FTC Split on ID Theft Protections, United on Common Carrier Exemption

Credit freezes on breached accounts should be limited to cases where there’s a finding of “significant risk of harm,” Chmn. Deborah Majoras said. Consumers will wave off breach warnings if they're “overnoticed” by companies operating under strict breach notice laws, she said, or become “panicked” and undertake “expensive measures.” The FTC decided in 2005 that credit freeze provisions were premature, as the “laboratories of democracy” -- several states -- had passed their own credit freeze provisions, and the ID theft- related Fair & Accurate Credit Transaction Act had just taken effect, Majoras said.

Comr. Pamela Harbour said commissioners “disagree slightly on the margins.” Significant risk of harm sets “too high of a bar” for consumer protection, because companies worried about stock dips will be “very reluctant to quantify the breach as ’significant,'” she said. Comr. William Kovacic called the disagreement a “continuing conversation… We learn a bit more each time about what an appropriate standard might be” as the FTC investigates breach incidents.

The FTC has FCC envy, if commissioners’ comments were any indication. There’s no practical reason the FTC should be excluded from issues like telcos’ broadband pricing and marketing, Comr. Thomas Rosch said -- the agency’s track record on telecom issues such as mergers “speaks for itself.” All 5 commissioners answered affirmatively to Sen. Dorgan’s (D-N.D.) question on whether the common carrier exemption -- which limits telecom-oriented trade areas to FCC jurisdiction -- should be repealed.

Ranking Member Stevens (R-Alaska) said a “collision course” between FCC and FTC seemed inevitable. He said the committee planned to give the FTC a “clean bill of health” -- its first reauthorization since 1998. There are “several areas of overlap where we work closely” with the FCC, Majoras said. “We've divided the work quite effectively” on pretexting, with the FCC handling telco protections for customer proprietary network information (CPNI) and FTC cracking down on Internet sellers of CPNI, she added. Majoras noted the FTC filed 5 complaints against Internet sellers before the HP pretexting scandal captivated Congress.

But the convergence in services means “we find ourselves bumping up against that [common carrier] exemption more and more,” Majoras said: The agency is “already seeing places in which companies raise [the exemption] and stymie our enforcement efforts.” Bundling of broadband with voice service is becoming the norm, but when the FTC tries to investigate advertising and pricing structure, companies have said “nu-uh, you can’t do that,” she added. “Highly dynamic industries… are blurring together” but the “legal infrastructure” for consumer protection enforcement is outdated, Kovacic said.

The FTC may be hitting a wall on deterring Internet malefactors via its current authority, commissioners said. Pryor asked “why should spyware be legal at all?” We don’t think any software that installs without notice and consent should be, Comr. Jon Leibowitz said. “Are your remedies [against violators] sufficient?” Pryor asked. Leibowitz said profit disgorgement can be adequate but the Commission really wants civil-penalty authority: “It’s hard to determine what the injury is to each consumer” and discern which profits came from illegal activity. The most determined wrongdoers are “only going to be deterred if their freedom is withdrawn,” Kovacic said, asking for more latitude to work with criminal enforcement authorities to secure jail time for “vicious organized criminals” abroad.

Agencies always say they need more resources, Pryor said. Whether publicly or privately, “tell us what you would do with those resources” and exactly what statutory authority the FTC would like,” so if money shows up in the budget, Congress can oblige, he said.

But the agency is “tremendously gratified” about its new cross-border fraud authority under the SAFE WEB Act (WID Dec 28 p4), Harbour said. The FTC’s original deceptive-practices authorization is “outdated in the face of 21st century trade and technological developments,” in which “high tech con artists could strike quickly… and seemingly disappear without a trace,” she said. The FTC has a new steering group to implement SAFE WEB, she added. Govts. are devising “more consistent and reliable protections for consumers” through an Asia-Pacific Economic Cooperation working group on cross- border data privacy rules, Harbour said.

The FTC requested $240 million and 1,084 full-time employees for FY2008, a $17 million increase over FY2007. The requested increase would fund mandatory salary and contract expenses ($8.8 million) and 10 new full-time employees for the Privacy & Identity Protection Program ($1.4 million). It would also fund consumer protection outreach and enforcement efforts ($4.5 million): “Media literacy” ($2 million); electronic litigation, e-gov and IT initiatives ($1.6 million); Do Not Call renewals and outreach ($1.3 million); spyware enforcement and promoting “industry self- regulation” on marketing entertainment and food to children ($100,000 each); and various building and “human capital” needs ($900,000).