Federal Trade Commission must observe core principles of consumer protection, regardless of the pace of technology, Commissioner Julie Brill says.
Apple-IBM Deal: 9 Moves Rivals Should Make
(Click image for larger view and slideshow.)
As the Federal Trade Commission cracks down on in-app purchasing activity by Apple, Amazon, and maybe Google, and other aspects of the mobile and big-data world, such as the activities of data brokers, the agency is striving mightily to keep abreast of changing technology, an FTC commissioner said Wednesday.
"The law on some level is always going to lag behind technology because technology is moving at lightning speed," FTC Commissioner Julie Brill said during Tech in Policy event hosted by The Hill. Yet as businesses take advantage of new technologies, "there are fundamental consumer protection rules that apply, and they should be thinking about those as they move forward."
While saying she could not comment on specific FTC actions, Brill said the fact that the agency is taking action should send the message that it will move against companies large or small. "If they fall outside normal consumer protection principles, we will take action," she said. "There's a fundamental principle that, before you charge the consumer, make sure you obtain consent." Applying that principle in a high tech environment might be tricky, but it is still necessary.
One of the issues with in-app purchases has been that they make it too easy for the user to run up a big bill, even when the user is a child playing a game and the person getting the bill is a parent who didn't specifically authorize those purchases.
Brill appeared onstage with Morgan Reed, executive director of ACT, also known as The App Association. Reed agreed that managing in-app purchases properly is important, although he insisted the industry is "growing up" about how to do it better. "We're doing a much better job of saying, 'Are you sure you want to buy this? Are you sure you're good with this?'" he said, but doing it properly takes some finesse because app users get frustrated when they are bombarded with too many confirmation pop-ups.
FTC Commissioner Julie Brill
"One of the things we've learned from HIPAA notification and credit card notifications is that over-notification is almost worse than no notification," Reed said.
The FTC has tried to stay abreast of the issues as they pertain to children in particular, acting ahead of its normal 10-year regulatory update cycle to update the COPPA rules for children's data privacy last year. When the regulations were reviewed in 2005, there seemed to be little need for change, but by 2010 mobile apps for children had become such a big factor that the agency recognized it needed to accelerate its update of the rules, she said. Balancing consumer concerns against what's practical for industry to implement is not easy, but she believes the FTC job has done a good job of preserving its "fundamental principles" of consumer protections for the new environment.
Reed said the opportunity for industry to participate in that process was important. As an example of how outdated the rules had become, he said, "some of the methodologies for verifiable parent consent involved faxing. Does anyone here even have a fax machine anymore?"
Brill also worried about big-data analysis of consumer behavior getting out of hand, particularly in areas like consumer health. She pointed to the story of Target finding out a teenage girl was pregnant before her parents knew. (The retailer apologized after it started sending the girl baby coupons after an analysis of her shopping patterns). Similarly, some women trying to get pregnant have begun using apps that track their ovulation -- just one example of a class of healthcare apps that track highly sensitive data. Wearable devices that collect medical data take that even further.
"We need to think how we can apply some of the principles around notice and choice" to those health and fitness tracking applications, she said. "We're going to have to be more creative about it because these are often devices that do not have a user interface."
Reed noted health monitoring apps and devices also are providing an inexpensive way to gather biometric data patients can share with their doctors and get better care. "We need that information to flow," he said, and regulators need to take care not to intervene in ways that prevent those positive interactions.
Brill said the issue is not about people sharing health data with their doctors but about third parties who might have access to the transaction and store that data. The concern is when you "communicate that you have diabetes, that you have high blood pressure, and this information goes into a profile about you," she said.
Reed tried to make the distinction that such violations of trust are "about the behavior and not the fact that data can flow between devices."
"I actually reject that," Brill fired back, arguing that industry is too quick to say that the issues revolve solely around how the information is used, not what information is collected. When a data breach occurs, consumers don't want to be surprised to find out what information retailers or hospitals had collected and stored about them. "We need to think about sensitive data being held in a third party's hands," she said.
Reed agreed that organizations collecting big data need to be held to a high standard. "I'd like to see the FTC go after more people about data breaches," he said. "They should be held accountable for sloppy practices in the data center," he said, so that all businesses are made more aware of the hazards of "not spending money on the front end to make data secure."
Our new survey shows federal agencies focusing more on security, as they should, but they're still behind the times with cloud and overall innovation. Read InformationWeek's Government IT Priorities digital issue.
David F. Carr oversees InformationWeek's coverage of government and healthcare IT. He previously led coverage of social business and education technologies and continues to contribute in those areas. He is the editor of Social Collaboration for Dummies (Wiley, Oct. 2013) and ... View Full Bio
How Enterprises Are Attacking the IT Security EnterpriseTo learn more about what organizations are doing to tackle attacks and threats we surveyed a group of 300 IT and infosec professionals to find out what their biggest IT security challenges are and what they're doing to defend against today's threats. Download the report to see what they're saying.
IT Strategies to Conquer the CloudChances are your organization is adopting cloud computing in one way or another -- or in multiple ways. Understanding the skills you need and how cloud affects IT operations and networking will help you adapt.