June 28, 2012 at 9:07 PM ET
Updated 2:30 p.m. ET June 29: The FTC has responded to the ProPublica article with a statement, shared below.
The Federal Trade Commission, established almost a century ago to investigate unfair and deceptive business practices, appears to be rather poorly suited for policing the vast and changeable online world, suggests a report from ProPublica. The FTC is secretive about its methods, but a cursory examination by the non-profit, investigative news organization shows that the agency's capabilities are limited in fundamental ways.
Despite the FTC employing nearly 1,200 employees, the relatively new department established to cover the mobile sector of commerce comprises just six people — three of whom are from the legal department, ProPublica said. Furthermore, the people who ostensibly oversee commerce involving the hundreds of millions of phones in this country — along with apps, services and carriers — are restricted in both the hardware and software they use.
BlackBerry phones are used at the FTC and other government agencies for security reasons, but iPhone or Android devices and the apps they run are kept in a basement lab, which very likely makes real use of them impossible. Several employees interviewed admitted to using personal devices to do their work. The FTC itself doesn't seem to see the necessity of providing its employees with the means to do their job:
The interview with [Mobile Technology Unit director Patricia] Poss was conducted in an office on the third floor of the FTC’s headquarters, with an FTC spokeswoman on hand. When Poss was asked whether it wouldn’t make sense for the director of the Mobile Technology Unit to have a government-issued iPhone or Android, the spokeswoman, Claudia Farrell, interceded.
“He’s trying to get you to bitch, Patti. Don’t do it.”
The Internet inside the agency, too, is restricted. Many sites, including Apple's App Store, simply cannot be accessed from the government's network. ProPublica's writer compares it to telling cops they can't go to high-crime neighborhoods.
So it comes as no surprise that when Internet-based companies are found to be deceiving or mistreating their customers, it's usually a young security wonk or other non-public entity that makes the discovery. Or, as in a recent case where Google was found to have collected an enormous amount of private data using its Street View cars, the mistreatment was only discovered after another government took the matter in its own hands (Germany, in this case), and the indictment had global effects.
That's not to say they don't know they could be doing more, as the agency's chief technologist, Edward Felten, tells ProPublica:
We could for sure do more if we had more people ... There are a lot of opportunities that we have to let go by because we don’t have the people to seize them … opportunities to measure and evaluate what’s happening every day in people’s computers and phones.
When the FTC does find itself in a position to regulate Internet and mobile companies, the process is often so slow compared to fast-moving tech industry, that by the time the case is made and any punishment doled out, the offense (or even the offender) is already long forgotten. For instance, the ProPublica report says, the FTC began legal proceedings against Myspace in 2009 — when that social network was in decline — and only wrapped it up and fined the company in May of this year.
The agency is simply outgunned, but it refuses to gear up, says ProPublica. Despite being outmaneuvered on both sides — on one by large companies dancing around regulations, on the other by private or individual investigators doing their job for them — they are not requesting more money or manpower, or claiming very reasonably that they are more necessary than ever.
But as ProPublica points out, those who ask do not always receive:
FTC officials are reluctant to talk about their lack of funding, partly because public whining, especially during hard economic times, is infrequently rewarded. It’s also politically unwise. A vocal portion of the electorate believes the government and its regulatory arms have too much money and power as it is. Additionally, the FTC is trying to keep the tech industry honest by hinting that the feds are watching everything. It does not help if Silicon Valley realizes the FTC possesses just a handful of iPhones and Androids that are kept under lock and key in the basement.
The tech industry may not have great reason to fear the FTC at the moment, but it is still under careful surveillance by independent organizations like the EFF and other privacy and business watchdogs. They may not have the ability to bring the weight of the federal government to bear on offending companies, but they can at least provoke the no less serious threat of public scrutiny.
Update: The FTC issued a statement, from spokesperson Claudia Bourne Farrell, in response to the ProPublica report, emphasizing the work the agency has done and disputing the report's findings. The FTC statement does not dispute the limited size and resources of the mobile and Internet-focused teams within the agency.
The Federal Trade Commission has brought 39 cases on data security breaches, 16 cases alleging violations of the Children’s Online Privacy Protection Act, including more than 100 cases involving spam and spyware, dozens of cases alleging violations of the Do Not Call Registry, and dozens more involving unfair or deceptive privacy practices, including cases against Google, Facebook, and Twitter.
These enforcement actions have created strong incentives for companies of all sizes to secure data, to abide by their own privacy promises, to respect consumers' choices, and to protect children's privacy.
The FTC’s extensive record of enforcement was given short shrift by a recent article published by ProPublica. This article also made some unwarranted assumptions - for example that computer scientist Jonathan Mayer discovered there were undisclosed cookies on the Safari Internet browsers of some consumers before the FTC did. The article also contains some notable inaccuracies. For example: the article states FTC "has less influence over data mining firms like LexisNexis, Choicepoint and Rapleaf." That’s wrong. Lexis Nexis and Choicepoint are under 20 year orders with the FTC. The agency obtained $15 million in relief from Choicepoint.
The article states the FTC is focusing enforcement efforts on deception. That’s inaccurate, too. The Commission also has authority over unfair practices, and has used this authority in cases like Facebook and a peer-to-peer file-sharing application developer called Frostwire. FTC also has brought many cases alleging violations of the Fair Credit Reporting Act.
In short, we take pride in our accomplishments and investigative work on behalf of the nation’s consumers. We think the FTC has made smart, efficient use of our resources and taxpayer dollars.
Devin Coldewey is a contributing writer for msnbc.com. His personal website is coldewey.cc.