Cyberthreat Sharing and Antitrust

Top News

  • FTC Fails to Address Privacy in Settlement with Zoom: The FTC has reached a settlement with Zoom requiring the company to address data security but fails to address user privacy. Writing in dissent, Commissioner Slaughter said, "When companies offer services with serious security and privacy implications for their users, the Commission must make sure that its orders address not only security but also privacy." Commissioner Chopra, also dissenting, wrote "The FTC’s status quo approach to privacy, security, and other data protection law violations is ineffective." In July 2019, EPIC sent a detailed complaint to the FTC citing the flaws with Zoom and warning that the company had "exposed users to the risk of remote surveillance, unwanted video calls, and denial-of-service attack." In April 2020, EPIC wrote to Chairman Simons urging the FTC to open an investigation. EPIC has long advocated for the creation of a U.S. data protection agency. (Nov. 9, 2020)
  • Department of Justice Files Antitrust Suit Against Google: The Department of Justice has filed an antitrust case against Google in federal court, alleging violations of anti-monopoly laws in the search and advertising markets. EPIC has long warned regulators about the harmful privacy consequences of market consolidation by Google and other technology firms. More than a decade ago, EPIC urged the FTC to block Google’s proposed acquisition of DoubleClick. EPIC said that the acquisition would enable Google to collect the personal information of billions of users and track their browsing activities across the web. EPIC correctly warned that this acquisition would accelerate Google’s dominance of the online advertising industry and diminish competition. The FTC ultimately allowed the merger to go forward. EPIC has since repeatedly warned the FTC that other mergers posed similar risks to consumer privacy and competition. In 2011, EPIC warned the FTC that Google’s dominance in the internet search marketplace was allowing it to preference its own content in search results. Today Google occupies 92% of the search market worldwide. (Oct. 20, 2020)
  • EPIC to Senate Commerce: the U.S. Needs a Data Protection Agency: In a statement to the Senate Commerce Committee before a hearing on the need for federal privacy legislation, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. EPIC laid out the FTC's typical privacy playbook: consent decrees, infrequent penalties, and no meaningful changes in business practices. "The FTC does not have the motivation or the tools necessary to enforce meaningful privacy and data protection rights in 2020," EPIC said, pointing to settlements the FTC had reached with Facebook, Google, YouTube, Uber, and Equifax. EPIC also noted the FTC's failure to use its existing authority to regulate privacy, including its rulemaking authority under Section 5 to establish stronger data security standards. "If the FTC fails to use these authorities, then the Commission is not capable of protecting Americans’ privacy, and the Commission should no longer be trusted to do so," EPIC stated. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency. (Sep. 22, 2020)
  • EPIC: "Regulators Failed and Google Turned The Internet Into a Surveillance Machine": In advance of a Senate Judiciary Committee hearing on "Stacking the Tech: Has Google harmed competition in online advertising?," EPIC argued in a Medium post that the answer to that question is obviously yes, but Congress shares some of the blame. "There are many problems with today's online advertising systems," EPIC wrote, "[b]ut it didn't have to be this way. More active regulation by the government could have sustained online advertising models that were good for advertisers and businesses and for consumers, journalism, and democracy." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Sep. 15, 2020)
  • EPIC to Senate Commerce: Hold Hearing on Data Protection Agency Legislation: In a statement to the Senate Commerce Committee before a Federal Trade Commission oversight hearing, EPIC urged lawmakers to establish an independent U.S. Data Protection Agency. "When it comes to data protection, the FTC is not up to the task. It is time to establish an independent federal data protection agency in the United States," EPIC wrote. EPIC pointed to the FTC's failure to both stop mergers that threaten consumer privacy and enforce its own consent orders. EPIC urged the Committee to hold a hearing on and give a favorable report to S. 3300, the Data Protection Act filed by Senator Gillibrand, which creates an independent U.S. Data Protection Agency. (Aug. 4, 2020)
  • Lawmakers Request FTC Privacy Investigation Into Adtech Industry : A bipartisan group of lawmakers led by Senators Ron Wyden [D-Ore.] and BIll Cassidy [R-La.] today called on the Federal Trade Commission to investigate the online ad economy. Wyden, Cassidy and other members asked the FTC to investigate how personal data, including the tracking of individuals at places of worship and protests, collected from Americans’ phones to deliver advertisements is being obtained by data brokers and sold without the knowledge or consent of users. The lawmakers urged the FTC to open a 6(b) investigation into the matter. Earlier this year, consumer groups called on the FTC to use its 6(b) authority to conduct a study on companies collecting data on children. No action has been taken on that request. In addition to Sens. Wyden and Cassidy, the letter is signed by Sens. Maria Cantwell, D-Wash., Sherrod Brown, D-Ohio, Elizabeth Warren, D-Mass., and Edward Markey, D-Mass. Reps. Anna Eshoo, D-Calif, Zoe Lofgren, D-Calif., Yvette D. Clarke, D-N.Y., and Ro Khanna, D-Calif., signed as well. EPIC has filed many detailed complaints with the FTC regarding consumer privacy and has called for the creation of a U.S. Data Protection Agency due to the FTC's lack of action on privacy issues. (Jul. 31, 2020)
  • Groups Tell FTC to Investigate TikTok’s Failure to Protect Children’s Privacy: EPIC and coalition of child advocacy, consumer, and privacy groups today filed a complaint urging the Federal Trade Commission to investigate and penalize TikTok for violating the Children's Online Privacy Protection Act. TikTok paid a $5.7 million fine for violating the children's privacy law last year. But more than a year later, TikTok has failed to delete personal information previously collected from children and is still collecting kids’ personal information without notice to and consent of parents. The groups were led by the Campaign for a Commercial-Free Childhood and the Center for Digital Democracy. (May. 14, 2020)
  • New York AG Reaches Agreement with Zoom over Privacy Violations: New York Attorney General Letitia James has announced an agreement with Zoom Video Communications following an investigation into Zoom's consumer safeguards. Zoom agreed to enhance encryption protocols, perform yearly penetration testing, and add privacy-enhancing features to its platform. The agreement also provides enhanced privacy controls for education accounts. Last month, EPIC urged the FTC to issue best practices for online conferencing. (May. 8, 2020)
  • Senators Call on FTC to Investigate Ed Tech, Advertising Aimed at Children: A bipartisan group of Senators has urged the Federal Trade Commission to launch an investigation into children's data practices in the educational technology and digital advertising sectors. In a letter to the FTC, Senators Edward Markey (D-Mass.), Josh Hawley (R-Mo.), Richard Blumenthal (D-Conn.), Bill Cassidy (R-La.), Dick Durbin (D-Ill.), and Marsha Blackburn (R-Tenn.) said "The FTC should use its investigatory powers to better understand commercial entities that engage in online advertising to children—especially how those commercial entities are shifting their marketing strategies in response to the Coronavirus pandemic and increased screen time among children." In December 2019, EPIC submitted comments to the FTC on the agency's regulatory review of the Children's Online Privacy Protection Act (COPPA) Rules. EPIC said the FTC should : (1) maintain the strong safeguards for children's data, (2) reject the "school official exception", (3) the FTC define the term "commercial purpose" and ensure that children's personal data collected in schools is not transferred to EdTech companies; and (4) the FTC require notification within forty-eight hours of a data breach of children's data by a company subject to COPPA. (May. 8, 2020)
  • Court Approves FTC-Facebook Deal, But Says Data Protection Laws Need Updating: Despite objections from EPIC and other consumer groups, a federal judge has approved the Federal Trade Commission’s settlement with Facebook over the company’s alleged violations of the 2012 consent decree and the FTC Act. The court called Facebook’s alleged conduct “stunning,” “unscrupulous,” “shocking,” and “underhanded,” and even stated that it “might well have fashioned different remedies were it doing so out of whole cloth.” The court nevertheless approved the deal because of the “deferential” standard it felt bound to apply, but the court warned that, should the FTC accuse Facebook of further violations of the law, the court “may not apply quite the same deference to the terms of a proposed resolution.” EPIC had moved to intervene in the case and filed an amicus brief arguing that the deal imposes “few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” The court denied EPIC’s motion to intervene but acknowledged that EPIC’s arguments as amicus “call into question the adequacy of laws governing how technology companies that collect and monetize Americans’ personal information must treat that information.” (Apr. 24, 2020)
  • EPIC Urges FTC to Investigate Zoom, Issue Best Practices for Online Conferencing: In a letter to FTC Chairman Joe Simons, EPIC urged the FTC to "open an investigation of Zoom's business practices and to issue, as soon as practicable, Best Practices for Online Conferencing Services." The EPIC letter followed a 2019 complaint from EPIC warning that Zoom had "placed at risk the privacy and security of the users of its services." EPIC also explained to the FTC that Zoom had "exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attack." In the April 2020 letter to the Commission, EPIC reminded the Commission that it acted on similar complaints from EPIC concerning Facebook and Google but failed to act on the Zoom complaint. EPIC cited widespread reports of privacy and security flaws with the online conferencing service. EPIC wrote, "Now more than ever, the Federal Trade Commission has a responsibility to safeguard American consumers. We urge you to act." (Apr. 5, 2020)
  • Senators Again Question White House Google Website Plan: Five U.S. Senators have sent a follow-up letter to Google requesting more information about the company's plans to protect user data on the coronavirus screening website. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker had sent a letter to the White House expressing concern about the website two weeks ago. The Senators wrote now to say that personal data should "not be used for any commercial purposes in the future, and Verily should clearly state if the collected information is in compliance with the Health Insurance Portability and Accountability Act (HIPAA)." The Senators asked for responses to several questions by April 6, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices as a consequence of EPIC's complaints about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google. (Apr. 1, 2020)
  • Privacy International Tracks Privacy Impact of Response to COVID-19: Privacy International has created a resource to track the privacy implications of the various responses to the Coronavirus by tech companies, governments, and international agencies. Some responses to the pandemic involve mass surveillance and locational tracking that impact on privacy and human rights. For example, Israel plans to use cellphone data for contact tracing and a U.S. company Athena Security has proposed mass surveillance for temperature monitoring. U.S. Senators have written to the Federal Trade Commission and the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. (Mar. 19, 2020)
  • Senators Question White House Google Website Plan: Five U.S. Senators have sent a letter to the White House expressing concern over the privacy implications of the Administration's plan to allow Google to establish a virus screening website for COVID-19. Senators Bob Menendez, Sherrod Brown, Richard Blumenthal, Kamala Harris, and Cory Booker said "If the Administration and the private company responsible for launching and maintaining the website does not establish sufficient privacy safeguards, Americans who use the site will be more susceptible to identity theft, negative credit decisions, and employment discrimination." The Senators asked for responses to thirteen questions by March 30, 2020. Google is under a consent order that gives the FTC authority to oversee the company's privacy practices. The FTC consent order followed complaints by EPIC about Google Buzz. EPIC later sued the FTC, EPIC v. FTC, for the agency's failure to enforce the consent against Google. (Mar. 19, 2020)
  • FTC Publishes Privacy and Data Security Update: The FTC has published "Privacy & Data Security Update for 2019." The FTC report summarizes the enforcement actions the agency pursued last year, including the proposed settlement with Facebook. EPIC challenged the settlement, arguing that the "Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC also uncovered 29,000 complaints against Facebook, currently pending at the FTC. The Court required the FTC and Facebook to respond to EPIC's objections. EPIC and other consumer organizations have many privacy complaints currently pending at the FTC that the Commission has failed to pursue. EPIC recently filed complaints with the FTC on HireVue and Airbnb for unfair and deceptive uses of AI. (Feb. 27, 2020)
  • EPIC Files Complaint with FTC about Airbnb's Secret "Trustworthiness" Scores: EPIC has filed a complaint with the FTC, alleging that Airbnb has committed unfair and deceptive practices in violation of the FTC Act and the Fair Credit Reporting Act. Airbnb secretly rates customers “trustworthiness" based on a patent that considers such factors as “authoring online content with negative language.” The company’s opaque, proprietary algorithm also considers "posts on the person’s social network account" as well the individual's relationships with others, and adjusts the "trustworthiness" score based on the scores of those associations. EPIC said the company failed to comply with "established public policies" for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. EPIC has recently brought complaints to the FTC about the employment screening firm HireVue and the Universal Tennis Rating secret scoring technique. EPIC has also petitioned the FTC to conduct a rulemaking for "the use of artificial intelligence in commerce." The EPIC AI Policy Sourcebook includes the OECD AI Principles, the Universal Guidelines for AI, and other AI policy frameworks. (Feb. 27, 2020)
  • FTC to Investigate Prior Big Tech Acquisitions: The FTC announced plans to review acquisitions by Google, Amazon, Apple, Facebook, and Microsoft between 2010-2019. The FTC will review those acquisitions that the companies were not required by law to report at the time of acquisition. FTC Chairman Joe Simons said the initiative would "evaluate whether the federal agencies are getting adequate notice of transactions that might harm competition." In a joint statement, Commissioner Wilson and Commissioner Chopra said, "While we commend the FTC for exploring this timely and important topic, we reiterate our call for the Commission to prioritize 6(b) studies that explore consumer protection issues arising from the privacy and data security practices of technology companies, including social media platforms." EPIC filed a complaint with the FTC in 2014 opposing Facebook's acquisition of WhatsApp. EPIC is presently in federal court seeking to improve the FTC's proposed settlement with Facebook and to unwind the merger. (Feb. 12, 2020)
  • EPIC Seeks Regulation of AI, Petitions Federal Trade Commission: Today EPIC filed a petition with the Federal Trade Commission for a rulemaking "concerning the use of artificial intelligence in commerce." The EPIC petition follows two recent EPIC complaints to the FTC about the use of AI for employment screening and the secret scoring of young athletes. EPIC noted that several FTC Commissioners have called for updated regulations to address the challenges of Artificial Intelligence. EPIC pointed to the recent OMB Guidance for Regulation of Artificial Intelligence in support of the FTC rulemaking. EPIC also publishes the AI Policy Sourcebook, the first reference book on AI policy. (Feb. 3, 2020)
  • FTC May Block Facebook Integration of WhatsApp User Data: According to recent news reports, the FTC may pursue an injunction against Facebook to prevent the integration of WhatsApp and Instagram user data. Analysts noted that integration would make it more difficult to break up the company if required by a subsequent antitrust review. When Facebook proposed to acquire WhatsApp in 2014, EPIC filed a complaint with the FTC advising the agency to block the sale unless adequate privacy safeguards were established for WhatsApp user data.The FTC wrote in response "if the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook." The European Commission fined Facebook 122 million dollars in 2017 for misleading statements about the integration of the data sets. In a recent filing with a federal court, EPIC wrote "the Commission also seems entirely unconcerned by Facebook's planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission." (Dec. 17, 2019)
  • Court Seeks Amicus Briefs in FTC-Facebook Settlement: An order from a federal court in Washington, DC creates an opportunity for groups and individuals to file amicus briefs about the proposed FTC settlement with Facebook. The proposed settlement concerns violations of consumer privacy and the adequacy of the settlement. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest." EPIC explained that the proposed settlement "largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices." EPIC asked the court to provide an opportunity for others to file amicus briefs. The deadline for motions is December 17, 2019. (Dec. 16, 2019)
  • BREAKING: Court Orders FTC and Facebook to Reply to EPIC’s Brief: Today the U.S. District Court for the District of Columbia ordered both Facebook and the FTC to file replies to EPIC's amicus brief and sur-replies to EPIC's motion to intervene in United States v. Facebook. The case concerns the proposed settlement between the FTC and Facebook for violations of consumer privacy. EPIC argued, "This Court should not adopt the proposed Consent Decree because the parties have not established that it would be fair, adequate, reasonable, appropriate, or consistent with the public interest.” EPIC explained that the proposed settlement “largely mirrors the preexisting Consent Order from 2012. There are few new obligations on the company that would limit the collection and use of personal data, nor will there be any significant changes in business practices.” EPIC noted, the "Commission also seems entirely unconcerned by Facebook’s planned integration of the personal data of WhatsApp users even though this would violate representations both firms previously made to the Commission.” Through a Freedom of Information Act Request, EPIC has uncovered more than 29,000 complaints against Facebook currently pending at the Commission. (Dec. 10, 2019)
  • FTC Announces Non-Penalty in Cambridge Analytica Case: The FTC issued a press release today about Cambridge Analytica, the company blamed for the Brexit vote that harvested the personal data of 87 m Facebook users for voter profiling and tracking. The misuse of personal data occurred while Facebook was under a consent order and subject to the supervision of the FTC. EPIC urged the FTC to reopen the investigation of Facebook after news of the Cambridge Analytica breach in early 2018. More than 18 months after the scandal broke, the FTC found that Cambridge Analytica, a company now bankrupt, deceived consumers through its data-gathering practices. EPIC previously told Congress that the Cambridge Analytica scandal could have been avoided if the FTC had enforced its own Consent Order. (Dec. 7, 2019)
  • EPIC to Congress: FTC Must Consider Privacy, Block Google-Fitbit Deal: In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review must consider data protection and that the Federal Trade Commission must block Google's plan to acquire Fitbit. "Far from protecting market competition and promoting innovation, the Commission is facilitating industry consolidation," EPIC said in the statement released in advance of the hearing. EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC noted that if the FTC approves Google's acquisition of Fitbit, it will be the 230th firm that Google/Alphabet has acquired "with barely a whimper from the Federal Trade Commission." EPIC said: "This is not antitrust enforcement. This is agency negligence." EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC warned the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. (Nov. 12, 2019)
  • EPIC Files Complaint with FTC about Employment Screening Firm HireVue: Today, EPIC filed a complaint with the FTC alleging that recruiting company HireVue has committed unfair and deceptive practices in violation of the FTC Act. EPIC charged that HireVue falsely denies it uses facial recognition. EPIC also said the company failed to comply with baseline standards for AI decision-making, such as the OECD AI Principles and the Universal Guidelines for AI. The company purports to evaluate a job applicant's qualifications based upon their appearance by means of an opaque, proprietary algorithm. EPIC has brought many similar consumer privacy complaints to the FTC, including a complaint on Facebook's facial recognition practices that contributed to the FTC's 2019 settlement with Facebook. Last year EPIC also asked the FTC to investigate the Universal Tennis Rating system, a secret technique for scoring high school athletes. (Nov. 6, 2019)
  • EPIC to Oppose Google-Fitbit Deal: In a statement released today, Marc Rotenberg said that EPIC would oppose Google's proposed acquisition of the fitness tracking company Fitbit. Mr. Rotenberg said the deal should not be approved. "There is no reason to trust Google's assurances about privacy protection," Mr. Rotenberg said, citing previous matters involving Doubleclick, YouTube, Google HomeMini, and Nest. Noting statements antitrust enforcement by the the FTC Chairman and the Assistant Attorney General, Mr. Rotenberg also said, "The Google-Fitbit deal is a test of their commitment to competition, innovation, and data protection." EPIC brought the 2012 case against the FTC for the agency's failure to enforce the 2011 consent order against Google after the company consolidated user data across multiple services. (Nov. 4, 2019)
  • EPIC to Congress: Consumers Must Be Protected in Merger Reviews: In a statement to the House Judiciary Committee, EPIC told lawmakers that merger review should consider data protection. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram. (Oct. 18, 2019)
  • Senator Cantwell to FTC: Settlement Lets Facebook "Off the Hook": Senator Maria Cantwell [D-WA], Ranking Member on the Senate Commerce Committee, has sent a letter to Federal Trade Commission Chairman Joseph Simons regarding the FTC's controversial settlement with Facebook. "I am concerned that the settlement lets Facebook off the hook for unspecified violations, and given the many public reports of Facebook's mishandling of consumer data, it is difficult to fully understand the impact of this provision on the settlement on the data privacy protection of the millions of U.S. consumers that have used and continue to use Facebook," Cantwell wrote to Simons. Through a Freedom of Information Act Request. EPIC has obtained thousands of new consumer complaints (part 1, part 2) against Facebook. EPIC is formally challenging the proposed settlement, charging that the Commission has failed to investigate thousands of complaints against the company. (Oct. 15, 2019)
  • EPIC to Congress: 29,000 Facebook Complaints Pending at FTC: In advance of an FTC oversight hearing, EPIC told the House Appropriations Committee that more than 29,000 complaints against Facebook are now pending at the Federal Trade Commission. EPIC obtained documents last week revealing 3,000 new complaints against Facebook since the Commission proposed the $5 b settlement with Facebook two months ago. EPIC's Freedom of Information Act Request had previously found 26,000 complaints pending against the social media giant. "The FTC is simply ignoring thousands of consumer privacy complaints about Facebook's ongoing business practices," EPIC said to the Committee. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. EPIC urged the Committee to support the creation of a U.S. Data Protection Agency, saying "The Federal Trade Commission may help consumers with broken toasters, but the FTC is not an effective data protection agency." (Sep. 25, 2019)
  • EPIC Renews Call for Antitrust Agencies to Unwind Bad Mergers: In a second statement to the Senate Judiciary Committee, EPIC urged lawmakers to unwind bad mergers such as Facebook's acquisition of WhatsApp and Google's acquisition of YouTube and Nest. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so. (Sep. 23, 2019)
  • EPIC Uncovers 3,156 More Facebook Complaints at FTC—Over 29,000 Now Pending: Through a Freedom of Information Act Request, EPIC has obtained thousands of new consumer complaints (part 1, part 2)against Facebook. The most recent documents, released to EPIC, follow the Commission’s proposed $5 b settlement in July. Among the complaints uncovered by EPIC are those from consumer groups and members of Congress. EPIC also obtained records of new complaints in the FTC’s Consumer Sentinel database. EPIC earlier uncovered 26,000 complaints against Facebook since the announcement of the 2011 consent order. EPIC is formally challenging the proposed settlement with Facebook, charging that the Commission has failed to investigate thousands of complaints against the company. (Sep. 22, 2019)
  • EPIC Urges Antitrust Agencies to Unwind Bad Mergers: In a statement to the Senate Judiciary Committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC also warned that Google's acquisition of YouTube would skew search results. EPIC, Color of Change, and the Open Markets Institute urged the FTC to require Facebook to spin-off WhatsApp and Instagram as part of the recent enforcement action. The FTC failed to do so. (Sep. 16, 2019)
  • FTC YouTube Settlement Fails to Safeguard Children's Privacy: Following a comprehensive complaint launched by the CCFC and the CDD concerning children's privacy, the Federal Trade Commission announced a settlement today with YouTube and parent company Google. The companies agreed to pay $170 million to settle claims that they violated the Children's Online Privacy Protection Act, but little will change in the companies business model. Writing in dissent, Commissioner Slaughter said, "Youtube and Google were knowingly profiting off of the unlawful tracking of children." She said the Commission should have required a "technological backstop" to ensure that behavioral advertising of children would not continue. Commissioner Chopra, also dissenting, wrote "the Commission repeats many of the same mistakes from the Facebook settlement." In a statement, Senator Markey said the FTC should have required Google to delete all data it collected from children under 13, prohibit Google from launching kids service without prior review, and required annual public audits. EPIC joined the CCFC and the CDD in the complaint to the FTC. Earlier, after Google acquired YouTube, EPIC sued the FTC to block Google's proposed consolidation of user data. The judge ruled against EPIC, but wrote "EPIC - along with many other individuals and organizations - has advanced serious concerns that may well be legitimate..." (Sep. 4, 2019)
  • Gallup Poll: Americans Divided on Regulation for Big Tech Firms: A new Gallup poll found that 48 percent of respondents said the government should boost its regulation of technology companies like Amazon, Facebook and Google, while 40 percent said regulation of these firms shouldn't change. Roughly 60 percent of self-identified liberals, union members, college graduates and Democrats support increased oversight of tech companies. EPIC maintains an extensive page on Privacy and Public Opinion which shows consistent support among Americans for stronger laws to protect their privacy. EPIC has also opposed mergers that threaten consumer privacy, including Facebook's acquisition of WhatsApp, Google's acquisition of DoubleClick, and Google's acquisition of Nest Labs. (Aug. 22, 2019)
  • EPIC Pursues Intervention in FTC Facebook Case: EPIC has filed a reply brief in support of its motion to intervene in United States v. Facebook, a case concerning the proposed settlement between the Federal Trade Commission and Facebook. The Government and Facebook have sought to block EPIC's participation. EPIC pursued intervention to protect the interests of Facebook users and to ensure that pending complaints at the FTC were not ignored. EPIC told the court overseeing the case that the settlement "is not adequate, reasonable, or appropriate." In response to Facebook and the government, EPIC explained that the settlement is "arbitrary and capricious because the Commission seeks to grant Facebook immunity from any unlawful practices identified in prior consumer complaints, without addressing or even identifying the prior complaints." EPIC also argues that the FTC's failure to consider public comments on the settlement, as the agency is required to do under its own regulations, "denies EPIC and others the opportunity to submit comments on the consent agreement." An EPIC FOIA lawsuit uncovered more than 26,000 complaints against Facebook pending at the agency. In 2009, EPIC and other consumer privacy organizations filed the original complaint that created legal authority for the FTC to oversee Facebook's privacy practices. Many members of Congress, consumer organizations, and corporate law experts have opposed the proposed settlement, which was narrowly approved by the Commission, 3-2. (Aug. 12, 2019)
  • EPIC Comments on FTC Safeguards Rule: EPIC provided comments to the FTC on the agency's proposed update to the Safeguards Rule on data security for financial institutions. In the proposal, the FTC highlighted that EPIC "recommended that certain practices set forth in the FTC's Safeguards Rule Guidance, such as employee background checks, authentication requirements, and encryption, should be mandatory." EPIC's comments (1) express support for the FTC's decision to mandate baseline security requirements, (2) request that the Safeguard Rules apply to all organizations and companies that collect consumer data, and (3) urge the FTC impose data minimization requirements. Recent breaches have highlighted the need for stronger data protection laws. EPIC has renewed calls for a data protection agency in the U.S. (Aug. 1, 2019)
  • EPIC Challenges FTC-Facebook Settlement, Asks Court to Hear from Privacy Groups: EPIC has filed a Motion to Intervene in United States v. Facebook to protect the interests of Facebook users. The case concerns a proposed settlement between the FTC and Facebook. EPIC said the settlement "is not adequate, reasonable, or appropriate." EPIC also explained that the settlement would extinguish more than 26,000 consumer complaints against Facebook pending at the FTC. EPIC asked the court for an opportunity for EPIC and others to be heard before the settlement is finalized. EPIC filed the original complaint that created legal authority for the FTC to oversee Facebook. Back in 2011, EPIC also urged the Commission to require Facebook to restore the privacy settings of users, give users access to all of the data that Facebook keeps about them, stop making facial recognition profiles without users' consent, make the results of the government privacy audits public, and stop secretly tracking users across the web. Earlier this year, EPIC and others urged the FTC to pursue structural remedies, including the divestiture of WhatsApp. Many organizations and individuals have expressed concern about the proposed settlement, which was narrowly approved by the Commission, 3-2. More info at https://epic.org/privacy/facebook/epic2019-challenge/ (Jul. 26, 2019)
  • EPIC Seeks Consumer Complaints about Facebook Pending Before FTC Prior to Settlement Agreement: EPIC has submitted an urgent Freedom of Information Act request to the Federal Trade Commission seeking all consumer complaints pending before the Commission at the time the agency entered into the settlement with Facebook. The proposed settlement order "resolves" all consumer complaints alleging violation of the consent order prior to June 12, 2019. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. Many US privacy organizations have also filed detailed complaints with the Commission, alleging that Facebook's business practices violate the FTC Act and also the Children's Online Privacy Protection Act. The release of the information sought by EPIC could help the public and the Congress assess the adequacy of the proposed settlement. (Jul. 25, 2019)
  • FTC Opens Antitrust Investigation of Facebook: Facebook has disclosed that the Federal Trade Commission opened an antitrust investigation into the company. In a recent statement for a Senate Judiciary committee hearing on antitrust, EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. This year, EPIC, Color of Change, the Open Markets Institute, and others urged the FTC to spin off WhatsApp as a remedy for violations of the 2011 consent order. In a settlement announced this week, the Commission failed to do so. (Jul. 25, 2019)
  • BREAKING - FTC Issues Facebook Fine, EPIC - "Too little, too late.": The Federal Trade Commission announced today the first fine against Facebook since EPIC and a coalition of privacy organizations filed a complaint with the Commission about the company’s businesses practices back in 2009. In a 2011 consent order the FTC said it would bar Facebook "from making any further deceptive privacy claims.” But in the years that followed, the FTC failed to act even as complaints emerged about marketing to children, privacy settings, tracking users, gathering health data, and facial recognition. Earlier this year, EPIC determined that there were 26,000 complaints against Facebook pending at the Commission. EPIC President Marc Rotenberg said today, “The FTC’s action is too little, too late. American consumers cannot wait another decade for the Commission to act against a company that violates their privacy rights. Congress should move quickly to establish a data protection agency." (Jul. 24, 2019)
  • EPIC Urges Antitrust Agencies to Raise their Game: In a statement to the Senate Judiciary committee, EPIC urged lawmakers to press the FTC and the Department of Justice on Enforcement of the Antitrust Laws. EPIC wrote that "companies that protect user privacy are being absorbed by companies that do not protect privacy." EPIC pointed to the Facebook-WhatsApp deal and the failure of the FTC to protect the personal data of WhatsApp users after the merger. EPIC previously testified before the Senate Judiciary Committee about mergers in the online advertising industry after EPIC told the FTC that Google's acquisition of DoubleClick would diminish privacy and stifle innovation. EPIC earlier opposed Doubleclick's acquisition of Abacus, explaining that the deal would lead to increased profiling of American consumers. EPIC, Color of Change, the Open Markets Institute, and others have also urged the FTC to require Facebook to spin-off WhatsApp and Instagram. (Jul. 18, 2019)
  • BREAKING - EPIC Seeks Public Release of FTC Settlement with Facebook: Today EPIC filed an expedited Freedom of Information Act request with the Federal Trade Commission, seeking the public release of the proposed settlement with Facebook. Last week the Wall Street Journal first reported that the FTC approved a $5 billion settlement with Facebook for violating a 2011 consent order that EPIC helped obtain. However, details about the settlement have not been disclosed. In January, EPIC recommended that the FTC 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. In a series of FOIA cases, EPIC uncovered the biennial audits of Facebook, the number of complaints pending against Facebook at the Commission (26,000), and records of meetings by the chief agency official responsible for overseeing enforcement. EPIC also launched the #EnforceTheOrder campaign. (Jul. 15, 2019)
  • Tim Wu Testifies Before House Antitrust Committee: Former EPIC Advisory Board member Tim Wu will testify this week before a House committee regarding online platforms and market power. EPIC previously told the Subcommittee on Antitrust that "the internet advertising system today is not healthy. Two companies dominate the market. The privacy of Internet users is under assault. The revenue model that sustained journalism is broken. The current model is not sustainable. Privacy rules can help level the playing field." In 2000, EPIC opposed Doubleclick's acquisition of Abacus. In 2007, EPIC told the FTC that Google's proposed acquisition of DoubleClick would lead to consumers being tracked and profiled by advertisers across the web. (Jul. 15, 2019)
  • WSJ Reports that FTC Agrees to $5B Fine Against Facebook: The Federal Trade Commission has reportedly approved a $5 billion fine against Facebook, the largest fine in the Commission's history. EPIC brought the original complaint to the FTC that led to the 2011 Consent Order against Facebook. This is the first enforcement action the FTC has taken against Facebook in the eight years since the Consent Order was put in place. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC also launched the #EnforceTheOrder campaign to urge action by the FTC. In January, EPIC recommended that the FTC enforcement action 1) impose substantial fines; 2) establish structural remedies; 3) require compliance with Fair Information Practices; 4) reform hiring and management practices; and 5) restore democratic governance. (Jul. 12, 2019)
  • EPIC Files Complaint with FTC about Zoom: Today EPIC filed a complaint with the FTC alleging that the videoconferencing company Zoom has committed unfair and deceptive practices in violation of the FTC Act. According to EPIC, Zoom intentionally designed its web conferencing service to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user. As a result, Zoom exposed users to the risk of remote surveillance, unwanted videocalls, and denial-of-service attacks. EPIC has brought many similar consumer privacy complaints to the FTC, including the complaint that led to the FTC consent order against Facebook and the complaint that led to the FTC consent order against Google. EPIC cited the Google order, which produced a $22.5 m fine, in the complaint concerning Zoom. EPIC, In re Zoom ("Concerning Zoom's ability to bypass browser security settings and remotely enable a user's web camera without the knowledge or consent of the user.”) (Jul. 11, 2019)
  • EPIC FOIA - FTC Enforcement Director Participated in Over 100 Meetings About Facebook Post-Cambridge Analytica: As a result of EPIC's Freedom of Information Act request, the Federal Trade Commission released records indicating that FTC Associate Director of Enforcement James A. Kohm participated in at least 162 meetings since the Commission adopted the consent order with Facebook in 2011. Almost 140 meetings occurred after Facebook admitted to the unlawful transfer of over 87 million user profiles to Cambridge Analytica. In March 2018, the FTC said it would reopen investigation of Facebook, but the agency has never taken an enforcement action against the country. EPIC launched the #EnforceTheOrder campaign this year to urge action by the FTC. (Jul. 11, 2019)
  • EPIC to Lobby for US Privacy Agency: In a statement released today, EPIC's Marc Rotenberg said the privacy organization would lobby for the creation a data protection agency in the United States. Criticizing the failure of the FTC to enforce the consent order against Facebook, Rotenberg said "the Commission has turned its back on the American public...Instead of going after the dominant tech firms that pose the greatest threats to privacy and competition, the FTC has chosen instead to go after small businesses." EPIC's President explained that EPIC had not previously lobbied Congress, but would do so now, "we have decided that EPIC can no longer stand on the sidelines." The statement concluded, "A data protection agency is the cornerstone of effective privacy protection. Data protection agencies act as ombudsmen for the public. They encourage innovation and good business practices. They identify emerging privacy challenges and pursue solutions. They take enforcement action when necessary and they impose penalties that are meaningful. Virtually every democratic country has created a privacy agency. But the United States has not. As a consequence, data breach and identity theft continue to rise in the United States. The pace of mergers is accelerating and the rate of innovation is slowing." (Jun. 21, 2019)
  • With Complaints Against Facebook Piling Up, FTC Goes After Small Businesses: The FTC today announced a minor settlement with a company called SecurTest over its claims concerning the EU-U.S. Privacy Shield program. The Commission also sent letters to 13 small companies for falsely claiming participation in various privacy programs. The FTC issued no fines and took no further action. The proposed consent agreement is subject to public comment after publication in the Federal Register. The announcement comes more than a year after the Commission said it would reopen the investigation of Facebook, following the Cambridge Analytica scandal. Earlier this year, an EPIC Freedom of Information Act request uncovered more than 26,000 complaints against Facebook pending at the Commission. EPIC brought the original complaint to the FTC in 2009 that led to the 2011 consent order. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (Jun. 14, 2019)
  • As State AGs Gather at FTC Event, Still No Action on Facebook: The FTC hosted a roundtable with state attorneys general in Nebraska as the final hearing on competition and consumer protection in the 21st century. More than a year has passed since the FTC reopened the investigation of Facebook after the Cambridge Analytica scandal, but the FTC has not issued a fine, imposed penalties, or even updated the public about the status of the investigation. EPIC Consumer Protection Counsel Christine Bannan testified at an earlier FTC hearing that the FTC's success should be measured by the enforcement of its orders. EPIC launched the #EnforceTheOrder campaign to pressure the FTC to take enforcement action against Facebook. EPIC brought the original complaint to the FTC in 2009 that led to the consent order. Facebook anticipates a $3-5 billion fine from the FTC, but EPIC, Color of Change, and the Open Markets Institute have urged the Commission to use its equitable authorities to improve privacy protection and governance, reform hiring practices, and to spin off WhatsApp and Instagram. (Jun. 11, 2019)
  • EPIC Seeks Memos from FTC Enforcement Director About Inaction on Facebook Consent Order: EPIC has filed a Freedom of Information Act request with the Federal Trade Commission seeking memos and internal communications about the Associate Director of the Enforcement Division James A. Kohm. Kohm is responsible for overseeing enforcement of the consent order against Facebook. Since the FTC announced the 2011 Consent Order, the FTC has never charged Facebook with a single violation of the order. In March 2018, the FTC announced an investigation of Facebook following the Cambridge Analytica scandal. 430 days have now passed with no report, no fine, and not even an update about the status of the investigation. EPIC has repeatedly urged the FTC to #EnforceTheOrder against Facebook. (May. 30, 2019)
  • New Report on the FTC's Big Tech Revolving Door Problem: A new report from the consumer group Public Citizen finds extensive conflicts of interest at the Federal Trade Commission. According to Public Citizen, most top officials at the Federal Trade Commission (FTC) become lawyers and lobbyists for major technology companies after they leave the agency or bring Silicon Valley conflicts with them when they arrive. These conflicts help explain the FTC's chronic reluctance to enforce consumer protection and antitrust laws, said Public Citizen. EPIC previously urged the FTC to block anticompetitive mergers, such as Google's acquisition of DoubleClick and Facebook's acquisition of WhatsApp, as well as to enforce the pending consent order against Facebook that EPIC helped establish in 2011. EPIC even sued the FTC when the consumer agency failed to enforce the consent order against Google, following the Buzz consent order. As of today, 423 days have passed since the FTC announced in March 2018 that it would reopen the investigation of Facebook. But still there is no fine, no report, and no update. (May. 23, 2019)

Overview

The term "cyberthreat" refers to a malicious attempt to interfere with an information system. Cyberthreats can take the form of hacking into networks or accounts, infecting computers or computer systems with viruses, or using code to leak, change, copy or destroy information. Some cyberthreats are intentional attacks; some are unintentional information breaches; some are focused on a particular network or to extract a particular kind of information; and others are untargeted attempts to degrade information or networks generally.

Both government and private-sector networks experience cyberthreats. Some private-sector firms have developed the practice of notifying each other when they experience a particular kind of cyberthreat. This is often referred to as an "information sharing environment." If a virus erodes the security of one firm's network, for example, that firm would inform the other participants in the information sharing environment so that they could all guard against the virus. Other firms refrain from participating in information-sharing programs out of concerns about violating antitrust laws.

The federal government has also instituted information-sharing environments to share cyberthreat information. Some of these are restricted to government agencies only, while others can include private firms and contractors. Agencies tend to share cyberthreat information broadly with each other, while the Department of Homeland Security (the agency responsible for coordinating private/public sector cyberthreat sharing) shares select information with the private sector.

FTC and DOJ Report

In April 2014, the Department of Justice and the Federal Trade Commission issued a report on the antitrust implications of cyberthreat sharing among private firms. The report concluded that "properly designed cyber threat information sharing is not likely to raise antitrust concerns." The report distinguished "business information," such as pricing or business plans, from "cyberthreat information," which the Commission characterized as "purely technical."

In its report, the Commission outlined its process for evaluating antitrust allegations and applied that analysis to cyberthreat sharing. The Commission concluded that, although antitrust analysis is highly fact-specific, the general theory of cyberthreat information sharing "appears unlikely in the abstract to increase the ability or incentive of participants to raise price or reduce output, quality, service, or innovation." The report encouraged private firms to engage in cyberthreat information sharing.

DHS Report

Also in April 2014, the Department of Homeland Security (DHS) released its annual Executive Order 13636 Privacy and Civil Liberties Assessments Report. This report addresses the privacy and civil liberties implications that arise from government-sector and government/private sector cyberthreat information sharing programs. DHS published the report as a requirement from Executive Order 13636, Improving Critical Infrastructure Cybersecurity (EO), and Presidential Policy Directive 21, Critical Infrastructure Security and Resilience (PPD-21), in which the White House directed federal agencies "to work together and with the private sector to strengthen the security and resilience of the Nation’s critical infrastructure (CI) against evolving threats and hazards." Section 4 of the Executive Order instructs the federal government "to increase the volume, timeliness, and quality of cyber threat information shared with U.S. private sector entities so that these entities may better protect and defend themselves against cyber threats."

In the Report, DHS explains that last year, it responded to Section 4 of the Executive Order by instituting "Sharelines." Sharelines are pieces of malicious code and other cyberthreats that DHS has flagged as being shareable with the private sector. DHS also provides an account of the privacy and civil liberties risks inherent in sharing data of any kind - including personally identifiable data. While DHS lists the steps it takes to strip the data it collects of identifying information, the report nevertheless concludes that it will keep the identifying information "when the named individual consents to disclosure or when the disclosure would be operationally necessary to characterize a threat."

Resources

News Items

Share this page:

Defend Privacy. Support EPIC.
US Needs a Data Protection Agency
2020 Election Security