How a lone grad student scooped the government—and what it means for your online privacy

The settlement process is time-consuming, however. Owing to the agency’s small legal staff, some settlements take years to complete, and by the time they’re done, the targeted companies are not what they used to be. In May, the FTC announced a privacy settlement with MySpace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when MySpace was already a fading giant; by the time it was concluded in May, MySpace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, “You mean MySpace still exists?”

Although the agency has some sway with Google and other companies that are sensitive to reputational issues—an FTC settlement might not hurt Google’s bottom line, but the bad press could—it has less influence over data mining firms like LexisNexis, Choicepoint, and RapLeaf, whose revenues come mostly from businesses rather than consumers. This is a major hole in the government’s effort to protect consumers from privacy violations, and the FTC has all but thrown up its hands in futility.

The privacy report it issued earlier this year called on Congress to pass legislation that would set guidelines on acceptable practices by data miners. The odds of that happening are quite long, because of industry opposition to government oversight and the difficulty of getting agreement in Congress on what should and should not be allowed.


Even though he lives in university housing, Jonathan Mayer is a star in the world of digital privacy; he is the mop-haired kid who busted Google in his spare time. Silicon Valley companies seek him out to learn what he’s up to. Mayer, being clever, uses these encounters to learn about the companies. What are they thinking about the most? What do they fear the most? He has made another discovery.

“The FTC doesn’t strike fear into the heart of tech companies,” he says. “They know that as long as they stay within lax boundaries, it’s unlikely the FTC will bring enforcement actions against them.”

Yet there is a feared privacy watchdog, Mayer notes: the European Union. American companies have far less political influence in Europe, and Europeans are far more attentive to privacy issues, partly due to memories of Nazi-era totalitarianism.

Because most tech services offered to Europeans are the same as offered to Americans, protections required by EU regulators are usually extended to American consumers. It’s the globalization of digital regulation: What happens in one country can affect all countries.

For instance, under Irish privacy law, citizens are entitled to know the information a company possesses on them—and this was used against Facebook by a 24-year-old Austrian, Max Schrems, who asked the company to hand over all the data it had on him. Facebook’s international headquarters are located in Dublin, so the firm had to comply.
