CDD Filings

January 27, 2017 - The Center for Digital Democracy and 18 media justice, consumer protection, civil liberties, and privacy groups strongly urge congressional leaders to oppose the use of the Congressional Review Act (CRA) to adopt a Resolution of Disapproval overturning the FCC’s broadband privacy rules.---Click the link below for the full PDF of the letter.

WASHINGTON, DC – December 6, 2016 – The growing popularity of “smart” Internet-connected toys poses significant privacy, security, and other risks to children, according to a complaint filed today (link is external) by leading child advocacy, consumer, and privacy groups at the Federal Trade Commission (FTC). My Friend Cayla and I-Que Intelligent Robot, dolls marketed to both young girls and boys, collect and use personal information from children in violation of the Children’s Online Privacy Protection Act (COPPA) and FTC rules prohibiting unfair and deceptive practices. The complaint calls upon the FTC to investigate and take action against Genesis Toys, the maker of My Friend Cayla and I-Que, and Nuance Communications, which provides third-party voice recognition software for the toys. Groups filing the complaint are the Campaign for a Commercial Free Childhood (CCFC), the Center for Digital Democracy (CDD), Consumers Union, and the Electronic Privacy Information Center (EPIC).When companies collect personal information from children through the Internet, they incur serious legal obligations to protect children’s privacy. COPPA reflects a general understanding that the collection and use of information about young children should be treated with care and avoided when possible. Yet, the complaint charges, “Both Genesis Toys and Nuance Communications unfairly and deceptively collect, use, and disclose audio files of children’s voices without providing adequate notice or obtaining verified parental consent.” The complaint also takes issue with Genesis' failure to take reasonable security measures to prevent unauthorized Bluetooth connections with the toys. As a result, Genesis fails to prevent strangers and predators from covertly eavesdropping on children's private conversations, which "creates a substantial risk of harm because children may be subject to predatory stalking or physical danger."“With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices,“ said Claire T. Gartland, Director, EPIC Consumer Privacy Project. “The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain.”According to the complaint, the list of privacy violations by these “spy toys” is lengthy. For example, the packaging for My Friend Cayla has no mention of privacy, and locating the doll's Terms of Service is a major challenge. Once a parent does locate Cayla’s Privacy Policy and Terms of Use, these documents shed little light on what information is actually collected from children, how it’s used, or where it ends up. In one of the most serious legal violations, Genesis fails to get parents’ consent before collecting children’s voice recordings and other personal data. Children’s voice recordings from the dolls are also sent to Nuance, a company that may use them for its law enforcement and military intelligence products.“Genesis and Nuance are completely disregarding their legal and ethical obligations when it comes to kids’ privacy,” Gartland said. “Instead, they have chosen to exploit children’s sensitive voice recordings and private conversations for corporate profit. It is extremely alarming that what a child says to her ‘trusted’ friend could end up in a voice biometrics database sold to law enforcement and intelligence agencies.”Today’s FTC complaint is part of an unprecedented, coordinated, transatlantic legal action involving consumer and privacy groups in the US and Europe. Leading European consumer organizations filed a series of formal complaints with EU regulators, and with data protection, consumer protection, and product safety agencies in France, the Netherlands, Belgium, Ireland, and Norway. The combined US and European advocacy effort was triggered by groundbreaking research from the Norwegian Consumer Council, which conducted an in-depth legal and technical analysis of three Internet-connected toys (link is external). The Council’s “Toyfail” report examined Cayla, I-Que, and Mattel’s interactive Hello Barbie doll, all of which are produced and distributed by multinational companies and targeted at children.These products are part of a new generation of digital playthings – known as the “Internet of Toys” – which are growing in popularity, with consumers spending an estimated $2.8 billion on them last year (link is external). The toys use WiFi, Bluetooth, or mobile apps, and offer “smart” features such as cameras, microphones, and sensors that can record and respond to children’s interactions.Consumer groups on both sides of the Atlantic have raised serious concerns about the threats that Internet-connected toys pose to children’s privacy, security, and safety, as well as potential harms to children’s psychosocial development.Researchers who analyzed the Cayla doll discovered that it had been pre-programmed with dozens of phrases that reference Disneyworld and Disney movies. This product placement is not disclosed to users and would be difficult for young children to recognize as advertising. “Children form friendships with dolls and toys with ‘personalities,’ and confide intimate details about their lives with them,” said CCFC’s Executive Director Josh Golin. “It is critical that the sensitive data collected by these toys be subject to the most stringent protections and not be used for manipulative and sneaky marketing.”Katie McInnis, technology policy counsel for Consumers Union, said, “As more toys are connected to the Internet, we have to ensure that children's privacy and security are protected. When a toy collects personal information about a child, families have a right to know, and they need to have meaningful choices to decide how their kids' data is used. We strongly urge the FTC to investigate these companies, stop the deceptive practices, and hold them accountable."“Children today are growing up immersed in a digital world, where mobile devices, games, apps, and now a new generation of Internet-toys are profoundly shaping their social interactions, personal experiences, and behaviors,” commented Kathryn Montgomery, Professor of Communication at American University and consultant to CDD. “Regulators need to ensure that children will be able to reap the benefits of these digital technologies without being subjected to harmful practices that undermine their privacy, safety, and wellbeing.”As Montgomery, who led the campaign for passage of COPPA, also noted: “This will be a crucial test of the new FTC under the Trump Administration. Now more than ever, we must ensure that children’s needs are high on the policy agenda for the Big Data era.”The full FTC complaint from CCFC, CDD, Consumers Union, and EPIC is available at https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf (link is external).The full Toyfail report is available at http://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-laws (link is external).A short video demonstrating the toys’ vulnerabilities can be viewed at https://www.youtube.com/watch?v=lAOj0H5c6Yc (link is external).

Center for Digital Democracy, Center for Democracy & Technology, Consumer Action, Consumer Federation of America, Consumer Federation of California, Consumers Union, Electronic Privacy Information Center, National Association of Consumer Advocates, National Consumers League, Benton Foundation, Common Sense Kids Action, and Privacy Rights Clearinghouse file this brief to highlight the potential far-reaching ramifications of this case as well as the degree to which the panel decision breaks from century-long precedent, thereby creating a sharp split among the courts of appeals.First, the panel opinion raises issues of exceptional importance. If allowed to stand, the ruling could immunize from FTC oversight a vast swath of companies that engage to some degree in a common carrier activity. This result is unprecedented, deeply disruptive to the market, and at odds with Congress’s intent. Many of the world’s largest companies offer broadband Internet or other common carriage service. These highly diverse companies could harm consumers by committing acts that are deceptive or unfair, breach privacy commitments, fail to provide reasonable security for sensitive personal data, violate any of the seventy consumer protection statutes Congress has directed the FTC to enforce, or, as in the AT&T case, deliberately omit critical information about the services a company provides – and nonetheless escape FTC enforcement. No other federal agency has authority to fill this void.Second, the panel’s decision creates a deep Circuit split by breaking from the 100-year-long understanding that the term “common carrier” is defined by activities, not status. Departing from established norms of statutory construction, the panel failed to heed settled interpretive rules requiring that exemptions from antitrust laws be construed narrowly; that remedial statutes be read broadly to effectuate their purposes; and that an agency’s interpretation of its organic statute be accorded deference. The panel’s inversion of decades of precedent creates a substantial regulatory gap and puts the Ninth Circuit directly in conflict with the D.C. and Second Circuits.---For the full argument, see the attached PDF.

... ISPs are engaged in cross-device tracking of its subscribers and customers which allow them to target advertising at the individual and household level. Exemplary for all ISPs, we are highlighting AT&T’s efforts in this area. AT&T is expanding its cross-device tracking in order to target individuals on their mobile device after collecting and analyzing their data using the company's internal data and analytics capabilities. In a recent interview, AT&T AdWorks President Rick Welday explained that by the end of this year AT&T will allow marketers to “advertise in 14 million addressable households, 30 million mobile devices and millions of streams within the DirecTV app.” While AT&T may claim that its cross-device tracking is done “anonymously,” that is merely a euphemism to obscure the invasion of privacy that underlies such practices. Mr. Welday explains that AT&T’s data-driven monitoring of its customers enables it to develop dossiers that reveal whether their users are a new homeowner, a new parent, or in the market for an automobile. In its trials with cross-device targeting, AT&T worked with leading Fortune 100 brands as well as promoting its own “AT&T Mobility Wireless” service. The Fortune 100 companies that AT&T worked with likely provided their own so-called first-party data to be used for such cross-device targeting. This illustrates the operational realities today for consumer profiling data, where data are no longer shared with advertisers, but rather advertisers provide such data to ad-delivery platforms (such as AT&T's) for increasingly granular targeting.[3] Linking devices (and the application history on and geolocation on of those devices) to a particular consumer via a unique identifier should be prohibited, unless the ISP has obtained affirmative, express consent (opt-in). The rule’s definition of ‘sensitive information’ must therefore reflect industry practices and include any data elements that allow for this kind of cross-device tracking. The final rule must give ISP customers control over their data, and before companies can proceed with targeted advertising, they must obtain an opt-in consent from their customers. We are particularly concerned that without such safeguards the rules would allow for a by-passing of requirements of the Children’s Online Privacy Protection Act, by using insights gained via cross device tracking to target children without parental consent. Finally, we urge the Commission to affirm in its final rule the need for safeguards against any unauthorized attempts to re-link devices (and its app usage history and geolocation information) to associate them with one user. CDD respectfully urges the FCC to enact its proposed safeguards as soon as possible to help address the further eroding of Americans’ privacy by ISPs.

Washington, DC (August 29, 2016) – The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) today filed a complaint with the Federal Trade Commission, stating that the WhatsApp plan to transfer user data to Facebook is unlawful and that the FTC is obligated to block the proposed change in business practices. The EPIC-CDD complaint responds to a recent announcement from WhatsApp that the company plans to disclose the verified telephone numbers of WhatsApp users to Facebook for user profiling and targeted advertising. “When Facebook acquired WhatsApp, WhatsApp made a commitment to its users, to the Federal Trade Commission, and to privacy authorities around the world not to disclose user data to Facebook. Now they have broken that commitment,” said Marc Rotenberg, President of EPIC. “Clearly, the Federal Trade Commission must act. The edifice of Internet privacy is built on the FTC’s authority to go after companies that break their privacy promises.” Facebook and WhatsApp are the two largest social network services in the world. According to Wikipedia, WhatsApp has over one billion users. Facebook purchased the company in February 2014 for 19.3 billion dollars. EPIC Consumer Protection Counsel Claire Gartland explained, “In 2014, the FTC said that WhatsApp had to obtain affirmative consent to transfer user data to Facebook. There was an opt-out provision but that only applied to new information. Since WhatsApp intends to transfer user telephone numbers, which is not new data, it must obtain opt-in consent.” Gartland continued, “The phone number may also be the single most valuable piece of personal data obtained by WhatsApp. WhatsApp users are required to provide a verified phone number to use the service. And the phone number provides a link to a vast amount of personal information.” “The proposed change – an opt-out for data previously obtained – is exactly what the FTC said WhatsApp could not do,” said Gartland. “The transfer is only allowed if the consent is opt-in.” “The FTC has an obligation to protect WhatsApp users. Their personal information should not be incorporated into Facebook’s sophisticated data driven marketing business,” said Katharina Kopp, Ph.D., and CDD’s Director of Policy. “Data that was collected under clear rules should not be used in violation of the privacy promises that WhatsApp made. That is a significant change that requires an opt-in, according to the terms the FTC set out. It’s not complicated. If WhatsApp wants to transfer user data to Facebook, it has to obtain the user’s affirmative consent.” In 2011, EPIC, CDD and more than a dozen consumer privacy organizations pursued a successful complaint at the FTC that led to a twenty-year consent order after Facebook changed user privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners. Former FTC Chair John Liebowitz said at the time, “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not." When Facebook proposed to acquire WhatsApp in 2014, EPIC and CDD said the FTC must protect the privacy of WhatsApp users. The FTC said that WhatsApp must continue to honor its privacy promises to consumers. The FTC warned, “If the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook.” The Federal Trade Commission has previously undertaken investigations against many firms that have engaged in unfair or deceptive trade practices. The Electronic Privacy Information Center (EPIC) (link is external) is a public interest research center in Washington, DC. EPIC was established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age. EPIC maintains one of the most popular privacy web sites in the world - epic.org (link is external) - and pursues a wide range of program activities including policy research, public education, litigation, publications, and advocacy. The Center for Digital Democracy (CDD) is recognized as one of the leading consumer protection and privacy organizations in the United States. Since its founding in 2001 (and prior to that through its predecessor organization, the Center for Media Education), CDD has been at the forefront of research, public education, and advocacy protecting consumers in the digital age. REFERENCES EPIC/CDD, In the Matter of WhatsApp: Complaint, Request for Investigation, Injunction, and Other Relief (Aug. 29, 2016), https://epic.org/privacy/ftc/whatsapp/EPIC-CDD-FTC-WhatsApp-Complaint-20... (link is external) FTC, “Enforcing Privacy Promises” (2016), https://www.ftc.gov/news-events/media-resources/protecting-consumer-priv... (link is external) FTC Press Release, “FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition” (Apr. 10, 2014), https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external) FTC Letter to FB and WhatsApp, "Letter From Jessica L. Rich, Director of the Federal Trade Commission Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, and to Anne Hoge, General Counsel, WhatsApp Inc.” (Apr. 10, 2014), https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external) FTC, "Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises” (2011), https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-... (link is external) FTC Consent Order with FB (2011), https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-fina... (link is external) EPIC, In re WhatsApp, https://epic.org/privacy/internet/ftc/whatsapp/ (link is external) EPIC, In re Facebook, https://epic.org/privacy/inrefacebook/ (link is external) ###

The Center for Digital Democracy (CDD), which works to empower and protect consumers in the digital marketplace, endorses the Federal Communications Commission’s (FCC) important proposal to provide both choice and competition in the provision of navigational devices for video and related content. CDD strongly believes that the FCC should proceed with its plan to allow third parties to build and sell navigational devices. We support giving these developers/providers access to the information proposed in the NPRM, including Service Discovery, Entitlement, and Content Delivery data. For decades, a handful of powerful cable—and now also telephone—companies have held a monopoly over the design, availability, and use of set-top boxes. This has resulted in greater costs to subscribers, including an especially unfair burden on low- or limited-income consumers. The set-top stranglehold has impaired competition and programming diversity, and has undermined consumer privacy. --- Full PDF of filing attached.