By Jon Healey
6:36 PM CST, February 22, 2013
The Federal Trade Commission opened a potentially significant new front Friday in its efforts to protect consumers against data theft. The commission announced a settlement with mobile device manufacturer HTC America that requires the company to plug security holes in millions of smartphones and tablet computers, develop a comprehensive approach to data protection and undergo independent security assessments every other year.
Federal law gives the commission the authority to go after "unfair" business practices that harm consumers, and it's used that authority increasingly in recent years to crack down on companies that don't safeguard the sensitive data they collect from customers. According to the commission, though, the HTC case is the first time it's applied that legal theory to security problems in a device's software.
It's a subtle expansion of the commission's activities, but one without a clear outer boundary. If HTC is liable because it allegedly "failed to provide reasonable and appropriate security in the design and customization of software," one can only wonder when the commission will go after manufacturers of other consumer products that expose their users to data theft every time they connect to the Internet. Such as, for example, the device you're using to read this blog.
At issue here isn't how the commission is interpreting federal law as much as whom it's applying the law to.
Three privacy experts I spoke with said the case against HTC didn't represent much of a change, if any, in the commission's definition of an unfair practice. As Lee Tien of the Electronic Frontier Foundation noted, the commission has been asserting jurisdiction for several years over data security problems that affect consumer privacy.
The FTC's complaint also included a straightforward allegation that HTC deceived consumers about software vulnerabilities. According to the commission, the company's product manuals and other material told customers ways to stop their data from being collected, but those steps were ineffective.
What's new, said Ryan Calo, a law professor at the University of Washington, is the commission using its power over unfair practices against a device maker that already falls under another federal agency's consumer protection mandates (in HTC's case, that would be the Federal Communications Commission).
Granted, the FTC has made clear its interest in the data-collection practices of the fast-growing mobile industry. Last year, for example, it issued privacy guidelines for the developers of mobile apps. But app developers aren't regulated by the FCC -- device manufacturers are.
That's not to say the requirements in the settlement aren't welcome. HTC didn't admit to any wrongdoing, and no court will decide whether the FTC could have proved its allegations against the company. But in general, companies whose devices handle sensitive personal information should make data security a top priority, and if they carelessly ignore vulnerabilities that harm consumers, they should be held liable. The vulnerabilities HTC was accused of creating or overlooking were serious ones, potentially enabling hackers to send text messages, monitor phone calls and record passwords and other data that users typed into websites.
One of the questions raised by the case, though, is where the FTC goes from here.
Justin Brookman, director of consumer privacy for the Center for Democracy and Technology, noted that software will have security holes -- it's in the nature of the beast. The commission, he said, shouldn't take the position that every complex software-driven system with a vulnerability amounts to an unfair practice; there's an honest debate to be had over how insecure a device would have to be to reach that level. The threshold the commissioners set in the HTC case may be reasonable, Brookman said, but "at some point they could go too far."
Because it ended in a settlement, the case against HTC sets no precedent. Instead, it just provides guidance to the public about what the FTC considers to be unlawful. As one settlement leads to the next, however, that creates a body of "non-law law" that's neither created by Congress nor reviewed by the courts, said Berin Szoka, president of the libertarian TechFreedom think tank. "That's what's going to get the agency in trouble, even if the standard for unfairness is really quite sound," Szoka said.
There's a sort of dynamic equilibrium at regulatory agencies, whose purview tends to expand and contract in response to court rulings and changes in political control. The FTC is currently in an expansive mode on cyber security, as the commissioners and other federal policymakers play catchup to the threats that abound in our digitized and interconnected world.
In fact, the commission is already encountering some pushback. When it accused Wyndham Hotels last year of failing to give its customers' personal data "reasonable and appropriate" protections against theft, the hotel chain refused to settle. The U.S. Chamber of Commerce has thrown its support behind Wyndham, arguing that the commission has been punishing businesses for failing to meet a standard that the FTC has never articulated.
The question for the agency isn't just how it can use its authority to stop unfair data security practices, Szoka said. It's also "how you constrain that authority, how you make it understandable to people."
Follow Jon Healey on Twitter @jcahealey