CDD Filings

Washington, DC (August 29, 2016) – The Electronic Privacy Information Center (EPIC) and the Center for Digital Democracy (CDD) today filed a complaint with the Federal Trade Commission, stating that the WhatsApp plan to transfer user data to Facebook is unlawful and that the FTC is obligated to block the proposed change in business practices.The EPIC-CDD complaint responds to a recent announcement from WhatsApp that the company plans to disclose the verified telephone numbers of WhatsApp users to Facebook for user profiling and targeted advertising.“When Facebook acquired WhatsApp, WhatsApp made a commitment to its users, to the Federal Trade Commission, and to privacy authorities around the world not to disclose user data to Facebook. Now they have broken that commitment,” said Marc Rotenberg, President of EPIC. “Clearly, the Federal Trade Commission must act. The edifice of Internet privacy is built on the FTC’s authority to go after companies that break their privacy promises.” Facebook and WhatsApp are the two largest social network services in the world. According to Wikipedia, WhatsApp has over one billion users. Facebook purchased the company in February 2014 for 19.3 billion dollars.EPIC Consumer Protection Counsel Claire Gartland explained, “In 2014, the FTC said that WhatsApp had to obtain affirmative consent to transfer user data to Facebook. There was an opt-out provision but that only applied to new information. Since WhatsApp intends to transfer user telephone numbers, which is not new data, it must obtain opt-in consent.”Gartland continued, “The phone number may also be the single most valuable piece of personal data obtained by WhatsApp. WhatsApp users are required to provide a verified phone number to use the service. And the phone number provides a link to a vast amount of personal information.”“The proposed change – an opt-out for data previously obtained – is exactly what the FTC said WhatsApp could not do,” said Gartland. “The transfer is only allowed if the consent is opt-in.”“The FTC has an obligation to protect WhatsApp users. Their personal information should not be incorporated into Facebook’s sophisticated data driven marketing business,” said Katharina Kopp, Ph.D., and CDD’s Director of Policy. “Data that was collected under clear rules should not be used in violation of the privacy promises that WhatsApp made. That is a significant change that requires an opt-in, according to the terms the FTC set out. It’s not complicated. If WhatsApp wants to transfer user data to Facebook, it has to obtain the user’s affirmative consent.”In 2011, EPIC, CDD and more than a dozen consumer privacy organizations pursued a successful complaint at the FTC that led to a twenty-year consent order after Facebook changed user privacy settings in a way that made users' personal information, such as Friend lists and application usage data, more widely available to the public and to Facebook’s business partners.Former FTC Chair John Liebowitz said at the time, “Facebook is obligated to keep the promises about privacy that it makes to its hundreds of millions of users. Facebook's innovation does not have to come at the expense of consumer privacy. The FTC action will ensure it will not."When Facebook proposed to acquire WhatsApp in 2014, EPIC and CDD said the FTC must protect the privacy of WhatsApp users. The FTC said that WhatsApp must continue to honor its privacy promises to consumers.The FTC warned, “If the acquisition is completed and WhatsApp fails to honor these promises, both companies could be in violation of Section 5 of the Federal Trade Commission (FTC) Act and, potentially, the FTC's order against Facebook.”The Federal Trade Commission has previously undertaken investigations against many firms that have engaged in unfair or deceptive trade practices.The Electronic Privacy Information Center (EPIC) (link is external) is a public interest research center in Washington, DC. EPIC was established in 1994 to focus public attention on emerging privacy and civil liberties issues and to protect privacy, freedom of expression, and democratic values in the information age. EPIC maintains one of the most popular privacy web sites in the world - epic.org (link is external) - and pursues a wide range of program activities including policy research, public education, litigation, publications, and advocacy. The Center for Digital Democracy (CDD) is recognized as one of the leading consumer protection and privacy organizations in the United States. Since its founding in 2001 (and prior to that through its predecessor organization, the Center for Media Education), CDD has been at the forefront of research, public education, and advocacy protecting consumers in the digital age.REFERENCESEPIC/CDD, In the Matter of WhatsApp: Complaint, Request for Investigation, Injunction, and Other Relief (Aug. 29, 2016),https://epic.org/privacy/ftc/whatsapp/EPIC-CDD-FTC-WhatsApp-Complaint-20... (link is external)FTC, “Enforcing Privacy Promises” (2016),https://www.ftc.gov/news-events/media-resources/protecting-consumer-priv... (link is external)FTC Press Release, “FTC Notifies Facebook, WhatsApp of Privacy Obligations in Light of Proposed Acquisition” (Apr. 10, 2014),https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external)FTC Letter to FB and WhatsApp, "Letter From Jessica L. Rich, Director of the Federal Trade Commission Bureau of Consumer Protection, to Erin Egan, Chief Privacy Officer, Facebook, and to Anne Hoge, General Counsel, WhatsApp Inc.” (Apr. 10, 2014),https://www.ftc.gov/news-events/press-releases/2014/04/ftc-notifies-face... (link is external)FTC, "Facebook Settles FTC Charges That It Deceived Consumers By Failing To Keep Privacy Promises” (2011),https://www.ftc.gov/news-events/press-releases/2011/11/facebook-settles-... (link is external)FTC Consent Order with FB (2011),https://www.ftc.gov/news-events/press-releases/2012/08/ftc-approves-fina... (link is external)EPIC, In re WhatsApp,https://epic.org/privacy/internet/ftc/whatsapp/ (link is external)EPIC, In re Facebook,https://epic.org/privacy/inrefacebook/ (link is external)###

We believe that the absence of any FCC rulemaking to protect the privacy of broadband customers would significantly add to the already prevalent sense of confusion and sense of loss of control among broadband internet customers under the existing FTC regime. Instead, the proposed rules will give ISP customers much needed control over their data and are much more likely to increase consumer confidence. Second, we would like to emphasize that current BIAS provider data practices already undermine the privacy of their customers and that they are in the process of further building out their powerful data management capabilities. Due to these practices and their significant position in the data eco system, BIAS providers are a growing and significant marketplace force in digital advertising. Contrary to companies’ and trade associations’ claims, we see no evidence that giving BIAS providers’ customers effective privacy choices will limit the online advertising industry to flourish. The American public wants to see its privacy protected and needs the safeguards proposed by the Commission. Nothing less will limit the expansion of an unprecedented intrusion of BIAS providers into the most private aspects of American consumers’ lives. The Commissions’ proposed rules are needed to protect individual autonomy and the fundamental right to privacy and self-determination. see attached for the complete Reply Comment Also attached is joint filing showing how the so-called "Multistakeholder" Process on privacy, organized by the Department of Commerce, has repreatedly failed to protect the public.

In the Matter of Petition of Public Knowledge, Center for Digital Democracy, Consumer Watchdog, Consumer Federation of America, and TURN —The Utility Reform Network Introduction: 47 U.S.C. §551 and 47 U.S.C. § 338(i) (collectively referred to as “privacy rules”) require that cable and satellite providers (herein referred to as “cable operators”) obtain the “written or electronic consent of the subscriber concerned” prior to the collection and use of that information for advertising purposes. Cable operators are also required to provide a written statement to their subscribers, which clearly and conspicuously informs the subscriber of the nature of the use of their personally identifiable information. Through these rules, Congress and the Federal Communications Commission have emphasized the importance of giving consumer’s control over how their information is being used. Despite this, cable operators have continued to use large amounts of their customers’ data without properly obtaining customer consent or informing subscribers of the extent of the use of their information. The Commission should enforce the relevant privacy provisions to ensure that cable operators only use subscriber information when they have the consent required by law. Cable Operators Collect and Share Large Amounts of Customer Data to Generate Targeted Advertising. The use of consumer data to target consumers for advertising is on the rise. Exactly how and to what extent cable operators are leveraging their customer’s data has been extensively documented in a recent report by the Center for Digital Democracy. Cable operators increasingly gather their customers’ personal information, share and combine that information with third parties, and use it to target customers for advertising on an individual level. Verizon, Comcast, Google, AT&T, Time Warner, Cablevision and others have incorporated powerful layers of data collection and digital marketing technologies to better target individuals. AT&T’s TV Blueprint, for example, “gives advertisers working with AT&T the ability to reach people based on factors like device, operating system, whether or not they’re heavy data users or the status of their carrier contract,” using “sophisticated second-by-second set- top box data” and other information. AT&T pulls data “from millions of set-top boxes” and analyzes consumer viewing history and uses these data to target consumers based on their viewing profile. Companies like Cablevision leverage granular data and precise details of household viewing behavior, and combine it with third-party data covering other intimate details of consumers’ lives to analyze and target specific individuals with video advertising across a range of screens. In their own words, “this set-top box level targeting lets marketers target customers that fit particular trends, profiles, demographics and attributes, and they can also pair the Cablevision data with their own or third-party data.” Cablevision and AT&T are not alone in their pervasive use of consumer data. Comcast recently acquired Visible World, which boasts of using data “from millions of enabled Smart TVs” as part of its advertising targeting service. Data points used to target consumers include income, ethnicity, education level, what kind of car they drive, purchase history, and location of their residence. Further, Comcast has acquired companies like This Technology, which is capable of inserting personalized content into network streams—including advertising messages tailored for specific individuals. These programs illustrate how cable providers give advertisers the ability to easily access and use a customer’s information, without that customer knowing the extent to which that information is being used. While these practices are broadly indicative of the ways many cable operators improperly use subscriber data, AT&T, Cablevision, and Comcast are among the most egregious. The Commission should investigate these practices and find that they violate the privacy rules. --- Full filed complaint attached below.

The Center for Digital Democracy (CDD), a nonprofit organization representing the interests of consumers in the digital marketplace, strongly supports the Federal Communication Commission’s (FCC) proposal to empower individuals to make effective decisions regarding their privacy on broadband networks. Broadband Internet access service (BIAS) plays a powerful and distinctive role in the commercial digital media marketplace, requiring precisely the set of sensible safeguards offered by the Notice of Proposed Rulemaking (NPRM). CDD believes it is entirely necessary and consistent with the Communications Act that the commission extend longstanding consumer-protection policies for the telephone network into the modern broadband context. The role of the network in the broadband marketplace has a distinct purpose compared to so-called “edge” content providers: to facilitate a fairly managed and efficient connection between the subscriber/consumer and the content and/or services of their choice. Given their network-management role, BIAS providers have unique capabilities in terms of monitoring the communications and activities of their subscribers, enabling the capture and use of an extensive array of personal and other consumer information. Positioned by necessity at the center of subscribers’ wireline or wireless broadband use, and holding a “digital key” that can help analyze much of their users’ digitally connected behaviors, BIAS providers have unlimited opportunities to influence the decisions consumers make via data-collection-related applications and services. Consumers today confront a far-reaching and largely invisible data-gathering apparatus that tracks and analyzes their every move online. For example, as the FTC has acknowledged, the growth of cross-device tracking, enabling the identification of a particular consumer’s use of personal computers, mobile phones, tablets, and increasingly even television, and combining multiple sources of data for the development of a targeting profile, illustrates how recent advances in digital data collection pose growing threats to consumer privacy. Indeed, the journal of the Association of National Advertisers explained just last month, “cross-device marketing … allows unprecedented access to individual consumers via personal or shared household devices. … Data-driven cross-device marketers gain exclusive access to a slew of advantageous marketing enhancements, including consistent messaging across all devices … .” Leading BIAS providers promise such cross-device targeting capabilities. Lacking the ability to enact regulations to protect privacy (except for children 12 and under), the FTC has been powerless to ensure consumer protection from cross-device tracking practices, let alone from the growing myriad of practices that gather consumer data from social media, mobile app, online video usage, programmatic targeting, and many other practices. Without the authority to issue regulations on privacy-related matters connected to consumer financial services, for example, the FTC has been forced to rely on its Section 5 authority related to unfair and deceptive practices. In practical terms, this has enabled the digital-data industry to recognize that there are no real constraints to their rapidly expanding collection, analysis, and use of consumer data. The FTC has long recognized that its inability to issue regulations has placed the agency at a serious disadvantage, and has called for the enactment of new regulatory authority. For example, as former FTC Chairman Jon Leibowitz testified before Congress in 2009, in order for the agency “to perform a greater and more effective role protecting consumers … changes in the law and additional authority to promulgate needed rules …” are required. As CDD explained in its March 2016 report on the growth of digital data gathering by leading ISPs (and filed separately in this proceeding), companies such as ATT, Comcast, Verizon, Cablevision, and Charter have made significant investments in their ability to capture, process, and take advantage of a consumer’s information across all the devices they use daily. They are using cloud- and IP-based management systems to deliver data-connected advertising and marketing; have invested in or allied with real-time programmatic marketing technologies that, in milliseconds, make personalized ad-related decisions on which consumers to target and for what product; and have acquired numerous companies that strengthen their hold and use of consumer information, including data gathered by their consumers’ use of apps, online video, and mobile phones... Key characteristics of the BIAS data collection apparatus include: [see attached comments for full submission]