
U.S. Regulators Propose Reining in Data Brokers

By: Nick Heer

Out of the U.S. today comes a slew of new proposed restrictions against data brokers and their creepy practices.

The Consumer Financial Protection Bureau:

[…] The proposed rule would limit the sale of personal identifiers like Social Security Numbers and phone numbers collected by certain companies and make sure that people’s financial data such as income is only shared for legitimate purposes, like facilitating a mortgage approval, and not sold to scammers targeting those in financial distress. The proposal would make clear that when data brokers sell certain sensitive consumer information they are “consumer reporting agencies” under the Fair Credit Reporting Act (FCRA), requiring them to comply with accuracy requirements, provide consumers access to their information, and maintain safeguards against misuse.

The Federal Trade Commission:

The Federal Trade Commission will prohibit data broker Mobilewalla, Inc. from selling sensitive location data, including data that reveals the identity of an individual’s private home, to settle allegations the data broker sold such information without taking reasonable steps to verify consumers’ consent.

And also the Federal Trade Commission:

The Federal Trade Commission is taking action against Gravy Analytics Inc. and its subsidiary Venntel Inc. for unlawfully tracking and selling sensitive location data from users, including selling data about consumers’ visits to health-related locations and places of worship.

Both of the proposed FTC orders require these businesses to “maintain a sensitive location data program designed to develop a list of sensitive locations and prevent the use, sale, license, transfer, sharing, or disclosure of consumers’ visits to those locations”. These include, for example and in addition to those in the above quotes, shelters, labour union offices, correctional facilities, and military installations. This order was previewed last month in Wired.

As usual, I am conflicted about these policies. While they are yet another example of Lina Khan’s FTC and other government bureaucrats cracking down on individually threatening data brokers, it would be far better for everyone if this were not handled on a case-by-case basis. These brokers have already caused a wealth of damage around the world, and only they are being required to stop. Other players in the rest of the data broker industry will either self-govern or hope they do not fall into the FTC’s crosshairs, and if you believe the former is more likely, you have far greater faith in already-shady businesses than I do.

There is another wrench in these proposals: we are less than two months away from a second Trump presidency, and the forecast for the CFPB looks unfriendly. It was kneecapped during the first administration and it is on the chopping block for those overseeing an advisory committee masquerading as a government agency. The future of the FTC is more murky, with some indicators it will continue its current path — albeit from a Republican-skewed perspective — while others suggest a reversal.

The centring of the U.S. in the digital activity of a vast majority of us gives it unique power on privacy — power it has, so far, used in only very small doses. The future of regulatory agencies like these has relevance to all of us.


U.S. Federal Trade Commission Launches Broad Microsoft Investigation

By: Nick Heer

Leah Nylen, Josh Sisco, and Dina Bass, Bloomberg:

The US Federal Trade Commission has opened an antitrust investigation of Microsoft Corp., drilling into everything from the company’s cloud computing and software licensing businesses to cybersecurity offerings and artificial intelligence products.

Seems like a lot of people who thought Microsoft would escape antitrust investigations in the U.S. might have been a little too eager.

This kind of scrutiny is a good thing, and long overdue. Yet one of the unavoidable problems of reducing the influence of these giant corporations now is the pain it is going to cause — almost by definition. If a corporation is abusing its power and scale to such a degree the FTC initiates an investigation, unwinding that will have — to put it mildly — an effect. We are seeing this in the Google case. This is true for any situation where a business or a group of people with too much influence needs correcting. That does not mean it should not happen.

It is true that Microsoft’s products and services are the backbone of businesses and governments the world over. These are delivered through tight integrations, all of which encourages further fealty to this singular solution. For example, it used its dominant position with Office 365 to distribute Teams for free, thereby making it even harder for other businesses to compete. It then leveraged Outlook and Teams to boost its web browser, after doing the same with Windows. If it charged for Teams out of the gate, we would be having a different discussion.

Obviously, the FTC’s concerns with Microsoft’s business practices stretch well beyond bundling Teams. According to this Bloomberg report, the Commission is interested in cloud and identity tying, too. On the one hand, it is enormously useful to businesses to have a suite of products with a single point of management and shared credentials. On the other hand, it is a monolithic system that is a non-starter for potential competitors.

The government is understandably worried about the security and stability risks of global dependence on Microsoft, too, but this is odd:

The CrowdStrike crash that affected millions of devices operating on Microsoft Windows systems earlier this year was itself a testament to the widespread use of the company’s products and how it directly affects the global economy.

This might just be Bloomberg’s contextualizing more than it is relevant to the government’s position. But, still, it seems wrong to me to isolate Windows as the problem instead of CrowdStrike itself, especially with better examples to be found in the SolarWinds breach and its track record with first-party security.


U.S. Federal Trade Commission Sues Adobe Over Subscription Practices

By: Nick Heer

The U.S. Federal Trade Commission:

The Federal Trade Commission is taking action against software maker Adobe and two of its executives, Maninder Sawhney and David Wadhwani, for deceiving consumers by hiding the early termination fee for its most popular subscription plan and making it difficult for consumers to cancel their subscriptions.

A federal court complaint filed by the Department of Justice upon notification and referral from the FTC charges that Adobe pushed consumers toward the “annual paid monthly” subscription without adequately disclosing that cancelling the plan in the first year could cost hundreds of dollars. Wadhwani is the president of Adobe’s digital media business, and Sawhney is an Adobe vice president.

The inclusion of two Adobe executives as co-defendants is notable, though not entirely unique — in September, the FTC added three executives to its complaint against Amazon, a move a judge recently upheld.

The contours of the case itself bear similarities to the Amazon Prime one, too. In both cases, customers are easily coerced into subscriptions which are difficult to cancel. Executives were aware of customer complaints, according to the FTC, yet they allegedly allowed or encouraged these practices. But there are key differences between these cases as well. Amazon Prime is a monthly cancel-anytime subscription — if you can navigate the company’s deliberately confusing process. Adobe, on the other hand, offers three ways to pay for many of its products: on a monthly basis which can be cancelled at any time, on an annual basis, or on a monthly basis locked into an annual contract. However, it predominantly markets its products with the latter option, and preselects it when subscribing. That is where the pain begins.

The difficulty and cost of cancelling an Adobe subscription is legendary. It is right up there with gyms for how badly it treats its customers. It has designed a checkout process that defaults people into an annual contract, and a cancellation workflow which makes extricating oneself from that contract tedious, time-consuming, and expensive. If Adobe wanted to make it obvious what users were opting into at checkout, and easy for them to end a subscription, it could have designed those screens in that way. Adobe did not.


Same Problems, Different Solutions

By: Gorazd

I also use my visit to DefCon to renew my membership in the EFF – Electronic Frontier Foundation. Why do I pay membership dues to a non-profit organization in the U.S.? Because they fight for freedom on the network with very concrete measures: from paying lawyers for daring comic artists, to advocating for net neutrality and fighting ACTA, SOPA, TTIP, CISA, and other such agreements.

For example. These days websites constantly notify you that they use cookies, because that is what the EU directive, transposed into local legislation, requires. It seems to me that most users find these notices more annoying than useful, while most server administrators only tell you that cookies will make your experience better and offer you nothing but a confirmation button, which is not quite the right solution either. From the start I was sceptical that the EU cookie directive would really achieve its purpose: that the big internet feudal lords would no longer be able to track you. We quickly got used to clicking OK/Confirm so that the notice goes away and we can do what we came to the site to do.

The EFF tackled the problem differently: with an add-on for the Firefox and Chrome browsers that prevents the owners of large websites and advertisers from tracking you while you browse. The add-on is called Privacy Badger and is, of course, available for free. Perhaps we can see here different approaches to solving the same problem: a more “engineering” one, which finds a technological solution to the problem, and a more “legal” one, which tackles even the problems of new technologies primarily by writing a new law or directive. The EU missed a good opportunity here: by funding a concrete, long-term maintained software solution, it could have given users themselves control over their use of the web and taken the leading role, so celebrated by the Commission, in at least one small corner of the information society. Well, at least there is the EFF.

We know several kinds of infinity; from mathematics I myself remember the countable and the uncountable. Mobile operators, however, use the term “infinite” for plans that are not, which is supposedly clear to everyone anyway. Slovenia’s Market Inspectorate (Tržni inšpektorat RS) and the Advertising Tribunal (Oglaševalsko razsodišče) hold that this is not a problem. It was refreshing to hear, on this subject, a talk by the U.S. FTC (Federal Trade Commission) at DefCon about cases in which they fight questionable practices of private companies on the internet.


The talk left no doubt: if browsing is “throttled” after a certain amount, that has to be clearly shown, so this is a case of misleading consumers. But that was one of the more trivial cases. They also fight, for example, against retailers tracking your movement around a store even though you have not connected to their Wi-Fi (while also capturing people moving outside the store premises). Or crazier still: when the provider of some online service wants to link all of your devices without telling you. How? With audio signals that are below the audible frequency threshold, but which electronic devices detect and decode without difficulty.

At the end they called on the audience to help them deal with technological issues that intrude on individuals’ privacy, and gave some advice on how to fight problems of this kind: with clear explanations of the problems, solid analogies, a focus on one concrete problem (rather than explaining the whole internet in general), and by avoiding acronyms.

Judging by the questions from the audience and the strong applause, these were among the few “feds” who were welcome at DefCon.
