Commission report warns U.S. is losing the spy race from lack of R&D, STEM-education

On Nov. 5, 2013, The National Commission for the Review of the Research and Development Programs of the United States Intelligence Community released an unclassified version of its assessment of U.S. research and development programs, finding that the U.S. is falling behind and highly uncoordinated. [The Report can be found here.]

The Commission making the review was originally constituted at the 9-11 Commission (properly The National Commission on Terrorist Attacks Upon the United States. In 2010, the Commission was reauthorized to serve more broadly on the Intelligence Community readiness.

The New York Times described the report as “blistering … charging that the intelligence world’s research-and-development efforts are disorganized and unfocused.”

The Commission said the lack of investment, coordination, infrastructure and foresight is putting the nation at risk.

U.S. technological superiority is diminishing in important areas, and our adversaries’ investments in [Science and Technology]—along with their theft of our intellectual property, made possible in part by insufficient cyber protection and policies—are giving them new, asymmetric advantages. The United States faces increasing risk from threats against which the IC could have severely limited warning, deterrence, or agility to develop effective countermeasures.

The report is not primarily an intelligence report. The Commission was not focused on the failures associated with the NSA massive – and in some cases unconstitutional – spying campaign. Nor was it tied to the Edward Snowden disclosures and the global embarrassment triggered by those disclosures.

Instead, the report identifies the need to treat intelligence as a global issue that needs broad reforms, such as STEM education and immigration/workforce reform. It identifies a wide range of concerns about the lack of investment in intelligence and the failure to be prepared.

The report calls for much greater data analytics, which will likely be the platform used by the NSA to justify its ongoing activities. Even a pro-intelligence report such as this, however, identifies the need for intelligent data analytics rather than the massive, undifferentiated and largely counter-productive methods currently highlighted by the NSA disclosures. Not surprisingly, the admonitions also demand better coordination, including “development of a new joint program plan between the Director of Science and Technology and the Deputy Director of National Intelligence for Intelligence Integration for Enhanced Integrated Intelligence, which it will use to track, prioritize, and coordinate Enhanced Integrated Intelligence R&D across the [intelligence community].”

“Exacerbating these challenges are U.S. policies that weaken the U.S. R&D talent base,” the report warned.  “As scientific and technical knowledge and the resulting economic growth spread around the world, the competition for R&D talent is increasingly global.”

This is just one of many reports highlighting the continued disarray of the intelligence community, an infrastructure struggling to keep up with cyber-threats and embarrassing the U.S. with political follies.

The report opens with a powerful juxtaposition of quotes that should help guide future discussions:

Failure to properly appraise the extent of scientific developments in enemy countries may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—Task Force Report on National Security Organization (the Eberstadt Report) (1948)

Failure to properly resource and use our own R&D to appraise, exploit, and counter the scientific and technical developments of our adversaries—including both state and non-state actors—may have more immediate and catastrophic consequences than failure in any other field of intelligence.

—National Commission for the Review of the Research and Development Programs of the United States Intelligence Community (2013)

Report of the National Commission for the Review of the Research and Development Programs of the United Sta…

Rent-to-Spy Highlights Need for Diligence

(Photo Wikipedia)

Aaron’s Inc. a leading franchisee in the rent-to-own retail market has agreed to settle FTC complaints[1] that allowed Aaron’s franchisees to install and use software to spy on customers.

In announcing the proposed settlement, the FTC explained that “Aaron’s franchisees used the software, which surreptitiously tracked consumers’ locations, captured images through the computers’ webcams – including those of adults engaged in intimate activities – and activated keyloggers that captured users’ login credentials for email accounts and financial and social media sites.”

Aaron’s, Inc. is a leading rent-to-own retailer focusing on “residential furniture, consumer electronics, home appliances and accessories with more than 2,000 Company-operated and franchised stores in 48 states and Canada.” Aaron’s reports 1,190 Company-operated Aaron’s Sales and Lease Ownership stores, 717 Aaron’s Sales & Lease Ownership franchised stores, 78 HomeSmart stores, one franchised HomeSmart store, 17 Company-operated RIMCO stores, and six franchised RIMCO stores.

The allegations focus on the franchisees rather than Aaron’s own operations. Nonetheless, the complaint highlights that Aaron’s “allowed its franchisees to access and use the software, known as PC Rental Agent. In addition, Aaron’s stored data collected by the software for its franchisees and also transmitted messages from the software to its franchisees. In addition, Aaron’s provided franchisees with instructions on how to install and use the software.”

A proposed consent agreement with the FTC has been approved 4-0 by the Commission. Aaron’s will be prohibited from using monitoring technology that captures keystrokes or screenshots, or activates the camera or microphone on a consumer’s computer, except to provide technical support requested by the consumer.

Unfortunately the consent agreement still allows Aaron’s to install tracking technology, provided the customer gives consent. Given the history of such abuse, Aaron’s should be prohibited from using tracking software at all. Consent does little or nothing to affect consumer behavior; companies who have violated the public trust should be prohibited from seeking such illusory permission to continue to abuse their customers.

The risks of allowing opt-in consent are highlighted from another provision of the proposed consent decree:

The agreement will also prevent Aaron’s from using any information it obtained through improper means in connection with the collection of any debt, money or property as part of a rent-to-own transaction. The company must delete or destroy any information it has improperly collected and transmit in an encrypted format any location or tracking data it collects properly.

Under the agreement, Aaron’s will also be required to conduct annual monitoring and oversight of its franchisees and hold them to the requirements in the agreement that apply to Aaron’s and its corporate stores, and to terminate the franchise agreements of franchises that do not meet those requirements.

The proposed agreement will be subject to public comment through Nov. 21, 2013.[2] If opt-in consent is insufficient, the perhaps the Commission can be convinced.

---

[1] The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

[2] Interested parties can submit written comments electronically or in paper form by following the instructions in the “Invitation To Comment” part of the “Supplementary Information” section. Comments in electronic form should be submitted online by following the instructions on the web-based form. Comments in paper form should be mailed or delivered to: Federal Trade Commission, Office of the Secretary, Room H-113 (Annex D), 600 Pennsylvania Avenue, N.W., Washington, DC 20580.

2013 NKU Security Symposium tomorrow, Friday, October 18, 2013

The NKU Chase Law + Informatics Institute, the Center for Applied Informatics, and our event sponsors look forward to the 2013 NKU Security Symposium tomorrow, Friday, October 18, 2013.

The program is free, but you must register. This is your last opportunity.

The Legal Issues in Privacy and Security (Legal Track) will be in Development B of the NKU METS Center in Erlanger, KY.

Legal Track Speakers:

• John C. (Jack) Greiner, attorney, Graydon Head

• Scot Ganow, attorney, Faruki Ireland & Cox P.L.L.

• Jennifer Orr Mitchell, partner, Dinsmore & Shohl LLP

• Michael G. Carr, JD, CISSP, CIPP, Chief Information Security Officer, University of Kentucky

Click here for the CLE Materials for the maximum of 4.0 general CLE credits approved by KY, OH & IN (new lawyer credits in IN).

• Jon M. Garon, NKU Chase College of Law

Data Security: Breach Notification Law Issues [pdf]

• Jennifer Orr Mitchell, Dinsmore & Shohl LLP

Attorneys and Other Contractors – HIPAA Business Associates in 2014 and Beyond [pdf]

For your convenience we have included directions below.

A detailed agenda can be found on the event website at http://cai.nku.edu/security2013/agenda.html

Directions to the NKU METS Center
From Downtown Cincinnati and Northern Kentucky:
I-71/75 South From the South: I-71/75 North … to I-275 West. Take first exit (Exit No. 2 – Mineola Pike). Left turn onto Mineola Pike crossing over I-275. Right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

From Indiana:
I-74 to I-275 South into Kentucky. Stay on I-275, which curves East in Kentucky and go about 22 miles all the way past the Greater Cincinnati Airport until you get to Exit No. 2 – Mineola Pike. Right turn onto Mineola Pike. Then right turn at second light onto Olympic Blvd. Follow Olympic Blvd. into CIRCLEPORT Business Park past hotels to The METS Center. Parking is FREE in The METS Center’s large lot.

Special thanks to the sponsors of the legal track:  CincyIP and Frost Brown Todd. 

Negligence might finally be actionable for breach of duty to protect customer data

Business relationships are often strained when a third party successfully breaches the data security of a target, creating profound negative consequences not only to the target but also to that company’s vendors, business associates, and customers. These damages are often costly but sometimes hard to identify or quantify.

In the majority of security breaches, the customers who have had their identity exposed have suffered no actual economic harm. The courts, therefore, are appropriately reluctant to give monetary damages to those injured customers and generally refuse to compensate for the time lost checking credit scores or otherwise dealing with the problems associated with the data breach.

The vendors and business associates, however, may incur substantially greater economic losses and more direct financial injury. Because this injury is exclusively economic loss, a question remains whether such loss is compensable under tort law or whether all remedies are limited entirely to contract claims.

In Lone Star Nat. Bank v. Heartland Payment Systems, No. 12-20648, 2013 WL 4728445 (5th Cir. Sept. 3, 2013), the Fifth Circuit reversed a dismissal of a tort claim based on the plaintiff bank’s assertion it suffered financial harm when it had to replace consumers’ compromised credit cards and to refund fraudulent charges as a result of the negligence of the defendant in securing against data breach. The case arose from a 2008 data breach of the defendant’s payment processor’s systems, exposing 130 million credit card numbers.

The Fifth Circuit focused on the law of New Jersey after establishing the jurisdictional basis for the claim. The court explained, “the economic loss doctrine generally limits a plaintiff seeking to recover purely economic losses, such as lost profits, to contractual remedies.” Economic losses are generally covered exclusively by contract remedies, unlike tort principles which “are better suited for resolving claims involving unanticipated physical injury, particularly those arising out of an accident.”

Contract may be better than tort, but such a limitation oversimplifies the scope of tort law. Tort injuries occur in inchoate interests such as defamation and assault. Not all tortious harms are physical.

The New Jersey Supreme Court had earlier held the tort remedy applied when a duty was breach. It explained that when “a defendant owes a duty of care to take reasonable measures to avoid the risk of causing economic damages, aside from physical injury, to particular plaintiffs or plaintiffs comprising an identifiable class with respect to whom defendant knows or has reason to know are likely to suffer such damages from its conduct. . . .” People Express Airlines, Inc. v. Consolidated Rail Corp., 495 A.2d 107 (N.J. 1985).

Based on this line of reasoning, the Fifth Circuit reinstated the claim. It acknowledged that New Jersey law generally did not permit the tort claim if there was a contract between the parties, since the terms of their express agreement should govern the allocation of risk. But third party beneficiary law often provides that parties not directly negotiating the agreement may still be affected by it, and so to might a group of readily identifiable tort victims who are not party to the contract but affected by the duties created.

Since the defendant, Heartland “would not be exposed to ‘boundless liability,’ but rather to the reasonable amount of loss from a limited number of entities [then] even absent physical harm, Heartland may owe the Issuer Banks a duty of care and may be liable for their purely economic losses.” The decision merely allows the case to proceed and a great many additional defenses will be addressed. Nonetheless, the decision is an important reminder on the creation of contracts and the scope of those contracts as they affect third parties contemplated but not direct parties to the agreements.

COPPA updates go into effect today, if anyone is watching

The FTC revised the Children’s Online Privacy Protection Rule (COPPA) in December 2012 to take into account the rapidly expanding move to mobile applications, social media and the evolving nature of personally identifiable information. Those rules go into effect July 1, 2013.

COPPA is supposed to inform parents of data being collected about their children and provide opportunities for the parents to consent or opt out of the service.[1] Unfortunately, in application, COPPA has been applied as an either/or test – a site either caters to children and therefore complies with COPPA or prohibits use of services by children and therefore takes no steps to comply with parental notification and consent rules.

Many operators provide non-children services but do nothing to discourage use by children under 13, a practice which has obviated the impact of COPPA. Social media sites, in particular, tend to avoid compliance with COPPA and instead post disclaimers requiring that the users are over 13. But these sites have no verification procedures as to identity or age.

The FTC hopes to change this with the new rules. The amendments to COPPA are intended to minimize this gamesmanship by reducing the ability for a company to ignore actual usage by under-age customers and hide behind age disclaimers. Only time will tell whether the new rules will have that effect.

A second aspect of the new rule will likely have more impact. Self-regulatory associations can submit their certification program to the FTC for pre-approval. Provided members remain within compliance of the certified program, the approval serves as a safe-harbor, protecting members of the association from FTC enforcement actions. Examples of those applications include the following:

• Aristotle International, Inc. – Aristotle International Inc.’s Revised Integrity Children’s Privacy Compliance Program
• Children’s Advertising Review Unit (CARU), Council of Better Business Bureaus, Inc.- Children’s Advertising Review Unit of the Council of Better Business Bureaus’ (CARU) Revised Self-Regulatory Program for Children’s Advertising and Safe Harbor Requirements
• ESRB Privacy Online – ESRB Revised Safe Harbor/Kids Seal Program Guidelines
• TRUSTe – TRUSTe Revised Children’s Privacy Program
• Privo, Inc. – PRIVO Revised Safe Harbor Self-Regulatory Guidelines

The self-regulatory associations, particularly the ESRB, take member enforcement very seriously. The multi-billion dollar gaming industry has become the model for differentiating products based on market segment. It has a strong incentive to segregate its under-13 products from the other products. Of course, it remains to be seen whether this will result in fewer 10-year-olds sneaking onto 15+ (or 18+) platforms, but the video game industry has been more effective than most in reducing the casual avoidance of the age restrictions.

The biggest change under COPPA revisions is the type of information now covered as personally identifiable information. Mobile and social media have transformed the tools available to individually track a customer. Persistent identifiers such as unique IDs, computer or chip serial numbers, unique device identifiers, IP addresses, and geo-location tags all work individually or together to create unique identification. None of those tools include a name or address, yet serve to provide comprehensive, persistent information regarding the identity of each individual. COPPA therefore expands the definition of personally identifiable information to reduce personalized targeting of advertising at children.

As an example of how personally identifiable information has evolved, this paragraph describes the ESRB’s updated guidance on personally identifiable information:

Personally Identifiable Information means any information that can be used to identify an individual or which enables direct contact with an individual. This would include an individual’s name, online contact information (i.e. email addresses or other identifier that permits direct online contact with a person via instant messaging, video, voice over internet protocol or any other means not specifically defined herein), phone number, fax number, home address, social security number, driver’s license number, credit card number, photos, videos, or audio containing the image or voice of a child, persistent identifiers (such as a customer number held in a cookie or a processor serial number, a unique device identifier, or IP address), or geo-location information sufficient to identify a street name and name of town. Demographic information that is combined with personal information (including, but not limited to, gender, educational background, or political affiliation) also becomes Personally Identifiable information. Personally Identifiable Information does not include information that is encoded or rendered anonymous, or publicly available information that has not been combined with non-public Personally Identifiable Information (and has not been previously defined as Personally Identifiable Information.)

The expanded COPPA will take months to truly affect the marketplace. Even then, it will only be effective if companies take the obligations not to track seriously and treat their customers with respect – something missing from the past 15 years of COPPA compliance.

Some and perhaps a majority of people prefer to be served ads that are relevant and interesting, so they don’t mind the outcome of behavioral advertising even if they are squeamish regarding the methods used to select the ads. But Congress assumes that children have fewer defenses to advertising and these techniques can be manipulative and harmful. Targeting individual minors under 13 is therefore prohibited without the parents consent. Hopefully, the COPPA revisions will make this difference begin to matter.

For more information, see the additional guidance provided by the FTC:

The FTC has also released two new pieces designed to help small businesses that operate child-directed websites, mobile applications and plug-ins ensure they are compliant with upcoming changes to the rule.

The first is a document, “The Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business, which is designed especially for small businesses and contains a step-by-step process for companies to determine if they are covered by COPPA, and what steps they are required to take to protect children’s privacy. The FTC also released a video aimed at businesses to help explain their obligations under the revised rule, including an explanation of the changes.

Finally, the FTC has updated a guide for parents, “Protecting Your Child’s Privacy Online,” that explains what COPPA is, how it works and what parents can do to help protect their children’s privacy online.

These new documents provide guidance from the FTC staff that supplements the rule and other COPPA–related material previously published by the FTC, including an updated set of frequently asked questions about the rule. FTC staff will periodically update the FAQs.

In addition to the guidelines and frequently asked questions, FTC staff maintain a “COPPA Hotline” email address, COPPAHotLine@ftc.gov, where industry members can send questions on how to ensure they are compliant with the rule. Comments on the FAQs or suggestions for new FAQs may also be submitted through the COPPA Hotline email address.

---

[1] The COPPA rule requires that operators of websites or online services that are either directed to children under 13 or have actual knowledge that they are collecting personal information from children under 13 give notice to parents and get their verifiable consent before collecting, using, or disclosing such personal information, and keep secure the information they collect from children.

Cyber Defense Strategies and Responsibilities for Industry Call for Papers Now Open

The Northern Kentucky Law Review and Salmon P. Chase College of Law seek submissions for the third annual Law + Informatics Symposium on February 27-28, 2014.

2014 Law + Informatics Symposium on

Cyber Defense Strategies and Responsibilities for Industry

 The focus of the conference is to provide an interdisciplinary review of issues involving business and industry responses to cyber threats from foreign governments, terrorists, and corporate espionage. The symposium will emphasize the role of the NIST Cybersecurity Framework and industries providing critical infrastructure.

The symposium is an opportunity for academics, practitioners, consultants, and students to exchange ideas and explore emerging issues cybersecurity and informatics law as it applies to corporate strategies and the obligations of business leaders. Interdisciplinary presentations are encouraged. Authors and presenters are invited to submit proposals on topics relating to the theme, such as the following:

Cyber Warfare Rules of Engagement Offensive and defensive approaches Responses to state actors Engagement of non-state actors Distinguishing corporate espionage from national defense Proportionality and critical infrastructure Cyber diplomacy Cold War footing and concerns of human rights implications Front Lines for Industry Role of regulators such as FERC Legacy systems and modern threats NIST guidelines NIST Cybersecurity Framework Engaging Dept. of Homeland Security Implications on various industries (electric power,  telecommunications and transportation systems, chemical facilities) Health and safety issues

Global Perspectives Concepts of cyber engagement in Europe Perception of Internet and social media as threat to national soverignty Rules of engagement outside U.S. and NATO Implications for privacy and human rights Stuxnet, Duqu, Gauss, Mahdi, Flame, Wiper, and Shamoon Cyber engagement in lieu of kinetic attacks or as a component of kinetic engagement   Corporate Governance Confidentiality and disclosure obligations Responsibilities of the board of directors Staffing, structures and responses Data protection & obligations regarding data breaches Corporate duty to stop phishing and other attacks for non-critical industries Investment and threat assessment Litigation and third party liability   Other Issues Executive orders and legislative process Lawyer responsibility in the face of potential threats Practical implications of government notices Perspective on the true nature of the threat

Submissions & Important Dates: 

• Please submit materials to Nkylrsymposium@nku.edu
• Submission Deadline for Abstracts: September 1, 2013
• Submission Deadline for First Draft of Manuscripts: January 1, 2014
• Submission Deadline for Completed Articles: February 1, 2014
• Symposium Date: February 27-28, 2014

Law Review Published Article:  The Northern Kentucky Law Review will review, edit and publish papers from the symposium in the 2014 spring symposium issue.  Papers are invited from scholars and practitioners across all disciplines related to the program. Please submit a title and abstract (of 500-100 words) or draft paper for works in progress. Abstracts or drafts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Presentations (without publication) based on Abstracts:  For speakers interested in presenting without submitting a publishable article, please submit an abstract of the proposed presentation. Abstracts should be submitted by September 1, 2013. Submissions may be accepted on a rolling basis after that time until all speaking positions are filled.

Publication of Corporate Handbook on Cyber Defense: The Law + Informatics Institute may edit and publish a handbook for corporate counsel related to the topics addressed at the symposium. Scholars and practitioners interested in authoring book chapters are invited to submit their interest by September 1, 2013 which may be in addition to (or as an adaptation of) a submitted abstract for The Northern Kentucky Law Review. Submissions may be accepted on a rolling basis after that time until all chapter topics are filled.

About the Law and Informatics Institute:  The Law + Informatics Institute at Chase College of Law provides a critical interdisciplinary approach to the study, research, scholarship, and practical application of informatics, focusing on the regulation and utilization of information – including its creation, acquisition, aggregation, security, manipulation and exploitation – in the fields of intellectual property law, privacy law, evidence (regulating government and the police), business law, and international law.

Through courses, symposia, publications and workshops, the Law + Informatics Institute encourages thoughtful public discourse on the regulation and use of information systems, business innovation, and the development of best business practices regarding the exploitation and effectiveness of the information and data systems in business, health care, media, and entertainment, and the public sector.

For More Information Please Contact:

• Professor Jon M. Garon, symposium faculty sponsor and book editor: garonj1@nku.edu or 859.572.5815
• Lindsey Jaeger, executive director: JaegerL1@nku.edu or 859.572.7853
• Aaren Meehan, symposium editor, meehana2@mymail.nku.edu or 859-912-1551

Another Hidden Cost of Rent-to-Own: Your Privacy

Although I normally try to add context to commentary about the legal issues covered in this blog, this FTC press release speaks for itself: Secretly Installed Software on Rented Computers Collected Information, Took Pictures of Consumers in Their Homes, Tracked Consumers’ Locations

Seven rent-to-own companies and a software design firm have agreed to settle Federal Trade Commission charges that they spied on consumers using computers that consumers rented from them, capturing screenshots of confidential and personal information, logging their computer keystrokes, and in some cases taking webcam pictures of people in their homes, all without notice to, or consent from, the consumers.

The software design firm collected the data that enabled rent-to-own stores to track the location of rented computers without consumers’ knowledge according to the FTC complaint.  The settlements bar the companies from any further illegal spying, from activating location-tracking software without the consent of computer renters and notice to computer users, and from deceptively collecting and disclosing information about consumers.

“An agreement to rent a computer doesn’t give a company license to access consumers’ private emails, bank account information, and medical records, or, even worse, webcam photos of people in the privacy of their own homes,” said Jon Leibowitz, Chairman of the FTC.  “The FTC orders today will put an end to their cyber spying.”

“There is no justification for spying on customers.  These tactics are offensive invasions of personal privacy,” said Illinois Attorney General Madigan.

The FTC named DesignerWare, LLC, a company that licensed software to rent-to-own stores to help them track and recover rented computers.  The FTC also reached settlements with seven companies that operate rent-to-own stores and licensed software from DesignerWare, including franchisees of Aaron’s, ColorTyme, and Premier Rental Purchase.

According to the FTC, DesignerWare’s software contained a “kill switch” the rent-to-own stores could use to disable a computer if it was stolen, or if the renter failed to make timely payments.  DesignerWare also had an add-on program known as “Detective Mode” that purportedly helped rent-to-own stores locate rented computers and collect late payments.  DesignerWare’s software also collected data that allowed the rent-to-own operators to secretly track the location of rented computers, and thus the computers’ users.

When Detective Mode was activated, the software could log key strokes, capture screen shots and take photographs using a computer’s webcam, the FTC alleged.  It also presented a fake software program registration screen that tricked consumers into providing their personal contact information.

Data gathered by DesignerWare and provided to rent-to-own stores using Detective Mode revealed private and confidential details about computer users, such as user names and passwords for email accounts, social media websites, and financial institutions; Social Security numbers; medical records; private emails to doctors; bank and credit card statements; and webcam pictures of children, partially undressed individuals, and intimate activities at home, according to the FTC.

In its complaint against DesignerWare, the FTC charged that licensing and enabling Detective Mode, gathering personal information about renters, and disclosing that information to the rent-to-own businesses was unfair, and violated the FTC Act.  The agency also alleged that DesignerWare’s use of geolocation tracking software without first obtaining permission from the computers’ renters and notifying the computers’ users was unfair and illegal.  It charged that providing the rent-to-own operators the means to break the law was unfair, and providing the fake registration forms to obtain consumer data was deceptive.

The seven rent-to-own companies were charged with breaking the law by secretly collecting consumers’ confidential and personal information and using it to try to collect money from them.  Use of the bogus “registration” information was deceptive, the FTC alleged.

The proposed settlement orders will ban the software company and the rent-to-own stores from using monitoring software like Detective Mode and will ban them from using deception to gather any information from consumers.  They also will prohibit the use of geolocation tracking without consumer consent and notice, and bar the use of fake software registration screens to collect personal information from consumers.  In addition, DesignerWare will be barred from providing others with the means to commit illegal acts, and the seven rent-to-own stores will be prohibited from using information improperly gathered from consumers in connection with debt collection.  All the proposed settlements contain record keeping requirements to allow the FTC to monitor compliance with the orders for the next 20 years.

Those named in the FTC’s complaints include DesignerWare, LLC; its principals,  Timothy Kelly and Ronald P. Koller, individually and as officers of DesignerWare, LLC.; Aspen Way Enterprises, Inc.; Watershed Development Corp.; Showplace, Inc., d/b/a Showplace Rent-to-Own; J.A.G. Rents, LLC, d/b/a ColorTyme; Red Zone, Inc., d/b/a ColorTyme; B. Stamper Enterprises, Inc., d/b/a Premier Rental Purchase; and C.A.L.M. Ventures, Inc., d/b/a Premier Rental Purchase.

The Office of the Illinois Attorney General partnered with the FTC in this investigation.  Today General Lisa Madigan announced the filing of an action against one of the rent-to-own companies that used Detective Mode and that is located in Illinois, Watershed Development Corp.

The Commission vote to accept the consent agreement packages containing the proposed consent orders for public comment was 4-0-1, with Commissioner J. Thomas Rosch abstaining.

COPPA Rule Supplemental Comments Extended to Sept. 24th

In an earlier post, I discussed the significance of proposed changes to the Children’s Online Privacy Protection Rule (COPPA Rule) recommended by the FTC. The FTC has extended the comment period regarding the revisions to the COPPA Rule until September 24, 2012.

The COPPA Rule is designed to protect children under 13 from unwanted privacy intrusion by providing parents control over what information websites and online services may collect from these children.

The revised rule expands the websites covered by the COPPA Rule, makes clear that targeted or behavioral advertising geared at protected minors is covered and expanded the definition of personal information to include persistent identifiers.

Some comments have already been filed. They can be read online.

According to the FTC, the extension was “in response to requests from several organizations.” The FTC now anticipates that “public comments on the Supplemental Notice of Proposed Rulemaking will now be accepted until September 24, 2012.”

Significant revisions to Children’s Online Privacy Protection Rule triggers supplement review

In 1998 Congress responded to the growing demand for protection from invasions of privacy and the potential for marketers or predators to target young children by passing the Children’s Online Privacy Protection Act (COPPA). The Children’s Online Privacy Protection Rule (16 CFR part 312) provides the rules governing the implantation of the law.

As described in the Federal Register, the COPPA Rule include three key features:

Among other things, the Rule requires that operators provide notice to parents and obtain verifiable parental consent prior to collecting, using, or disclosing personal information from children under 13 years of age. The Rule also requires operators to keep secure the information they collect from children and prohibits them from conditioning children’s participation in activities on the collection of more personal information than is reasonably necessary to participate in such activities. The Rule contains a ‘‘safe harbor’’ provision enabling industry groups or others to submit to the Commission for approval self-regulatory guidelines that would implement the Rule’s protections.

In April 2010 the FTC began a process to update the Rules. A notice was sent out in September 2011, generating 350 comments regarding the proposed changes. After receiving the comments and reviewing its own proposal, the FTC substantially changed the proposed update to the Rule. As a result, the FTC has issues a Supplemental Notice of Proposed Rulemaking under which comments will be accepted until September 10, 2012.

Instructions for submitting comments are found in the Notice. Comments can be submitted electronically by clicking here.

The FTC explains the changes as follows:

The proposed modifications to the definitions of “operator” and “website or online service directed to children” would allocate and clarify the responsibilities under COPPA when third parties such as advertising networks or downloadable software kits (“plug-ins”) collect personal information from users through child-directed websites or services. The Commission proposes to state within the definition of “operator” that personal information is “collected or maintained on behalf of” an operator where it is collected in the interest of, as a representative of, or for the benefit of, the operator. This change would make clear that an operator of a child-directed site or service that chooses to integrate the services of others that collect personal information from its visitors should itself be considered a covered “operator” under the Rule.

The Commission also proposes to modify the definition of “website or online service directed to children” to:

1. Clarify that a plug-in or ad network is covered by the Rule when it knows or has reason to know that it is collecting personal information through a child-directed website or online service;
2. Address the reality that some websites that contain child-oriented content are appealing to both young children and others, including parents. Under the current Rule, these sites must treat all visitors as under 13 years of age. The proposed definition would allow these mixed audience websites to age-screen all visitors in order to provide COPPA’s protections only to users under age 13; and,
3. Clarify that those child-directed sites or services that knowingly target children under 13 as their primary audience or whose overall content is likely to attract children under age 13 as their primary audience must still treat all users as children.

Finally, the Commission proposes to modify the Rule’s definition of “personal information” to make clear that a persistent identifier will be considered personal information where it can be used to recognize a user over time, or across different sites or services, where it is used for purposes other than support for internal operations. In connection with this change, the Commission proposes to modify the definition of “support for internal operations” in order to explicitly state that activities such as: site maintenance and analysis, performing network communications, use of persistent identifiers for authenticating users, maintaining user preferences, serving contextual advertisements, and protecting against fraud and theft will not be considered collection of “personal information” as long as the information collected is not used or disclosed to contact a specific individual, including through the use of behaviorally-targeted advertising, or for any other purpose.

Taken together, these changes attempt to deal with the increasing use of cross-platform sign-ins and authentication. They do not, however, deal directly with social media or other websites that have no provisions for compliance with the Rule but instead encourage users under the age of 13 to mis-identify themselves to the benefit of the website operator.

As the Washtington Post noted, “vague language … could allow companies supplying online ads — or even Facebook and Twitter which sometimes appear as little icons on Web sites — to avoid the parental consent process.”

Still, the update addresses at least some of the important changes to the structure of internet communications and the importance of mobile apps as a platform for communications.

September 10^th is coming fast. Public comments will be critical in effectively shaping the update to the Rule.

New CRS Reports Highlight Legislation for Cybersecurity

As noted in Eric Ficher, Federal Laws Relating to Cybersecurity: Discussion of Proposed Revisions, (June 29, 2012) (CRS Report R42114) (full-text), cybersecurity is a “somewhat fuzzy subject.” Yet it has become the focus of considerable regulatory and legislative attention.

Dr. Fischer, Senior Specialist in Science and Technology, has provided a comprehensive roadmap for CRS which provides some context for the competing legislative approaches to this important but under-reported topic.

As the report notes, “There is as yet no overarching framework legislation in place, but many enacted statutes address various aspects of cybersecurity.” The report reviews proposed changes to 28 separate laws from the Posse Comitatus Act of 1879 to the Intelligence Reform and Terrorism Prevention Act of 2004. He reports that “more than 50 statutes address various aspects of cybersecurity either directly or indirectly, but there is no overarching framework legislation in place.” So the report provides an important outline of the disparate efforts to address cybersecurity in congress.

The report identifies ten broad areas for the legislative proposals:

• national strategy and the role of government,
• reform of the Federal Information Security Management Act (FISMA),
• protection of critical infrastructure (including the electricity grid and the
• chemical industry),
• information sharing and cross-sector coordination,
• breaches resulting in theft or exposure of personal data such as financial
• information,
• cybercrime,
• privacy in the context of electronic commerce,
• international efforts,
• research and development, and
• the cybersecurity workforce.

Not to be outdone, the companion report provides even more specific information regarding recent legislative efforts. Rita Tehan, Cybersecurity: Authoritative Reports and Resources (July 3, 2012) (CRS Report R42507) (full-text) provides a comprehensive overview. Together, the two reports provide a critical roadmap to the present legislative efforts. Tehan’s introduction provides a glimpse at the scale of the activity:

“Cybersecurity is a sprawling topic that includes national, international, government, and private industry dimensions. More than 40 bills and resolutions with provisions related to cybersecurity have been introduced in the first session of the 112th Congress, including several proposing revisions to current laws. In the 111th Congress, the total was more than 60. Several of those bills received committee or floor action, but none have become law. In fact, no comprehensive cybersecurity legislation has been enacted since 2002.”

Fischer notes the importance of these changes. As he notes, “for more than a decade, various experts have expressed increasing concerns about cybersecurity, in light of the growing frequency, impact, and sophistication of attacks on information systems in the United States and abroad. Consensus has also been building that the current legislative framework for cybersecurity might need to be revised.”

Additional coverage can be found by ITWiki, PrivacyLives, and Justice Information Sharing.