Tech Law Journal Daily E-Mail Alert
Friday, August 10, 2012, Alert No. 2,426.
Home Page | Calendar | Subscribe | Back Issues | Reference
FTC Releases Decision and Order in Administrative Action Against Facebook

8/10. The Federal Trade Commission (FTC) adopted and released its final Decision and Order [9 pages in PDF] in the administrative proceeding against Facebook which it initiated last November. Facebook admits no wrongdoing, the FTC imposes no fine, and the FTC imposes modest limits on the extent to which Facebook may deceive or lie to its users about its disclosure of users' information. The FTC has adopted the decision proposed last November, without modification.

Last November the FTC brought and settled an administrative action against Facebook for the sharing of users' information, in a manner that was inconsistent with its statements to its users, in violation of Section 5 of the FTC Act, which is codified at 15 U.S.C. § 45.

Last year, Facebook changed its web site, so that certain information that users designated as private, such as their friends list, was made public, without notice or obtaining approval. On November 29, 2011, the FTC released an administrative complaint against Facebook. It simultaneously announced a settlement. See, story titled "FTC Imposes Privacy Related Terms on Facebook" in TLJ Daily E-Mail Alert No. 2,315, November 29, 2012.

The FTC then published a notice in the Federal Register (FR) which solicited public comments. See, FR, Vol. 76, No. 233, December 5, 2011, at Pages 75883-75885. The FTC received 59 comments.

The Electronic Privacy Information Center (EPIC) submitted a comment [31 pages in PDF] in which it urged the FTC to also require that Facebook "Restore the privacy settings that users had in 2009, before the unfair and deceptive practices addressed by the Complaint began; Allow users to access all of the data that Facebook keeps about them; Cease creating facial recognition profiles without users’ affirmative consent; Make Facebook’s privacy audits publicly available to the greatest extent possible; Cease secret post-log out tracking of users across web sites."

Chris Hoofnagle of the University of California at Berkeley submitted a comment in which he argued that "Facebook has engaged in a deliberate, unfair strategy to open profiles, and that as a result, the consent agreement does not place the victim class of millions of Americans into its expectancy position -- the settings they had prior to Facebook's adjustment of them."

Hoofnagle, who is Director of Information Privacy Programs at the Berkeley Center for Law & Technology, wrote that "Information-intensive companies such as Facebook follow a Machiavellian public relations strategy when introducing new programs. Without warning, these companies introduce "features" that invariably result in more information being shared with advertisers, wait for a negative reaction, and then announce minimal changes without affecting the new feature. They explain away the fuss with public relations spin ... This strategy works, time and time again."

He added that "Facebook reaped gains from a clearly unfair business practice. The settlement is insufficient to address this problem for two reasons: first, Facebook's promise to not break the law again is illusory. It can't break the agreement, because Facebook has already opened up profiles to the maximum extent possible. It has won its battle to tilt the disclosure landscape towards publicity. Second, it is also insufficient because the millions of Americans whose settings were affected are worse off, and Facebook is better off."

The FTC rejected these and other recommendations for changes to the final order. See, FTC file with all of its rejection letters.

FTC Commissioner Thomas Rosch wrote a dissent. He objected to allowing Facebook off with a consent agreement without an admission or finding of wrongdoing.

He also wrote that "I am concerned that the order may not unequivocally cover all representations made in the Facebook environment ... relating to the deceptive information sharing practices of apps about which Facebook knows or should know. ... I would include language in the order to make that clear, lest Facebook argue subsequently that the Commission order only covers deceptive conduct engaged in by Facebook itself."

This Decision and Order imposes limits on the extent to which Facebook may lie to its users about sharing of information.

It orders that Facebook "shall not misrepresent" its "collection or disclosure" of certain information or "the extent to which a consumer can control the privacy" of such information.

It also requires that Facebook, "prior to any sharing of a user's nonpublic user information ... with any third party, which materially exceeds the restrictions imposed by a user’s privacy setting(s)" must first disclose to users what information will be shared, and obtain users' "affirmative express consent".

It also requires that Facebook "implement procedures reasonably designed to ensure that covered information cannot be accessed by any third party from servers under" Facebook's control.

It also requires that Facebook develop "a comprehensive privacy program that is reasonably designed to (1) address privacy risks related to the development and management of new and existing products and services for consumers, and (2) protect the privacy and confidentiality of covered information."

It also imposes record keeping and reporting requirements. And, it remains in effect for 20 years.

FTC Commissioner Maureen Ohlhausen did not participate. The Decision and Order is dated July 27, 2012. However, the FTC did not make it public until August 10.

Microsoft Reaffirms Its Commitment to Do Not Track By Default

8/7. Brendon Lynch, Chief Privacy Officer of Microsoft, wrote a short piece titled "Do Not Track in the Windows 8 Setup Experience". He confirms Microsoft's commitment to do not track by default.

Microsoft announced in May that do not track (DNT) will be the default setting for Internet Explorer 10. See, story titled "Microsoft's Next Brower Will Have Do Not Track on by Default" in TLJ Daily E-Mail Alert No. 2,389, June 4, 2012.

Lynch wrote in his August 7 piece that "In the Windows 8 set-up experience, customers will be asked to choose between two ways of configuring a number of settings: ``Express Settings´´ or ``Customize.´´ ... DNT fits naturally into this process. Customers will receive prominent notice that their selection of Express Settings turns DNT ``on.´´  In addition, by using the Customize approach, users will be able to independently turn ``on´´ and ``off´´ a number of settings, including the setting for the DNT signal."

The Federal Trade Commission (FTC) released a report [112 pages in PDF] on March 26, 2012, titled "Protecting Consumer Privacy in a Era of Rapid Change: Recommendations for Businesses and Policy Makers". It states that while companies that make browsers offer "a mechanism to limit online tracking", "consumers are largely unaware of their ability to limit or block online tracking through their browsers, in part because these options may be difficult to find".

The FTC report states that FTC "staff supports a more uniform and comprehensive consumer choice mechanism for online behavioral advertising, sometimes referred to as ``Do Not Track.´´ Such a universal mechanism could be accomplished by legislation or potentially through robust, enforceable self-regulation. The most practical method of providing uniform choice for online behavioral advertising would likely involve placing a setting similar to a persistent cookie on a consumer's browser and conveying that setting to sites that the browser visits, to signal whether or not the consumer wants to be tracked or receive targeted advertisements. To be effective, there must be an enforceable requirement that sites honor those choices."

The World Wide Web Consortium (W3C) has a Tracking Protection Working Group that is working on a standard regarding what DNT means, and what web sites are expected to do, or not expected to do, in response to a user's DNT expression. See, W3C's March 13, 2012 draft document titled "Tracking Preference Expression".

A user gets a web page by using a browser on a computer that sends a request in hypertext transfer protocol (HTTP) via the internet. The server for that web page sends back the code that the user's browser renders as a viewable web page. A concept behind implementing a DNT regime is that a user's browser would send a HTTP header to servers with every request for web pages that indicates that the user does not wish to be tracked. DNT works only if the contacted web servers and advertisers honor these requests.

Recent history has shown that getting web sites and advertisers to honor consumer choices may prove difficult. See, for example, story titled "FTC Sues and Settles With Google for Circumventing Apple Safari Browser's Blocking of Third Party Cookies" in TLJ Daily E-Mail Alert No. 2,425, August 9, 2012.

Senate Committee Holds Hearing on Privacy and Data Security at Federal Agencies

7/31. The Senate Homeland Security and Governmental Affairs Committee's (SHSGAC) Subcommittee on Oversight of Government Management held a hearing titled "State of Federal Privacy and Data Security Law: Lagging Behind the Times?".

Sen. Daniel Akaka (D-HI) wrote in his opening statement that the Privacy Act (PA) and its interpretation by the courts is "out of date", for example, because damages for violation of the PA are limited to economic harm, and because federal agencies remain free to use private sector databases. He also noted that the OMB has not had a chief privacy officer since the Clinton administration, that "responsibility for protecting privacy is fragmented and agencies' compliance with privacy requirements is inconsistent", and that agency data breaches are "widespread". He is the sponsor of S 1732 [LOC | WW], the "Privacy Act Modernization for the Information Age Act".

Sen. Tom Carper (D-DE) wrote in his opening statement that there is a "need for Federal data security standards".

See also, prepared testimony of Mary Ellen Callahan (DHS Chief Privacy Officer), prepared testimony of Greg Long (Federal Retirement Thrift Investment Board), prepared testimony [22 pages in PDF] of Greg Wilshusen (Government Accountability Office), prepared testimony of Peter Swire (Ohio State University law school), prepared testimony of Chris Calabrese (ACLU), and prepared testimony of Paul Rosenzweig (Heritage Foundation).

In This Issue
This issue contains the following items:
 • FTC Releases Decision and Order in Administrative Action Against Facebook
 • Microsoft Reaffirms Its Commitment to Do Not Track By Default
 • Senate Committee Holds Hearing on Privacy and Data Security at Federal Agencies
 • FCC Denies Comcast's Petition for Stay Pending Judicial Review of Tennis Channel Order
Washington Tech Calendar
New items are highlighted in red.
Saturday, August 11

The Federal Communications Bar Association's (FCBA) Young Lawyers Committee will host an event titled "3rd Annual End of Summer Rooftop BBQ". The price to attend is $15. Registrations and cancellations are due by 4:00 PM. on August 8. See, notice. For more information contact Justin Faulb at faulbjl at gmail dot com, Delara Derakhshani at delara dot derakhshani at gmail dot com, or Brendan Carr at BrendanTCarr at gmail dot com. Location: undisclosed.

Monday, August 13

The House will not meet, except for pro forma sessions, until September 10.

The Senate will not meet, except for pro forma sessions, until September 10.

5:00 PM. Deadline to submit initial comments to the Copyright Office (CO) in response to its notice in the Federal Register (FR) regarding its proposed rules that implement the provision of the Satellite Television Extension and Localism Act of 2010 (STELA) that allows copyright owners to audit certain Statements of Account filed with the CO. See, FR, Vol. 77, No. 115, Thursday, June 14, 2012, at Pages 35643-35652. See also, story titled "Copyright Office Issues Proposed STELA Rules Regarding Auditing Statements of Account" in TLJ Daily E-Mail Alert No. 2,398, June 18, 2012.

Tuesday, August 14

The Senate will meet at 2:30 PM in pro forma session.

9:00 AM - 5:00 PM. Day one of a two day meeting of the Department of Energy's (DOE) Advanced Scientific Computing Advisory Committee (ASCAC). See, notice in the Federal Register, Vol. 77, No. 147, Tuesday, July 31, 2012, at Pages 45345-45346. Location: American Geophysical Union (AGU), 2000 Florida Ave., NW.

Wednesday, August 15

9:00 AM - 12:00 NOON. Day two of a two day meeting of the Department of Energy's (DOE) Advanced Scientific Computing Advisory Committee (ASCAC). See, notice in the Federal Register, Vol. 77, No. 147, Tuesday, July 31, 2012, at Pages 45345-45346. Location: American Geophysical Union (AGU), 2000 Florida Ave., NW.

9:00 AM - 3:00 PM. The Department of Health and Human Services' (DHHS) Office of the National Coordinator for Health Information Technology's (ONCHIT) HIT Standards Committee will meet by webcast. See, notice in the Federal Register, Vol. 77, No. 147, Tuesday, July 31, 2012, at Pages 45353-45354.

12:00 NOON. The World Wide Web Consortium's (W3C) Tracking Protection Working Group will meet by teleconference. The call in number is 1-617-761-6200. The passcode is TRACK (87225)

Deadline to submit reply comments to the Copyright Office (CO) in response to its notice in the Federal Register (FR) in which it proposes rules changes regarding the definition of a claimant for purposes of copyright registration. The CO proposes to eliminate the footnote to the definition of a claimant codified at 37 CFR § 202.3(a)(3)(ii), which provides that a claimant includes individuals or entities that have obtained the contractual right to claim legal title to copyright in an application for copyright registration. See, FR, Vol. 77, No. 96, Thursday, May 17, 2012, at Pages 29257-29259. See also, story titled "Copyright Office Proposes to Change Definition of Claimant" in TLJ Daily E-Mail Alert No. 2,386, May 30, 2012.

Thursday, August 16

1:00 - 2:30 PM. The American Bar Association (ABA) will host a webcast and telecast panel discussion titled "A New Beginning in the End: Sound Recording Copyright Terminations -- A Discussion and Debate". The speakers will be Lisa Alter (Alter & Kendrick), Lacy Lodes (Consor Intellectual Asset Management), Lisa Buckley (Pryor Cashman), Marybeth Peters (Oblon Spivak), and Mark Jaffe (Ekeland & Jaffe). Prices vary. CLE credits. See, notice.

2:00 - 3:15 PM. The President's National Security Telecommunications Advisory Committee (NSTAC) will meet via teleconference. The agenda includes discussions of (1) the Nationwide Public Safety Broadband Network (NPSBN), (2) the DHS's National Cybersecurity and Communications Integration Center (NCCIC), and (3) the proposal to develop a separate out of band data network supporting communications among carriers, ISPs, vendors, and additional critical infrastructure owners and operators during a severe cyber incident that renders the internet unusable. This event is open to the public. There will be a period for public comments. The deadline to register to present comments is August 9. The deadline to submit comments in advance of the meeting is August 10. The deadline to submit post meeting comments is August 30. See, notice in the Federal Register, Vol. 77, No. 146, Monday, July 30, 2012, at Pages 44641-44642.

Friday, August 17

The Senate will meet at 11:30 AM in pro forma session.

Deadline to submit comments to the National Institute of Standards and Technology's (NIST) Computer Security Division (CSD) regarding its draft SP 800-124 Rev 1 [29 pages in PDF] titled "Guidelines for Managing and Securing Mobile Devices in the Enterprise".

Monday, August 20

2:00 PM. The U.S. Court of Appeals (FedCir) will hear oral argument in Apple v. Samsung Electronics, App. Ct. No. 2012-1507, an appeal from the U.S. District Court (NDCal) in the patent infringement case involving smart phones and tablet computers. At issue in this oral argument is whether the District Court should have enjoined sale of Samsung's Galaxy Nexus smart phone. Panel I. Location: Courtroom 201.

Deadline to submit to the Copyright Royalty Board (CRB) Petitions to Participate in, and filing fees for, the CRB's proceeding to determine the distribution of the digital audio recording technology royalty fees in the 2005, 2006, 2007 and 2008 Musical Works Funds. See, notice in the Federal Register, Vol. 77, No. 140, July 20, 2012, at Pages 42764-42765.

Deadline to submit comments to the Department of Health and Human Services' (DHHS) Agency for Healthcare Research and Quality (AHRQ) in response to its Request for Information (RFI) regarding current strategies and challenges regarding quality measurement enabled by health information technology (IT). See, notice in the Federal Register, Vol. 77, No. 140, July 20, 2012, Pages 42738-42740.

FCC Denies Comcast's Petition for Stay Pending Judicial Review of Tennis Channel Order

8/9. The Federal Communications Commission (FCC) denied Comcast's Petition for Stay Pending Judicial Review [132 pages in PDF] by the U.S. Court of Appeals (DCCir) of the FCC's order regarding Comcast's distribution of the Tennis Channel.

FCC Commissioner Ajit Pai released a statement in which he wrote that "Had Comcast's petition been presented to the full Commission, I would have voted to stay the Commission’s Order for the reasons Commissioner McDowell and I set forth in our Joint Dissenting Statement." See, dissent.

On July 24, 2012, the FCC released a redacted copy [47 pages in PDF] of its Memorandum Opinion and Order (MOO) in the matter of the Tennis Channel's complaint against Comcast. This MOO affirms the conclusion of an administrative law judge (ALJ) that Comcast violated the FCC's program carriage rules, and must provide equal carriage to Tennis Channel (TC).

The MOO disclosed that the majority of the FCC Commissioners assert that the FCC has broad authority to make decisions for cable companies, and other multichannel video programming distributor (MVPD), regarding what programming to distribute, and at what tier to distribute them.

See, story titled "FCC Asserts Broad MVPD Program Carriage Authority" in TLJ Daily E-Mail Alert No. 2,412, July 26, 2012.

The FCC adopted this MOO on July 16, but did not release it to the public until July 24, 2012. This MOO is FCC 12-78 in MB Docket No. 10-204 and File No. CSR-8258-P.

About Tech Law Journal

Tech Law Journal publishes a free access web site and a subscription e-mail alert. The basic rate for a subscription to the TLJ Daily E-Mail Alert is $250 per year for a single recipient. There are discounts for subscribers with multiple recipients.

Free one month trial subscriptions are available. Also, free subscriptions are available for federal elected officials, and employees of the Congress, courts, and executive branch. The TLJ web site is free access. However, copies of the TLJ Daily E-Mail Alert are not published in the web site until two months after writing.

For information about subscriptions, see subscription information page.

Tech Law Journal now accepts credit card payments. See, TLJ credit card payments page.

Solution Graphics

TLJ is published by David Carney
Contact: 202-364-8882.
carney at techlawjournal dot com
3034 Newark St. NW, Washington DC, 20008.

Privacy Policy
Notices & Disclaimers
Copyright 1998-2012 David Carney. All rights reserved.