Tuesday, July 25, 2006

The Internet and the Future of Consumer Protection, part 3

Panel 3 was made up of current and former FTC commissioners and directors, and featured a lively dialogue. The sharpest divergence among panelists was whether the FTC would be much aided by the power to impose monetary penalties for unfair practices. CNet report: FTC Wants Beefed-Up Powers Against Net Scammers. I have rearranged and summarized the discussion, which was pretty wide-ranging. If you want reliable records, check out the transcript when it appears, or the video available now.

Jon Leibowitz, FTC Commissioner, argued that ad companies should be held responsible for enabling nuisance adware. They are responsible for ads placed downstream.

The FTC didn’t seek fines in its recent spyware cases because it has no authority for fines for first-time violations of §5; the FTC may also forfeit its right to seek fines in order to proceed ex parte and move fast, which is a Hobson’s choice. The FTC can do consumer redress, but you can’t use that to compensate consumers for the injuries they suffer to browsing convenience and loss of privacy. Civil penalties under §5 that the FTC could pursue without going through the Justice Department – the way the SEC has autonomy – are the crucial need. Liebovitz also mentioned the possibility of reviving the synopsis method, whereby the FTC litigates one case against one business and then serves notice on other entities doing the same thing.

Every decade, the same issues come up: what’s the penalty? If it’s just a cease and desist order, the CEO of a company will always say, “Let’s keep doing it until they tell us to cut it out.” That is why the remedy is key.

A separate problem is that legal anomalies prevent the FTC from giving confidential information to sister agencies in other countries (and receiving it from them, since it would then be FOIAable). This ought to be fixed, and there is proposed legislation.

J. Thomas Rosch, Commissioner and former Director of the Bureau of Consumer Protection: We are seeing the return of an unfairness theory. Breach of privacy cases particularly don’t necessarily involve deception, though they often do. The nature of “unfairness” has changed. With kidvid, the principal complaint was host selling. Today, kids’ ads are interactive, viral, maybe more persuasive and dangerous. The class of vulnerable consumers has also changed; it used to be the elderly and kids. Now there’s a huge universe of unsophisticated internet consumers.

What are the barriers to enforcement? Section 5(n) is a big constraint on the FTC’s ability to go after unfair conduct. The FTC has also taken the position that a pure omission isn’t deceptive, which is another constraint, as is the First Amendment. Politically, the bad burns FTC received on kidvid in the 1970s also curtail action. Kidvid crippled the agency, maybe forever. The tools for dealing with violators are also too limited; we need civil penalties. The final barrier is that the international community has less of a consensus on consumer protection than on antitrust.

We don’t have the ability to deal with things like advergames and buzz marketing (this was in response to a specific question about these things). If the FTC challenged viral marketing, it could expect the same political backlash as with kidvid, even though today’s tactics are more effective than host selling. Proceeding by synopsis or commission rule won’t be enough, though rulemaking might be a good idea for discrete topics like phishing. Kids are being hired as affiliates to carry out various schemes; without civil penalties, we’re just telling them to go to their rooms (where, by the way, they have wireless).

Robert Pitofsky, former Chair: Pitofsky emphasized that both traditional fraud and new privacy issues were everywhere on the internet, and that all FTC’s activity had First Amendment overtones, especially when the FTC starts talking about violence, porn and other bad content. The goal should be to protect the internet as an efficient market without high barriers to entry and as a reliable source of information.

A change he identified from the past is that important private players like eBay and Microsoft are now seeking more regulation. Best practices: mileage standards and Green Guides have worked well even though the car companies know they won’t be prosecuted for violating the mileage standards. Best practices work best with a discrete universe of sellers; they may not work when you’re dealing with the world.

Though the private sector has an important role in detecting abuse, the FTC needs to stand behind self-regulation with a stick. Until penalties are sufficient to make investment in fraud unwise, consumer education will be insufficient to solve the problem. We also need legislation mandating notice and consent for use of personal information. Advertisers know how to get messages across and they can figure out how to get people to pay attention to privacy information.

The FTC can also enact Magnusson-Moss rules to deal with phishing and spam. Civil penalties would apply once the rules were in place. They’d be enforced by the Justice Department, and rulemaking is cumbersome, but it can happen.

Howard Beales, former director, Bureau of Consumer Protection: Privacy is not the real issue for consumers. Anonymity is the core of the problem – on the Internet, no one knows you’re a dog. (The attendees were polite enough to laugh at that.) It’s not just a problem for consumers, since credit card losses are twenty times higher on the internet than offline, which is also a function of anonymity in transactions. Successful internet businesses invest in credibility through branding, like Amazon, or screening, like eBay. Without secure authentication of identity, we will only be able to trust the biggest players.

Notice is a failed promise for privacy – who reads GLB notices? People have other things to do. We should deal with the consequences of information use instead of notice, which has no value in itself. Relatedly, if Congress had acted on spyware four years ago, it might have made automatic updates illegal, even though that’s a great way to protect your computer. Legislation is dangerous!

Also, our problem was always finding solvent fraudsters, not getting authorization to seek civil penalties. Note, too, that as part of setting statutory penalties under the current law, a court must consider preserving the company’s ability to continue in business, which is not what we want with phishers.

The law (deception and unfairness) is broad, but the tradeoff is that it’s often not clear you violated the law until after the fact.

Liebowitz: But we can give good guidance to businesses. And, as with the issue of settlements that keep generic drugs off the market, we can go for penalties the second time, when people should know better, not the first time.

Rosch: Maybe the key is, as Beales says, to reduce anonymity and require notice of who the seller is. But Rosch has antitrust misgivings about creating reputational barriers to entry. Also, without international coordination, there’s no way to solve anonymity problems, since even phone calls can come from anywhere and look like they’re local with VOIP.

Pitofsky: There’s been some political climate change, but the FTC still can’t go after an entire market sector alone. It needs Congress. On privacy: Pitofsky hates to leave the burden on consumers, but, though notice has failed in some contexts, warnings on cigarettes have worked, and we shouldn’t give up. Inducing internet stakeholders to come to consumers’ aid might be better than global notice requirements or reductions in anonymity.

Unfairness as a basis for civil penalties barely survived a constitutional challenge on vagueness grounds before; he is not sanguine about using civil penalties in this fashion.

Liebovitz: We could diminish the risks of unconstitutional vagueness by specifying best practices.

Beales: With respect to advergames, marketers don’t yet know whether they work. If problems develop, advertisers may change their practices. The FTC can address misinformation if it develops. The Commission doesn’t and shouldn’t have authority to address the broader issue of the commercialization of society. (My comment: Why not? Why shouldn’t government do things that individuals alone can’t coordinate?)

Beales on privacy/anonymity: Building security into software is a good solution to the anonymity problem. If you can’t get into my computer, everything’s fine.

Rosch: That eventually chills some of the wonders of the internet. Civil penalties would help: Start imposing them, and we’d get good notices for adware. Fairly legitimate companies are involved in the business and would be scared by the risk fo fines.

Beales: Talk about chill! Which components of WordPerfect would have to be separately disclosed? Someone asked Beales: What about when you can’t uninstall software? Isn’t that obviously bad? Beales responded that some Windows software resists uninstallation. (Not sure that’s responsive to some significant fraction of the audience.)

Liebowitz, responding to Beales on anonymity: The genius of the internet is that you can get started without anyone’s permission. Liebowitz is concerned that incumbents could use consumer protection law to keep new entrants out.

Beales: I don’t want licensing, but I do want to know with whom I’m transacting.

Question: Are there gaps in the FTC’s jurisdiction? Consensus answer: The common carrier exception, but that’s narrow and eroding. Given media convergence, repealing the exception would make sense, but Brand X limited its effect. Liebowitz also pointed to the jurisdictional hurdle to the FTC going after nonprofits on its own (Justice can pursue them in court). Faux nonprofits often hide behind that fa├žade to thwart the FTC.

Question: What have we learned from CAN-SPAM? Beales: I haven’t seen anything systematic. It clarified the rules for legitimate players, which is often the effect of consumer protection legislation: the good comply, and the bad give us another reason they’re bad. The ISP private right of action is useful. Once again, the real problem here is authentication. Liebowitz: CAN-SPAM is good because fines are allowed and because it’s strict liability for certain acts.

Question: What’s the one issue you’d put on the forthcoming hearings’ agenda? Beales: Authenticity and anonymity. Rosch: Civil penalties. Pitofsky: Civil penalties and legislation to require notice and consent. Liebowitz: All of the above.

No comments: