It was pointed out that government agencies conducting far more secret operations—such as the Pentagon and the Central Intelligence Agency—often allow journalists and other outsiders to visit classified facilities. The embedding program during the Iraq war gave reporters the chance to report on the planning and execution of secret military operations. The FTC's labs would not seem to rival the technology displayed when journalists ride aboard nuclear-powered submarines, for instance.
Vladeck would not bend.
"We don't trust anybody," he said.
Current and former FTC officials say the labs are the size of suburban living rooms, with computers and accessories that do not look much different from what would be seen at a Kinko's. "There's nothing special there," Soghoian said. "It looks like a computer room in a public library or middle school."
Vladeck's appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. A conversation with Vladeck, who has argued four cases before the U.S. Supreme Court and won three of them, is akin to a combative courtroom session. He often leans across the table and speaks in a high-pitched bellow. During an interview in his office, he said that when he arrived at the FTC, "We weren't geared up for this battle." That's partly because the Bush-era FTC was not terribly aggressive on privacy but also because data mining has particularly taken off in the past few years.
"No regulator is ever going to tell you that he or she is satisfied with the resources," Vladeck said. "Would I like more resources? Of course, and I think I could put them to good use. But let me toot our own horn. We've gotten an enormous amount done in three years. I think we are sending a strong signal to the industry—you've got to straighten up and do the right thing."
Since he arrived, the FTC has reached privacy settlements with the some of the largest tech firms, including Facebook, Google and Twitter, though in each case, there were no fines, because the FTC's authority to issue fines on a first offense is limited. The agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.
Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC's privacy work and is under Vladeck's control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. "The bottlenecks are the lawyers for the most part," Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.
Vladeck has improvised. He described his strategy as similar to highway cops—the point isn't to catch every car that breaks the speed limit, but enough to signal to the others that they can't get away with much. He goes after the shiniest cars.
Yet those cases demonstrated the FTC's limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy—what's inappropriate data collection to one person might be fair and harmless to another—so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little—in which case, they aren't deceiving consumers if they do things that might be untoward.
Ironically, the best way for a company to avoid privacy tussles with the FTC is to not say much about their privacy practices. On the other side of things, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read or, when they do, they have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow these strategies—and many do—are difficult targets for the FTC.
Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large—this is akin to a two-strike rule.
The settlement process is time-consuming, however. Due to the agency's small legal staff, some settlements take years to complete, and by the time they're done, the targeted companies are not what they used to be. Last month, the FTC announced a privacy settlement with Myspace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when Myspace was already a fading giant; by the time it was concluded in May, Myspace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, "You mean Myspace still exists?"