This story first appeared on the ProPublica website, where it was copublished with Wired.
Jonathan Mayer had a hunch.
A gifted computer scientist, Mayer suspected that online advertisers might be getting around browser settings that are designed to block tracking devices known as cookies. If his instinct was right, advertisers were following people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google.
This is precisely the type of privacy violation the Federal Trade Commission aims to protect consumers from, and Google, which claims the cookies were not planted in an unethical way, now reportedly faces a fine of more than $10 million. But the FTC didn't discover the violation. Mayer is a 25-year-old student working on law and computer science degrees at Stanford University. He shoehorned his sleuthing between classes and homework, working from an office he shares in the Gates Computer Science Building with students from New Zealand and Hong Kong. He doesn't get paid for his work and he doesn't get much rest.
If it seems odd that a federal regulator was scooped by a sleep-deprived student, get used to it, because the federal government is often the last to know about digital invasions of your privacy. The largest privacy scandal of the past year, also involving Google, wasn't discovered by federal regulators, either. A privacy official in Germany forced Google to hand over the hard drives of cars equipped with 360-degree digital cameras that were taking pictures for its Street View program. The Germans discovered that Google wasn't just shooting photos: The cars downloaded a panoply of sensitive data, including emails and passwords, from open wifi networks. Google had secretly done the same in the United States, but the FTC, as well as the Federal Communications Commission, which oversees broadcast issues, had no idea until the Germans figured it out.
Nearly every day, and often several times a day, there is fresh news of privacy invasions as companies hone their ability to imperceptibly assemble a vast amount of data about anyone with a smartphone, laptop or credit card. Retailers, search engines, social media sites, news organizations—all want to know as much as they can about their visitors and users so that ads can be targeted as precisely as possible. But data mining, which has become central to the corporate bottom line, can be downright creepy, with companies knowing what you search for, what you buy, which websites you visit, how long you browse—and more. Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products. It's akin to someone rifling through your wallet, closet or medicine cabinet, but in the digital sphere no one picks your pocket or breaks into your house. The tracking is done mostly without your knowledge and, in many cases, despite your attempts to stop it, as Mayer discovered.
The FTC is the lead agency in the government's effort to ensure that companies do not cross the still-hazy border between acceptable and unacceptable data collection. But the agency's ambitions are clipped by a lack of both funding and legal authority, reflecting a broader uncertainty about the role government should play in what is arguably America's most promising new industry. Companies like Facebook and Google are global brands for which data mining is at the core of present and future profits. How far should they go? Current laws provide few limits, mainly banning data collection from children under 13 and prohibiting the sale of personal medical data. Beyond that, it's a digital mosh pit, and it's likely to remain that way because more regulation tends to be regarded by politicians in both parties as meaning fewer jobs. Students will probably continue to beat the FTC to the punch: The agency just has one privacy technologist working in its Division of Privacy and Identity Protection and one in the Division of Financial Practices. "I don't think it's controversial to note that they seem to be understaffed," Mayer said in a phone interview between classes. "I think that's pretty clear."
This isn't the usual sort of story about regulation watered down by intimate ties between government officials and the industry they oversee. Unlike the US Minerals Management Service, where not long ago a number of officials were found to have shared drugs and had sex with representatives of the oil and gas industry, key FTC officials hired by the Obama administration are privacy hawks who worked previously for consumer-rights groups like Public Citizen and the Electronic Frontier Foundation. Under Chairman Jon Leibowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries; its first privacy technologist, hired shortly after Leibowitz became chairman, was a semifamous activist who made a name for himself by printing fake boarding passes to draw attention to airline security lapses (the FBI, which raided his house, was not pleased). The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do.
Yet the FTC is ill-equipped to find out, on its own, what companies like Google and Facebook are doing behind the scenes. For instance, ProPublica discovered that the FTC's Privacy and Identity Protection technologist has a digital hand tied behind his back because the computer in his office has security filters that restrict access to key websites. While Mayer has an ultrafast internet connection, top-of-the-line computer, an office chair he loves and tasty lunches for free ("Stanford students do not want in any way," he notes), the FTC technologist uses his personal laptop and, because there is no wifi at the agency, connects to the internet by tethering it to his iPhone. He browses the web at cellphone speed. There are no free lunches.
The FTC is headquartered in a landmarked building on Pennsylvania Avenue flanked by two sculptures of a man trying to restrain a muscle-bound horse that is straining to gallop away. The sculptures, completed in 1942, are entitled "Man Controlling Trade," and they explain a lot about the FTC's current dilemma. The notion of controlling trade, popular when the sculptures were erected a half-century ago, is not a vote-winner today. The FTC was an early battleground of the movement that began in the Reagan era to reduce government regulation. The agency had more than 1,700 employees in the 1970s, but is down to 1,176 today, even though the economy has more than doubled in that span. The FTC's responsibilities are vast: It must police everything from financial scams to antitrust activity, identity theft and misleading advertising.
Especially among Republicans, there is little interest in providing more resources. California Rep. Mary Bono-Mack, at a recent hearing on privacy legislation, warned that the government "has this really bad habit of overreaching whenever it comes to new regulations." Although the American Civil Liberties Union may see an epidemic of privacy violations, Bono-Mack said, "I haven't gotten a single letter from anyone back home urging me to pass a privacy bill." The skepticism is not just an outside-the-building phenomenon; it comes from within the FTC, too. One of the agency's five commissioners, Republican Thomas Rosch, dissented from its 2013 budget request, which asks for less money than the prior year budget of $312 million. Rosch said he believed the FTC still wanted too much. "In these austere times we should do more…with fewer resources," his dissent said.
The cold shoulder is not entirely Republican. Earlier this year the Obama administration unveiled a "Privacy Bill of Rights" that sets a variety of enviable standards for consumer privacy. "American consumers can't wait any longer for clear rules of the road that ensure their personal information is safe online," President Obama said. The document, which among other things would allow individuals to control the data collected on them, was welcomed by consumer groups. But it's not legislation. It's a wish-list. The administration hopes that some of its wishes, like a Do Not Track list, will be granted through voluntary industry standards. But many of the wishes require Congress to pass laws that it is unlikely to pass anytime soon. The FTC's meager budget request would seem to be the best indication yet of the prospects for significantly greater federal privacy protection.
It's an old story with a new twist. Few industries have as many admirers in Washington, DC, as Silicon Valley, which unlike the oil industry has what appears to be an equally large number of friends on both sides of the aisle. The tech industry is generally regarded as liberal-leaning—for instance, Eric Schmidt, the Google chairman, was an Obama campaign adviser and serves on the president's Council of Advisors on Science and Technology. But Sen. John McCain (R-Ariz.) was counseled in his presidential bid by both Carly Fiorina, the former CEO of Hewlett-Packard, and by Meg Whitman, the former CEO of eBay who now heads HP. Silicon Valley is one of the country's few global growth industries; politicians are reluctant to put restrictions on what it can and cannot do.