The FTC is Looking to Tackle Internet Users’ Privacy Priorities
Last Wednesday, Federal Trade Commission (FTC) Chairwoman Edith Ramirez announced that on September 9 the FTC will hold the first seminar of its “Start with Security” campaign (which we previewed in March). The campaign is aimed at helping small and medium-sized companies improve their data security practices based on the knowledge the FTC has accumulated over a decade of enforcement action. Also last week, the FTC launched IdentityTheft.gov, a website that offers victims of identity theft tools to report and recover from identity theft and data breaches.
The FTC’s recent focus on privacy issues, particularly identity theft and data security, is a recognition of the priority consumers place on trust in the Internet. Trust in the integrity and security of the Internet and associated products and services is essential to its success as a platform for digital communication and commerce. One of the earliest government reports on the viability of the Internet for commerce said, in 1997, “[i]f Internet users do not have confidence that their communications and data are safe from unauthorized access or modification, they will be unlikely to use the Internet on a routine basis for commerce.”
Internet users continue to prioritize confidence in the security of digital services above all other privacy concerns online. In late 2013, CCIA commissioned a survey of Internet users that aimed to better identify the priorities and concerns of Internet users with respect to the handling of the information they share online. As far as privacy risks go, the study found that nothing is more important to Internet users than the security of their information online, in particular ensuring that their personal data is out of the hands of those who would do them harm.
The survey found that on average, users are 5 times more worried about hacking than tracking. That means that 80% of respondents say they are more worried that the information they share will be hacked to cause harm or steal from them, while just 16% are more worried that companies will use the information they share online to target advertising to them. This acute awareness of threats to the security of their information has resulted in a strong desire for the government to take more action to protect online security. Close to three-quarters (74%) of respondents say the federal government needs to do more to prevent and act against identity theft, including a 56% majority of those who say they feel strongly about the issue.
Given consumers’ overriding fear of identity theft, which has been the top category of complaints received by the FTC for the last 15 years (so much so that it pervades pop culture), your author is pleased to see that the FTC is taking steps to help businesses preempt threats to data security and help the victims of breaches recover from the theft of their personal information.
In its Start with Security seminar series, the FTC should offer recommendations that address those areas of most concern to consumers, in a manner that allows companies to think critically and use context to inform the choices they make about the secure design of products and services. No two digital services or consumer products are the same, so no set of standards or practices will be uniformly applicable or necessary for every circumstance—for example, apps or IoT devices that rely on user data should be expected to institute more robust security measures than those that are less reliant.
With differing product and development contexts in mind, the FTC can and should suggest certain best practices that are helpful to any digital company’s product development and life-cycles:
- Developers should consider the security implications, however remote, of every additional feature in a product
- User credentials should be generated and stored securely
- Build multiple layers of security into systems to avoid single points of failure; 2-factor user authentication is a good example
- To the extent reasonable for the service provided, personally identifiable data, user credentials, and other sensitive information should be encrypted in transit and at rest
- Developers should set default settings to the most secure, as many users will leave them in place
For the Internet to reach its fullest potential for innovation and investment, users must understand and feel confident in the security of online platforms, especially when user data is involved. Consumers and federal policymakers have recognized that reality for almost two decades. With the importance of continued user trust in mind, these new efforts by the FTC to offer clarity and improved practices to the public and industry are an important step in the right direction.