FTC Finds Extensive Data Security Violations In Online Marketplace


Two weeks ago, the United States (U.S.) Federal Trade Commission (FTC) reached a settlement with the previous and current owners of CafePress, “a platform that allows consumers to purchase customized merchandise such as t-shirts and coffee mugs from other consumers or ‘shopkeepers.’” The agency voted unanimously to issue the administrative complaint against the companies and to accept the agreed-upon settlements. Moreover, the previous owner agreed to pay a $500,000 settlement. In this case, none of the differences between the Republican and Democratic Commissioners mattered because the companies’ conduct was so egregious as to constitute unmistakable violations of the FTC Act’s prohibition of unfair and deceptive practices.

In fact, one could easily imagine the leadership of the FTC in the recent past coming down on these companies in similar style with similar consent orders. One also wonders what a settlement might look like once the FTC has a fifth commissioner, who will almost certainly be a Democrat inclined to the more muscular enforcement former Commissioner Rohit Chopra routinely called for: much larger fines, meaningful compensation for those harmed, an admission of guilt, and possibly personal punishment for company leaders. If the FTC soon has three Democratic Commissioners, these could be the sorts of settlements we see for substantially the same conduct as CafePress’s.

In the complaint, the FTC alleged that CafePress’s previous and current owners (Residual Pumpkin and PlanetArt) were sitting on a hoard of sensitive personal information:

names, email addresses, telephone numbers, birth dates, gender, photos, social media handles, security questions and answers, passwords, PayPal addresses, the last four digits and expiration dates of credit cards, and Social Security or tax identification numbers of shopkeeper

The company collected and stored these data in the normal course of its business, which does not make it much different from many others. But what did set CafePress apart was its outdated and inadequate data security practices, which one hopes does make it different from other companies.

The FTC does not get into whether it would have been wiser for the company to limit data collection and retention to what is absolutely necessary, or into the prudence of destroying or rendering useless personal data that is no longer needed. Now that the FTC has started ordering companies to delete algorithms and associated data that were derived and obtained in contravention of Section 5, one wonders if the FTC will consider ordering companies in settlements to scrub their stores of data that are no longer needed and to require proper disposal. The closest the agency comes to this is the provision in the settlement regarding the mandated information security program, which must include “[p]olicies and procedures to minimize data collection, storage, and retention, including data deletion or retention policies and procedures.”

The FTC then gets into how the company violated the FTC Act and quoted its privacy policy:

We do our best to provide you with a safe and convenient shopping experience. Our Websites incorporate physical, technical, and administrative safeguards to protect the confidentiality of the information we collect through the Websites, including the use of encryption, firewalls, limited access and other controls where appropriate.

The company added a strange disclaimer that “[w]hile we use these precautions to safeguard your personal information, we cannot guarantee the security of the networks, systems, servers, devices, and databases we operate or that are operated on our behalf.” Of course, it is when companies fail to live up to their stated privacy and data security practices that they may run afoul of the FTC Act’s bar on deceptive and unfair practices.

The agency found that CafePress’ data security practices fell far short of its claims. Among the shoddy data security practices CafePress was using, the FTC alleged the company failed to:

§  implement readily-available protections, including many low-cost protections, against well-known and reasonably foreseeable vulnerabilities, such as “Structured Query Language” (“SQL”) injection, Cascading Style Sheets (“CSS”) and HTML injection, cross-site scripting (“XSS”), and cross-site request forgery (“CSRF”) attacks, that could be exploited to gain unauthorized access to Personal Information on its network;

§  implement reasonable measures to protect passwords, such as using the SHA-1 hashing algorithm, deprecated by the National Institute of Standards and Technology in 2011, instead of more secure algorithms, and failing to use a “salt”—random data that makes attacks (e.g., brute force, rainbow tables) against cryptographically protected passwords harder;

§  implement a process for receiving and addressing security vulnerability reports from third-party researchers, academics, or other members of the public, thereby delaying its opportunity to correct discovered vulnerabilities or respond to reported incidents;

§  implement patch management policies and procedures to ensure the timely remediation of critical security vulnerabilities and used obsolete versions of database and web server software that no longer received patches;

§  establish or enforce rules sufficient to make user credentials (such as user name and password) hard to guess. For example, employees and consumers, including shopkeepers, were not required to use complex passwords. Accordingly, they could select the same word, including common dictionary words, as both the password and user ID, or a close variant of the user ID as the password;
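Two of the failures in the list above (unsalted SHA-1 password hashing and credentials that equal or closely derive from the user ID) can be shown concretely. The following Python is an added illustration, not code from the FTC complaint or from CafePress: it contrasts unsalted SHA-1 with per-user salted PBKDF2 hashing from the standard library and adds a credential check for the patterns the complaint describes; the sample credentials and the short common-word list are constructed.

```python
import hashlib
import hmac
import os
import re
from typing import List, Optional, Tuple

# Constructed sample credentials (not real CafePress data) showing the patterns
# the complaint describes: passwords equal to or derived from the user ID, and
# common dictionary words.
SAMPLE_CREDENTIALS = [
    ("alice", "alice"),           # same word as user ID and password
    ("bob_shop", "bob_shop1"),    # close variant of the user ID
    ("carol", "password"),        # common dictionary word
    ("dave", "Tr0ub4dor&3xyz"),   # passes the policy below
]
# Constructed stub of a common-password denylist; a real deployment would load
# a full breached-password corpus instead.
COMMON_WORDS = {"password", "123456", "qwerty", "letmein", "welcome"}

def legacy_sha1_hash(password: str) -> str:
    """The unsalted SHA-1 scheme the complaint faults: equal passwords give
    equal digests, so one precomputed (rainbow) table or one cheap brute-force
    pass over the fast hash cracks every account that shares a password."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Per-user random salt plus a deliberately slow KDF. PBKDF2-HMAC-SHA256
    is used because it ships with the standard library; bcrypt, scrypt or
    Argon2 equally satisfy the "salt plus non-deprecated algorithm" point."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit salt, unique per stored record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest

def verify_salted(password: str, salt: bytes, stored: bytes,
                  iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, digest = salted_hash(password, salt, iterations)
    return hmac.compare_digest(digest, stored)

def _normalise(s: str) -> str:
    """Lower-case and strip separators so 'bob_shop1' is compared to 'bobshop'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())

def credential_policy_violations(user_id: str, password: str,
                                 min_length: int = 12) -> List[str]:
    """Return the rules a candidate password breaks; an empty list means it
    is accepted. Targets exactly the failures the complaint lists: password
    equal to or a close variant of the user ID, dictionary words, no complexity."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    nu, npw = _normalise(user_id), _normalise(password)
    if nu and (nu in npw or npw in nu):
        problems.append("equals or closely derives from user ID")
    if npw in COMMON_WORDS:
        problems.append("common dictionary word")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems
```

Running `legacy_sha1_hash` over the sample list shows that every user who picked the same word gets the same digest, which is exactly what a salt prevents.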

Just judging from the above practices, CafePress was ripe for an attack or incident, and indeed a hacker penetrated the company’s systems:

The hacker found Personal Information stored on Residual Pumpkin’s network, including: more than twenty million unencrypted email addresses and encrypted passwords; millions of unencrypted names, physical addresses, and security questions and answers; more than 180,000 unencrypted Social Security numbers; and, for tens of thousands of payment cards, the unencrypted last four digits of the card together with the unencrypted expiration dates.

This occurred in or around February 2019, and on March 11, 2019, CafePress received notice of a security incident involving an intrusion into its network. The FTC explained that “[a]n individual stated that he ‘believe[s] hackers have access to your customer [database]…[and] [t]he data is currently for sale in certain circles.’” The company acted with some haste in confirming that the person who contacted it had turned up a real vulnerability and then patched the vulnerability the next day. Roughly two weeks later, the company saw a spike in fraudulent credit card orders; as the agency explains at length, those who traffic in stolen credit card credentials favor “cardable” sites where stolen cards can be used easily.

In early April 2019, the company “received an email from a foreign government with an attached letter stating that a hacker had illegally obtained access to CafePress user account information from January 2014 to January 2019…[that] included an attachment with CafePress account logins and passwords and said the hacker had sold the information to a large number of ‘carders.’” Moreover, “[t]he letter requested that Residual Pumpkin notify users of compromised accounts to ‘prevent[] further compromise of accounts owned by users.’” Inexplicably, CafePress did not distribute such notices at that time and did not do so until news that the company’s user data had been exfiltrated by hackers had been splashed all over the internet. Finally, in September 2019 the company “sent breach notification letters and emails to government agencies and affected consumers and posted a notice of the breach via a banner at the top of the CafePress website from September 5, 2019 to October 12, 2019.” Residual Pumpkin/CafePress “offered two years of free identity theft insurance and credit monitoring services to consumers whose Social Security numbers or tax identification numbers were exposed.”

The FTC detailed other security shortcomings unrelated to this episode, including a number of malware infections and phishing attacks the company handled contrary to established best practices.

Moreover, CafePress claimed it complied with the EU-US Privacy Shield Framework and the Swiss-US Privacy Shield Framework, and once a U.S. company makes this claim it must actually comply or face regulatory action from the FTC and other agencies. The company lied in its notice about email addresses being used only for order notification and receipts and did not disclose that these email addresses would be used for marketing emails. The company also refused to honor deletion requests from residents of the European Economic Area and the Swiss Confederation even though its public representations about complying with the two aforementioned regimes required the company to do so.

As a result, the FTC alleged that CafePress violated Section 5 of the FTC Act through its data security misrepresentations, breach response misrepresentations, unfair data security practices, data collection and use misrepresentations, Privacy Shield misrepresentations, and others. These allegations are based on longstanding FTC precedent and are straightforward.

In the settlements to which Residual Pumpkin and PlanetArt agreed, the FTC explains that CafePress (i.e. the Respondent) cannot make misleading statements about:

§  Respondent’s privacy and security measures to prevent unauthorized access to Personal Information;

§  The extent to which Respondent is a member of, adheres to, complies with, is certified by, is endorsed by, or otherwise participates in any privacy or security program sponsored by a government or any self-regulatory or standard-setting organization;

§  Respondent’s privacy and security measures to honor the privacy choices exercised by users;

§  Respondent’s information deletion and retention practices; and

§  The extent to which Respondent otherwise protects the privacy, security, availability, confidentiality, or integrity of Personal Information.

It must be mentioned that both the current owner of CafePress, PlanetArt, and the previous owner, Residual Pumpkin, agreed to settlements that obligate both to adopt all of the following.

The FTC directs CafePress “to establish and implement, and thereafter maintain, a comprehensive information security program (“Information Security Program”) that protects the privacy, security, confidentiality, and integrity of such Personal Information” with detailed minimum requirements. Moreover, the company must undertake third-party assessments and provide annual certifications to the FTC that it is complying with the order. CafePress must report any “covered incidents” to the FTC within 30 days, meaning any instance of unauthorized access to personal information the company holds that triggers a federal, state, or local reporting requirement. Finally, the order runs for 20 years.

Of course, whether the FTC can adequately monitor all the compliance reports and certifications that companies under settlement send the agency is another matter. A former senior official testified before Congress recently that the agency cannot handle this flow of paper, suggesting that some companies that agreed to better data security standards are not, in fact, maintaining them. This goes to the issue of resources for the FTC, and its leadership regularly tells Congress it lacks the funding to enforce all its current remits. This state of affairs is likely acceptable to many stakeholders inside and outside Congress because, in their view, a hobbled regulator is better for business, growth, and innovation. As has been shown with many recent cases like Facebook/Cambridge Analytica, the media will need to shine light on new violations in order for the agency to catch non-compliance with a settlement.

Nonetheless, the FTC went further and posted on its blog about the lessons from the CafePress case, highlighting the top three “compliance nuggets”:

§  Don’t make it easy for data thieves to steal customer information. Hacks happen, but there are numerous, cost-effective steps companies can take so their networks aren’t low-hanging fruit. The FTC offers to-the-point guidance on data security fundamentals, with special cybersecurity resources for small businesses.

§  Take security warnings seriously. If customers, government agencies, or others are telling you that you may have been hacked, investigate immediately.

§  Respond to security episodes honestly, transparently – and quickly. If your company has experienced a breach, respond with candor and speed. Move swiftly to implement a rapid response plan that honors your obligations under federal and state law. Read Data Breach Response: A Guide for Business for advice on how to secure your operations, fix vulnerabilities, and contact the people who need to know.

These would seem straightforward. However, it is not entirely clear where the FTC is drawing the line with respect to the “numerous, cost-effective steps companies can take so their networks aren’t low-hanging fruit.” This has often been a criticism of the agency’s case-by-case approach to data protection, data privacy, and data security. However, if a company takes sensible, widely recommended steps like encrypting sensitive data, it reduces the chances of being on the wrong end of an FTC investigation. Likewise, any company ignoring warnings from reputable entities that it has serious security issues is all but begging for an FTC investigation. The FTC is also calling for quick and transparent responses to events like breaches. Many companies prefer to delay, if not bury, such incidents for a number of reasons. In fact, Okta failed to disclose its recent breach by British hackers for two months, a detail that has emerged and has made matters more difficult for the company from reputational, client, and compliance perspectives.

Other Developments


The United States (U.S.) Senate agreed by a 51-50 vote to a motion to discharge the nomination of Alvaro Bedoya to a Commissioner on the Federal Trade Commission from the Senate Commerce, Science, and Transportation Committee which deadlocked on the nomination by a 14-14 vote. It is expected that the Senate will confirm Bedoya to be the third Democratic Commissioner on the FTC, allowing Chair Lina Khan to initiate more aggressive action.

The United States (U.S.) Department of the Treasury’s Office of Foreign Assets Control (OFAC) “designat[ed] 21 entities and 13 individuals as part of its crackdown on the Kremlin’s sanctions evasion networks and technology companies, which are instrumental to the Russian Federation’s war machine.”

The United States (U.S.) Department of Defense transmitted the classified 2022 National Defense Strategy (NDS) to Congress and in a fact sheet named as the top “Defense priority:” “[d]efending the homeland, paced to the growing multi-domain threat posed by the People’s Republic of China (PRC).”

The European Court of Auditors “found that, overall, EU institutions, bodies and agencies’ (EUIBA) level of preparedness is not commensurate with the threats, and that they have very different levels of cybersecurity maturity” and “recommend that the Commission improve EUIBAs’ preparedness by proposing the introduction of binding cybersecurity rules and an increase in resources for the Computer Emergency Response Team (CERT-EU).” The European Commission, CERT-EU, and the European Union Agency for Cybersecurity (ENISA) responded to the findings and recommendations.

The United Kingdom’s (UK) National Cyber Security Centre’s (NCSC) Technical Director Ian Levy updated 2017 advice on using Russian technology products and services and asserted that “[t]he war has proven many widely-held beliefs wrong and the situation remains highly unpredictable…[and] [i]n our view, it would be prudent to plan for the possibility that” “the Russian state intends to suborn Russian commercial products and services to cause damage to UK interests.”

The United States (U.S.) Government Accountability Office (GAO) published reports titled “Artificial Intelligence: DOD Should Improve Strategies, Inventory Process, and Collaboration Guidance,” “Cybersecurity: OMB Should Update Inspector General Reporting Guidance to Increase Rating Consistency and Precision,” and “Defense Acquisitions: Cyber Command Needs to Develop Metrics to Assess Warfighting Capabilities.”

A United States (U.S.) federal court granted the U.S. Postal Service’s (USPS) motion to dismiss a suit brought by the Electronic Privacy Information Center (EPIC) alleging that the USPS used Clearview AI facial recognition technology without conducting a privacy impact assessment as the E-Government Act requires. In a memorandum opinion, the court explained its dismissal because EPIC “has not met its burden to show a cognizable injury in fact.”

The National Association of Attorneys General (NAAG) wrote TikTok and Snapchat urging the companies “to give parents the ability to monitor their children’s social media usage and protect their children from online threats using parental control apps.”

In his speech on the budget, Australia’s Treasurer Josh Frydenberg MP announced “a new 10 year, $9.9 billion AUD (roughly $7.4 billion USD) investment in Australia’s offensive and defensive cyber capabilities…the biggest ever investment in Australia’s cyber preparedness.”

The Integrity Institute issued a report analyzing Facebook’s Widely Viewed Content Report and found, among other conclusions, “[b]y empowering content producers that fail the most basic media literacy checks with huge audiences, Facebook is exposing communities and users on their platform to large risks from bad actors wishing to exploit them for narrow self interest.”

The United States (U.S.) Department of the Treasury’s Federal Insurance Office (FIO) is seeking input on the Terrorism Risk Insurance Program as part of its annual reporting requirements, in particular on the cyber insurance market.

The United States (U.S.) Information Security Oversight Office published a direct final rule “to permit digital signatures that meet certain requirements on the Standard Form (SF) 312, which is the non-disclosure agreement required prior to accessing classified information.”

The United States (U.S.) General Services Administration (GSA) Office of Government-wide Policy (OGP) announced the release of the modernized federal IT dashboard, “which provides public visibility into how the government spends IT dollars.”

The Tech Oversight Project has started a “Big Tech Wiki” with information about the lobbying and influence activities of the largest technology companies in the United States.

The Irish Council for Civil Liberties released the European Data Protection Board’s “Internal EDPB Document 6/2020 on preliminary steps to handle a complaint: admissibility and vetting of complaints,” obtained through a Freedom of Information request.


Further Reading


“'I can fight with a keyboard': How one Ukrainian IT specialist exposed a notorious Russian ransomware gang” By Sean Lyngaas — CNN

“Wyden Concerned Crypto Companies are Using Low-Income Zones As Tax Havens” By Alexandra Kelley — Nextgov

“Social media is a bad predictor of demographics in Latin America” By Alex González Ormerod — Rest of the World

“Leaked Details of the Lapsus$ Hack Make Okta’s Slow Response Look More Bizarre” By Lily Hay Newman — WIRED

“Ukraine suffered two cyberattacks in the lead-up to Russia's invasion” By Aaron Schaffer — Washington Post

“A bilateral data-sharing deal with U.S. better than status quo, says privacy watchdog” By James McCarten — Toronto Star

“You Can Now Sign Away Rights to Your Biometric Data” By Janus Rose — Vice

“NSO says Israeli police got 'weaker' variant of Pegasus phone hacking tool” By Dan Williams — Reuters

“Hackers hit popular video game, stealing more than $600 million in cryptocurrency” By Steven Zeitchik — Washington Post

“Pentagon expects to award up to $9 billion in cloud contracts in December” By Amanda Macias and Jordan Novet — CNBC

“4,000 letters and four hours of sleep: Ukrainian leader wages digital war” By Cat Zakrzewski — Washington Post

“EU agencies must ramp up cybersecurity measures, auditors say” By Foo Yun Chee — Reuters

“Russia accuses U.S. of massive 'cyber aggression'” — Reuters

“Verizon blames ‘bad actors’ for the spam text you got from your own number” By Chris Welch — The Verge

“Proposal to Sanction Russian Cybersecurity Firm Over Ukraine Invasion Splits Biden Administration” By Vivian Salama and Dustin Volz — Wall Street Journal

“The real reason Will Smith’s Oscars outburst was censored on U.S. broadcasts” By Cristiano Lima — Washington Post

“Google Workspace will re-enable tracking for many users today” By Ron Amadeo — Ars Technica

“Russian regulators threaten YouTube with fines for ‘information war’” By Gerrit De Vynck — Washington Post

“Ben McKenzie Would Like a Word With the Crypto Bros” By David Yaffe-Bellany — New York Times

“Spyware Vendor FinFisher Claims Insolvency Amid Investigation” By Ryan Gallagher — Bloomberg

Coming Events


§  31 March

o   The United Kingdom’s (UK) House of Commons Digital, Culture, Media and Sport Committee will hold a pre-appointment hearing on The Lord Grade of Yarmouth CBE as the government’s choice for Chair of the Office of Communications.

o   The United Kingdom’s (UK) House of Lords Fraud Act 2006 and Digital Fraud Committee will hold a formal meeting (oral evidence session) regarding “what measures should be taken to tackle the increase in cases of fraud.”

o   The United States (U.S.) House Energy and Commerce Committee’s Communications and Technology Subcommittee will hold a hearing titled "Connecting America: Oversight of the FCC."

o   The United Kingdom’s (UK) House of Lords Communications and Digital Committee may hold a formal meeting (oral evidence session) on “Lawfare and free speech.”

o   New Zealand’s Parliament’s Economic Development, Science and Innovation Committee will hold a hearing on the Digital Identity Services Trust Framework Bill.

§  4 April

o   United States Assistant Attorney General Jonathan Kanter and Federal Trade Commission Chair Lina M. Khan, as well as senior staff from both agencies, will co-host the Enforcers Summit that “will cover two themes: 1) merger reform to meet the challenges and realities of the modern economy, and 2) lessons for interagency collaboration.”

§  6 April

o   The European Data Protection Board will hold a plenary meeting.

§  21 April

o   The United States (U.S.) Federal Communications Commission (FCC) will hold an open meeting.

§  15-16 May

o   The United States-European Union Trade and Technology Council will reportedly meet in France.

§  16-17 June

o   The European Data Protection Supervisor will hold a conference titled “The future of data protection: effective enforcement in the digital world.”