Written by Nicholas Confessore and Cecilia Kang
Last spring, soon after Facebook acknowledged that the data of tens of millions of its users had improperly been obtained by the political consulting firm Cambridge Analytica, a top enforcement official at the Federal Trade Commission drafted a memo about the prospect of disciplining the social network.
Lawmakers, consumer advocates and even former commission officials were clamoring for tough action against Facebook, arguing it had violated an earlier FTC consent decree barring it from misleading users about their how their information was shared.
But the enforcement official, James A. Kohm, took a different view. In a previously undisclosed memo in March, Kohm — echoing Facebook’s own argument — cautioned that Facebook was not responsible for the consulting firm’s reported abuses. The social network seemed to have taken reasonable steps to address the problem, he wrote, according to someone who read the memo, and most likely had not broken its promises to the FTC.
The Cambridge Analytica data leak set off a reckoning for Facebook and a far-reaching debate about the tech industry, which has collected more information about more people than almost any other in history. At the same time, the FTC, which is investigating Facebook, is under growing attack for what critics say is a systemic failure to police Silicon Valley’s giants and their enormous appetite for personal data.
Almost alone among industrialized nations, the United States has no basic consumer privacy law. The FTC serves as the country’s de facto privacy regulator, relying on more limited rules against deceptive trade practices to investigate Google, Twitter and other tech firms accused of misleading people about how their information is used.
The Google building in New York, July 27, 2018. A regulator with the Federal Trade Commission is under attack for what critics say is a systemic failure to police tech giants and their vast appetite for personal data.
But many in Washington view the agency as a watchdog that too rarely bites. In more than 40 interviews, former and current FTC officials, lawmakers, Capitol Hill staff members, and consumer advocates said that as evidence of abuses has piled up against tech companies, the FTC has been too cautious. Now, as the Trump administration and Congress debate whether to expand the agency and its authority over privacy violations, the Facebook inquiry looms as a referendum on the FTC’s future.
“They have been asleep at the switch,” said Sen. Richard Blumenthal, D-Conn., the ranking member of the subcommittee charged with overseeing the agency. “It’s a lack of will even more than paucity of resources.”
Even if the agency does not penalize Facebook over the Cambridge incident — and some former FTC officials disagree with Kohm’s reasoning — the commission could punish the company for other offenses. Former officials say they’ve been told that its inquiry has expanded to include recent security and privacy breaches as well as Facebook’s secretive data-sharing deals with Amazon, Netflix and other companies. Facebook declined to comment on the inquiry.
The agency — overseen by five commissioners, three of them typically from the president’s party — is habitually tight-lipped. FTC Chairman Joseph Simons declined to comment on the Kohm memo.
“If the FTC had reached a conclusion that there was no case, we would have announced it,” Simons said in a statement. “Our investigation continues and when it is finished, you can be sure that the result of that investigation will be made public.”
The agency’s defenders said it had taken significant action against tech companies in recent years. Consumer advocacy groups, they said, sometimes want the FTC to take on cases that its relatively narrow powers will not permit.
“The act creating the FTC was not designed with privacy in mind,” said Jessica Rich, a consumer protection expert who formerly led the FTC’s consumer bureau. “That they’ve been able to bring hundreds of privacy and data security cases is actually quite a feat, not only given the limitations on their authority but the challenges companies have mounted, especially recently.”
— A Cautionary Tale
As the federal government’s main consumer protection and antitrust authority, the FTC has pursued carmakers, drug companies, illegal robocallers and bloggers who fail to disclose corporate sponsors.
But it is hampered by its relatively small size — about 1,100 employees, roughly a quarter the staff of the Securities and Exchange Commission — and broad mandate. Guarding consumer privacy online, just one part of its mission, can raise complex technical issues. The agency’s enforcement arm, led by Kohm, doesn’t have its own tech experts, instead borrowing them from other agency units. The job of chief technologist, an adviser to the FTC chairman, has been vacant since April. And its lawyers are outnumbered by the armies of attorneys employed by tech giants.
“They have considerably less staff than they had in the 1980s, and more responsibility,” said Justin Brookman, a former FTC official under the Obama administration who now works at the Consumers Union.
FTC officials said privacy and data security cases had gotten more attention than any others over the past decade.
Still, all five commissioners agreed at the November Senate hearing that the agency needed more money and greater regulatory authority to keep up with big tech.
Critics said a greater problem was cultural. The FTC is haunted, for example, by a clash with Congress in the 1980s over an attempt by the agency to ban television ads for junk food directed at children, known as “KidVid.” Lawmakers pulled funding and severely weakened the FTC’s power to issue new regulations.
Even today, “in just about every meeting I have at the FTC, staff mention KidVid,” said Josh Golin, executive director of Campaign for a Commercial Free Childhood, which has filed complaints against YouTube and Facebook.
Fears that Congress could again cripple the FTC have made some career lawyers reluctant to take on politically sensitive cases, according to current and former employees, speaking about their experiences during the Trump and Obama administrations.
“They think of themselves as deal-makers, not cops,” said Matt Stoller, policy director at the Open Markets Institute, who has called for big tech platforms to be broken up and regulated. “They have an institutional culture of deference.”
That has hobbled the agency’s approach to tech giants, leading to inadequate responses to privacy violations or efforts to squeeze out emerging competitors, according to Gene Kimmelman, a former senior antitrust official at the Justice Department and president of the consumer group Public Knowledge. The FTC needs legislation to allow it to set new rules for the era of big tech, he argued.
In 2013, for example, FTC commissioners overruled a staff recommendation to sue Google for abusing its dominance in search to harm rivals. Three years later, when Google began merging data collected by several of its services, including Gmail and the ad technology platform DoubleClick, consumer groups filed a complaint with the FTC calling the practice “highly deceptive.” The agency took no public action.
Nor did the FTC penalize Facebook after it began acquiring phone numbers and other data from users of its WhatsApp subsidiary, breaking promises it had made when it acquired the messaging service. By contrast, the European Union’s antitrust chief fined Facebook $122 million last year for making misleading statements about the WhatsApp acquisition.
(Facebook said it notified users of the change with new terms of service and had allowed them to opt out of the practice.)
The FTC has defended its record on privacy, pointing for instance to a $22.5 million fine imposed on Google in 2012, for bypassing privacy settings in Apple’s Safari browser in violation of a consent agreement. The fine was the largest civil penalty in the agency’s history.
Former officials say the agency struggles to enforce privacy within its traditional definition of deceptive or abusive business practices.
Ashkan Soltani, who was the FTC’s chief technologist from 2014-15, said he raised concerns about a location-tracking company, Nomi Technologies, that collected data on people without their explicit consent. He recalled resistance from Republican commissioners and from some staff members who didn’t see a clear consumer harm, since Nomi’s data could not identify specific individuals.
Ashkan Soltani, who was the Federal Trade Commission’s chief technologist from 2014 to 2015, in Washington, May 11, 2015. Soltani met resistance within the agency when he raised concerns about the data practices of a location-tracking firm. Soltani argued that the FTC needed to get ahead of a technology that would soon become highly intrusive. (He eventually persuaded the agency to investigate, and in 2015 the FTC approved a settlement with Nomi.)
Today, dozens of companies gather, use or sell location information so precise that it can pinpoint a phone within a few yards. The data is so detailed that it can often be linked to a specific person — and frequently harvested without clear consent.
— Proving Harm
President Donald Trump’s arrival in Washington kicked off a period of uncertainty at the FTC. For 16 months, three of five seats remained vacant on the commission, which was initially led by acting Chairwoman Maureen K. Ohlhausen, an advocate of “regulatory humility.”
Ohlhausen’s staff told enforcement officials to slow down on cases, so the White House would not view her as anti-business, according to a former senior official. That official and others interviewed for this article spoke on the condition of anonymity to describe conversations that were private or involved nonpublic FTC investigations.
In an interview, Ohlhausen denied ordering a slowdown and cited privacy actions she had brought against PayPal and Lenovo. But she acknowledged having argued against going after what she regarded as small cases, like Nomi.
With limited resources, she said, the FTC should “pursue cases where the evidence of actual or likely consumer harms is strongest.”