A Briefing On Public Policy Issues Affecting Civil Liberties Online from The Center For Democracy and Technology
(1) CDT Urges Steady Increase in FTC Funding
(2) Evolving Internet Threats Pose New Challenges
(3) New Privacy Law Could Bring New Responsibilities
On February 28, CDT Deputy Director Ari Schwartz urged a House Appropriations subcommittee to steadily increase funding for the Federal Trade Commission (FTC) to support the agency's increasingly important role in the fight against online fraud, identity theft and spyware. In recent years, the FTC has emerged as the lead federal agency in the fight against a broad range of Internet scams and crimes. In that role, the commission has shut down several dangerous and costly scams, obtained substantial redress for consumers and established important precedents for acceptable behavior in the areas of e-commerce and software downloads. CDT is urging Congress to take this new slate of responsibilities into account as it makes its appropriations for the FTC.
Some of the most pervasive and costly Internet threats -- threats that in many cases didn't exist 5-10 years ago -- now fall under the FTC's authority.
Consumers are increasingly alarmed about the proliferation of online scams, Internet privacy intrusions, fraud and abuse. In an April 2006 poll for the Center for American Progress, 69 percent of respondents indicated they were very or somewhat worried about having their identities stolen.
Spyware has proven especially costly for consumers. Consumer Reports estimates that the problem cost consumers $2.6 billion last year and affected 1 in 8 Internet users. As disturbing as those figures are, even they cannot give an adequate picture of the harm caused by spyware-related privacy invasions, which can wreak havoc on Internet users lives and livelihoods.
To prevent problems such as spyware from mushrooming, there must be a systemic commitment to aggressively investigate and prosecute Internet crime. This begins by providing sufficient resources to enforcement agencies, in particular the FTC.
The FTC is the lead federal agency responsible for protecting consumers against spam, spyware, identity theft and other Internet fraud.
By law, the FTC enforces the:
In addition the agency now plays the lead federal role in addressing issues relating to:
When we take into account the scope of the FTC's responsibilities it becomes obvious that maintaining this aggressive enforcement on behalf of American consumers requires additional funds for the FTC. The online marketplace will become both more complex and more essential over time, and the FTC has been and will continue to be a critical force in maintaining consumer trust in the Internet. Increased resources are a vital part of making that happen.
In the early days of Internet crime, a vast number of offenses amounted to little more than virtual vandalism. Hackers would often circumvent Internet security as a way of showing off to their friends and proving their skills. That trend has long been on the decline, as malicious actors on the Internet are increasingly going after financial gain first and foremost. This means that more consumers are losing more money than ever before either as a direct or indirect result of malicious activity online, and that malicious hackers have more financial resources than ever before. As a result, the FTC's consumer protection mission has risen to even more critical importance. Compensating consumers who have been harmed and putting a stop to fraudulent schemes becomes ever more important as fraud and monetary loss become more widespread.
As the FTC's role in fighting new fraud increases, its job becomes more complicated. One of the great paradoxes of the Internet is that while most Internet users are having their movements tracked and traced in ways never before imagined, those that are willing to take the time and energy can hide the tracks of their online activities in ways that make them very difficult to find. While this is a huge boon for free expression around the world, it also can help criminals and malicious Internet operations to evade the grasp of law enforcement. Using just a few simple tools, criminals and scammers can quickly and easily cloak their identities and locations. Tracking them down may require the assistance of multiple network operators, applications providers and technical experts to unravel a complex web of online identities and cloaking services.
Tracking individuals online is made more complicated by the fact that many malicious Internet schemes involve groups of companies, affiliates, and individuals acting together to defraud consumers. Not only must the identities and locations of all of these actors be traced, but the business arrangements and relationships between them must also be sorted out before law enforcers can act. The Internet's distributed nature lends itself to arrangements wherein multiple parties each contribute to form a complete operation or business plan. This characteristic has helped to provide all kinds of new services, but it may be exploited just as easily for malevolent purposes as for benevolent ones. The complexity of these arrangements will likely continue to grow as malicious Internet users realize that working with many different parties complicates enforcement and spreads liability to multiple entities.
The global nature of the Internet further complicates the task of apprehending malicious online actors. Internet scams are increasingly based overseas or in multiple countries at once, adding a whole new dimension to enforcement investigations. Law enforcers must cultivate relationships with their foreign counterparts in order to increase cooperation when it comes time to conduct investigations. The same is true for domestic enforcement across multiple states. The FTC has always had the authority and the willingness to cooperate with state attorneys general on enforcement matters, and the Internet makes these cases ever more likely since consumers from many different states may be affected by a single online scam. In order to be fruitful, this cooperation requires all parties to expend extra resources.
Because of the rapid changes involved with Internet scams, investigations of Internet fraud are becoming increasingly technologically intensive. Although vast resources may not have been required when the FTC first began investigating online scams, technological advances over the past few years have heightened the level of sophistication necessary for successful investigations. If the FTC is to continue as a leader in online enforcement, it must keep pace with these changes.
The Internet revolution also complicates FTC oversight of completed cases. Before digital technologies became pervasive, it was much easier for the FTC to monitor whether former defendants were complying with the provisions of their settlement agreements or court orders. The Internet provides simple means for such actors to quickly and easily setup new schemes under new monikers in new locations, making it difficult for the FTC to draw links to former businesses or identities and determine compliance.
In all of these ways, the fast pace of technological change demonstrates the need for the FTC to expend new resources in order to stay up to speed.
Privacy is at the heart of online consumer protection. Since the advent of widespread computing, the Internet and distributed databases, it has become far easier for businesses to collect, store and trade information about their customers. Frequently, the information collected includes sensitive or personally identifying data, which, if not properly secured, can become a tool for identity theft. Companies also may use this data to track consumer preferences and behavior, often without the consumer’s knowledge or permission.
Despite this unprecedented threat, there is still no single comprehensive law that spells out consumer privacy rights. Instead, a confusing patchwork of distinct, and sometimes inadequate or nonexistent, standards has developed over the years, producing more than a few oddities. For example, we reserve our strongest privacy protections for cable and video records, while travel records and online purchasing data are left disturbingly vulnerable, financial privacy laws have major exceptions, and some important uses of “public records” are left unregulated.
Over the past nine years, CDT has urged Congress to enact a single consistent regime, based on fair information practice principles. Specifically, consumers should be able to:
These protections are crucial to address the new threats faced by online consumers. Consumers need to be put back in control of their personal information, so that privacy is preserved and fraud and abuse prevented.
When this law is finally passed, the FTC, with its leadership role on these issues to date, will undoubtedly be asked to enforce these new privacy protections as well. As the privacy issue is debated, a plan for enforcing the law should be considered concurrently. While the long-term streamlining of privacy law will make educational and other efforts easier, Congress must recognize that the historic effort of protecting Americans’ privacy will require significant resources to implement.