Risk
6/27/2012 11:02 AM
FTC Sets Consumer Data Collection Limits

As Spokeo gets fined $800,000, FTC tries to enforce differences between consumer-reporting services and people-search services, which gather and sell large amounts of publicly accessible personal data.

Do search firms, marketers, and advertisers collect and sell too much information about consumers?

To put the question another way: Is the mass buying and selling of people's personal information a modern age necessity--for fueling the advertising that allows much of today's online content to remain "free"--or does it too often risk violating consumers' right to privacy, as well as laws that prohibit selling inaccurate information about consumers?

Your answer to that question may inform your perspective on the FTC this month spanking data broker Spokeo with an $800,000 fine. The agency charged that Spokeo marketed a service providing consumer reports and background checks--not least to potential employers--without abiding by the Fair Credit Reporting Act (FCRA), which requires that information shared be accurate and used only for an allowed purpose, and that customers be informed of those requirements. The FTC also accused Spokeo of having written its own fake reviews--laudatory, of course--and then placing them on external websites and blogs.

"The FTC's settlement with Spokeo stands for the important proposition that companies cannot merely aver themselves out of the scope of FCRA--products to be used for important decisions like credit and employment must incorporate FCRA's protections to make sure those products are reliable," said Justin Brookman, director of the Center for Democracy and Technology's project on consumer privacy, in a blog post.

In response to the FTC settlement, Spokeo released a blog post titled "Empowering Spokeo's Users," in which Spokeo founder and president Harrison Tang says that the company never meant to act as a provider of consumer reports or background check information. He neglected to address the FTC's charge that Spokeo had disseminated fake reviews of its services.

Instead, Tang harkened back to the early days of the company, which he started with his Stanford roommates. He also spun his company's data collection practices as a force for consumer good. "Spokeo will continue to be a company based on innovation that empowers consumers to reconnect with family and friends, learn about celebrities and other famous people, and discover their own online footprint," he said.

Spokeo works by using "machine aggregation"--online crawlers--to collect people's personal information in a variety of ways. "Spokeo aggregates publicly available information from phone books, social networks, marketing surveys, real estate listings, and other public sources," including government census reports, "business websites," and mailing lists, according to Spokeo's privacy page. "This third-party data is then indexed through methods similar to those used by Google or Bing to create a listing. Because Spokeo only collects this data and does not create it, we cannot fully guarantee its accuracy."

Where does Spokeo's search service--which claims to have information on nearly 300 million U.S. consumers, and which Tang has likened to being a "Google for people"--end, and a consumer-reporting service begin? (For the record, consumers can opt out of having their information appear via Spokeo, but the onus is on consumers to opt out of any such service, rather than allowing them to opt in.)

Legally speaking, the FCRA defines "consumer reports" as "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living," and which is expected to be used for credit, insurance, or employment purposes, or "a legitimate business need," such as a consumer-initiated transaction.

But what's to stop a company such as Spokeo from selling consumer reports, even if they're not marketed as such? In response to that question, FTC spokeswoman Claudia Farrell said via email that the agency keeps an eye on any business offering consumer reporting agency (CRA) services--even if they're not labeled as such--to ensure that they comply with the consumer report protections required under the FCRA. "If the [business] in question is not a CRA and/or not selling consumer reports, as defined by the FCRA, they are not covered," she said. "Of course, we would look at facts on a case by case basis. A company's declaration that they are not a CRA, or that the reports they sell are not consumer reports, does not exempt them from the FCRA."

In the case of Spokeo, meanwhile, the company says that it's changed its ways, not least by ceasing to offer a background check service marketed to HR departments, recruiters, and law enforcement agencies. Spokeo's chief strategy officer Emanuel Pleitez, who joined the company earlier this year, said that until February 2010, the company had only eight employees, and was testing different business models to see which one worked. He said the company's background-check service never attracted more than about 100 customers.

After February 2010, however, he said the company retooled and began selling only a people-search service for consumers. It also eliminated all of the accounts that had been created via its HR and background-check marketing links, and implemented a new blogging policy to ensure that any Spokeo-commissioned material that appears on the Internet is clearly labeled as such. Furthermore, while Spokeo still amasses financial information, Pleitez said it's only available for reviewing median incomes on a neighborhood-by-neighborhood basis.

"We obviously talked with the FTC about what had happened, and how we move forward," said Pleitez. In addition, customer service personnel received training to deactivate accounts for any customers that appear to be using Spokeo for background-check purposes, and the company details to its customers, via email, the purposes for which its service can and cannot be used. Pleitez said the company is glad that the FTC's enforcement action has been announced, so that Spokeo can move on. "At our core, we're a technology company, we want to create a cool product," he said.

But such products still pose provocative privacy questions. Indeed, while people-search products may not be consumer reports, per the FTC's definition, they can reveal a surprising amount of personal information. Accordingly, the rule for cautious consumers remains the same: beware what you share.

"Today, more and more companies are trying to mine social media when making employment and credit decisions," said Brookman at the Center for Democracy and Technology. "In many cases, the consumers themselves are putting personal information out there using Facebook, Twitter, or any number of other publishing platforms--can they credibly complain if that information later comes back to bite them?"

