The FTC: Encryption Champion or Bumbling Hypocrites on Data Security?
FTC Chairwoman Edith Ramirez today told the International Association of Privacy Professionals annual summit that the FTC “encourages companies to use strong encryption.” She added that “encryption plays an incredibly important role” in protecting consumer privacy and security.
It’s a bold pro-privacy move, at a time when a debate rages about encryption in consumer services. It’s also consistent with the hard line the FTC has taken in using its deception authority against companies that say they’ll use encryption or “top security” but don’t — and its unfairness authority against companies whose data security the agency deems unreasonable.
Good for her. We should all be glad the FTC is standing up for consumers.
But until little more than a month ago, the FTC’s own mail servers did not support TLS, the opportunistic transport encryption (STARTTLS) that protects email while it travels between servers and is about the most basic form of email security there is. I pointed this out at the time, using the handy feature Google had just rolled out for Gmail: a broken red padlock that alerts you whenever you are about to send an email to a server that does not support encryption.
What happened? Perhaps the FTC leadership didn’t realize the agency was living in the email Dark Ages until Google’s new tool made this obvious. Perhaps they even read my tweet? (I doubt it, given that the FTC still hasn’t done anything about the fact that one of the six elevators at its headquarters has a carpet featuring the agency’s seal that’s missing the letter ‘i’ in ‘America’).
Or perhaps the FTC had already set about shoring up its email security after FTC Commissioner Julie Brill opened a phishing email back in February? (Transport encryption and phishing are different problems: TLS between mail servers keeps messages from being read in transit, but it would not have blocked the message Brill received.) Brill told the story to the Washington Post after leaving the Commission late last month:
Gene Kimmelman, president of the consumer group Public Knowledge — sent her an email with an innocuous-looking Google Drive attachment. But after clicking on the link and entering in some of her personal information on the resulting page, she soon realized the truth: This was not a Google site at all.
Instead, online criminals had muscled their way into Kimmelman’s email account and begun sending fake emails in his name to everyone in the account’s address book. …
Luckily, even though Brill had given out some of that data, she had made sure that the criminals wouldn’t be able to hijack her own accounts. She’d taken advantage of two-factor authentication, a security measure that prevents someone from logging into a website unless they can also reproduce a special code sent to a separate device such as your mobile phone. Two-factor or two-step verification has been adopted by Google, Amazon and other major websites to combat the rise of digital fraud.
Whew! A close call. It’s a good thing Brill had taken care to protect her accounts — and a good thing that those private services’ two-factor authentication protected her!
Who knows how many other FTC employees might have fallen for such attacks? A single phished password, on an account without a second factor, could have given attackers a foothold in the FTC’s systems and access to the huge troves of sensitive commercial and personal information the agency collects.
The FTC learned, fixed the problem, and moved on. Problem solved. No harm done. Right?
Right.
Now imagine that you ran a small business that had made the exact same mistake. Think the FTC would be so understanding?
Just ask LabMD. Back in 2007 (well after TLS had become standard on the web, and a good nine years before the FTC enabled it for its own email), the Georgia-based cancer testing lab allegedly failed to take adequate measures to ensure that its employees complied with company policies against installing third-party software on work computers. This allegedly allowed a billing manager to install LimeWire peer-to-peer filesharing software on her computer, exposing a 1,718-page billing file containing personal and insurance information on roughly 9,300 patients to the LimeWire network.
Tiversa, a firm whose business model amounted to a cybersecurity shakedown racket, later used an advanced peer-to-peer search tool to find that file on the LimeWire network. Tiversa then tried to shake LabMD down for money to “remediate the vulnerability.” LabMD refused, so Tiversa turned the case over to the FTC. (That’s how the racket worked.)
The FTC spent three years investigating the company, then finally brought an enforcement action in 2013. The FTC’s own Administrative Law Judge dismissed this complaint late last year, saying the FTC had failed to establish even the likelihood of consumer injury and rejecting the evidence provided by Tiversa suggesting the files had ever left LabMD’s computers.
LabMD had won a partial victory; the legal fight is now before the full Commission. But the company had already closed up shop under the weight of the lawsuit, which damaged its brand and prevented the company from renewing its business insurance.
In short, the FTC was utterly merciless — determined to get its pound of flesh even if it killed a company that quite literally helped save the lives of cancer patients.
Imagine taking the same merciless approach to the FTC. Edith Ramirez wouldn’t just lose her job. She’d be hounded, ridiculed and mocked mercilessly for the technological incompetence of what we’ve called the “Federal Technology Commission” — a moniker she’s embraced.
Hypocrisy is one thing. Incompetence is another. This isn’t the first time the FTC has flubbed things technologically. The central irony of the LabMD case is that the FTC started looking into the issue of P2P filesharing back in 2005 and issued a report broadly warning about P2P risks, but failed to use its enforcement powers against the makers of P2P software until 2011, when the FTC settled an enforcement action against FrostWire for designing its software to trick users into sharing files they thought were private.
The new Democratic FTC got that right — doing what previous Republican Chairmen had failed to do. But the agency hadn’t really upped its game on tech.
The real scandal of the LabMD case is partly technical and partly common sense. On the latter, how could the FTC staff possibly have failed to realize the essentially criminal nature of Tiversa’s business model? Back in 2012, when the FTC staff wanted an administrative subpoena before suing LabMD, Commissioner Rosch warned:
I am concerned that Tiversa is more than an ordinary witness, informant, or “whistle-blower.” It is a commercial entity that has a financial interest in intentionally exposing and capturing sensitive files on computer networks, and a business model of offering its services to help organizations protect against similar infiltrations. Indeed, in the instant matter, an argument has been raised that Tiversa used its robust, patented peer-to-peer monitoring technology to retrieve the [file at issue], and then repeatedly solicited LabMD, offering investigative and remediation services regarding the breach, long before Commission staff contacted LabMD. In my view, while there appears to be nothing per se unlawful about this evidence, the Commission should avoid even the appearance of bias or impropriety by not relying on such evidence or information in this investigation.
You’d think that would have made the FTC ask tough questions. Apparently, it didn’t. At trial, a former Tiversa employee testified that the evidence Tiversa supplied to the FTC (showing that LabMD’s file of sensitive billing information had spread onto the LimeWire network) was completely fabricated. A more technologically sophisticated agency would have double-checked Tiversa’s evidence. They didn’t.
But what can we expect from an agency that can’t even secure its own email?
It’s high time Congress reasserted its authority over the FTC — something it hasn’t done since 1994 and, before that, since 1980.
But it might start by asking some more basic questions about how much the de facto Federal Technology Commission really knows about the technology it has claimed such sweeping discretion to regulate. For instance:
- Has the FTC turned on two-factor authentication for all of its own employees? If not, a single phished password is enough to take over an account, as the Kimmelman email shows. And since a one-time code sent by text message can itself be relayed by a phishing page in real time, the sharper question is whether the agency has moved to phishing-resistant second factors such as hardware security keys.
- What other security “best practices” is the FTC ignoring? TLS for mail transport has been a published standard since 2002 (RFC 3207) and is about as basic as it gets…
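For readers who want to check the second question themselves: the following Python script is an added example, not part of the original post and not anything the FTC or Google published. It does what Gmail’s padlock indicator does behind the scenes: connect to a mail server on port 25, read the EHLO reply, and see whether STARTTLS appears among the advertised extensions. The hostnames and EHLO replies in the sample data are constructed for illustration; the live check needs network access and a real mail host of your choosing.

```python
"""Does a mail server advertise STARTTLS?  Added example, not code from the
original post. The sample EHLO replies and hostnames below are constructed,
not captured from any real FTC or Google server."""
import smtplib
import ssl
import sys

# Constructed EHLO replies (RFC 5321 s.4.1.1.1): "250-" marks a continued
# line, "250 " the final one. The first line is the server greeting.
SAMPLE_EHLO_WITH_TLS = (
    "250-mx.example.net at your service\r\n"
    "250-SIZE 35882577\r\n"
    "250-8BITMIME\r\n"
    "250-STARTTLS\r\n"
    "250-ENHANCEDSTATUSCODES\r\n"
    "250 SMTPUTF8\r\n"
)
SAMPLE_EHLO_PLAINTEXT = (
    "250-mail.example.gov Hello\r\n"
    "250-SIZE 20480000\r\n"
    "250 8BITMIME\r\n"
)


def parse_ehlo_extensions(ehlo_reply):
    """Return {EXTENSION: parameters} from a raw multi-line EHLO reply.
    Raises ValueError on anything that is not a well-formed 250 reply."""
    exts = {}
    lines = [ln for ln in ehlo_reply.replace("\r\n", "\n").split("\n") if ln.strip()]
    if not lines:
        raise ValueError("empty EHLO reply")
    for i, line in enumerate(lines):
        if len(line) < 4 or line[:3] != "250" or line[3] not in "- ":
            raise ValueError("unexpected EHLO reply line: %r" % line)
        if line[3] == " " and i != len(lines) - 1:
            raise ValueError("final-line marker before end of reply: %r" % line)
        if i == 0:
            continue  # greeting line carries the server name, not an extension
        keyword, _, params = line[4:].partition(" ")
        exts[keyword.upper()] = params.strip()
    return exts


def supports_starttls(ehlo_reply):
    """True if the reply advertises the STARTTLS extension (RFC 3207)."""
    return "STARTTLS" in parse_ehlo_extensions(ehlo_reply)


def check_mx_starttls(host, port=25, timeout=10.0, verify=True):
    """Live check (needs network). Connects, issues EHLO and, if STARTTLS is
    offered, negotiates it and reports the TLS version. With verify=True the
    certificate must chain to a trusted CA and match `host`; MTA-to-MTA TLS
    is opportunistic, so many real MX hosts only pass with verify=False."""
    result = {"host": host, "starttls_offered": False, "tls_version": None,
              "cert_verified": None, "error": None}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            code, _ = smtp.ehlo()
            if code != 250:
                result["error"] = "EHLO rejected with %d" % code
                return result
            if not smtp.has_extn("starttls"):
                return result  # plaintext-only: what Gmail's red padlock flagged
            result["starttls_offered"] = True
            ctx = ssl.create_default_context()
            if not verify:
                ctx.check_hostname = False
                ctx.verify_mode = ssl.CERT_NONE
            smtp.starttls(context=ctx)  # raises if verification fails
            result["tls_version"] = smtp.sock.version()
            result["cert_verified"] = verify
    except (OSError, smtplib.SMTPException) as exc:
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    for label, reply in (("with TLS", SAMPLE_EHLO_WITH_TLS),
                         ("plaintext", SAMPLE_EHLO_PLAINTEXT)):
        print("%-9s sample: STARTTLS=%s" % (label, supports_starttls(reply)))
    if len(sys.argv) > 1:  # e.g. python starttls_check.py mx.example.net [--no-verify]
        print(check_mx_starttls(sys.argv[1], verify="--no-verify" not in sys.argv))
```

Two caveats worth keeping in mind when reading the output. A server that advertises STARTTLS has passed only the test Gmail was applying; because server-to-server TLS is opportunistic, an attacker on the path can strip the STARTTLS offer or present any certificate unless the sending side enforces a policy out of band, which is why the live check reports separately whether the certificate verified. And the check says nothing about the other question in the list: a mail server that encrypts in transit does nothing to stop a user from typing a password into a fake login page.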
Oh, and could someone please get them to fix the “UNITED STATES OF AMERCA” thing?
It’s embarrassing. Sheesh!