Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.
Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing it had violated an earlier FTC consent decree barring it from misleading users about how their information was shared.
But the enforcement official, James Kohm, took a different view. In a previously undisclosed memo in March, Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and likely had not broken its promises to the FTC.
The Cambridge Analytica data leak set off a reckoning for Facebook and a far-reaching debate about the tech industry, which has collected more information about more people than almost any other in history. At the same time, the FTC, which is investigating Facebook, is under growing attack for what critics say is a systemic failure to police Silicon Valley’s giants and their enormous appetite for personal data.
Almost alone among industrialized nations, the United States has no basic consumer privacy law. The FTC serves as the country’s de facto privacy regulator, relying on more limited rules against deceptive trade practices to investigate Google, Twitter and other tech companies accused of misleading people about how their information is used.
But many in Washington view the agency as a watchdog that too rarely bites. In more than 40 interviews, former and current FTC officials, lawmakers, Capitol Hill staff members and consumer advocates said that as evidence of abuses has piled up against tech companies, the FTC has been too cautious. Now, as the Trump administration and Congress debate whether to expand the agency and its authority over privacy violations, the Facebook inquiry looms as a referendum on the FTC’s future.
“They have been asleep at the switch,” said Sen. Richard Blumenthal, D-Conn., the ranking member of the subcommittee charged with overseeing the agency. “It’s a lack of will even more than paucity of resources.”
Even if the agency does not penalize Facebook over the Cambridge incident — and some former FTC officials disagree with Kohm’s reasoning — the commission could punish the company for other offenses. Former officials say they’ve been told that its inquiry has expanded to include recent security and privacy breaches as well as Facebook’s secretive data-sharing deals with Amazon, Netflix and other companies. Facebook declined to comment on the inquiry.
The agency — overseen by five commissioners, three of them typically from the president’s party — is habitually tight-lipped. FTC Chairman Joseph Simons declined to comment on the Kohm memo.
“If the FTC had reached a conclusion that there was no case, we would have announced it,” Simons said in a statement. “Our investigation continues and when it is finished, you can be sure that the result of that investigation will be made public.”
The agency’s defenders said it had taken significant action against tech companies in recent years. Consumer advocacy groups, they said, sometimes want the FTC to take on cases that its relatively narrow powers will not permit.
“The act creating the FTC was not designed with privacy in mind,” said Jessica Rich, a consumer-protection expert who formerly led the FTC’s consumer bureau. “That they’ve been able to bring hundreds of privacy and data security cases is actually quite a feat, not only given the limitations on their authority but the challenges companies have mounted, especially recently.”
A cautionary tale
As the federal government’s main consumer protection and antitrust authority, the FTC has pursued carmakers, drug companies, illegal robocallers and bloggers who fail to disclose corporate sponsors.
But it is hampered by its relatively small size — about 1,100 employees, roughly a quarter the staff of the Securities and Exchange Commission — and broad mandate. Guarding consumer privacy online, just one part of its mission, can raise complex technical issues. The agency’s enforcement arm, led by Kohm, doesn’t have its own tech experts, instead borrowing them from other agency units. The job of chief technologist, an adviser to the FTC chairman, has been vacant since April. And its lawyers are outnumbered by the armies of attorneys employed by tech giants.
“They have considerably less staff than they had in the 1980s, and more responsibility,” said Justin Brookman, a former FTC official under the Obama administration who now works at the Consumers Union.
FTC officials said privacy and data security cases had gotten more attention than any others over the past decade.
Still, all five commissioners agreed at the November Senate hearing that the agency needed more money and greater regulatory authority to keep up with big tech.
Critics said a greater problem was cultural. The FTC is haunted, for example, by a clash with Congress in the 1980s over an attempt by the agency to ban television ads for junk food directed at children, known as “KidVid.” Lawmakers pulled funding and severely weakened the FTC’s power to issue new regulations.
Even today, “in just about every meeting I have at the FTC, staff mention KidVid,” said Josh Golin, executive director of Campaign for a Commercial Free Childhood, which has filed complaints against YouTube and Facebook.
Fears that Congress could again cripple the FTC have made some career lawyers reluctant to take on politically sensitive cases, according to current and former employees, speaking about their experiences during the Trump and Obama administrations.
“They think of themselves as dealmakers, not cops,” said Matt Stoller, policy director at the Open Markets Institute, who has called for big tech platforms to be broken up and regulated. “They have an institutional culture of deference.”
That has hobbled the agency’s approach to tech giants, leading to inadequate responses to privacy violations or efforts to squeeze out emerging competitors, according to Gene Kimmelman, a former senior antitrust official at the Justice Department and president of the consumer group Public Knowledge. The FTC needs legislation to allow it to set new rules for the era of big tech, he argued.
In 2013, for example, FTC commissioners overruled a staff recommendation to sue Google for abusing its dominance in search to harm rivals. Three years later, when Google began merging data collected by several of its services, including Gmail and the ad technology platform DoubleClick, consumer groups filed a complaint with the FTC calling the practice “highly deceptive.” The agency took no public action.
Nor did the FTC penalize Facebook after it began acquiring phone numbers and other data from users of its WhatsApp subsidiary, breaking promises it had made when it acquired the messaging service. By contrast, the European Union’s antitrust chief fined Facebook $122 million last year for making misleading statements about the WhatsApp acquisition.
(The social network said it had notified users of the change with new terms of service and had allowed them to opt out of aspects of how Facebook used the data.)
The FTC has defended its record on privacy, pointing for instance to a $22.5 million fine imposed on Google in 2012 for bypassing privacy settings in Apple’s Safari browser in violation of a consent agreement. The fine was the largest civil penalty in the agency’s history.
Former officials say the agency struggles to enforce privacy within its traditional definition of deceptive or abusive business practices.
Ashkan Soltani, who was the FTC’s chief technologist from 2014-15, said he raised concerns about a location-tracking company, Nomi Technologies, that collected data on people without their explicit consent. He recalled resistance from Republican commissioners and from some staff members who didn’t see a clear consumer harm, since Nomi’s data could not identify specific individuals.
Soltani argued that the FTC needed to get ahead of a technology that would soon become highly intrusive. (He eventually persuaded the agency to investigate, and in 2015 the FTC approved a settlement with Nomi.)
Today, dozens of companies gather, use or sell location information so precise that it can pinpoint a phone within a few yards. The data can often be linked to a specific person — and is frequently harvested without clear consent.
Proving harm…
