Tag Archives: Federal Trade Commission

Security Principles: Addressing Vulnerabilities Systematically

by Staff at the Federal Trade Commission’s Office of Technology

Federal Trade Commission

For more than two decades, the FTC has been bringing enforcement actions for violations of national consumer protection laws due to companies’ poor security practices. These poor practices have included failure to encrypt sensitive data, storing credentials in source code, failing to test for common vulnerabilities, and failure to use multi-factor authentication, among others. To remedy these practices, the orders the FTC has obtained in these enforcement actions have required companies to improve their security practices. Last year FTC staff published a blog post on how the agency’s orders incorporate modern security best practices that take inspiration from research into the causes of risk in complex systems. This post is a continuation of the theme of effectively addressing risks in complex systems.

Semiconductor Chips and Cloud Computing: A Quote Book

by Staff at the Federal Trade Commission’s Office of Technology

The FTC’s Tech Summit on AI[1] highlighted three panels that reflect different layers of the AI tech stack – hardware and infrastructure, data and models, and front-end user applications. Here, we publish the first in a three-part series of “Quote Books” summarizing each of the three panels. This first quote book is focused on hardware and infrastructure, including semiconductor chips and cloud computing.

FTC Cracks Down on Mass Data Collectors: A Closer Look at Avast, X-Mode, and InMarket

by Staff at the Federal Trade Commission

Three recent FTC enforcement actions reflect a heightened focus on pervasive extraction and mishandling of consumers’ sensitive personal data.

Proposed Settlements with Avast[1], X-Mode[2], and InMarket[3]

In mid-February, the FTC announced a proposed settlement to resolve allegations that Avast, a security software company, unfairly sold consumers’ granular and re-identifiable browsing information—information that Avast amassed through its antivirus software and browser extensions after telling consumers that Avast’s software would protect their privacy, and that any disclosure of their browsing information would only be in aggregate and anonymous form.

In January of this year, the FTC announced proposed settlements with two data aggregators, X-Mode Social and InMarket, to resolve a host of allegations stemming from how those companies handled consumers’ location data. Both companies, the FTC alleged, collected precise location data from consumers’ phones through the data aggregators’ own mobile apps and those of third parties (via software development kits, or “SDKs,” provided by the data aggregators). X-Mode, the FTC alleged, sold consumers’ location data to private government contractors without first telling consumers or obtaining consumers’ consent to do so. And InMarket, the agency alleged, used consumers’ location data to sort them into particularized audience segments—like “parents of preschoolers,” “Christian church goers,” “wealthy and not healthy,” etc.—that InMarket then provided to advertisers.

Consumers Are Voicing Concerns About AI

by Simon Fondrie-Teitler and Amritha Jayanti

This blog is part of a series authored by the FTC’s Office of Technology focused on emerging technologies and consumer and market risks, with a look across the layers of technology—from data and infrastructure to applications and design of digital systems.

Over the last several years, artificial intelligence (AI)—a term which can refer to a broad variety of technologies, as a previous FTC blog notes—has attracted an enormous amount of market and media attention. That’s in part because the potential of AI is exciting: there are opportunities for public progress by enhancing human capacity to integrate, analyze, and leverage information. But it’s also, perhaps in larger part, because the introduction of AI presents new layers of uncertainty and risk. The technology is altering the market landscape, with companies moving to provide and leverage essential inputs of AI systems, such as data and hardware – opening a window of opportunity for companies to potentially seize outsized power in this technology domain. AI is also fundamentally shifting the way we operate; it’s lurking behind the scenes (or, in some cases, operating right in our faces) and changing the mechanics by which we go about our daily lives. That can be unsettling, especially when the harms brought about by that change are tangible and felt by everyday consumers.

FTC Announces New Safeguards Rule Provision: Is Your Company Up on What’s Required?

by Lesley Fair

October 2023 marks the 20th anniversary of the effective date of the Gramm-Leach-Bliley Safeguards Rule. Its purpose then – and its purpose now – is to protect consumers by requiring entities covered by the Rule to “develop, implement, and maintain reasonable administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information.” The FTC just announced an amendment to the Rule that will require non-banking financial institutions within the FTC’s jurisdiction to report data breaches affecting 500 or more people.

Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule

by the Federal Trade Commission

Does your business collect, use, or share consumer health information? When it comes to privacy and security, you’ve probably thought about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules). But did you know you also may need to comply with the Federal Trade Commission Act and the FTC’s Health Breach Notification Rule? Learn more about your obligations under these laws to maintain the privacy and security of consumers’ health information and provide notification if you experience a breach.