


Data Collection Debate: FTC Privacy Measures Could Impact Efficacy of IT Security

How the FTC’s Privacy Measures Could Impact the Efforts of IT Security and Fraud Detection


To anyone interested in advancing the state of online consumer privacy, the notion of the U.S. Federal Trade Commission further limiting the types of information that companies can collect about specific users and/or their devices – or forcing those companies to detail the data they gather more openly – seems like a beneficial idea.

However, as some IT security industry experts have pointed out, the FTC’s latest efforts – detailed in the agency’s “Preliminary Report on Protecting Consumer Privacy” (published in Dec. 2010) – may actually hurt or hinder the ability of certain security vendors and/or applications to carry out their own work in protecting end users.

The report, which sets forth a set of more stringent practices for both limiting data collection and forcing businesses to provide greater transparency into the specific information they are aggregating, certainly holds a lot of merit at first glance.

Forcing companies to tell us more about what data they’re actually keeping, and why, is just the type of legislation that consumer privacy advocates have been clamoring for since the initial boom of e-commerce sites over a decade ago.

But, as some have already observed, the measures could also make it harder for security technologies that depend on such information to stop attacks with maximum impact, or could enable criminals to engineer new ways around these forms of protection.

Consider online banking tools that take into account issues such as a device’s geographical location or the speed at which users enter their passwords to help prevent e-banking fraud.

Removing some of that capability, or providing technical details about its use to the public (namely attackers themselves), could clearly prove problematic.


One of the most detailed criticisms of the FTC efforts arrived in the form of a letter sent to the agency (and republished by the company on its site) by online anti-fraud and authentication vendor ThreatMetrix.

The same rules that are applied to companies using consumer/device information to target advertising – a primary target of the FTC work – shouldn’t be leveled upon security applications providers, argues ThreatMetrix VP of Marketing Bert Rankin in the missive.

“The importance of cyber security, and the nature of the data collected, requires that it be treated differently than the treatment accorded consumer data collected for behavioral advertising purposes,” he writes. “Detailed disclosure creates a number of adverse impacts to electronic commerce while not adding materially to privacy protection. Detailed disclosure may reduce consumer welfare by providing fraudsters with critical information to circumvent cyber security.”

If the FTC ultimately decides not to exclude or make exceptions for security firms, then disclosure required for security purposes should be “standardized to be limited solely to a statement that data provided by a consumer or the consumer’s device will be used for fraud detection,” the ThreatMetrix official contends.

As you might have guessed, the company’s tools, which promise to offer device recognition with and without cookies, including cloud-based services, would likely be somewhat compromised if the FTC measures are adopted.

And anyone who uses online banking applications such as those offered by industry giant Bank of America knows that many large businesses have adopted similar tools to help protect against account hijacking and fraud.

If you live in New York and someone in Moscow is suddenly trying to log into your account, it’s very helpful for the bank to be able to see that activity and intervene. In fact, every year when I go on vacation to Montreal for the F1 races, I end up having to call my own bank when they shut down my ATM card once I start using it to make large cash withdrawals late at night.

It bothers me that they can’t figure out that I follow the same patterns every year, but at the same time I’ll take inconvenience over the alternative.

Meanwhile, in addition to the FTC efforts, both the Obama Administration and members of Congress such as former presidential candidate Sen. John Kerry (D-MA) are in the process of crafting their own recommendations for stricter control over data collection.

Balancing matters of security and privacy has always been a complex issue, but as legislators seek to limit unsavory or unauthorized data collection it’s clear that there’s still a lot of work on both sides that needs to be done to reach some sort of conclusion.

Otherwise we may sacrifice security for privacy, and that doesn’t seem to make much sense at all.
