It's the opinion here that the HTC settlement with the FTC that was announced Friday is the most significant FTC case in the past 5 years. There are multiple reasons for this, including what appear to be substantial new requirements for hardware and software developers. The HTC Complaint essentially announces a lower bar for noncompliance (basically a negligence standard on issues of security), formally enshrines the role of independent researchers with no affiliation with the FTC (something we've been talking about for some time now), and delves deeply into complex security areas where it has no special expertise--and which seems to fall significantly outside the FTC's delegated, consumer-centric jurisdiction from Congress—and finds violations where there has been no evidence of actual harm, compromise or loss. The FTC is in new territory, and its administrative actions in this area appear to be ripe for potential judicial challenge. Nevertheless, in the absence of a successful challenge, this is the new world in which industry must attempt to achieve compliance. Here are some of the dramatic changes in the wake of the HTC decision:
1. Formalizing the Role of Independent Researchers. What media reports have missed is that the FTC, in its Complaint, found that HTC had acted unfairly toward consumers when it failed to provide a mechanism for the submission and review of comments on products and software by independent researchers. Although this appears to come from out of the blue, a closer look at the FTC's evolution over the past 5 years shows the increasing importance of independent researchers to the FTC's mission. We noted in November, on these pages, that "significant portions of the technical research and investigative function have been effectively crowd-sourced to talented private researchers . . . ." http://www.hklaw.com/PrivacyBlog/Corporate-Privacy-Compliance-Becomes-More-Tech-Focused-11-05-2012/ These independent researchers have now been structurally incorporated as a watchdog mechanism so as to become the eyes and ears of the FTC. Indeed, by way of the HTC decision, the FTC has put industry on notice that processes need to be in place that will ensure that the voices of independent researchers are heard as part of the cycle of software improvement and bug killing.
2. For Security, Section 5 "Unfairness" Really Means Mere Negligence. The FTC's historical test for unfairness is well-settled. First, the test for unfairness has historically turned on whether there is a violation of public policy or unethical or unscrupulous conduct. Second, the FTC enabling statute goes so far as to divest the FTC of jurisdiction over commercial practices except when a practice "causes or is likely to cause substantial injury to consumers." Third, "substantial" injury typically involves monetary harm, as when sellers coerce consumers into purchasing unwanted goods or services, or when consumers buy defective goods or services on credit but are unable to assert against the creditor claims or defenses arising from the transaction.
In the HTC matter, the engineering conduct at issue was not unethical or unscrupulous, at least not as those words are commonly understood in the consumer context. Instead, the FTC characterized HTC's conduct as a failure "to employ reasonable and appropriate security in the design and customization of the software on its mobile devices." In other words, there was no real conduct involving sharp marketing or sales practices, but rather an engineering mistake or mistakes, according to the FTC. In one stroke, the FTC has gone from regulating consumer transactions to policing engineering negligence.
Second, as to whether HTC's conduct "caused, or was likely to cause" injury, the allegations pertain to between 12 million and 18 million devices, depending on the specific category of flaws alleged by the FTC in the HTC matter. The FTC's complaint, however, fails to recount even a single incident where the alleged failure translated into an actual exploit. There is no universe in which zero incidents over a baseline of 12 million devices translates into "likely" injury. In fact, if anything, it is compelling evidence that such exploits or compromise were "unlikely." For all practical purposes, the "caused or likely to cause" standard has vanished.
Finally, because the FTC has failed to identify likely injury, one does not even get to the question of whether the potential injury would be substantial.
3. Apps That Cause Platform Notices to Be Inaccurate Are Deemed to Be Inherently Unfair or Deceptive. The FTC's complaint notes that HTC's pre-installed custom apps inadvertently created a situation where third-party apps without certain device permissions could nevertheless access the capabilities associated with those permissions. This means that if the end-user downloaded an app that had no network permissions, the app could nevertheless obtain those capabilities by routing its requests through HTC's pre-installed custom apps, which did hold them. This is extremely significant for both Android and iOS (even though iOS was not at issue in this complaint) because situations exist on both platforms where app design can cause platform notices or representations to be incorrect. In the wake of the HTC decision, those scenarios now raise a major red flag and constitute a serious compliance risk.
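As an added, constructed illustration of the flaw class described above (not HTC's code, which the complaint does not reproduce): a pre-installed app that holds the INTERNET permission exports a bound service that fetches any URL a caller names, so a third-party app with no network permission would obtain network access through it. The class name, transaction code and fetch helper are assumed; the version shown is the hardened one, with the caller check a vulnerable version would have lacked marked in the comments.

```java
import android.app.Service;
import android.content.Intent;
import android.os.Binder;
import android.os.IBinder;
import android.os.Parcel;
import android.os.RemoteException;
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.HttpURLConnection;
import java.net.URL;

// Assumed name: an exported service in a pre-installed app that holds INTERNET.
public class UrlFetchService extends Service {
    static final int TX_FETCH = IBinder.FIRST_CALL_TRANSACTION; // assumed transaction code

    private final Binder binder = new Binder() {
        @Override
        protected boolean onTransact(int code, Parcel data, Parcel reply, int flags)
                throws RemoteException {
            if (code != TX_FETCH) {
                return super.onTransact(code, data, reply, flags);
            }
            // Hardened form. Inside onTransact the binder identity is the remote
            // caller's, so this asks whether the CALLING app holds INTERNET, not
            // whether this privileged app does. A vulnerable version would omit
            // this line and lend its own permission to any caller.
            enforceCallingPermission(android.Manifest.permission.INTERNET,
                    "caller does not hold INTERNET; refusing to fetch on its behalf");
            reply.writeString(fetch(data.readString()));
            return true;
        }
    };

    @Override
    public IBinder onBind(Intent intent) {
        return binder;
    }

    // The privileged action; only reached once the caller check has passed.
    static String fetch(String url) {
        try {
            HttpURLConnection c = (HttpURLConnection) new URL(url).openConnection();
            try (BufferedReader r = new BufferedReader(new InputStreamReader(c.getInputStream()))) {
                StringBuilder sb = new StringBuilder();
                for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
                return sb.toString();
            } finally {
                c.disconnect();
            }
        } catch (IOException e) {
            return "";
        }
    }
}
```

The manifest-level alternatives are android:exported="false" for components that need no outside callers, or an android:permission attribute on the component so the platform enforces the permission before the call is ever delivered.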
Similarly, the FTC found that the inadvertent collection of location information, contrary to a notice that was given to the consumer, was inherently deceptive, despite the absence of any showing regarding harm or that the collected information was repurposed or misused.
In the absence of a successful judicial challenge in the intermediate term to the FTC's new tack, it would appear that the new, expanded purview of the FTC may be here to stay. And what an expansion it is.