Schneier on Security
A blog covering security and security technology.
April 27, 2009
Unfair and Deceptive Data Trade Practices
Do you know what your data did last night? Almost none of the more than 27 million people who took the RealAge quiz realized that their personal health data was being used by drug companies to develop targeted e-mail marketing campaigns.
There's a basic consumer protection principle at work here, and it's the concept of "unfair and deceptive" trade practices. Basically, a company shouldn't be able to say one thing and do another: sell used goods as new, lie on ingredients lists, advertise prices that aren't generally available, claim features that don't exist, and so on.
RealAge maintains that when you join the website, you consent to receiving pharmaceutical company spam. But since that isn't spelled out, it's not really informed consent. That's deceptive.
Cloud computing is another technology where users entrust their data to service providers. Salesforce.com, Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser. Cloud computing has significant benefits for customers and huge profit potential for providers. It's one of the fastest growing IT market segments -- 69% of Americans now use some sort of cloud computing services -- but the business is rife with shady, if not outright deceptive, advertising.
Take Google, for example. Last month, the Electronic Privacy Information Center (I'm on its board of directors) filed a complaint with the Federal Trade Commission concerning Google's cloud computing services. On its website, Google repeatedly assures customers that their data is secure and private, while published vulnerabilities demonstrate that it is not. Google's not foolish, though; its Terms of Service explicitly disavow any warranty or any liability for harm that might result from Google's negligence, recklessness, malevolent intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data. EPIC claims that's deceptive.
Facebook isn't much better. Its plainly written (and not legally binding) Statement of Principles contains an admirable set of goals, but its denser and more legalistic Statement of Rights and Responsibilities undermines a lot of it. One research group that studies these documents called it "democracy theater": Facebook wants the appearance of involving users in governance, without the messiness of actually having to do so. Deceptive.
These issues are not identical. RealAge is hiding what it does with your data. Google is trying to both assure you that your data is safe and duck any responsibility when it's not. Facebook wants to market a democracy but run a dictatorship. But they all involve trying to deceive the customer.
Cloud computing services like Google Docs, and social networking sites like RealAge and Facebook, bring with them significant privacy and security risks over and above traditional computing models. Unlike data on my own computer, which I can protect to whatever level I believe prudent, I have no control over any of these sites, nor any real knowledge of how these companies protect my privacy and security. I have to trust them.
This may be fine -- the advantages might very well outweigh the risks -- but users often can't weigh the trade-offs because these companies are going out of their way to hide the risks.
Of course, companies don't want people to make informed decisions about where to leave their personal data. RealAge wouldn't get 27 million members if its webpage clearly stated "you are signing up to receive e-mails containing advertising from pharmaceutical companies," and Google Docs wouldn't get five million users if its webpage said "We'll take some steps to protect your privacy, but you can't blame us if something goes wrong."
And of course, trust isn't black and white. If, for example, Amazon tried to use customer credit card info to buy itself office supplies, we'd all agree that that was wrong. If it used customer names to solicit new business from their friends, most of us would consider this wrong. When it uses buying history to try to sell customers new books, many of us appreciate the targeted marketing. Similarly, no one expects Google's security to be perfect. But if it didn't fix known vulnerabilities, most of us would consider that a problem.
This is why understanding is so important. For markets to work, consumers need to be able to make informed buying decisions. They need to understand both the costs and benefits of the products and services they buy. Allowing sellers to manipulate the market by outright lying, or even by hiding vital information, about their products breaks capitalism -- and that's why the government has to step in to ensure markets work smoothly.
Last month, Mary K. Engle, Acting Deputy Director of the FTC's Bureau of Consumer Protection, said: "a company's marketing materials must be consistent with the nature of the product being offered. It's not enough to disclose the information only in a fine print of a lengthy online user agreement." She was speaking about Digital Rights Management and, specifically, an incident where Sony used a music copy protection scheme without disclosing that it secretly installed software on customers' computers. DRM is different from cloud computing or even online surveys and quizzes, but the principle is the same.
Engle again: "if your advertising giveth and your EULA [license agreement] taketh away don't be surprised if the FTC comes calling." That's the right response from government.
A version of this article originally appeared on The Wall Street Journal.
EDITED TO ADD (2/29): Two rebuttals.
Posted on April 27, 2009 at 6:16 AM
• 35 Comments
I've told my company, but they still go ahead and do it. Once you let something out the firewall, you might as well consider it public, as it sooner or later may be, regardless of the safeguards someone gives you. If you don't want it to be public, then don't let it out.
Sing it, brother! Once your data is out there you lose all control.
This is why I'm going to grow into a suspicious old fart who uses only cash, travels by car (and pays tolls in actual coins), has the last working copy of Word/Pages in the world, and wears a mask outside because I don't want to be photographed.
In this speech to Congress in 2007 (http://www.ftc.gov/speeches/majoras/070206RSARemarks.pdf, pp. 10-11), then FTC Commissioner Deborah Platt Majoras distinguished between 3 types of FTC enforcement actions: (1) where a company has misrepresented the security protections it provides (ValueClick); (2) where a company does not have policies and procedures in place to protect against "well-known and security threats" such as SQL-injection attacks (BJ's); and (3) where a company does not have reasonable procedures in place to verify the identity of the parties with whom it is sharing customer personal information (ChoicePoint).
With each successive enforcement action, the FTC has extended the reach of its information security enforcement activities. The FTC began its enforcement path with regulated entities, moved on to taking action for breach of security commitments in privacy policies and TOSs, and has reached a general obligation to maintain an effective security program. The FTC has essentially created a national, non-statutory standard requiring any business that collects and maintains personal information to develop and implement an information security program.
Well, you have to remember that most lawyers get paid by the hour, so they're effectively paid by the word. ;-)
But you make a good point, and one that the FTC is dealing with. They have realized that no one reads privacy policies, so, effectively, there is no consent from consumers to whatever the company is doing. Leading companies are trying to find ways to simplify privacy policies and also provide "real time" advice to consumers about why a company is collecting specific information and what they intend to do with it.
Interestingly, shrinking internet privacy comes hand-in-hand with growing business of copyright protection racket. Presently the US govt is working on some ACTA thing which is supposed to raise the latter above draconian level and leave nothing of the former.
But hey, maybe there is a chance to get these beasts to eat each other? I mean, there could be a law that any personally identifiable data (that is, if there is a way for a trained investigator to trace them back to the actual person) are protected by existing copyright laws and belong to that person, so selling or leaking data like these sites do would be a felony.
Do you think any right protection group could pull that trick off?
"if your advertising giveth and your EULA [license agreement] taketh away don't be surprised if the FTC comes calling."
makes me furious. Every EULA that reserves the right to change the EULA in the future, so that it no longer has the wording I've agreed to, reserves the right to make a deceptive change that meets Engle's criteria. So the FTC should 'COME CALLING' on every EULA that reserves the right to make future changes as if I have still agreed to them. So where's the FTC?
In many cases, a company reserves the right to change the EULA and also suggests some way I can find out about this and withdraw my consent if I want. But in the computer world, five milliseconds of operating under a changed EULA is enough time to do all sorts of mischief that I do not approve of. My withdrawal of consent will of course be too late.
Contracts, and EULAs, should never include the right to make unilateral changes.
- toby robison
Anyone using Google Analytics (and that's a lot of websites) should carefully read the indemnification clause.
8. INDEMNIFICATION . You agree to indemnify, hold harmless and defend Google and its wholly owned subsidiaries, at Your expense, any and all third-party claims, actions, proceedings, and suits brought against Google or any of its officers, directors, employees, agents or affiliates, and all related liabilities, damages, settlements, penalties, fines, costs or expenses (including, without limitation, reasonable attorneys' fees and other litigation expenses) incurred by Google or any of its officers, directors, employees, agents or affiliates, arising out of or relating to (i) Your breach of any term or condition of this Agreement, (ii) Your use of the Service, (iii) Your violations of applicable laws, rules or regulations in connection with the Service, or (iv) Your Brand Features. In such a case, Google will provide You with written notice of such claim, suit or action. You shall cooperate as fully as reasonably required in the defense of any claim. Google reserves the right, at its own expense, to assume the exclusive defense and control of any matter subject to indemnification by You.
Note the bit about attorneys' fees and other litigation expenses.
Interestingly, while looking for this I stumbled on a different version:
which does not include the language. Perhaps it's not binding in the UK?
On their registration page (Privacy and Personalization) they say:
"We will not share your address or send you e-mail without your permission."
Is that new? Or is that a joke?
Blockbuster Online used Facebook's "Beacon" ad program. Under this program, Blockbuster's customers' video rental selections would be published as part of those customers' Facebook accounts, including as "news feeds" to Facebook friends of those customers. Plaintiffs, Blockbuster customers with Facebook accounts, sued in federal district court, alleging violation by Blockbuster of the Video Privacy Protection Act (18 U.S.C. § 2710). The VPPA prohibits a movie rental service provider from disclosing consumers' personally identifiable information, including movie rental selections, to third parties without the informed written consent of the consumer at the time of the disclosure. Blockbuster moved to invoke the arbitration clause in its terms and conditions, which required that all claims be determined by arbitration and which purported to waive the rights of customers to bring a class action lawsuit against Blockbuster. In this case, Blockbuster was attempting to use the newly added arbitration provision to deal with claims that came about prior to the implementation of the new TOS, so Blockbuster was attempting to use the new TOS retroactively. The plaintiffs argued that the arbitration provision is unenforceable because it is illusory, and the court agreed. The plaintiffs also argued that the arbitration clause is unenforceable because it is unconscionable, but, having already ruled the provision to be illusory, the court did not address this issue.
Depending on what happens with this case, we may need to revise how we deal with updates to online agreements.
A client alert about this is available on my firm's website, but in the interests of avoiding using Bruce's website to drive traffic to ours, I won't provide a link to it here in the comments.
@Harry, I usually try to avoid tolls as well. The roads can be more interesting and one can expect to have their plates photographed less often.
The notion that your data is "secure" if it's on your own computer is simply false, unless indeed you are willing to drop your computer down a well and fill in the well with concrete. To a sufficiently determined attacker, nothing is secure; what's more, diligence has essentially nothing to do with increased security.
I once sat in on a kickoff meeting with a company that was going to do a security review of my company. I asked the rep if her company used social engineering to break in. "No," she said. "That always works, so we don't learn anything."
@John Cowan - who wrote what that led you to think the writer considers data on a PC to be secure?
More secure than data released to others, yes. But secure in an absolute sense, no.
So who do you blame when your data falls into the wrong hands because of your operating system or other software that you had installed on your operating system failed to prevent an attacker from gaining access?
The OS vendor? The software vendor? The hardware vendor? None of them are willing to accept that responsibility. Read your license agreements.
"Cloud" computing and storage are the same as an OS and add on software. It just happens to have the added feature of being easily accessible from connected devices without running your own high availability networks and servers.
Service providers, especially huge ones, have their reputation at stake should anything happen to a customer's data. That reputation is worth $bignum. If they would like to remain in business, they strive to protect that.
These issues will never be fully addressed given the overall education level of the US population. Federal regulation won't solve the problem, only pick the winners. Until the population of users/consumers stops signing up for services that don't factually and completely disclose there's an incentive to avoid that disclosure. Market forces should demand full disclosure, but the market with respect to the masses is blind, deaf, and ignorant to these basic issues.
First chance today to read this post and wanted to pass this on.
This link is for "Analyze license agreements for interesting words and phrases. Make sense of the nonsensical. "
There is a tool that reads EULA, privacy agreements and the like. I've used it before and it does a pretty decent job of highlighting areas that might be worth considering. I am not an attorney so I can't say what if any legal ramifications of agreeing to anything. However it is worth a look to see for yourself.
Is it really deceptive for Google to promote the security of Google Docs without promising that it's 100% free from bugs or vulnerabilities?
Offline word processors aren't 100% free or invulnerable, and you'll find the same legal escape clauses in any commercial license agreement.
Do you think documents kept in Google Docs might actually be safer from loss or theft than documents kept on your laptop's hard drive?
The "escape clauses" are a symptom of a larger problem: companies don't know what they might be held responsible for, so even legit companies have huge EULAs.
That makes it hard to pick out the scammers. It would help if they used something like #include, and we had something like Creative Commons EULAs that had most of the necessary boilerplate.
This goes for more than just online EULAs of course. It would help with everything from mortgages to credit cards to investment products.
The UK has stronger data protection law than the US and Google would not be able to include any illegal (in UK) clauses.
Having said that, our stronger laws don't stop our government losing shed loads of our data!
@ Rich, uk visa lawyer,
There is another important reason why Google's TnC's are different in the U.K. to that of the U.S.
What "uk visa lawyer" did not mention is there is a significant difference in US civil/tort courts to that of UK and it is the thorny issue of "who picks up the bill and why".
By and large in the US under the civil/tort system currently in place each party pays their own costs irrespective of judgment (which is why Google wants you to pick up the tab not them).
Unfortunately this "pay your own lawyer" system favours those Gov and Corporate entities with deep pockets over "the little people" no matter how just the little person's case.
Therefore it is just like high stakes poker where a bad hand/case is fairly easy to make "go away" simply by forcing the other party to "fold" simply by making their money run out. Thus this bankrupting / blackmailing of less financially endowed individuals with "electronic discovery" etc is rapidly becoming the latest Tort Defence strategy for otherwise hopeless cases (and US judges appear quite happy to play along as it lines their pockets almost as well as those of the lawyers).
This is very sad as "the little people" almost invariably have to accept that they cannot stand up for their rights against the big boys no matter how just the case as they don't have the money to play...
As somebody on this blog reminded me the other day, the NSA showed the very seamy underhanded way Gov entities can do this. Basically an NSA "executive" decided they did not like an individual and removed their security clearance for no verifiably legitimate reason and thereby removed the person's ability to earn a living, the ensuing legal action was an example of bureaucratic kow-towing petty minded spitefulness (which is just one reason why you should avoid working in such places if you can).
In the UK the situation is different, but not really any better in any real manner when it's big-v-little.
In the UK the winner of the case will usually be granted some measure of their costs (although in general it never exceeds 75% even if the judge awards "full costs" as the lawyers then argue, who pays for the time taken to say "good morning" by the lawyer to the client... etc and yes there are specialised lawyers to do just this sort of arguing).
Further in 1976 in Calderbank-v-Calderbank a compromise offer to settle the dispute before costs got out of hand was made in writing by one party to the other. It was rejected however the judgment handed down was not favourable to the winner (look up the full details if you are that interested). The existence of the compromise offer was taken into account and the win was effectively Pyrrhic. Since then "Calderbank" letter/offer/enquiry have figured in the UK for deciding costs. Worse a decision was handed down that effectively makes a Calderbank the equivalent of a "payment into court" which is a significant and worrying trend...
Oh and another legal dirty trick "discounting", if you are the losing party in a civil or criminal action, the barrister for the winning party can make a totally unsupported claim for costs, and then remove your ability to enquire into their validity by discounting them by a nominal amount say 10%.
The only thing I can say is that when instructing a lawyer is to send them a letter instructing them not to carry out any activities that are not recoverable, and further they are to fully account both in activity and cost their costs and further they are to send as their first action a letter to the other parties lawyers that it is incumbent on them to prove all costs beyond reasonable doubt and that no discounting or other tricks will be accepted, further that all "offers" are to be made by payment into independent mutually agreed escrow account of the full amount otherwise they will not be considered as serious offers.
But as once (only half jokingly) said "all of the legal profession are perfidious beyond measure, thus seemingly the best course of action would be to strangle all lawyers at birth, but get yourself a good lawyer first..."
@Bruce "Cloud computing is another technology where users entrust their data to service providers. Salesforce.com, Gmail, and Google Docs are examples; your data isn't on your computer -- it's out in the "cloud" somewhere -- and you access it from your web browser."
Not that that's anything new. Hotmail's been around since what, '98?
Larry Ellison on Cloud Computing:
I got about 10% of the way through the RealAge questions and bailed due to privacy concerns. Perhaps I was just paranoid - but that doesn't mean they weren't out to abuse my data, and as it now turns out, they were.
I like windscar's idea about having a few standard EULAs available, a la Creative Commons, which would clarify things. The problem is that these companies *want* to obfuscate their privacy policies, rather than clarifying them. They *want* to hide what they're doing with your data.
Frankly, I'd like to see something like the standardized "Nutrition Facts" labels that show up on food packaging ... call it "Privacy Facts." We don't let food companies hide the fact that their products contain reconstituted monkey meat, or 5000% RDA of sodium, in a densely-worded pamphlet buried at the bottom of the box. Why should this be any different?
This discussion seems to have evolved into 3 separate but interesting topics:
1. Deceptive/lying terms or term summaries in products. This indeed should be considered a crime against the market and public at large, and should be made easy to police and prosecute just like selling food not fit for human consumption (something like the system with the people who inspect restaurants etc. to make sure they don't have rats running around in the kitchen etc.).
2. Wholesale trading in personal information (on any pretext) this should be outright banned. When large batches of personal info really needs to be given to truly separate entities (not just as part of company splits/mergers/reconstruction/renaming/subcontracting etc.), a specific published government permit open to citizen rebuttal and not open-ended should be used. E.g. "ABC corp. has applied for permission to merge copies of census data and the customer records of companies DEF, GHI and JKL to compute anonymised statistics of market shares customer overlap percentages etc. sorted by various demographics and to repeat this activity on an ongoing basis. ABC has sworn to discard the customer and personal information records after processing and to limit the numeric precision of the resulting statistics such that information about individuals cannot be deduced or reconstructed from the results. On this condition, the FTC proposes to grant this permit starting Jun 31. 2009, public comments and objections shall be filed with the FTC no later than May 31. 2009. The FTC will render its decision on Jun 10 2009 and legal challenges to the decision may be brought before the Federal district court between Jun 10 2009 and Jun 15 2009. Federal court rulings will be due Jun 20, 2009, US Supreme Court appeals due Jun 25, with ruling no later than Jun 31. 2009" (This fictive example would be published in the Federal Register for Apr. 31 2009. Note the use of nonexistent dates to emphasize the fictional nature of this example.)
3. Standardised EULAs. Yes, this would be a very good thing, over the years I have seen too many "customized" EULAs that were a mess of bad cut/paste, thoughtless clauses that benefit no one, unrelated consents as conditions of using already paid products etc. Some of the EULAs that would really be nice would be:
"The standard driver EULA" permitting use on any computer for the sole purpose of operating a specified list of (presumably bought and paid for) hardware products, including permission to use only parts of the package (in case the other parts don't suit you) and to use any related software patents in 3rd party drivers designed exclusively for said hardware and other hardware that comes with a similar permit.
"The standard Update and Supplement EULA" stating simply that the update is subject to the terms under which you acquired the original, is conditional on the original being legit, explicitly permitting use with each licensed original in your possession and stating that this does not void, extend or renew your existing warranties (if any) for the original.
"The bonusware EULA" stating that the software may be used with any legitimate copy of the main product, is free of charge and carries no warranty whatsoever. (Think stuff like the Solaris Bonus CD or Microsoft PowerToys).
"The support tool EULA" stating that you are licensed to use and copy the tool only as directed by personal messages from the providers technical support department. (Think debug versions of programs that reveal secret inner workings, info gathering tools etc.)
"Paid software per desktop EULA" stating that you must pay for each computer or remote desktop-like session running the software with all the usual no-reverse-engineering, no-infinite-amount lawsuits disclaimers etc. Should avoid the floppy-disk-era "one backup" clause, as most professionals now use multilevel backup schedules.
"Paid software per computer EULA" stating that you must pay for each computer or virtual machine running the software, but no surcharge for remote users or multiboot.
"Paid software per concurrent user EULA" stating that you must pay for each simultaneous use of the user interface whether by human or non-human users.
"Paid Source EULA" stating that you may use the provided source code, headers and libraries for anything except publishing it or repackaging it as a general purpose runtime for use by non-licensees. Also allows sharing of patches through a mechanism open only to other licensees. (Think Java, C Runtimes, non-free crypto toolkits, UNIX sources pre-McBride).
This whole personal records thing is a huge pet peeve of mine. The United States needs to protect its citizens and adopt personal record retention standards more like the EU (please not the other way around). Also I have an older article against Google's medical record land-grab that people may enjoy: http://www.win-vector.com/blog/2008/03/...
I agree that companies should have to have your permission to share data about you or use it in ways you didn't intend. Admonishing individuals never to let the data out of their possession in the first place is unrealistic, since it would render all commerce except in-person cash purchases impossible.
EULAs are a separate topic, but the whole concept of one is pretty much a form of fraud. When we defeated UCITA that should have been that; the law needs to continue to say (or resume saying, if it has changed) that any contract you make when you purchase a product must be on the outside of the box, where you can see it BEFORE you hand over the money, or it is null and void.
Hey Bruce - are you talking about American or British versions of terms of service being deceptive? In Germany there are serious legal barriers for having any sort of deceptive (in fact, "surprising") terms in the TOS [section 305c paragraph. 1 BGB - German civil code]. Check the German version of the TOS of Google or other big companies (of course, they would only apply to people living in Germany) and you'll see that there is nothing seriously deceptive in there.
I would find a post (with references) on the differences between how different countries have regulated the tradeoff between 'consumer protection' and 'freedom to conclude contracts' most interesting - since there is a clear tradeoff here. I have the impression that the American consumer is utterly helpless against any corporation with a legal department, while small German companies are burdened with ridiculous amounts of overhead trying to ensure compliance.
@ Bruce Schneier:
"Last month, the Electronic Privacy Information Center (I'm on its board of directors)..."
Thank goodness you're not on Google's board instead.
Thank goodness you're not on Google's board instead.
I think Bruce would not last too long on Google's board - he is too honest about user data collection stuff...
(while Google on the other hand is a front-end for NSA)
@ Bruce Schneier:
WSJ Online has amended your original article.
@ Ron (above)
The version of the article on this blog has been rewritten based on RealAge's complaint; it is not the same version that appears on the WSJ website.
There's also the extra problem of management incompetence or ignorance in not ensuring that the security they believe (or say) is in place actually is.
A couple of years ago I had the Australian Privacy Commission jump on the second largest Telco for not following their own privacy statement. "We will protect your data etc."
Yes, they did have the capability of providing secure financial transactions. But they didn't actually use it during the transaction where it was needed.
At least it wasn't until the APC followed up my complaint.
Sometimes Government agencies actually prove worthwhile.
I notice that not one returned a comment on the post about indemnification language that seems to appear in all EULA's now, whether it be software or use of a website. That language, which appears to make the consumer responsible for all lawyer fees if some third party sues the software provider, scares the heck out of me. I know 99% of the population doesn't read these fine print tomes called EULA's, but I still don't understand why there hasn't been more fuss about this. I generally won't use sites with that language, but they are getting harder and harder to find. I would hope that clause would be found unenforceable by the courts if it was ever invoked, but the consumer would still have to pay their life savings to a lawyer to prove that.