When we talk about the internet of things and a house full of smart speakers and smart fridges and smart TVs, we focus a lot on privacy concerns. But these devices also have risks around commerce. Because they’re for shopping. That’s part of the appeal, like in this Alexa ad.
Commerce is coming inside the house, kind of like an army of door-to-door salesmen offering encyclopedias or vacuum cleaners.
And some experts have said that’s a good model for how to regulate a future filled with smart shopping — and potentially dumb decisions that stem from it.
Law professor Ryan Calo studies digital market manipulation at the University of Washington, and he looks back to the 1970s when the Federal Trade Commission created new rules to deal with door-to-door sales.
“The idea was a kind of 1950s notion that women were at home, you know, tending to the house in their curlers,” Calo said. “And all of a sudden, some sweet-talking salesperson would come to the door and sell them a bunch of encyclopedias.”
The crux was that when you’re at home, you deserve more protections than when you are actively going to a store and seeking out commerce.
“The commission decided that if you’re going to be selling stuff to people door to door, you had to follow certain rules, you had to have certain disclosures,” he said. The decision included a cooling-off period, a window of time where buyers can cancel any order placed via door-to-door sales with no penalty.
And in 1978, the U.S. Supreme Court upheld restrictions on soliciting clients in person or in their homes.
In his announcement of the opinions, Justice Lewis Powell said, “The state has a strong interest in protecting the public from the aspects of solicitation that potentially involve fraud, undue influence, overreaching and other forms of vexatious conduct.”
But what about when that potentially vexatious conduct comes from a smart speaker, say Google’s?
“We’re interacting with technology that we bring into our houses as though we were interacting interpersonally,” Calo said. “We have this new world in which corporations can reach us anytime and practically anywhere. And yet, we’re not even talking about whether the rules should be different.”
The FTC has sued some companies, including the smart TV maker Vizio, under a decades-old statute around unfair and deceptive practices.
But the agency needs more power to do more, according to Maneesha Mithal, the associate director at the FTC’s Division of Privacy and Identity Protection.
“Under our general ability to prohibit unfair deceptive practices, we do not have rulemaking authority,” Mithal said. “We have recommended that Congress pass a specific law on general privacy and then give us rulemaking authority to establish rules that more clearly identify what practices are unlawful.”
But commerce protections haven’t been part of the conversation yet.
Related links: more insight from Molly Wood
Pity the poor FTC in some ways. The agency only has 40 people working full time on privacy and data security issues. And we have to assume that all 40 of them are probably trying to deal with the Facebook situation.
Earlier this month, FTC Chairman Joseph Simons wrote to Congress to ask for more resources for policing tech companies. He said the U.K. Information Commissioner’s Office has about 500 employees and the Irish Data Protection Commissioner has 110.
Between the lack of resources, authority and a general trend in this country of not really punishing big companies for bad behavior — even when the FTC has sued companies for bad privacy or data security practices — almost all of those actions over the last 10 years have ended with settlements and not fines or penalties.
The Government Accountability Office put out a report in February saying the FTC has investigated 101 data privacy violations since 2009. And the only time it had the power to issue a fine was when there was already a settlement agreement in place.
That is, you may remember, the situation with Facebook right now.
It reached a settlement with the FTC in 2011 when the agency accused it of deceiving users by failing to keep its privacy promises. Where have we heard that before, right?
The agency couldn’t fine Facebook back then, but if it decides to now, it could fine the company $40,000 per user, per day, for every day the company might have violated the agreement.
In theory, that could add up to a lot more than Facebook’s own estimates last week that it might be fined $3 billion to $5 billion. But the New York Times reported Friday that the FTC hasn’t even agreed on whether to do that.
It’s under-resourced, yes, but the agency hasn’t exactly strapped on a superhero cape when it comes to privacy. (“Avengers” weekend!)