Balkinization  

Thursday, August 23, 2012

FTC Agonistes: From the Nader Report to the Wired Report

Frank Pasquale

In 1968, a group of law student researchers helped Ralph Nader publish a highly critical report on the Federal Trade Commission. They concluded that the FTC failed to "detect violations systematically," to "establish efficient priorities for its enforcement energy," to "enforce the powers it has with energy and speed," and to "seek sufficient statutory authority to make its work effective." As Tim Muris notes, the report "lambast[ed] the agency and characteriz[ed] its overall performance as 'shockingly poor.'"

The FTC has taken many important initiatives to respond to concerns identified in the report. But we must now reconsider agency's record, as the digital world changes kaleidoscopically and budget restraints hamstring even the best-intentioned FTC staff.

About the closest thing we're likely to get to another "Nader Report" was Peter Maass's expose in Wired on challenges facing privacy enforcement and consumer protection in the digital age. Here's one of the many issues he identifies:
The mismatch between FTC aspirations and abilities is exemplified by its Mobile Technology Unit, created earlier this year to oversee the exploding mobile phone sector. The six-person unit consists of a paralegal, a program specialist, two attorneys, a technologist and its director, Patricia Poss. For the FTC, the unit represents an important allocation of resources to protect the privacy rights of more than 100 million smartphone owners in America. For Silicon Valley, a six-person team is barely a garage startup. Earlier this year, the unit issued a highly publicized report on mobile apps for kids; its conclusion was reflected in the subtitle, “Current Privacy Disclosures Are Disappointing.” It was a thin report, however. Rather than actually checking the personal data accessed by the report’s sampling of 400 apps, the [17 page] report just looked at whether the apps disclose, on the sites where they are sold, the types of personal data that would be accessed and what the data would be used for.

As Maass notes, "The agency can take companies to court, but its overworked lawyers don’t really have the time to go the distance against the bottomless legal staffs in Silicon Valley." Like an SEC pushed by budget constraints to pursue mere "cost of doing business" settlements, the FTC too often has to capitulate to symbolic penalties with dubious deterrent effect.

The problem goes beyond the courtroom. The same companies that have hundreds of millions of dollars to spend blockading legal action also fund a vast ecosystem of commentators who complain about any initiative the agency may take. They also spend millions lobbying. And their soft power is, if anything, even stronger than the power plays of DC influence peddling. I once met a Congressman who could not stop gushing about how proud he was that his son had an internship at Facebook. I talk to law professors whose bottom line is essentially: "Silicon Valley is all the US economy has going for it, and no one in DC had better mess with it."

What's particularly disappointing is that some FTC leaders seem defensive about current shortcomings, rather than straightforward about the reasons for them: namely, resource constraints and lack of authority to impose fines that would actually deter wrongdoing. Many of those who frequently work with the FTC have circled the wagons, complaining that Maass was too harsh. But it's hard to believe that occasional fines amounting to four hours of revenue will result in any real change in behavior.* Nor are similarly sized judgments doing much real enforcement work, as some judges are beginning to realize.

Rethinking Enforcement

A few years go, the FTC admirably recognized that it needed to rethink privacy from the ground up. The result was a perceptive, well-written report that grappled with fundamental issues in the law of fair data practices and consumer protection. Where the law was plainly inadequate, the report said so. For example, it supported "legislation that would provide consumers with access to information held by data brokers," an increasingly important priority in a pervasively "scored society."

The FTC now needs to reconsider enforcement from the ground up. Where its technical capacity is clearly lacking, it should say so. And it should not be afraid to ask Congress for the resources it needs to detect lawbreaking. This might include a self-funding agency model, like the PTO or FDIC. Or it could ask for authorization to hire contractors to discover wrongdoing. Consider the example of CMS, which compensates contractors in a variety of ways to detect fraud and abuse:
[T]he healthcare government contractor landscape continues its transformation with an increased number of contractors actively pursuing the recovery of erroneous payments and the identification of potential patterns of fraud and abuse[, including Recovery Audit Contractors (RACs), Program Safeguard Contractors (PSCs) and Zone Program Integrity Contractors (ZPICs)]. . . .
CMS compensates RACs on a contingency fee basis based on the contractors' final determination, in dollars, of amounts improperly paid. MICs are eligible to receive, in addition to contractual fees, a bonus for strong performance, which could include an assessment of amounts returned to the program. ZPICs and PSCs also are paid a fixed contractual rate with bonuses based on performance standards for quality of service and administrative actions. Such bonuses may be tied to the amount of overpayments identified or number of fraud referrals made by ZPICs and PSCs.
If the Centers for Medicare and Medicaid Services can embrace the analytics of private contractors, the FTC should aspire to do the same. And if the SEC can ask for a self-funding model, so too should the FTC have the courage to do the same. Privacy and consumer protection are two of many areas where the US faces a crisis of regulatory capacity. Law enforcers don't do consumers any favors when they pretend to have the resources they need to do the job.
*To its credit, the FTC tends to avoid truly laughable penalties, such as the FCC's slap on the wrist in this case.

X-Posted: Concurring Opinions.

Home