Two talks at the Black Hat conference on Wednesday offered starkly different views of the Federal Trade Commission (FTC), the US government agency responsible for consumer protection. In HOW TO HACK GOVERNMENT: TECHNOLOGISTS AS POLICY MAKERS, Ashkan Soltani and Terrell McSweeny from the FTC described the FTC's actions against various companies who had failed to adequately protect consumer privacy. Later in the day Michael Daugherty, the CEO of LabMD, gave a talk entitled BEHIND THE MASK: THE AGENDA TRICKS AND TACTICS OF THE FEDERAL TRADE COMMISSION AS THEY REGULATE CYBERSECURITY, in which he accused the FTC and the private security company Tiversa of unethical and illegal behavior when LabMD was investigated for accidentally revealing customer data.
The FTC was created a hundred years ago. Back in the early 20th century corporate protection was far more important to legislators than consumer protection, and the main driver behind the FTC legislation was to protect corporations from unfair competition by ruthless operators who were prepared to lie to their customers. As a result, the penalties the FTC imposes on violators are not generally punitive. Typically it can only impose a consent order requiring the violator to follow the law in future, and possibly require that any funds generated illegally be returned. If the money has already been spent, that part of the judgment may be suspended.
This may be an effective strategy against large corporations. The speakers gave examples, including Google and Facebook, of companies that had failed to respect consumer privacy and had been brought back into line by FTC action. However, it is less effective against genuinely malicious actors: the "free gift card" scammers, the phone bill crammers, the work-from-home scams, and the miracle diet pushers. We have seen the FTC take effective action against individuals running all of these scams, but none of them have gone to jail unless they were unrepentant repeat offenders ignoring court orders. There is no real disincentive for other scammers to try the same scams, knowing that the worst that can happen to them is that they have to stop and give back any money they haven't already spent.
In many cases these scammers are violating other laws – the CFAA if they are paying for botnets to send spam, and almost certainly the wire fraud statute, which is even more broadly worded than the CFAA. Enforcement of these falls under different government departments – the DOJ for the CFAA and the Secret Service for wire fraud. I would like to see the FTC coordinate with other law enforcement agencies to see the most malicious scammers suffer genuine criminal penalties.
Another limitation of the FTC is that they cannot discuss cases in progress with anyone outside the FTC. This severely limits their ability to collaborate with private industry (apart from special cases like Tiversa which I will discuss below). Security companies like Cloudmark may have unparalleled visibility into the consumer scams that are currently being promoted over the Internet, but we are limited to sending reports into a black box which may or may not result in an indictment two or three years later. However, these criticisms are minor compared with the charges leveled at the FTC by Michael Daugherty.
Mr Daugherty admits that in 2010 an employee of his company, LabMD, accidentally placed a file containing nine thousand customer billing records in a folder that was shared using the peer-to-peer file sharing system LimeWire. Admitting that in a room full of computer security professionals is like turning up at a twelve-step meeting drunk. However, far worse things were to happen to LabMD, resulting in the company closing.
The leak was detected by a security company called Tiversa, who contacted Daugherty but refused to reveal details of the breach they had detected unless LabMD signed up for their incident response service. Daugherty refused, and Tiversa turned details of the leak over to the FTC. However, according to former Tiversa employee Richard Wallace, Tiversa also planted multiple copies of the leaked data in various locations on the Internet to make the breach appear worse than it was.
The FTC investigated and requested that LabMD sign a consent decree. This would ensure that LabMD's data security procedures were regularly audited in future, which would go a long way towards preventing any more customer records being shared via LimeWire, exfiltrated with BitTorrent, or indeed eaten by the family dog. However, Daugherty felt that the cost of the audits and the damage to LabMD's reputation would be too great for what he regarded as a minor peccadillo, and he refused to sign. At this point he thinks the FTC investigators felt challenged and decided to throw the book at him.
The FTC has a very big book.
So does Michael Daugherty, these days.
LabMD was unable to keep up with the legal struggle and folded, but Daugherty's legal battle with the FTC continues, along with his attempts to gain assistance from Congress. I'll be watching the case with great interest. There's one thing that Michael Daugherty and I would certainly agree on, and that is the need for more transparency at the FTC.
Correction: In an earlier version of this post, Mr Daugherty was incorrectly referred to as the former CEO of LabMD.