Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


11:02 AM

FTC Sets Consumer Data Collection Limits

As Spokeo gets fined $800,000, FTC tries to enforce differences between consumer-reporting services and people-search services, which gather and sell large amounts of publicly accessible personal data.

Do search firms, marketers, and advertisers collect and sell too much information about consumers?

To put the question another way: Is the mass buying and selling of people's personal information a modern age necessity--for fueling the advertising that allows much of today's online content to remain "free"--or does it too often risk violating consumers' right to privacy, as well as laws that prohibit selling inaccurate information about consumers?

Your answer to that question may inform your perspective on the FTC this month spanking data broker Spokeo with an $800,000 fine for marketing a service that provides consumer reports and background checks--not least to potential employers--that failed to abide by the Fair Credit Reporting Act (FCRA), which requires that information shared be accurate, used only for an allowed purpose, and that customers are informed of those requirements. The FTC also accused Spokeo of having written its own fake reviews--laudatory, of course--and then placing them on external websites and blogs.

"The FTC's settlement with Spokeo stands for the important proposition that companies cannot merely aver themselves out of the scope of FCRA--products to be used for important decisions like credit and employment must incorporate FCRA's protections to make sure those products are reliable," said Justin Brookman, director of the Center for Democracy and Technology's project on consumer privacy, in a blog post.

In response to the FTC settlement, Spokeo released a blog post titled "Empowering Spokeo's Users," in which Spokeo founder and president Harrison Tang says that the company never meant to act as a provider of consumer reports or background check information. He neglected to address the FTC's charge that Spokeo had disseminated fake reviews of its services.

Instead, Tang harkened back to the early days of the company, which he started with his Stanford roommates. He also spun his company's data collection practices as a force for consumer good. "Spokeo will continue to be a company based on innovation that empowers consumers to reconnect with family and friends, learn about celebrities and other famous people, and discover their own online footprint," he said.

Spokeo works by using "machine aggregation"--online crawlers--to collect people's personal information in a variety of ways. "Spokeo aggregates publicly available information from phone books, social networks, marketing surveys, real estate listings, and other public sources," included government census reports, "business websites," and mailing lists, according to Spokeo's privacy page. "This third-party data is then indexed through methods similar to those used by Google or Bing to create a listing. Because Spokeo only collects this data and does not create it, we cannot fully guarantee its accuracy."

Where does Spokeo's search service--which claims to have information on nearly 300 million U.S. consumers, and which Tang has likened to being a "Google for people"--end, and a consumer-reporting service begin? (For the record, consumers can opt out of having their information appear via Spokeo, but the onus is on consumers to opt out of any such service, rather than allowing them to opt in.)

Legally speaking, the FCRA defines "consumer reports" as "any written, oral, or other communication of any information by a consumer reporting agency bearing on a consumer's credit worthiness, credit standing, credit capacity, character, general reputation, personal characteristics, or mode of living," and which is expected to be used for credit, insurance, or employment purposes, or "a legitimate business need," such as a consumer-initiated transaction.

But what's to stop a company such as Spokeo from selling consumer reports, even if they're not marketed as such? In response to that question, FTC spokeswoman Claudia Farrell said via email that the agency keeps an eye on any business offering consumer reporting agency (CRA) services--even if they're not labeled as such--to ensure that they comply with the consumer report protections required under the FCRA. "If the [business] in question is not a CRA and/or not selling consumer reports, as defined by the FCRA, they are not covered," she said. "Of course, we would look at facts on a case by case basis. A company's declaration that they are not a CRA, or that the reports they sell are not consumer reports, does not exempt them from the FCRA."

In the case of Spokeo, meanwhile, the company says that it's changed its ways, not least by ceasing to offer a background check service marketed to HR departments, recruiters, and law enforcement agencies. Spokeo's chief strategy officer Emanuel Pleitez, who joined the company earlier this year, said that until February 2010, the company had only eight employees, and was testing different business models to see which one worked. He said the company's background-check service never attracted more than about 100 customers.

After February 2010, however, he said the company retooled, and began selling only a people-search service for consumers. It also eliminated all of the accounts that had been created via its HR and background-check marketing links, and implemented a new blogging policy to ensure that any Spokeo-commissioned material that appears on the Internet is clearly labeled as such. Furthermore, while Spokeo still amasses financial information, Pleitez said it's only available for reviewing median incomes on a neighborhood by neighborhood basis.

"We obviously talked with the FTC about what had happened, and how we move forward," said Pleitez. In addition, customer service personnel received training to deactivate accounts for any customers that appear to be using Spokeo for background-check purposes, and the company details to its customers, via email, the purposes for which its service can and cannot be used. Pleitez said the company is glad that the FTC's enforcement action has been announced, so that Spokeo can move on. "At our core, we're a technology company, we want to create a cool product," he said.

But such products still pose provocative privacy questions. Indeed, while people-search products may not be consumer reports, per the FTC's definition, they can reveal a surprising amount of personal information. Accordingly, the rule for cautious consumers remains the same: beware what you share.

"Today, more and more companies are trying to mine social media when making employment and credit decisions," said Brookman at the Center for Democracy and Technology. "In many cases, the consumers themselves are putting personal information out there using Facebook, Twitter, or any number of other publishing platforms--can they credibly complain if that information later comes back to bite them?"

New apps promise to inject social features across entire workflows, raising new problems for IT. In the new, all-digital Social Networking issue of InformationWeek, find out how companies are making social networking part of the way their employees work. Also in this issue: How to better manage your video data. (Free with registration.)

Comment  | 
Print  | 
More Insights
Threaded  |  Newest First  |  Oldest First
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-13
File Upload vulnerability exists in ArticleCMS 1.0 via the image upload feature at /admin by changing the Content-Type to image/jpeg and placing PHP code after the JPEG data, which could let a remote malicious user execute arbitrary PHP code.
PUBLISHED: 2021-05-13
Insecure permissions issue in zzcms 201910 via the reset any user password in /one/getpassword.php.
PUBLISHED: 2021-05-13
A malformed input file can lead to a segfault due to an out of bounds array access in raptor_xml_writer_start_element_common.
PUBLISHED: 2021-05-13
A flaw was found in OpenJPEG’s encoder. This flaw allows an attacker to pass specially crafted x,y offset input to OpenJPEG to use during encoding. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
PUBLISHED: 2021-05-13
A vulnerability was found in Linux Kernel where in the spk_ttyio_receive_buf2() function, it would dereference spk_ttyio_synth without checking whether it is NULL or not, and may lead to a NULL-ptr deref crash.