Page 2 of 4

How a Lone Grad Student Scooped the Government and What It Means for Your Online Privacy

The FTC is going after big tech companies with no wifi, outdated BlackBerries, and computers that can't even access the websites they're supposed to watch over.

| Fri Jun. 29, 2012 5:00 AM EDT

The FTC tries to do the best with what it has. In 2009, with new Obama-era appointees aboard, it hired Christopher Soghoian, a privacy technologist who could perform the sort of sophisticated forensics that Mayer conducted on Google. A year later, in 2010, the FTC hired its first chief technologist, Edward Felten, a Princeton computer scientist who is highly regarded in tech policy circles. But the three men who have filled the privacy technologist job that Soghoian filled first (each have served for about a year) faced an awkward problem: The desktop in their office is digitally shackled by security filters that make it impossible to freely browse the web. Crucial websites are off-limits, due to concerns of computer viruses infecting the FTC's network, and there are severe restrictions on software downloads. When Soghoian tried to download a wifi-sniffing app, his boss told him within a few minutes that he had tripped a security alarm; he could not use the app on his computer. It had to be deleted immediately.

To defend against hackers, filtered computers are standard in the government, but they are problematic for officials who are trying to discover dishonest activity on the web; it's a bit like telling a cop he can't patrol in high-crime neighborhoods. A handful of unfiltered computers are available in restricted labs at the FTC's headquarters on Pennsylvania Avenue and its satellite offices on New Jersey Avenue and M Street, but this is an ungainly setup. Rather than leaving their office, waiting for an elevator, swiping their ID badges across a sensor at the lab's locked door and logging into a computer soaked with malware (because the lab computers are used to test suspicious applications and websites), the technologists have instead stayed in their office and tethered their personal laptops to their personal cellphones. The office does not have a window, and the cell signals are not strong; even by phone standards, their web connection is slow.

Soghoian and the current privacy technologist, Michael Brennan, tried to get an unfiltered desktop installed in their office. Each time—Soghoian in 2010, Brennan in 2011—they got tantalizingly close, with new machines delivered to them. But the computers were never connected to the internet. Someone at the agency—they don't know who—got cold feet. "I basically had a $2,000 computer doing nothing," Soghoian said. Brennan isn't even at the office so much these days; he is a part-timer who lives in Philadelphia, where he is getting a Ph.D. in computer science at Drexel University. When he works in Washington, the FTC's privacy gunslinger crashes at a friend's house.

Only one FTC official has an unfiltered desktop: Felten, the chief technologist. He is the sort of unconventional public servant the FTC has hired in recent years. He was an expert witness in the landmark antitrust suit against Microsoft, a board member of the Electronic Frontier Foundation, and in April he participated in a privacy hackathon with his teenage daughter. Felten, hired mainly to provide policy advice to the FTC chairman, also conducts investigations of suspicious websites or apps—this is what he uses the unshackled computer for. During an interview, he pointed to it, a bit like a museum guide gesturing toward a priceless artwork, and said, "This is rare. I think this is the only one."

He acknowledged the agency is hindered by a shortage of technical experts who can find the sorts of violations that Mayer stumbled on.

"We could for sure do more if we had more people," he said while sitting in his office, which is nearly bare, with a few FTC posters on the walls, a small table and chairs, and a large desk for his two computers. "There are a lot of opportunities that we have to let go by because we don't have the people to seize them…opportunities to measure and evaluate what's happening every day in people's computers and phones."

Felten, who plans to resume full-time teaching at Princeton in the fall, was asked whether he has better technological resources there.

"Oh yes," he replied. "That's certainly the case."

***

The mismatch between FTC aspirations and abilities is exemplified by its Mobile Technology Unit, created earlier this year to oversee the exploding mobile phone sector. The six-person unit consists of a paralegal, a program specialist, two attorneys, a technologist and its director, Patricia Poss. For the FTC, the unit represents an important allocation of resources to protect the privacy rights of more than 100 million smartphone owners in America. For Silicon Valley, a six-person team is barely a garage startup. Earlier this year, the unit issued a highly publicized report on mobile apps for kids; its conclusion was reflected in the subtitle, "Current Privacy Disclosures Are Disappointing." It was a thin report, however. Rather than actually checking the personal data accessed by the report's sampling of 400 apps, the report just looked at whether the apps disclose, on the sites where they are sold, the types of personal data that would be accessed and what the data would be used for. The body of the report is just 17 pages. (The FTC says it will do deeper research in future reports.)

The mobile unit has an equipment problem, too. Like most government agencies, the FTC issues BlackBerries to key officials. Poss, the unit's director, has one. The BlackBerry dominated when Al Gore ran for president, but today it's barely an also-ran with just 12 percent of the smartphone market. That's not a problem if you only use your BlackBerry for texts, emails and calls. But it's a problem if, like Poss, your job is to keep track of what's happening in the smartphone market. Most consumers use Androids or iPhones, and most of the apps written for them are not available on the BlackBerry.

If Poss wants to learn what's going on in the 88 percent of the smartphone market that her BlackBerry cannot access, she would need to leave her office and go to one of the FTC labs, where she can use or check out an iPhone or Android. It's a clunky setup, so she resorts to a familiar workaround: She uses her personal smartphones. She has an iPhone as well as an Android.

A moment after she mentioned this in an interview, she added, "I probably shouldn't be saying that."

FTC officials are reluctant to talk about their lack of funding, partly because public whining, especially during hard economic times, is infrequently rewarded. It's also politically unwise. A vocal portion of the electorate believes the government and its regulatory arms have too much money and power as it is. Additionally, the FTC is trying to keep the tech industry honest by hinting that the feds are watching everything. It does not help if Silicon Valley realizes the FTC possesses just a handful of iPhones and Androids that are kept under lock and key in the basement.

The interview with Poss was conducted in an office on the third floor of the FTC's headquarters, with an FTC spokeswoman on hand. When Poss was asked whether it wouldn't make sense for the director of the Mobile Technology Unit to have a government-issued iPhone or Android, the spokeswoman, Claudia Farrell, interceded.

"He's trying to get you to bitch, Patti. Don't do it."

Poss, a lawyer who has worked at the FTC for more than 12 years, began to look uncomfortable, as though she was in the witness box, unsure what she was supposed to say. She made amends by noting she can use her office computer to look at the smartphone app descriptions posted on the websites where they are sold. Then she reversed herself.

"Actually, you can't," Poss said. "We have some restrictions on the sites we can visit on government computers."

She hesitantly mentioned that Apple's app store is among the sites blocked by the FTC's security system. If she wants to look at the most popular websites for mobile apps, she has to go to a basement lab.

Farrell joined the conversation again.

"You're not going to make this a gut-wrenching story about how Patti has to leave the confines of her office to do her work?"

***

The FTC maintains an aura of secrecy about its internet testing labs in Washington. Their location is known but not much else. Officials would not talk about the equipment in the labs. Poss and Farrell refused to divulge the number of iPhones and Androids, though it appears to be not much more than a handful. "I don't want to lead you to think we have an unlimited supply," Poss acknowledged before being discouraged from acknowledging anything more.

It is hard for outsiders to know more because the FTC refuses to let reporters visit the labs.

"We're not going to show it to you, no way," said David Vladeck, who directs the agency's Bureau of Consumer Protection and controls access to the labs.

Page 2 of 4