Facebook Dodges Potential FTC Bullet

On July 24, 2019, the FTC filed its Stipulated Order requiring that Facebook comply with newly-imposed privacy requirements for a period of twenty years.  The most noteworthy aspect of this Order, however, does not relate to the specifics of this compliance framework – which can easily be addressed with the right counsel. Rather, the requirement that is more challenging for Facebook is the one creating an “Independent Privacy Committee” within Facebook’s Board of Directors “consisting of Independent Directors, all of whom” have “(1) the ability to understand corporate compliance and accountability programs and to read and understand data protection and privacy policies and procedures, and (2) such other relevant privacy and compliance experience reasonably necessary to exercise his or her duties on the Independent Privacy Committee.” 

Such specific requirements regarding the capabilities of a Board member are more than a bit unusual.    Given the fiduciary responsibilities of Board members as well as the reputations of those willing to become members of this “Independent Privacy Committee”, this novel requirement may actually do something to curtail future privacy transgressions.

There is no doubt the FTC resolution was Facebook’s well-orchestrated attempt at rehabilitating its tattered reputation.  As stated in Facebook’s blog response:  “Billions of people around the world use our products to make their lives richer and to help their organizations thrive. That makes it especially important that the people who use our platform can trust that their information is protected. This agreement is an unambiguous commitment to do that.”  Indeed, this agreement may even be marketed as a way of bolstering dwindling user engagement.

It remains to be seen, however, whether or not the Stipulated Order provides an “unambiguous commitment” to do anything other than resolve specific violations of a prior FTC Decision and Order, In re Facebook, Inc., C-4365, 2012 FTC LEXIS 135 (F.T.C. July 27, 2012). Indeed, Commissioner Rohit Chopra – who assumed office on May 2, 2018, filed a forceful dissent objecting to the lax settlement of this violated Order: “Facebook flagrantly violated the FTC’s 2012 order by deceiving its users and allowing pay-for-play data harvesting by developers” and this settlement “imposes no meaningful changes to the company’s structure or financial incentives, which led to these violations.”

Facebook’s regulatory problems are far from over – the DOJ just announced a wide-ranging antitrust probe that includes Facebook.  Specifically, the Department of Justice’s Antitrust Division will review “whether and how market-leading online platforms have achieved market power and are engaging in practices that have reduced competition, stifled innovation, or otherwise harmed consumers.” This antitrust probe will likely end up being much more interesting and potentially damaging to Facebook than the recent FTC settlement – especially depending on what road is taken by its potential privacy-killing Calibra business unit.

Senate Banking Committee Focuses on Libra Privacy Issues

On July 16, 2019, a Senate Panel lobbed missives across the Libra bow when questioning David Marcus, the head of Facebook’s Calibra subsidiary.   As suggested by the title of the hearing – “Examining Facebook’s Proposed Digital Currency and Data Privacy Considerations”, today’s hearing was really all about Facebook and not about digital currencies or blockchain technologies in any broader context.

Using a tone that permeated much of the hearing, Sen. John Kennedy ignored Facebook’s participation in a Swiss Association that purportedly leaves Facebook with little control over Libra and instead mocked: “Facebook wants to control the monetary supply. What could possibly go wrong?” Sen. Sherrod Brown (D-OH) reinforced this lack of trust when he said that Facebook was dangerous because it did not “respect the power of the technologies they are playing with, like a toddler who has gotten his hands on a book of matches, Facebook has burned down the house over and over, and called every arson a ‘learning experience.’”

Sen. Brian Schatz summed up the mood nicely when he recognized: “You’re making an argument for cryptocurrencies generally. The question is not, ‘Should the U.S. lead in this?’ Why in the world, of all companies, given the last couple of years, should [Facebook] do this?” 

On a more substantive side, the hearing was driven by a concern for privacy rights. As reported in The Wall Street Journal,  Mr. Marcus suggested that Facebook would not monetize users’ data related to Libra because no financial or account data from the Libra network would be shared with Facebook:  “We’ve heard loud and clear from people, they don’t want those two types of data streams connected.”

Even though it did not garner much public analysis, Chairman Crapo’s Statement provides an important privacy perspective that may also set the table for future legislative action: “Individuals are the rightful owners of their data. They should be granted a certain set of privacy rights, and the ability to protect those rights through informed consent, including full disclosure of the data that is being gathered and how it is being used.”

And, despite all of his protestations to the contrary, in his own prepared testimony, Mr. Marcus actually provides a rough roadmap detailing how the financial and transactional data obtained by Calibra could directly bolster Facebook’s data surveillance revenue.

Specifically, Mr. Marcus states: “The Calibra wallet will let users send Libra to almost anyone with a smartphone, similar to how they might send a text message, and at low-to-no cost.  We expect that the Calibra wallet will ultimately be one of many services, and one of many digital wallets, available to consumers on the Libra network.   We do not expect Calibra to make money at the outset, and Calibra customers’ account and financial information will not be shared with Facebook, Inc., and as a result cannot be used for ad targeting. Our first goal is to create utility and adoption, enabling people around the world— especially the unbanked and underbanked—to take part in the financial ecosystem.  But we expect that the Calibra wallet will be immediately beneficial to Facebook more broadly because it will allow many of the 90 million small- and medium-sized businesses that use the Facebook platform to transact more directly with Facebook’s many users, which we hope will result in consumers and businesses using Facebook more. That increased usage is likely to yield greater advertising revenue for Facebook.

To suggest that the mere ancillary use of Facebook’s platforms by Calibra users will alone cause an increase in advertising revenue makes little sense.  The only way Calibra will yield greater “advertising revenue” to Facebook is directly related to the well-understood increase in value user data would have after alignment takes place between transaction data and the other data obtained from Facebook’s platforms and services.  Indeed, advertisers have long recognized that personalization data is not nearly as useful as relevance data.

A long-term goal of Facebook’s Libra project, namely combining user data with associated financial and transactional data, should not be considered well-hidden. Mr. Marcus’ written testimony all but confirms Facebook will eventually harvest transactional and KYC data:  “Calibra will not share customers’ account information or financial data with Facebook unless people agree to permit such sharing.”  Indeed, Sen. Pat Toomey specifically asked Mr. Marcus whether Facebook intended to seek user consent to monetize Calibra-derived financial data and Mr. Marcus incredibly responded: “I can’t think of any reason right now for us to do this.” Really?

Facebook likely only has to ask and it will get whatever user permissions necessary to satisfy existing regulatory and statutory requirements.  Depending on the ultimate success of Amazon’s recent $10 offer for tracking data, Facebook may not even need to give much in return for such consent. In other words, once this particular genie is let out of the bottle there will likely be no turning back and any unencumbered launch of Libra might very well be the death knell for data privacy as we know it.

UPDATE: July 18, 2019

House Financial Services Committee Hearing of July 17, 2019

One major difference between the Senate hearing conducted on July 16, 2019 and the House Financial Services Committee hearing of July 17, 2019 was the sort of testimony provided by industry experts.  Even though the Senate smartly sought testimony from Wall Street and blockchain industry expert Caitlin Long, unlike the House it heard from no one educating it on Calibra’s privacy issues.

For example, MIT Professor Gary Gensler’s prepared House testimony lays out a number of questions regarding privacy that Facebook should answer at some point:  “We know that many of the most intrusive privacy practices of concern to privacy regulators have actually been subject to some form of consumer consent. So, it will be essential to conduct a more thorough analysis of what uses of Libra data should be allowed and which uses should be prohibited. How would such restrictions be monitored and enforced? What are the limited exceptions and might Calibra broadly seek customer consent in the form of standard user agreements? It would be likely that Calibra would want to commercialize this data. At a minimum, without sharing the raw transaction data from customers’ Calibra Wallets, it would still likely analyze such data to earn money either through advertisements or by offering targeted services to wallet holders.”  

As well, in the prepared written testimony of Robert Weissman, President of Public Citizen, there is a long discussion explaining why Facebook is a “Corporate Surveillance Leviathan” that cannot be trusted with the proposed Calibra wallet.

The House Hearing also raised the issue of whether Facebook would be able to pick and choose users of the Calibra wallet – potentially forcing persons to conform their behavior to Facebook standards. In one highlight of the House Hearing, Congressman Sean Duffy waved a twenty-dollar bill in the air while making the point that anyone, including persons who say horrible things, can use a twenty-dollar bill but: “Who can use Calibra?”  In response, Mr. Marcus pointed out anyone who could satisfy Calibra KYC requirements – which then begged the loaded follow-up question from Congressman Duffy:  “Could Milo Yiannopoulos and Louis Farrakhan use Calibra [given they are both banned from Facebook]?”  In response, Mr. Marcus said that an applicable policy hasn’t yet been written but that it was “an important question that [Facebook] needed to be thoughtful about.”  

Given Facebook’s poor track record – indeed, former Facebook executives readily acknowledge Facebook holds too much market power and should not be trusted going forward, these and other “important questions” must be answered as soon as possible.

First GDPR Proposed Fine Comes in at a Whopping $229 Million

On July 8, 2019, the UK’s Information Commissioner’s Office announced its intention to fine British Airways £183.39M ($229,377,293) for data breach infringements of the General Data Protection Regulation (GDPR).  This first publicly-disclosed GDPR penalty amounts to about 1.5% of British Airways’ worldwide turnover – which is still less than the possible maximum penalty of 4%.  Alex Cruz, British Airways chairman and chief executive officer, said in a press release:  “We are surprised and disappointed in this initial finding from the ICO.  British Airways responded quickly to a criminal act to steal customers’ data. We have found no evidence of fraud/fraudulent activity on accounts linked to the theft.”

According to the ICO, the massive fine was ultimately based on the harvesting of personal data of approximately 500,000 customers only one month after GDPR became enforceable.  The ICO investigation uncovered that “a variety of information was compromised by poor security arrangements at the company, including log in, payment card, and travel booking details as well as name and address information.”

Given that the ICO’s final decision will take into consideration a formal response from British Airways and other data protection authorities, the fine will likely be modified in some way – this is also likely given there were new security procedures implemented by British Airways, there is no present evidence of fraud, and British Airways has already threatened an appeal.

At the time of the attack, British Airways provided very little information regarding how it was accomplished other than to say it impacted website and app bookings from August 21 to September 5, 2018 and that it was the victim of a “sophisticated, malicious criminal attack”.  One security expert posited that malicious code was planted on the website’s payments page using a modified version of the Modernizr JavaScript library.  Others have considered this attack caused by a cross-site scripting exploit.  No matter what the attack vector or exploit, this was clearly the sort of security lapse that has dogged many companies over the years.  To now have a potential $229 million fine waiting on the sidelines can only be considered yet another massive motivation to get one’s security house in order as soon as possible.
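The tampering described above (a third-party library on the payments page served with extra code) is the kind of change Subresource Integrity (SRI) pinning and a periodic baseline comparison exist to catch. As an added example, not part of the original article or any British Airways code, the Python script below audits a constructed checkout page against a vetted baseline of script bytes; the file names, page markup and appended code are all constructed stand-ins.

```python
"""Audit external <script> tags on a checkout page against a vetted baseline."""
import base64
import hashlib
import re


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity value ("sha384-<base64 digest>") for body."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


# Constructed baseline: the bytes of each library as vetted at deploy time.
KNOWN_GOOD = {
    "/static/js/modernizr.min.js": b"/* constructed stand-in for Modernizr */\nwindow.Modernizr={};\n",
    "/static/js/vendor.min.js": b"/* constructed vendor bundle */\nwindow.vendor={};\n",
}

# Constructed: what the web server actually returned for those URLs on a later crawl.
# The Modernizr file has extra code appended, standing in for the tampering described.
SERVED = {
    "/static/js/modernizr.min.js": KNOWN_GOOD["/static/js/modernizr.min.js"] + b"/* unexpected appended code */\n",
    "/static/js/vendor.min.js": KNOWN_GOOD["/static/js/vendor.min.js"],
}

# Constructed checkout page: the vendor bundle is pinned with SRI, Modernizr is not.
PAYMENT_PAGE = """
<html><head>
<script src="/static/js/modernizr.min.js"></script>
<script src="/static/js/vendor.min.js" integrity="{vendor_sri}" crossorigin="anonymous"></script>
</head><body><form id="payment"></form></body></html>
""".format(vendor_sri=sri_hash(KNOWN_GOOD["/static/js/vendor.min.js"]))

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
ATTR = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')


def audit_scripts(html: str, known_good: dict, served: dict) -> list:
    """Classify every external <script> on the page.

    status values:
      "ok"        served bytes match the baseline and the tag carries an integrity attribute
      "unpinned"  bytes match the baseline, but without SRI a future swap would load silently
      "modified"  served bytes differ from the vetted baseline
      "unknown"   URL is not in the baseline at all (a script the page never shipped with)
    """
    findings = []
    for match in SCRIPT_TAG.finditer(html):
        attrs = dict(ATTR.findall(match.group(1)))
        src = attrs.get("src")
        if src is None:
            continue  # inline scripts are a Content-Security-Policy question, not an SRI one
        baseline = known_good.get(src)
        body = served.get(src)
        pinned = "integrity" in attrs
        if baseline is None:
            status = "unknown"
        elif body is not None and sri_hash(body) != sri_hash(baseline):
            status = "modified"
        elif not pinned:
            status = "unpinned"
        else:
            status = "ok"
        findings.append({"src": src, "pinned": pinned, "status": status})
    return findings


def needs_attention(findings: list) -> list:
    """Return the script URLs an operator should look at first."""
    return [f["src"] for f in findings if f["status"] in ("modified", "unknown")]


if __name__ == "__main__":
    for finding in audit_scripts(PAYMENT_PAGE, KNOWN_GOOD, SERVED):
        print(finding)
```

In a real deployment the baseline is captured at release time and the served bytes are fetched on a schedule from outside the CDN, so that a change to a pinned or unpinned library shows up before customers' browsers execute it.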

UPDATE: July 9, 2019

A day after the British Airways proposed fine, Marriott was hit with a $123 million proposed GDPR fine for a November 2018 breach.

Will Libra Coin Kill Off Privacy For Good?

In January 2018, Facebook publicly announced it was going to take a deep dive into cryptocurrencies.   That same month, Facebook removed all ads from its platform that promote “initial coin offerings or cryptocurrency”.   Facebook’s policy was “intentionally broad” and banned “all ads related to cryptocurrencies — not just those directly trying to sell cryptocurrencies or cryptographic tokens.”  One example of a banned ad was provided by Facebook:  “Click here to learn more about our no-risk cryptocurrency that enables payments to anyone in the world”. 

In other words, Facebook’s “Libra Coin” – described as a “low-volatility cryptocurrency” for global payments in the sort of White Paper written for every ICO ever launched, began percolating at the very exact time Facebook banned ads about ICOs and cryptocurrency.  

Facebook’s crypto advertising ban and duopolistic reach pretty much sums up why potential users should be careful before jumping on the Libra bandwagon.  In what can only be considered ironic, the “Libra Coin” is not even a true cryptocurrency or even built on a blockchain – it is apparently the token for a permissioned payment network that is partially decentralized while requiring the disclosure of sensitive authentication data as well as use of the Calibra wallet owned and operated by Facebook itself.  Most importantly, as a node on the network Facebook will also have access to all consumer transaction data flowing on the network.  Like icing on a global cake, by being part owner of a de facto bank, Facebook will also get to share in any float interest.

Those premier venture firms and companies who have anted up to align with Facebook’s project may believe in the collective end game but to align now with Facebook simply because of its tremendous reach will likely be a mistake for them as well as the consuming public.

Maine Bans ISPs From Selling Personal Information Lacking in Consent

On June 6, 2019, Maine joined a chorus of state legislatures moving on data privacy – this time requiring providers of broadband Internet services to obtain express consent before using a consumer’s personal information.  Specifically, the new Maine law reads:  “A provider may use, disclose, sell or permit access to a customer’s customer personal information if the customer gives the provider express, affirmative consent to such use, disclosure, sale or access. A customer may revoke the customer’s consent under this paragraph at any time.”  

Maine’s law is even more restrictive than California’s Consumer Privacy Act which will deploy an “opt out” mechanism requiring the consumer to inform data processors of their preference.   Both Californians and Mainers will have to wait until 2020 to benefit from their respective data privacy laws – with the Maine statute taking effect on July 1, 2020. 

As reported in The Hill, tech lobbyists are now exerting their best efforts on obtaining a federal law that will moderate this and other consumer privacy state gains – which is not surprising given even stricter data privacy laws percolating in other states.   Whether or not certain data privacy provisions die in a preemption skirmish, data rights will continue their reimagination by market forces so lobbyists alone can never prevail in their clients’ war against true individual data ownership.

Will Proposed NY and NJ Data Privacy Laws Lead to Federal Preemption?

On June 5, 2019, the NY State Senate passed the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to beef up its data breach notification law whereas a month earlier the New Jersey Governor signed into law an amendment to the New Jersey data breach notification law.  This is the first act in what may lead to significant new privacy laws emerging from these sister states.

New York is now moving on a bill, S5642, that is even more protective than the California Consumer Privacy Act while New Jersey is in the process of merging two proposed bills that may lead in the same direction. There has been opposition to these proposed laws by those companies who have the most to lose by stringent data privacy controls.  

If passed, however, these new laws may actually prod Congress to finally move on a comprehensive privacy framework – one that might preempt aggressive laws such as the ones proposed by New York and New Jersey and the one already passed in California, in favor of a much more tempered approach.  

In other words, the Internet Association and its lobbying partners may actually win the war if these bills are enacted and it can just get Congress to act in a preemptive manner.  Thankfully, the momentum has been consistently on the side of consumer protection and any hope of bipartisan action on the part of Congress remains a long-shot given the current political environment.

OCR Snags $3 Million HIPAA Settlement For Insecure Web Server

On May 6, 2019, the Office for Civil Rights (OCR) announced that Tennessee-based Touchstone Medical Imaging agreed to pay $3,000,000 and adopt a corrective action plan that includes the adoption of business associate agreements, completion of an enterprise-wide risk analysis, and additional comprehensive policies and procedures applying HIPAA Rules. Touchstone – which provides diagnostic medical imaging services, was notified in May 2014 by the FBI that one of its FTP servers allowed uncontrolled access to protected health information (PHI).  This uncontrolled access “permitted search engines to index the PHI of Touchstone’s patients, which remained visible on the Internet even after the server was taken offline.”

During OCR’s investigation, Touchstone acknowledged that the PHI of more than 300,000 patients was exposed, including names, birth dates, social security numbers, and addresses.  OCR’s investigation found that Touchstone “did not thoroughly investigate the security incident until several months after notice of the breach”.  As a result, Touchstone’s notification to individuals affected by the breach was considered untimely.   

Given last year’s summary judgment win by OCR and the facts presented by the Touchstone incident, it is not surprising that this significant settlement – which was one of the largest to date, was reached.  FTP servers have long been a threat vector – even if set up and run properly, so not unlike the clarion calls initiated for encryption and social engineering training, back office IT support should be sophisticated enough to adopt a means of file transfer that applies state-of-the-art security.

Is Facebook Dead Man Walking?

Whether Facebook survives as a social media platform may eventually hinge on a metric that has not been widely reported – which is ironic given what has recently been reported is hardly good news.   

On April 24, 2019, Facebook, Inc. estimated that it would incur a loss in the range of $3.0 billion to $5.0 billion as a result of privacy violations investigated by the Federal Trade Commission – which does not even take into account other pending privacy investigations including a report released on April 25, 2019 by Canadian privacy regulators.  Also, paying the FTC up to $5 billion will not save the company from the onslaught savvy class action lawyers will unleash the day after the FTC settles.  

Almost comically, on April 29, 2019, Facebook, Inc. announced what it likely thought was a successful PR coup, namely the funding of privacy research shepherded by two partner organizations, Social Science One and the Social Science Research Council.  Not surprisingly, there was no mention that Facebook would be provided specific recommendations from these organizations let alone have such recommendations eventually adopted by the company.  

Facebook’s privacy regulatory threats are not limited to those found in North America – Germany is attacking the core of Facebook, Inc.’s advertising business model and there are several potentially ruinous GDPR complaints that were filed against it the day that privacy regime became effective.   As previously stated with regard to GDPR:  “Facebook will soon be in uncharted and unpredictable privacy waters where disclaimers and popup consent forms may not easily tread.”  

A different sort of threat to Facebook can be found in the decentralized Internet currently being built by start-ups such as Blockstack – which recently filed an SEC Reg A+ offering for $50 million by way of a subsidiary.  Blockstack looks to leapfrog centralized platforms such as Facebook by building tools for a “decentralized computing network and app ecosystem” that includes decentralized storage allowing for porting of app data across social media platforms as well as self-sovereign user IDs that would allow for single user identities and passwords across every online application.  

More than likely, however, the most damaging threat to Facebook in the near term is the platform’s continued drop in customer engagement.  As recognized by Lou Kerner:  “On April 24th, 2019, Facebook reported Q1 ’19 earnings, and once again, Wall street applauded, sending the shares up 8%, adding another $45 billion in value. While some saw triumph, and others saw further reason to break Facebook up, all I saw was continued decline in the only metric that matters, engagement.”  

Kerner’s graphic on the steady decline of daily and monthly active Facebook users is ominous:

Notwithstanding its many privacy transgressions and current regulatory/litigation challenges as well as the future advent of a decentralized Internet, what likely will be the most direct cause of Facebook’s downfall as a platform stems from the simple fact users have been steadily moving away from using it.

Apparently, users have taken the advice of WhatsApp co-founder Brian Acton and have chosen to “delete Facebook.”  Even though Facebook, Inc.’s present cash reserve and its other popular applications would likely allow the company to continue as a viable entity for many years even without its eponymous platform, those present users who spend hours each day on Facebook – and have no desire to ever abandon it, might just not be enough to sustain the Facebook platform in the long term.  

Simply put, with shrinking levels of engagement the Facebook platform may eventually go from a MySpace to Vine.

SEC Issues First No-Action Letter for an ICO

The SEC on April 3, 2019 issued a No-Action Letter to an ICO offeror – demonstrating that its Chairman’s prior promise to devote sufficient SEC resources toward better understanding initial coin offerings has been kept. In the April 2, 2019 no-action request to the SEC, TurnKey Jet proposed “to offer and sell blockchain-based digital assets in the form of “tokenized” jet cards.”  TurnKey plans to be the program manager for a membership program based on this token platform.  The tokens would be pegged to the US dollar “throughout the life of the Program”.  Apparently, the sole purpose in issuing tokens is to avoid financial transaction costs to the extent a credit card is used to book jet travel.  

Even though there is certainly value in eliminating the middleman in high-cost transactions – card brands, Venmo, and Paypal take note, this is not the sort of blockchain-implemented ecosystem envisioned by the early ICO issuers.  Nevertheless, this sort of use case provides a readily apparent benefit to its participants and is exactly what the blockchain/DLT community needs to move forward.  As previously argued, it is certainly not the case that all ICOs are securities so this no-action move by the SEC should be welcomed by all. 

In a related positive move from the SEC, on April 3, 2019 the SEC released its Statement on “Framework for ‘Investment Contract’ Analysis of Digital Assets”.  Doing an excellent job of parsing the existing statutory interpretation of what constitutes a security, i.e., the now famous Howey test, the SEC’s FinHub Framework is a must-read for those looking to issue a digital asset.  

Notwithstanding some criticism of the SEC Framework, this release is a natural progression that should not be discounted.  More importantly, by launching this Framework the same day of its No-Action Letter, the SEC has sent a clear message that blockchain ecosystems remain open for business and the SEC will not hurl unnecessary impediments to the implementation of those use cases that actually comply with regulatory law.  

Google Cy Pres Fund Case Goes Back to District Court

On March 20, 2019, the Supreme Court deferred ruling on the settlement of a class action brought against Google.  The underlying action was based on Google’s transmission of users’ search terms, i.e., “referrer headers”, to its actual clients.   Class counsel argued that the transmission and storage of these referrer headers was in violation of both federal and state law given those conducting the searches never gave proper consent.  

In remanding the case to address a potential lack of standing, the Court ruled “[b]ecause there remain substantial questions about whether any of the named plaintiffs has standing to sue in light of our decision in Spokeo, Inc. v. Robins, 578 U. S. ___ (2016), we vacate the judgment of the Ninth Circuit and remand for further proceedings.”  This was obviously the correct ruling given a court cannot even hear a matter unless there is proper standing to sue. Given that the Supreme Court only decides matters properly on appeal and the question of standing was not put before it, the matter required a remand.

Disregarding the tortuous procedural history of this near-decade old case or the reasons why standing may not exist, this case will hopefully substantively address the court-approved settlement that would require “Google to include certain disclosures on some of its webpages and would distribute more than $5 million to cy pres recipients, more than $2 million to class counsel, and no money to absent class members.”  In other words, the Court will hopefully decide whether the lower court improperly approved the settlement given the individuals purportedly harmed would not have received a penny and the alleged improper conduct described in the complaint would have still continued unabated.  

In his Dissent, Justice Thomas believed the bare minimum threshold of standing was met and the case should have been reversed on substantive grounds because the cy pres fund settlement was violative of the Rules as it offered no compensation to the certified class.  As previously discussed, cy pres fund settlements – which can provide millions to advocacy groups approved by the defendant, hardly evoke the hallmark of justice given those purportedly harmed actually receive nothing.  Indeed, the use of cy pres funds has long been “a troublesome trend in privacy class action settlements given it allows plaintiffs’ counsel to quickly file and resolve class actions before actual damages can be made readily apparent.” It is no surprise various Attorneys General have pushed hard against these sorts of settlements.

As pointed out by one of the attorneys who appealed this Google case to the Supreme Court, today’s ruling likely “simply delays the day of reckoning for this unfair practice.”  Justice Thomas recognized today that there was something particularly odious about a settlement that only benefited lawyers and those third-party organizations acceptable to the Defendant.  Hopefully, in the near future the full Court will reach the same conclusion and put an end to this unsavory practice of rewarding a defendant’s “non-profit partners” rather than the actual litigants.
