Shhhhh…Whisper Faces Lawmaker Scrutiny Over Privacy Claims
Just how safe is the purported “safest place on the Internet”?
Sen. Jay Rockefeller (D-W.Va.) wants to find out. The Chair of the Senate Committee on Commerce, Science, and Transportation wrote to Michael Heyward, the CEO of social networking app Whisper, requesting information about the company’s privacy practices.
The self-described “safest place on the Internet” touts itself as a service where users are “free to anonymously share their thoughts with the world.” But a series of reports published by The Guardian “have raised serious questions regarding Whisper’s practices and commitment to the terms of its own privacy policy,” Sen. Rockefeller wrote.
Three practices caught the attention of the legislator. First, Whisper allegedly tracked the approximate location of users, even when they opted out of geolocation tracking and in contravention of its own posted privacy policy, which stated “permission to our access to and tracking of your location-based information is purely voluntary.”
Whisper’s privacy policy also claimed that the company processes and stores all user information in the United States. But The Guardian stories stated that the company operated a location in the Philippines to review user data.
Finally, Whisper reportedly provides access to its content to media outlets pursuant to various deals. “It is questionable, at best, whether users seeking to post anonymously on the ‘safest place on the Internet’ would expect that Whisper has information sharing relationships with third parties such as media organizations,” Sen. Rockefeller wrote. “While Whisper may provide its users a unique social experience, the allegations in recent media accounts are serious, and users are entitled to privacy policies that are transparent, disclosed, and followed by the company.”
Sen. Rockefeller requested a Committee staff briefing from Whisper focused on issues such as whether and how Whisper tracks the location of users who have opted out of geolocation services, as well as how the company uses the information collected.
Whisper’s practices regarding data sharing with third parties, the extent to which it retains data and the locations where data is processed and retained, as well as how the company notifies users about its privacy and data security policies – including changes to the policies – also need to be addressed at the briefing, the lawmaker said.
Why it matters: The letter and request for a Committee staff briefing signal Sen. Rockefeller’s continuing focus on privacy and data security issues. “I take this matter seriously,” he wrote to Whisper’s CEO. “As Chairman, I have made consumer privacy a top priority, and the Committee has actively exercised its jurisdiction over commercial data practices and data security.”
Record $10M Data Security Fine by FCC
In the agency’s first data security enforcement effort, the Federal Communications Commission (FCC) announced that it took action against TerraCom, Inc., and YourTel America, Inc., for failing to protect consumer data.
The two telecommunications carriers will pay a total of $10 million for posting the personal information of customers on unprotected servers that were accessible by the public in violation of Section 222 of the Communications Act.
According to the FCC, the companies gathered personal information (such as Social Security numbers, names, addresses, and driver’s license numbers) to determine customer eligibility for the Lifeline program of discounted phone services.
Although the privacy policies for both companies stated they had in place “technology and security features to safeguard the privacy of your customer specific information from unauthorized access or improper use,” the FCC alleged the companies stored the collected information “in a format accessible via the Internet and readable by anyone” for approximately eight months.
Even after the companies recognized their “lax data security practices,” the FCC said the 305,000 customers affected were not all notified, and were therefore deprived of the opportunity to protect themselves.
“The Commission alleges that the carriers’ failure to reasonably secure their customers’ personal information violates the companies’ statutory duty under the Communications Act to protect that information, and also constitutes an unjust and unreasonable practice in violation of the Act, given that their data security practices lacked even the most basic and readily available technologies and security features and thus creates an unreasonable risk of unauthorized access,” according to the FCC.
The agency imposed a $10 million fine on TerraCom and YourTel for their “deceptive and misleading representations of customer privacy protections, and their subsequent failure to notify their customers of the security breach.”
Why it matters: With the two enforcement actions – and the largest fine in Commission history – the FCC has jumped onto the data security bandwagon and looks to be staying put. “Consumers trust that when phone companies ask for their Social Security number, driver’s license, and other personal information, these companies will not put that information on the Internet or otherwise expose it to the world,” Travis LeBlanc, Chief of the FCC’s Enforcement Bureau, said in a statement. “When carriers break that trust, the Commission will take action to ensure that they are held accountable for unjust and unreasonable data security practices.” Two Commissioners dissented from the decision to fine the companies, however, writing that the agency engaged in “sentence first, verdict afterward” decision making, and questioning whether the agency has the authority to regulate data security under Section 222 of the FCC Act.
California AG Releases Data Breach Report
California Attorney General Kamala Harris released the state’s second Data Breach Report that confirms a rise in breaches and offers nine recommendations that will decrease the chances of security problems.
According to the report, there were 167 data breaches, a 28 percent rise over the prior year. The number of impacted records similarly increased, up 600 percent to a total of 18.5 million. The retail industry suffered the most breaches (84 percent), with an estimated 15.4 million state residents whose records were impacted.
Skewing the numbers for 2013 somewhat were two “very large” retailer incidents, the AG’s office acknowledged. However, even if those breaches were excluded, the number of records affected in 2013 would still have constituted a 35 percent increase over 2012.
More than half of the breaches were attributed to hackers or malware, followed by the loss or theft of laptops with unencrypted personal information (26 percent), unintentional error (18 percent), and intentional misuse by insiders (4 percent).
The report made nine recommendations, three of which were geared toward all industries. Harris advised that organizations conduct at least annual risk assessments and update their privacy and security practices accordingly, utilize “strong encryption to protect personal information in transit,” and make breach notices more readable.
With the bulk of breaches occurring at retailers, the report made five specific suggestions, including requirements that sales terminals be chip-enabled, that appropriate tokenization solutions be implemented, and that data capture be encrypted until the completion of a transaction. Retailers should also “respond promptly” to a data breach and notify affected consumers as quickly as possible. Financial institutions and retailers should work together to protect consumers, the report added.
Harris urged the healthcare sector – the industry hardest hit after retailers and finance and insurance – to encrypt sensitive patient information.
The report also proposed two items for lawmakers. California legislators should consider establishing a system to provide security funding for small retailers, which have been the target of breaches and cyberattacks. Harris further suggested that legislators should “amend the breach notice law to strengthen the substitute notice procedure, clarify the roles and responsibilities of data owners and data maintainers and require a final breach report” to the AG’s office.
Why it matters: AG Harris has been a leader in the privacy ecosystem, advocating for mandatory privacy policies and releasing the state’s first Data Breach Report last year. Businesses, particularly retailers, should take note of the AG’s findings and recommendations, particularly as two of the suggestions in the last report have since been codified into law.
Third-Party Customer Service Falls Under VPPA Exception, Seventh Circuit Rules
Considering the case for a second time, the Seventh U.S. Circuit Court of Appeals affirmed summary judgment for Redbox in a class action suit alleging that the company violated the Video Privacy Protection Act (VPPA).
Customer service is part of a video rental company’s “ordinary course of business” whether the business is a brick-and-mortar store or a rental kiosk operated by software, the federal appellate panel concluded.
Kevin Sterk originally filed suit against Redbox seeking damages based on claims that the company violated the VPPA by keeping users’ rental histories longer than the time period allowed by the statute. A panel of the Seventh Circuit determined that violations of that provision allowed for injunctive relief only and not monetary damages.
The case remained alive on Sterk’s allegations that Redbox illegally shared user information, including viewing history, with Stream Global Services, a third party that handles customer service operations for Redbox. When a user encounters technical problems at a Redbox self-service kiosk, Stream provides a live person to help.
To perform such functions, Redbox has granted Stream access to the database in which Redbox stores its customer information.
While the VPPA prohibits the disclosure of personally identifiable information, the unanimous panel looked to an exception in the statute for disclosures incident to the video tape service provider’s ordinary course of business activities, which are limited to “debt collection activities, order fulfillment, request processing, and the transfer of ownership.”
In rejecting the plaintiff’s attempt to carve out customer service from a video rental company’s ordinary course of business, the court said that Stream’s customer service activities fell neatly within the category of “request processing.”
When Congress enacted the VPPA in 1988 – before the advent of automated kiosks – the “ordinary course of business” at a brick-and-mortar video rental store would have included a clerk accessing an individual customer’s rental history and other personal information during the check-out process if the customer experienced technical problems with a VHS when he returned home, the panel noted.
“All of these interactions, occurring within the store’s ordinary course of business, constitute that customer’s ‘request processing’ and ‘order fulfillment,’ if ordinary meaning is assigned to those terms,” the court said. “[W]hen the VPPA was enacted, we can safely assume that Congress contemplated customer service as part and parcel of the ordinary rental experience. That Redbox has replaced most live customer service interactions with a computer interface does not change this.”
The panel found no problem with the fact that Redbox preemptively disclosed its entire customer database to Stream rather than waiting until an individual customer called with a problem. The plaintiff’s attempt to distinguish proactive disclosure from reactive disclosure was “meaningless because the permissibility of disclosure under the VPPA turns on the underlying purpose for which Redbox provides the information to a third party. And whether proactive or reactive, Redbox’s purpose for disclosing the information to Stream is the same.”
Affirming summary judgment for Redbox, the panel did agree with the plaintiff that he established standing under the statute by alleging that his personally identifiable information was disclosed.
To read the opinion in Sterk v. Redbox Automated Retail, click here.
Why it matters: Consumers have tried in a myriad of ways to apply the VPPA to 21st century technology with mixed results. Sterk has now lost twice on theories against Redbox, while plaintiffs have had some success with allegations against a magazine publisher under a state analogue to the statute.