LAST spring, soon after Facebook acknowledged that the political consulting firm Cambridge Analytica had improperly obtained the data of tens of millions of the social network’s users, a top enforcement official at the Federal Trade Commission (FTC) drafted a memo about the prospect of disciplining Facebook.
Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against the social media giant, and argued it had violated an earlier FTC consent decree barring it from misleading users about the manner their information was shared.
But enforcement official James A. Kohm took a different view.
In a previously undisclosed memo in March, Kohm—echoing Facebook’s own argument—cautioned that the latter was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the FTC.
The Cambridge Analytica data leak set off a reckoning for Facebook and a far-reaching debate about the tech industry, which has collected more information about more people than almost any other in history. At the same time, the FTC, which is investigating Facebook, is under growing attack for what critics say is a systemic failure to police Silicon Valley’s giants and their enormous appetite for personal data.
Almost alone among industrialized nations, the United States has no basic consumer privacy law. The FTC serves as the country’s de facto privacy regulator, relying on more limited rules against deceptive trade practices to investigate Google, Twitter and other tech firms accused of misleading people about how their information is used.
But many in Washington view the agency as a watchdog that too rarely bites. In more than 40 interviews, former and current FTC officials, lawmakers, Capitol Hill staff members, and consumer advocates said that as evidence of abuses has piled up against tech companies, the FTC has been too cautious.
Now, as the Trump administration and Congress debate whether to expand the agency and its authority over privacy violations, the Facebook inquiry looms as a referendum on the FTC’s future.
“They have been asleep at the switch,” said Senator Richard Blumenthal, D-Conn., the ranking member of the subcommittee charged with overseeing the agency. “It’s a lack of will even more than paucity of resources.”
Even if the agency does not penalize Facebook over the Cambridge incident—and some former FTC officials disagree with Kohm’s reasoning—the commission could punish the company for other offenses. Former officials say they’ve been told that its inquiry has expanded to include recent security and privacy breaches as well as Facebook’s secretive data-sharing deals with Amazon, Netflix and other companies. Facebook declined to comment on the inquiry.
The agency, overseen by five commissioners—three of them typically from the president’s party, is habitually tight-lipped. FTC Chairman Joseph Simons declined to comment on the Kohm memo.
A cautionary tale
AS the federal government’s main consumer protection and antitrust authority, the FTC has pursued carmakers, drug companies, illegal robocallers and bloggers who fail to disclose corporate sponsors.
But it is hampered by its relatively small size: about 1,100 employees—roughly a quarter the staff of the Securities and Exchange Commission—and broad mandate. Guarding consumer privacy online, just one part of its mission, can raise complex technical issues.
The agency’s enforcement arm, led by Kohm, does not have its own tech experts, and instead borrows them from other agency units. The job of chief technologist, an adviser to the FTC chairman, has been vacant since April. And the armies of attorneys employed by tech giants outnumber its lawyers.
“They have considerably less staff than they had in the 1980s, and more responsibility,” said Justin Brookman, a former FTC official under the Obama administration who now works at the Consumers Union.
FTC officials said privacy and data security cases had gotten more attention than any others over the past decade.
Still, all five commissioners agreed at the November Senate hearing that the agency needed more money and greater regulatory authority to keep up with big tech.
In 2013 for example, FTC commissioners overruled a staff recommendation to sue Google for abusing its dominance in search to harm rivals. Three years later, when Google began merging data collected by several of its services, including Gmail and the ad technology platform DoubleClick, consumer groups filed a complaint with the FTC calling the practice “highly deceptive.” The agency took no public action.
Nor did the FTC penalize Facebook after it began acquiring phone numbers and other data from users of its WhatsApp subsidiary, which broke promises it had made when it acquired the messaging service. By contrast, the European Union’s antitrust chief fined Facebook $122 million last year for making misleading statements about the WhatsApp acquisition.
The social network said it had notified users of the change with new terms of service and had allowed them to opt out of aspects of how the platform used the data.
The FTC has defended its record on privacy, and pointed for instance to a $22.5-million fine imposed on Google in 2012 for bypassing privacy settings in Apple’s Safari browser in violation of a consent agreement. The fine was the largest civil penalty in the agency’s history.
Former officials say the agency struggles to enforce privacy within its traditional definition of deceptive or abusive business practices.
Proving harm
PRESIDENT Donald J. Trump’s arrival in Washington kicked off a period of uncertainty at the FTC. For 16 months, three of five seats remained vacant on the commission, which was initially led by acting Chairwoman Maureen K. Ohlhausen, an advocate of “regulatory humility.”
Ohlhausen’s staff told enforcement officials to slow down on cases so the White House would not view her as “anti-business,” according to a former senior official. That official and others interviewed for this article spoke on the condition of anonymity to describe conversations that were private or involved nonpublic FTC investigations.
In an interview, Ohlhausen denied ordering a slowdown and cited privacy actions she had brought against PayPal and Lenovo. But she acknowledged having argued against going after what she regarded as small cases, like Nomi.
With limited resources, she said, the FTC should “pursue cases where the evidence of actual or likely consumer harms is strongest.”
But that standard is difficult to apply against companies like Facebook and Google, whose services are free, and where it is challenging to prove that privacy lapses cause direct financial or emotional harm.
Two former staffers said Kohm, who has led the enforcement division for more than a decade, had expressed skepticism about proving harm in cases against tech companies.
In recent months, FTC employees meeting with Kohm asked how he viewed news reports that big tech firms had tracked users’ locations without clearly disclosing the practice. Kohm, whose division prosecutes boiler rooms, advertising scams, and other financial fraud schemes, responded that the tech companies were legitimate businesses offering free services, and it was unclear how they had harmed consumers, recalled one person in the meeting.
Kohm declined to comment for this article. Cathy MacFarlane, an FTC spokeswoman, denied in a statement that he placed a lower priority on privacy cases, saying Kohm “has dedicated his career to [enforce orders] the commission obtains, not setting his own agenda.”
Image credits: Tom Brenner/The New York Times