” Mr. Maass then asked whether Mr. Mayer recalled confirming
that it would be safe for Mr. Maass to report that he had scooped the FTC. Mr. Mayer said he recalled Mr. Maass’
questions on this issue but that he did not recall providing the confirmation
that Mr. Maass remembers.
Then, yesterday, July 5, Mr. Mayer emailed a letter to us
flatly asserting that he had not provided the confirmation to Mr. Maass. He called for a correction, not
asserting that the story was inaccurate but because, in his words but echoing
the FTC, it was not “adequately supported.”
So, did Mr. Mayer confirm to Mr. Maass on May 9 that he (Mr.
Mayer) had scooped the FTC? Mr.
Maass firmly recalls that he did. After the story appeared, Mr. Mayer first
said he couldn’t recall providing the confirmation and then, in his letter,
said flatly he had not done so. This is an uncomfortable situation for all
concerned, but we stand by Mr. Maass, who is a longtime and award-winning
journalist with a considerable reputation for fairness and accuracy.
All of which, finally,
brings us to the FTC’s roster of complaints about our reporting of its
performance protecting consumer privacy. It’s mostly a list of things we didn’t
say.
Claim:
“No effort, sincere or otherwise,” was made to provide the FTC with
the opportunity to respond to the reporting in ProPublica’s
story, including what the FTC refers to as the story’s contention that
“the FTC is ineffective.”
Fact: Nowhere
does our story describe the FTC as ineffective. Our reporter interviewed key
FTC officials and asked them about major and minor issues that we reported on,
including the problem of equipment shortages and the use of security filters on
computers used by key researchers and lawyers. The story included their
responses, which on occasion were quite vivid, for instance when David Vladeck, the head of the Consumer Protection Bureau,
responded to a question about European regulators being more agressive than the FTC (his reply, quoted in the story:
“That’s a lie.”) He and other officials were asked–and quoted in the
story–about other important issues, including budgetary and staffing problems,
including the paucity of privacy technologists. In total, the story contains a
significant number of quotes from four different FTC officials as well as an
FTC commissioner and President Obama.
Claim: “The
FTC’s long record of enforcement was given short shrift in the article.”
Fact: We
understand that FTC officials–like officials in almost any government
agency–would prefer that our reporting focus on the good things they have
done, rather than what they are not doing or cannot do. Nonetheless, while our
investigation focused on FTC problems, we provided substantial information
about FTC enforcement actions, and we gave full credit to the skills of key
officials and their desire to do good enforcement work. To begin with, the
story included this quotation from Mr. Vladeck:
“Let me toot our own horn. We’ve gotten an enormous amount done in three
years. I think we are sending a strong signal to the industry–you’ve got to
straighten up and do the right thing.”
Here
is a selection of additional information the story provided about the FTC’s
work and the admirable qualities of key officials: “Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and
tapped as chairman by President Obama in 2009, the FTC has pushed boundaries…The
agency is working with the tech industry to create and voluntarily adopt a Do
Not Track option, so that consumers can avoid some intrusive web tracking by
advertising firms. And it issued a report this year that
called for new legislation to define what data miners can and cannot do…
“The
FTC tries to do the best with what it has. In 2009, with new Obama-era
appointees aboard, it hired Christopher Soghoian, a privacy technologist who
could perform the sort of sophisticated forensics that Mayer conducted on
Google. A year later, in 2010, the FTC hired its first chief technologist,
Edward Felten, a Princeton computer scientist who is
highly regarded in tech policy circles…[Felten] is
the sort of unconventional public servant the FTC has hired in recent years. He
was an expert witness in the landmark antitrust suit against Microsoft, a board
member of the Electronic Frontier Foundation, and in April he participated in a
privacy hackathon with his teenage daughter. . . .
“Big firms like
Google and Facebook, which depend on consumers using their services, cannot get
away with having no policy at all or hiding behind legal hieroglyphics. . . . The
agency pounced when Google
introduced its Buzz social network because Gmail users were more or less swept
into Buzz without their consent, even though Google had previously said it
would not take unilateral action of that sort. The agency can take companies to
court, but its overworked lawyers don’t really have the time to go the distance
against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google,
which agreed to annual privacy audits for 20 years and promised to not lie to
consumers about what the company does with their data. If Google violates the
settlement, it then faces financial penalties that could be quite large —
this is akin to a two-strike rule…
“Vladeck’s appointment, in 2009, was welcomed by
consumer-rights activists because of the nearly three decades he worked as a
crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government
regulation. . . Vladeck has argued four
cases before the U.S. Supreme Court and won three of them . . .”
Claim: “The article
contains some notable inaccuracies. For example: the article states FTC ‘has
less influence over data mining firms like LexisNexis, Choicepoint
and Rapleaf.’ That’s just plain wrong. Both
LexisNexis and Choicepoint are under 20 year orders
with the FTC; and the agency obtained $15 million in relief from Choicepoint.”
Fact: Those orders relate to data-security lapses in
which stored data was accessed by unauthorized parties. The orders do not
relate to the tracking and mining activities that are the focus of our story
and that are the context of the paragraph Ms. Prewett disputes. Additionally,
the agency’s comparatively weak powers over data brokers (versus
consumer-facing firms like Facebook and Twitter) is reflected in its own call,
in a major privacy report it issued earlier this year, for new legislation to
govern what data brokers can and cannot do.
Claim: “The article states the FTC is focusing
enforcement efforts on deception. That’s inaccurate, too. The commission also
has authority over unfair practices, and has used this authority in cases like
Facebook and a peer-to-peer sharing application developer called Frostwire.”
Fact: We never state that the commission does not
have authority over unfair practices. In fact, our story notes that “the
agency was created in 1914 to prevent unfair and deceptive practices in
commerce.” Nor do we state that the agency does not pursue unfair practices
cases. Rather, we make a point that is hardly controversial in privacy
circles–that it is more difficult for the FTC to prove unfairness on data-mining
issues than deception. As we note, “What’s inappropriate data collection
to one person might be fair and harmless to another.”
Further, Mr. Vladeck explicitly mentioned this issue in his interview
with Mr. Maass. In a comment we did not include in the story, Mr. Vladeck said, regarding the Google Street View episode, to
prove “unfairness, not only do you need that but you need harm or
incipient harm to consumers, you need that the harm is not reasonably avoidable
by the consumer, and on both of those issues, there were questions.”
Another FTC official made the same point to Mr. Maass–that under the FTC’s
statutory powers, unfairness would have been particularly hard to prove in the
Street View case.
Claim: Mr. Maass reported that “the internet
and mobile phone labs are in the basement (they are not).”
Fact: Before the story was published, Mr. Maass
confirmed with FTC spokesperson Claudia Farrell that, at the New Jersey Avenue office
of the FTC–which is where Patricia Poss, head of the
Mobile Technology Unit, and much of the FTC privacy staff work—the
internet lab is in the basement.
Claim: “Mr. Maass used
his interview with our staffer, Patti Poss, as a
vehicle to take a gratuitous shot at Patti and our public affairs officer, Claudia
Bourne Farrell. During the interview, Claudia and Patti were discussing how to
respond to Maass’s questions because some of them
were obviously leading and loaded, and others sought non-public information
about the FTC. It seems Mr. Maass felt that quoting these side comments by
Claudia and Patti would be helpful to his overall story narrative by making
them appear defensive. From my perspective, this is a cheap and unprofessional
tactic. It’s certainly hard to see how it furthers the public interest.”
Fact: Earlier in her letter, Ms. Prewett complained
that we did not provide the opportunity for FTC officials to respond to the
hard questions our story asks. Now she is upset that Mr. Maass asked hard
questions and quoted the responses. His questions were neither leading nor
loaded; they elicited statements that provided new information about problems
at an important federal agency. We believe that serves the public interest.
One of the issues
arose when Mr. Maass asked Ms. Poss about the
difficulty she and others have in monitoring consumer hardware and software,
because FTC rules and budget limitations constrain their access to such tools
as Androids and iPhones. As the story says, Ms. Farrell interceded, warning Ms.
Poss: “He’s trying to get you to bitch, Patti. Don’t
do it.” Ms. Poss first tried to comply, then conceded
that “we have some restrictions on the sites we can visit on government
computers.” The exchange was on the record, and quoting it, far from being a
cheap and unprofessional tactic, went to the heart of key challenges the FTC
faces.
