FTC and Online Privacy, Fall 2013


This is the syllabus for the Fall 2013 FTC and Online Privacy Seminar, taught by Deirdre K. Mulligan (dkm@ischool).

Class meeting: Monday 2-5pm (first meeting September 9th); 107 South Hall

Office hours: Monday 11:30-12:30; 212 South Hall

Course description


The US Federal Trade Commission (FTC) has emerged as the primary regulator of the online privacy and security practices of the corporate sector. Through consent decrees, reports, and other agency-centered activity, the FTC continues to shape the privacy field despite persistent legislative inaction on new privacy or security laws. The State Attorneys General play an important role as well, similarly using their investigatory, enforcement, and convening powers to advance more privacy-protective practices in the corporate sector. These consumer protection regulators have broken with the simple caveat emptor approach of common law courts, which left consumers at the absolute mercy of corporate privacy policies and terms of service, and draw other factors into the consideration of whether a given privacy-related practice is consistent with a fair marketplace. Most recently, they have turned their attention to matters of technical design. The FTC has argued that interfaces can create legal liability by exposing consumers to unavoidable privacy risks, just as failing to patch known security vulnerabilities in a database unfairly exposes personal data to theft and misuse. The CA AG, as well as the FTC, has begun to consider the defaults of platforms, operating systems, and marketplaces, as well as their responsibility for the privacy practices of the actors who may access consumers' personal information through them.

The work of the FTC and the State AGs is increasingly dependent on technical experts. The FTC recently hired its first Chief Technologist; several iSchool alumni have worked directly with the FTC as employees, consultants, and expert witnesses; and others have provided briefings, testimony, and expert advice as the agencies have worked to understand the implications of various technologies for their consumer protection agenda.

This course will provide a grounding in relevant privacy and security law and practice at the FTC and CA AG, with particular attention paid to the role of technical experts in various aspects of the agencies' work. Attorneys and technologists from the agencies, as well as iSchool PhD candidates and alumni with experience working with these and other regulators on privacy and security matters, will provide guest lectures throughout the semester.

Students are encouraged to consider externships with the agencies during the Fall or Spring Semesters as a complement to this course, for additional credit.

Class schedule

Syllabus undergoing changes/updates.

Date Topic
September 2nd No class (Labor Day)
September 9th Basic Authorities, and Anatomy of an Investigation

Guest Lecturers: Laura Berger FTC, Adam Miller CA AG

  • UCL, Bus. & Prof. Code secs. 17200 et seq [4]
  • California and Federal privacy laws [5]
September 16th Internal and External Technical Experts and the FTC’s and CA AG’s Privacy and Security Activities

Guest Lecturers: Nick Doty, Nathan Good

September 23rd Deception
  • Eli Lilly [6] and exhibits [7]
  • Annual Report to Congress of Breaches to Unsecured Protected Health Information under the HiTech Act [8]
  • Jay Cline, "Are medical-data breaches overreported?" Computer World," September 20, 2011 [9]
  • In the matter of Google [10] and exhibits [11]
  • Letter from Data Protection Authorities to Eric Schmidt [12]
  • Jeff Sovern, Protecting Privacy with Deceptive Trade Practices Legislation, 69 Fordham Law Review 1305 (2001) pp. 1320-1339 read opening and section on Deception [13]
September 30th Unfairness
  • In re Gateway, Complaint, FTC File No. 042-3047, [14]
  • In re Facebook, Complaint, FTC File No. 092 3184, [15]
  • In the Matter of CardSystems Solutions, Inc., and Solidus Networks, Inc., Doing Business as Pay By Touch Solutions (2006) [16]
  • 2012 Data Breach Report [17]
  • People v. Citibank, Complaint (08.29.13_Complaint_for_Injunction.pdf) and Final Judgment (08.29.13 Final Judgment.pdf)
  • Jeff Sovern, Protecting Privacy with Deceptive Trade Practices Legislation, 69 Fordham Law Review 1305 (2001) pp. 1320-1339 review opening and read section on Unfairness [18]
October 7th Deceptive user experience

Guest Lecturers: Jen King and Evan Rose FTC

  • In the Matter of Sears Holdings Management Corporation, a corporation. FTC File No. 082 3099 Complaint, Exhibits, Decision and Order [19]
  • Antispyware Coalition Best Practices [20]
  • Antispyware Coalition Risk Model [21]
  • FTC v. Commerce Planet, Inc., a corporation, Michael Hill, Charles Gugliuzza, and Aaron Gravitz, individually and as officers of Commerce Planet, Inc. (United States District Court, Central District of California), Civil Action No. 09-CV-01324, FTC File No. 072 3129 [22]
  • FTC v. Commerce Planet, Inc., 878 F. Supp. 2d 1048 (C.D. Cal. 2012), § III.A.3 (all subsections) [23]
October 14th Unfair by Design

Guest Lecturers: Nathan Good and Carl Settlemyer FTC

  • Nathaniel S. Good and Aaron Krekelberg, Usability and privacy: a study of kazaa p2p file-sharing. In CHI '03: Proceedings of the SIGCHI conference on Human factors in computing systems, pages 137-144, New York, NY, USA, 2003. ACM Press.
  • FTC v. Frostwire, LLC, No. 11-cv-23643 (S.D. Fla. Oct. 12, 2011) [24]
  • In re Sony BMG, Complaint, FTC File No. 062-3019, [25] (2007).
  • LimeWire closing letter [26]
  • Nathaniel S. Good, A Brief History of Inadvertent Sharing on P2P Networks: Causes, Current Solutions and Future Directions (Good Inadvertent Sharing Final.pdf)
October 21st COPPA (Children's Online Privacy Protection Act)
  • COPPA Regulations, 16 CFR § 312 et seq. [27]
  • Interview a kid or parent about use of mobile apps (we'll provide a list of questions)
  • Brief presentations of topics for first assignment
October 28th Platforms, Stores, Defaults and Conflicts

Guest Lecturer: Ashkan Soltani

November 4th Deconstructing Outcomes: A comparison of FTC, State AG, and Class Action litigation on Consumer Privacy and Security

Guest Lecture: Dave Stampley KamberLaw

  • Dave Stampley, a partner at KamberLaw in New York, has handled consumer privacy and security matters for over 13 years. In his current position, he has represented plaintiffs in key class actions involving tracking of consumers on various technology platforms. Previously, as an Assistant Attorney General in New York, he led New York and multistate actions to enforce consumers’ online privacy and security rights in cases involving DoubleClick, Eli Lilly (prozac.com), Ziff Davis Media, and AOL/Netscape (SmartDownload). He was general counsel and compliance consultant for information security and forensics consultancy, Neohapsis, and served as director of privacy for B2B technology provider, Reynolds & Reynolds. He is a graduate of the University of Virginia School of Law.
  • Speed talks about first assignment
November 11th No class (Veterans Day)
  • First Assignment Due
November 18th Online Behavioral Advertising

Guest Lecturer: Nick Doty

  • 2010 FTC report
  • The W3C Do Not Track (DNT) specifications, Working Drafts: http://www.w3.org/TR/2013/WD-tracking-dnt-20130912/ and http://www.w3.org/TR/2013/WD-tracking-compliance-20130912/ (skip over anything technical you don't understand)

November 25th Privacy-by-Design
  • FTC Report § IV B http://www.ftc.gov/os/2012/03/120326privacyreport.pdf
  • Proposal for a Regulation of the European Parliament and of the Council On the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), COM(2012) 11 final, Art. 23 (Jan. 25, 2012) [33]
  • CA AG Privacy on the Go
  • Deirdre K. Mulligan and Jennifer King, "Bridging the Gap between Privacy and Design," 14 U. PA. J. CONST. L. 989, pp. 1016-1026 (2011-2012) (MulliganKing14U.Pa.J.Const.L.989(2012).pdf)
  • S. F. Gürses, C. Troncoso, and C. Diaz, "Engineering privacy by design," in Computers, Privacy & Data Protection, 2011.
  • Rubinstein, Ira and Good, Nathan, Privacy by Design: A Counterfactual Analysis of Google and Facebook Privacy Incidents, § II. C. (August 11, 2012). Berkeley Technology Law Journal, Forthcoming; NYU School of Law, Public Law Research Paper No. 12-43. [34]
  • L. Kagal and H. Abelson, "Access Control is an Inadequate Framework for Privacy Protection," [35]
  • Eran Toch, Yang Wang, Lorrie Faith Cranor, "Personalization and privacy: a survey of privacy risks and remedies in personalization-based systems," [36]
  • Heather Richter Lipford, et al., "Visible Flows: Contextual Integrity and the Design of Privacy Mechanisms on Social Network Sites," Proceedings of the 2009 International Conference on Computational Science and Engineering (2009) [http://ieeexplore.ieee.org/stamp/stamp.jsp?tp=&arnumber=5283751]

  • Scott Lederer, et al., "Personal Privacy through Understanding and Action: Five Pitfalls for Designers," in 8 PERSONAL & UBIQUITOUS COMPUTING 440 (2004). [37]
December 2nd Institutional Competence and Legitimacy
December 9th Class Presentations
  • Final Projects Due

Assignments and Grading

Thirty percent of your grade will be based upon your in-class discussion and participation; thirty percent will be based upon your short assignment, and forty percent upon your final assignment.

  • Class participation (30%) includes your oral participation in class discussion as well as participation on the class listserv and/or blog. This class is designed to hone your critical inquiry skills. You are expected to fully participate: be present, actively listen, engage with your classmates and the materials, bring your own insights to the discussion, and share your experience and knowledge. Please come prepared to argue, explain, revise, borrow, refine, and of course junk your ideas. Thinking out loud is encouraged. This is how one learns. The success of this class depends upon students' diligent preparation and active participation, both listening and speaking, in class.

There is no textbook on this topic. All readings are on the wiki.

In addition to class participation, you will:

  • Assignment 1 (30%): Prepare an analysis of the privacy or security issues in an emerging industry practice for submission to the FTC or State AG. Several possible topics are included at the end of this syllabus. This analysis should conclude with policy and/or enforcement recommendations for the agency. It should comport with the agency’s jurisdiction, substantive authorities, and rules.
  • Assignment 2 (40%): Using the law and the investigative and methodological approaches you've learned, investigate the privacy and/or security implications of an application, service, or device of your choosing. Based on your investigation, provide a written analysis of your findings and recommendations about whether the application, service, or device should alter its design, interface, defaults, policies, etc. to comply with existing FTC and AG privacy and security guidance (laws, guidance, consent decrees, etc.).
  • Potential topics

facial recognition and biometrics generally (e.g., fingerprint readers); device/browser fingerprinting; internet of things/embedded computing in everyday objects; default settings; mobile advertising; children's use of apps; in-store location tracking services; technical assessment of Do Not Track and a method for investigating companies as CA begins to enforce its new law; etc.


Federal Trade Commission San Francisco Regional Office Externship opportunity

The Federal Trade Commission is seeking unpaid externs to work on research and cases related to privacy and website usability. The extern would work approximately 10 hours per week in the FTC's San Francisco Regional Office, for a period of 15 weeks. Potential projects may include:

  • assisting staff to identify websites that collect or share information contrary to users' browser privacy settings;
  • performing usability analysis of websites;
  • reading and interpreting code used to operate websites and applications;
  • determining what information is being shared with whom in mobile cases;
  • reviewing, interpreting, and explaining technical documents that companies provide to staff during privacy and data security investigations;
  • analyzing how companies in various industries are implementing Privacy by Design;
  • assisting staff to determine how a given company’s privacy or data security practices may compare to industry norms; and
  • identifying current research that may indicate problematic privacy practices.

California Attorney General’s Office Externship opportunity

The California Attorney General’s Privacy Enforcement and Protection Unit is seeking unpaid externs to assist on investigations related to mobile applications and websites. The extern(s) would work approximately 10 hours per week in San Francisco, for a period of 15 weeks. Potential projects may include assisting staff in:

  • testing mobile devices using "man-in-the-middle" software such as mitmproxy to intercept and analyze app traffic, to determine whether users' Personally Identifiable Information is being collected by mobile apps;
  • identifying websites and mobile apps that collect or share information contrary to users' browser privacy settings or posted privacy policy;
  • reading and interpreting code used to operate websites and mobile apps;
  • reviewing, interpreting, and explaining technical and forensic documentation provided by investigation subjects; and
  • identifying current technology news and research that may indicate problematic privacy practices.
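The mobile-app traffic review described in the CA AG externship above is the one technical procedure on this page, so here is a worked example of the check an extern would run. It is an added illustration, not code from the course, the CA AG, or the mitmproxy project. It assumes the extern has loaded a known test profile (email, IMEI, advertising ID, Android ID; the values below are made up) onto the handset before routing it through mitmproxy, and that the collector hostname in the constructed sample request is hypothetical. The script works both as a mitmproxy addon (`mitmdump -s pii_flagger.py`, which calls the module-level `request` hook) and stand-alone, since the detection logic is independent of mitmproxy. It goes slightly beyond the bullet: besides matching the known identifiers, it applies generic patterns for emails and coordinates, checks field names that ad/analytics SDKs commonly use, and records whether the request carried a DNT: 1 header, which bears on the "contrary to users' browser privacy settings" item.

```python
"""pii_flagger.py: flag outbound app requests that carry PII.

Stand-alone:      python pii_flagger.py
mitmproxy addon:  mitmdump -s pii_flagger.py   (handset proxied through mitmproxy)
"""
import json
import logging
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed test profile loaded onto the handset before capture (made-up values).
DEVICE_PROFILE = {
    "email": "tester@example.com",
    "imei": "356938035643809",
    "advertising_id": "38400000-8cf0-11bd-b23e-10b96e40000d",
    "android_id": "9774d56d682e549c",
}

# Generic patterns for PII the profile cannot enumerate in advance.
PATTERNS = {
    "email": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "lat_lon": re.compile(r"-?\d{1,3}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}"),
}

# Field names (normalized to lowercase alphanumerics) that ad/analytics SDKs use.
KEY_HINTS = ("imei", "udid", "idfa", "gaid", "advertisingid", "androidid",
             "deviceid", "email", "contacts", "latitude", "longitude", "location")


def _flatten(obj, prefix=""):
    """Yield (dotted.key, value-as-string) pairs from nested JSON."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _flatten(v, f"{prefix}{k}.")
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _flatten(v, f"{prefix}{i}.")
    else:
        yield prefix.rstrip("."), str(obj)


def _fields(url, headers, body):
    """Yield (location, key, value) for every place an app can stash data."""
    for k, v in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        yield "query", k, v
    for k, v in headers.items():
        yield "header", k, v
    if not body:
        return
    try:                                   # JSON body
        for k, v in _flatten(json.loads(body)):
            yield "body", k, v
    except ValueError:
        form = parse_qsl(body)             # form-encoded body, else raw text
        if form:
            for k, v in form:
                yield "body", k, v
        else:
            yield "body", "", body


def find_pii(method, url, headers, body=""):
    """Return findings as (kind, location, key, value) tuples."""
    findings = []
    for loc, key, value in _fields(url, headers, body):
        for name, known in DEVICE_PROFILE.items():   # exact known identifiers
            if known.lower() in value.lower():
                findings.append((f"known {name}", loc, key, known))
        for name, pat in PATTERNS.items():           # generic patterns
            for m in pat.findall(value):
                if m not in DEVICE_PROFILE.values():
                    findings.append((name, loc, key, m))
        norm_key = re.sub(r"[^a-z0-9]", "", key.lower())
        if value and any(h in norm_key for h in KEY_HINTS):
            findings.append(("suspicious field name", loc, key, value))
    return findings


def report(method, url, headers, body=""):
    """Summarize one request: destination host, DNT signal, and PII findings."""
    dnt = any(k.lower() == "dnt" and v.strip() == "1" for k, v in headers.items())
    return {"host": urlsplit(url).hostname or "", "method": method,
            "dnt": dnt, "findings": find_pii(method, url, headers, body)}


def request(flow):
    """mitmproxy addon hook: called once per intercepted request."""
    req = flow.request
    rep = report(req.method, req.pretty_url, dict(req.headers),
                 req.get_text(strict=False) or "")
    if rep["findings"]:
        logging.warning("PII to %s (DNT=%s): %s", rep["host"], rep["dnt"], rep["findings"])


# Constructed sample: a hypothetical analytics SDK call from the proxied app.
SAMPLE = dict(
    method="POST",
    url="https://collector.example-sdk.net/v1/event?gaid=38400000-8cf0-11bd-b23e-10b96e40000d&loc=37.8716,-122.2727",
    headers={"Content-Type": "application/json", "X-Device-Id": "9774d56d682e549c", "DNT": "1"},
    body=json.dumps({"event": "open", "user": {"email": "tester@example.com"},
                     "device": {"imei": "356938035643809"}}),
)

if __name__ == "__main__":
    for f in report(**SAMPLE)["findings"]:
        print(f)
```

Each finding names where the value sat (query string, header, or body field), which matters when writing up whether a disclosure in the app's privacy policy covers it. The known-identifier match is the reliable signal; the pattern and field-name heuristics will produce false positives and are there to surface fields for manual review, not to prove collection on their own.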