CDD Filings Digital Consumer
Program Areas
-
Electronic Privacy Information Center & CDD Defend Privacy Rights of WhatsApp Users
WhatsApp plan to transfer user data to Facebook is unlawful, groups tell Federal Trade Commission (FTC)
Washington, DC (August 29, 2016) – The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) today filed a complaint with the Federal Trade Commission, stating that the WhatsApp plan to transfer user data to Facebook is unlawful and that the FTC is obligated to block the proposed change in business practices. The EPIC-CDD complaint responds to a recent announcement from WhatsApp that the company plans to disclose the verified telephone numbers of WhatsApp users to Facebook for user profiling and targeted advertising. “When Facebook acquired WhatsApp, WhatsApp made a commitment to its users, to the Federal Trade Commission, and to privacy authorities around the world not to disclose user data to Facebook. Now they have broken that commitment,” said Marc Rotenberg, President of EPIC. “Clearly, the Federal Trade Commission must act. The edifice of Internet privacy is built on the FTC’s authority to go after companies that break their privacy promises.” Facebook and WhatsApp are the two largest social network services in the world. According to Wikipedia, WhatsApp has over one billion users. Facebook purchased the company in February 2014 for 19.3 billion dollars. EPIC Consumer Protection Counsel Claire Gartland explained, “In 2014, the FTC said that WhatsApp had to obtain affirmative consent to transfer user data to Facebook. There was an opt-out provision but that only applied to new information. Since WhatsApp intends to transfer user telephone numbers, which is not new data, it must obtain opt-in consent.” Gartland continued, “The phone number may also be the single most valuable piece of personal data obtained by WhatsApp. WhatsApp users are required to provide a verified phone number to use the service. And the phone number provides a link to a vast amount of personal information.” “The proposed change – an opt-out for data previously obtained – is exactly what the FTC said WhatsApp could not do,” said Gartland. “The transfer is only allowed if the consent is opt-in.” “The FTC has an obligation to protect WhatsApp users. Their personal information should not be incorporated into Facebook’s sophisticated data driven marketing business,” said Katharina Kopp, Ph.D., and CDD’s Director of Policy. “Data that was collected under clear rules should not be used in violation of the privacy promises that WhatsApp made. That is a significant change that requires an opt-in, according to the terms the FTC set out. It’s not complicated. If WhatsApp wants to transfer user data to Facebook, it has to obtain the user’s affirmative consent.” In 2011, EPIC, CDD and more than a dozen consumer privacy organizations pursued a successful complaint at the FTC that led to a twenty-year consent order after Facebook changed user privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. Former FTC Chair John Liebowitz said at the time, “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not." When Facebook proposed to acquire WhatsApp in 2014, EPIC and CDD said the FTC must protect the privacy of WhatsApp users. The FTC said that WhatsApp must continue to honor its privacy promises to consumers. The FTC warned, “If the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook.” The Federal Trade Commission has previously undertaken investigations against many firms that have engaged in unfair or deceptive trade practices. The Electronic Privacy Information Center (EPIC) (link is external) is a public interest research center in Washington, DC. EPIC was established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age. EPIC maintains one of the most popular privacy web sites in the world - epic.org (link is external) - and pursues a wide range of program activities including policy research, public education, litigation, publications, and advocacy. The Center for Digital Democracy (CDD) is recognized as one of the leading consumer protection and privacy organizations in the United States. Since its founding in 2001 (and prior to that through its predecessor organization, the Center for Media Education), CDD has been at the forefront of research, public education, and advocacy protecting consumers in the digital age. REFERENCES EPIC/CDD, In the Matter of WhatsApp: Complaint, Request for Investigation, Injunction, and Other Relief (Aug. 29, 2016), https://epic.org/privacy/ftc/whatsapp/EPIC-CDD-FTC-WhatsApp-Complaint-20... (link is external) FTC, “Enforcing Privacy Promises” (2016), https://www.ftc.gov/news-events/media-resources/protecting-consumer-priv... (link is external) FTC Press Release, “FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition” (Apr. 10, 2014), https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external) FTC Letter to FB and WhatsApp, "Letter From Jessica L. Rich, Director of the Federal Trade Commission Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, and to Anne Hoge, General Counsel, WhatsApp Inc.” (Apr. 10, 2014), https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external) FTC, "Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises” (2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-... (link is external) FTC Consent Order with FB (2011), https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-fina... (link is external) EPIC, In re WhatsApp, https://epic.org/privacy/internet/ftc/whatsapp/ (link is external) EPIC, In re Facebook, https://epic.org/privacy/inrefacebook/ (link is external) ### -
In Reply Comments to FCC, CDD Explains Why Consumers Require Privacy Protection from Broadband Network Providers
Filing counters industry claims, including on consumer choice and role of digital ad market. Provided new evidence on growth of ISP "Big Data" commercial consumer profiling practices. CDD and colleagues also file on failure of multistakeholder process and also need to protect privacy of children and adolescents
We believe that the absence of any FCC rulemaking to protect the privacy of broadband customers would significantly add to the already prevalent sense of confusion and sense of loss of control among broadband internet customers under the existing FTC regime. Instead, the proposed rules will give ISP customers much needed control over their data and are much more likely to increase consumer confidence. Second, we would like to emphasize that current BIAS provider data practices already undermine the privacy of their customers and that they are in the process of further building out their powerful data management capabilities. Due to these practices and their significant position in the data eco system, BIAS providers are a growing and significant marketplace force in digital advertising. Contrary to companies’ and trade associations’ claims, we see no evidence that giving BIAS providers’ customers effective privacy choices will limit the online advertising industry to flourish. The American public wants to see its privacy protected and needs the safeguards proposed by the Commission. Nothing less will limit the expansion of an unprecedented intrusion of BIAS providers into the most private aspects of American consumers’ lives. The Commissions’ proposed rules are needed to protect individual autonomy and the fundamental right to privacy and self-determination. see attached for the complete Reply Comment Also attached is joint filing showing how the so-called "Multistakeholder" Process on privacy, organized by the Department of Commerce, has repreatedly failed to protect the public. -
In the Matter of Petition of Public Knowledge, Center for Digital Democracy, Consumer Watchdog, Consumer Federation of America, and TURN —The Utility Reform Network Introduction: 47 U.S.C. §551 and 47 U.S.C. § 338(i) (collectively referred to as “privacy rules”) require that cable and satellite providers (herein referred to as “cable operators”) obtain the “written or electronic consent of the subscriber concerned” prior to the collection and use of that information for advertising purposes. Cable operators are also required to provide a written statement to their subscribers, which clearly and conspicuously informs the subscriber of the nature of the use of their personally identifiable information. Through these rules, Congress and the Federal Communications Commission have emphasized the importance of giving consumer’s control over how their information is being used. Despite this, cable operators have continued to use large amounts of their customers’ data without properly obtaining customer consent or informing subscribers of the extent of the use of their information. The Commission should enforce the relevant privacy provisions to ensure that cable operators only use subscriber information when they have the consent required by law. Cable Operators Collect and Share Large Amounts of Customer Data to Generate Targeted Advertising. The use of consumer data to target consumers for advertising is on the rise. Exactly how and to what extent cable operators are leveraging their customer’s data has been extensively documented in a recent report by the Center for Digital Democracy. Cable operators increasingly gather their customers’ personal information, share and combine that information with third parties, and use it to target customers for advertising on an individual level. Verizon, Comcast, Google, AT&T, Time Warner, Cablevision and others have incorporated powerful layers of data collection and digital marketing technologies to better target individuals. AT&T’s TV Blueprint, for example, “gives advertisers working with AT&T the ability to reach people based on factors like device, operating system, whether or not they’re heavy data users or the status of their carrier contract,” using “sophisticated second-by-second set- top box data” and other information. AT&T pulls data “from millions of set-top boxes” and analyzes consumer viewing history and uses these data to target consumers based on their viewing profile. Companies like Cablevision leverage granular data and precise details of household viewing behavior, and combine it with third-party data covering other intimate details of consumers’ lives to analyze and target specific individuals with video advertising across a range of screens. In their own words, “this set-top box level targeting lets marketers target customers that fit particular trends, profiles, demographics and attributes, and they can also pair the Cablevision data with their own or third-party data.” Cablevision and AT&T are not alone in their pervasive use of consumer data. Comcast recently acquired Visible World, which boasts of using data “from millions of enabled Smart TVs” as part of its advertising targeting service. Data points used to target consumers include income, ethnicity, education level, what kind of car they drive, purchase history, and location of their residence. Further, Comcast has acquired companies like This Technology, which is capable of inserting personalized content into network streams—including advertising messages tailored for specific individuals. These programs illustrate how cable providers give advertisers the ability to easily access and use a customer’s information, without that customer knowing the extent to which that information is being used. While these practices are broadly indicative of the ways many cable operators improperly use subscriber data, AT&T, Cablevision, and Comcast are among the most egregious. The Commission should investigate these practices and find that they violate the privacy rules. --- Full filed complaint attached below.
-
CDD Calls on FCC to Protect Consumer Privacy on Broadband Networks
Comments show ISP "Big Data" techniques used to target consumers and discusses limited capabilities of FTC
The Center for Digital Democracy (CDD), a nonprofit organization representing the interests of consumers in the digital marketplace, strongly supports the Federal Communication Commission’s (FCC) proposal to empower individuals to make effective decisions regarding their privacy on broadband networks. Broadband Internet access service (BIAS) plays a powerful and distinctive role in the commercial digital media marketplace, requiring precisely the set of sensible safeguards offered by the Notice of Proposed Rulemaking (NPRM). CDD believes it is entirely necessary and consistent with the Communications Act that the commission extend longstanding consumer-protection policies for the telephone network into the modern broadband context. The role of the network in the broadband marketplace has a distinct purpose compared to so-called “edge” content providers: to facilitate a fairly managed and efficient connection between the subscriber/consumer and the content and/or services of their choice. Given their network-management role, BIAS providers have unique capabilities in terms of monitoring the communications and activities of their subscribers, enabling the capture and use of an extensive array of personal and other consumer information. Positioned by necessity at the center of subscribers’ wireline or wireless broadband use, and holding a “digital key” that can help analyze much of their users’ digitally connected behaviors, BIAS providers have unlimited opportunities to influence the decisions consumers make via data-collection-related applications and services. Consumers today confront a far-reaching and largely invisible data-gathering apparatus that tracks and analyzes their every move online. For example, as the FTC has acknowledged, the growth of cross-device tracking, enabling the identification of a particular consumer’s use of personal computers, mobile phones, tablets, and increasingly even television, and combining multiple sources of data for the development of a targeting profile, illustrates how recent advances in digital data collection pose growing threats to consumer privacy. Indeed, the journal of the Association of National Advertisers explained just last month, “cross-device marketing … allows unprecedented access to individual consumers via personal or shared household devices. … Data-driven cross-device marketers gain exclusive access to a slew of advantageous marketing enhancements, including consistent messaging across all devices … .” Leading BIAS providers promise such cross-device targeting capabilities. Lacking the ability to enact regulations to protect privacy (except for children 12 and under), the FTC has been powerless to ensure consumer protection from cross-device tracking practices, let alone from the growing myriad of practices that gather consumer data from social media, mobile app, online video usage, programmatic targeting, and many other practices. Without the authority to issue regulations on privacy-related matters connected to consumer financial services, for example, the FTC has been forced to rely on its Section 5 authority related to unfair and deceptive practices. In practical terms, this has enabled the digital-data industry to recognize that there are no real constraints to their rapidly expanding collection, analysis, and use of consumer data. The FTC has long recognized that its inability to issue regulations has placed the agency at a serious disadvantage, and has called for the enactment of new regulatory authority. For example, as former FTC Chairman Jon Leibowitz testified before Congress in 2009, in order for the agency “to perform a greater and more effective role protecting consumers … changes in the law and additional authority to promulgate needed rules …” are required. As CDD explained in its March 2016 report on the growth of digital data gathering by leading ISPs (and filed separately in this proceeding), companies such as ATT, Comcast, Verizon, Cablevision, and Charter have made significant investments in their ability to capture, process, and take advantage of a consumer’s information across all the devices they use daily. They are using cloud- and IP-based management systems to deliver data-connected advertising and marketing; have invested in or allied with real-time programmatic marketing technologies that, in milliseconds, make personalized ad-related decisions on which consumers to target and for what product; and have acquired numerous companies that strengthen their hold and use of consumer information, including data gathered by their consumers’ use of apps, online video, and mobile phones... Key characteristics of the BIAS data collection apparatus include: [see attached comments for full submission] -
Set-top Box market should be open, but consumers and privacy protected, CDD tells FCC
Calls for Safeguards for sensitive data, including protecting youth, seniors, and use of ethnic/racial information in FCC"s Navigational Device Proceeding
The Center for Digital Democracy (CDD), which works to empower and protect consumers in the digital marketplace, endorses the Federal Communications Commission’s (FCC) important proposal to provide both choice and competition in the provision of navigational devices for video and related content. CDD strongly believes that the FCC should proceed with its plan to allow third parties to build and sell navigational devices. We support giving these developers/providers access to the information proposed in the NPRM, including Service Discovery, Entitlement, and Content Delivery data. For decades, a handful of powerful cable—and now also telephone—companies have held a monopoly over the design, availability, and use of set-top boxes. This has resulted in greater costs to subscribers, including an especially unfair burden on low- or limited-income consumers. The set-top stranglehold has impaired competition and programming diversity, and has undermined consumer privacy. --- Full PDF of filing attached. -
This brief is submitted on behalf of several Consumer Privacy Organizations who seek to protect consumers from data breach, financial fraud, and identity theft. The Consumer Privacy Organizations associated with the EPIC amicus brief believe that a court order to compel Apple to develop a technique to break security features designed to keep out third parties will result in an increase in crime against consumers. The Electronic Privacy Information Center (“EPIC”) is a public interest research center in Washington, D.C., established in 1994 to focus public attention on emerging privacy and civil liberties issues. EPIC was specifically established to advocate for the use of strong encryption technology and for the development of related Privacy Enhancing Technologies. EPIC led the effort in the United States in the 1990s to support strong encryption tools and played a key role in the development of the international framework for cryptography policy that favored the deployment of strong security measures to safeguard personal information. EPIC also published the first comparative studies of international encryption policy. (See EPIC Cryptography and Libert 1998: An International Survey of Encryption Policy.) The Center for Digital Democracy (CDD) is one of the leading consumer protection and privacy organizations in the United States. Since its founding in 2001, CDD has been at the forefront of research, public education, and advocacy protecting consumers in the digital age. Constitutional Alliance is privately funded nonpartisan non-profit organiation whose stated mission is to "preserve state and national sovereignty, and the unalienable rights to life, liberty and the pursuit of happiness as pronounced in the Declaration of Independence and protected under the Bill of Rights of the United States of America." Consumer Action empowers underrepresented consumers nationwide to assert their rights in the marketplace and financially prosper through multilingual financial education materials, community outreach, and issue-focused advocacy. Consumer Watchdog is a nonprofit organization dedicated to educating and advocating on behalf of consumers for over 25 years.11 Its mission is to provide an effective voice for the public interest. Consumer Watchdog’s programs include health care reform, oversight of insurance rates, energy policy, protecting privacy rights, protecting legal rights, corporate reform, and political accountability. The Cyber Privacy Project researches and educates the public about privacy issues raised in today’s networked world. Patient Privacy Rights (“PPR”) works to empower individuals and prevent widespread discrimination based on health information using a grassroots, community organizing approach. PPR educates consumers, champions smart policies, and exposes and holds industry and the government accountable. The Privacy Rights Clearinghouse (“PRC”) is a nonprofit consumer education and advocacy organization based in San Diego, California. Established in 1992, the PRC focuses on consumers’ rights and interests relating to informational privacy, answers individual consumer inquiries, and maintains a robust website of practical privacy protection tips. Privacy Times provides accurate reporting, objective analysis and thoughtful insight into the events that shape the ongoing debate over privacy and Freedom of Information. --- See full brief attached.
-
Advocates Charge Google with Deceiving Parents about Content on YouTube Kids
App for preschoolers is rife with videos that are potentially harmful to children
Washington, DC – Tuesday, May 19 – Two leading child and consumer advocacy groups have filed an important update to their Federal Trade Commission complaint against Google’s YouTube Kids app for false and deceptive marketing. In a letter sent to the Commission today, the groups charged that Google is deceiving parents by marketing YouTube Kids as a safe place for children under five to explore when, in reality, the app is rife with videos that would not meet anyone’s definition of “family friendly.” A review by the Campaign for a Commercial-Free Childhood (CCFC) and Center for Digital Democracy (CDD) has found a significant amount of content that would be extremely disturbing and/or potentially harmful for young children to view, including: Explicit sexual language presented amidst cartoon animation Videos that model unsafe behaviors such as playing with lit matches, shooting a nail gun, juggling knives, tasting battery acid, and making a noose A profanity-laced parody of the film Casino featuring Bert and Ernie from Sesame Street Graphic adult discussions about family violence, pornography, and child suicide Jokes about pedophilia and drug use Advertising for alcohol products CDD and CCFC provided a video (link is external) to the FTC today documenting an array of inappropriate content that can found on YouTube Kids. “Federal law prevents companies from making deceptive claims that mislead consumers," said Aaron Mackey, the coalition’s attorney at Georgetown Law's Institute for Public Representation. "Google promised parents that YouTube Kids would deliver appropriate content for children, but it has failed to fulfill its promise. Parents rightfully feel deceived by YouTube Kids." Google claims that YouTube Kids was “built from the ground up with little ones in mind” and is “packed full of age-appropriate videos.” The app includes a search function that is voice-enabled for easy use for preschool children. Google says it uses “a mix of automated analysis, manual sampling, and input from our users to categorize and screen out videos and topics that may make parents nervous.” Google also assures parents that they “can rest a little easier knowing that videos in the YouTube Kids app are narrowed down to content appropriate for kids.” But, as the complaint explains: Google does not, in fact, “screen out the videos that make parents nervous” and its representations of YouTube Kids as a safe, child-friendly version of YouTube are deceptive. Parents who download the app are likely to expose their children to the very content they believed they would avoid by using the preschool version of YouTube. In addition to the unfair and deceptive marketing practices we identified in our initial request for an investigation, it is clear that Google is deceiving parents about the effectiveness of their screening processes and the content on YouTube Kids. “In the rush to expand its advertising empire to preschoolers, Google has made promises about the content on YouTube Kids that it is incapable of keeping,” said Josh Golin, Associate Director of CCFC. “As a parent, I was shocked to discover that an app that Google claims is safe for young children to explore includes so much inappropriate content from the Wild West of YouTube.” Today’s letter is an update to the advocates’ April 7, 2015 FTC complaint that charged Google with engaging in unfair and deceptive practices towards children and their parents. That complaint detailed how YouTube Kids featured ads and other marketing material that took advantage of children’s developmental vulnerabilities. It also noted that the “blending of children’s programming content with advertising material on television has long been prohibited because it is unfair and deceptive to children. The fact that children are viewing the videos on a tablet or smart phone screen instead of on a television screen does not make it any less unfair and deceptive.” The complaint also called on the FTC to address the failure by Google to disclose that many makers of so-called “user-generated” videos featuring toys and candy have relationships with those product's manufacturers. “The same lack of responsibility Google displayed with advertising violations on YouTube Kids is also apparent in the content made available on the app,” observed Dale Kunkel, Professor of Communication at University of Arizona. “There is a serious risk of harm for children who might see these videos. It’s clear Google simply isn’t ready to provide genuinely appropriate media products for children.” Added Jeff Chester, executive director of CDD, “Google gets an 'F' when it comes to protecting America’s youngest kids. The failure of the most powerful and technologically advanced media company to create a safe place for America’s youngest kids requires immediate action by the FTC.” Today’s letter to the FTC is available below. The coalition’s original FTC complaint is available at http://bit.ly/1LeQHCN. The compilation of YouTube Kids video clips can be viewed at https://vimeo.com/127837914 (link is external). -
News
U.S. PIRG Education Fund & CDD File Add'l Comments on Big Data at FTC: Urge Action to Rein in "Wild West" of Unfair & Discriminatory Practices
U.S. PIRG Education Fund and the Center for Digital Democracy (CDD) respectfully submit these additional comments to the Federal Trade Commission (FTC). A set of regulatory and other safeguards is urgently required to ensure that contemporary “Big Data”-driven financial services are used in an equitable, transparent, and responsible manner. All Americans, especially those who confront daily challenges to their economic security, should be assured that their lives will be enhanced—not undermined—by the new digital-data financial services marketplace. A closer critical examination of the commercial information infrastructure in the U.S. reveals a set of well-developed and interconnected data collection and use practices that few consumers are aware of—let alone have consented to. While the commission’s September 2014 workshop explored some of the key issues, it did not sufficiently examine the implications of current “Big Data” business practices. U.S. PIRG Education Fund and CDD urge the commission to issue a final report that addresses the issues we identify [see attached file].