About web

This author has not yet filled in any details.
So far web has created 110 blog entries.

On Dan Lyons’ Disrupted

Dan Lyons’ Disrupted, the tell all about a prominent journalist’s experience working at Hubspot, a marketing company, is a train-wreck of a read. I could not put it down and have accomplished little work this week as a result 🙂 Lyons details a hundred examples of plain naïveté and pathology within the company. Lyons comes across so harsh that some have dismissed the book, but doing so is a mistake. Ignore the specifics about Hubspot—Lyons’ more important contribution concerns the state of the companies that can attract venture funding and successful IPOs.

Lyons’ book could have used a bit of framing to better highlight some troubling themes, many of which are not specific to Hubspot. First, Lyons paints the company’s executives as out to lunch, and its employees as suffering from the Dunning-Kruger effect, leading to a bozo explosion. So the question arises, how could a company so misdirected and poorly constituted attract big investment? Lyons’ argues that we’re “feeding the ducks.” Investors demand startups that look like Facebook, with young employees and drop-out-of-Stanford leaders. And so our economy is creating hollow imitations of Facebook and Google that keep the ducks satiated.

Second, of course there are incompetent companies out there. But most collapse and the losses are internalized to a small number of actors. Lyons discussions of Hubspot and other companies that have not posted profit (in some cases, not even revenue), sounds a lot to me like the explosion of NINJA loans in the 2000s. Back then, we were feeding the ducks—giving home mortgages to anyone in order to feed investor demand. The logic of the mortgage market was both inscrutable yet unquestionable. Switching to today, Lyons explains how founders and venture capital firms stand to benefit from boosting these firms, and how employees and investors will end up holding the bag. In these bubble situations, even good, smart people will tend to the ducks and attack those questioning the situation. Let us just hope that when the charade ends, the losses do not require a bailout.

Third, while Lyons is preoccupied with his age, (he is a journalist in his early 50s starting a new career at a company where the average employee is 26) the reaction of others to him is troubling. Lyons portrays his Hubspot colleagues as passive aggressive, as dismissive of expertise or experience, as having paper-thin skin, as the kind of people who would fail a philosophy course—or file a harassment case about it—because the argumentation would be too traumatic. Lyons portrays the Hubspot employees’ disgust as palpable. “Culture fit” was first a thinly-veiled, but then explicitly-expressed preference for employees in their 20s.

Finally, Lyons delivers a warning about cloud services and how we have entrusted our data to them. Recall that Hubspot fired a high-level employee and another had resigned concerning an apparent attempt to obtain a copy of the pre-release manuscript of Disrupted. Lyons adds up the evidence—HP’s investigation of a reporter; Uber’s intimations about the power to investigate a journalist; the god-modes built into many social network services; Facebook’s PR scheme against Google; the powerful incentives of venture capitalists to get quick hits; and so on. He explains that the market is set up so that “trust” ensures good behavior with data. That is, the desire for commercial success should police the worst behavior and stop petty abuses with data. His experience at Hubspot has changed his mind:

So we figure we’re safe. We figure we can trust the people who run online services not to snoop on us. I used to believe that. I don’t anymore. The

[Hubspot executives] were not random nerds going rogue in some data center. They were top executives of a publicly traded company. They’re the ones who were supposed to be keeping an eye on the others. During my time at Hubspot, I was shocked to see how badly managed the company was and how packs of inexperienced twenty-something employees were being turned loose and given huge responsibility with little or no oversight. In the world of start-ups that is now the norm, not the exception.

All your data are belong to a bunch of bozos! What could possibly go wrong?


August 3rd, 2016|History|

FTC on the Radio Part 2: Celebrities on Contracts, Advertising, Door-to-Door Sales

coverHere’s another example of the FTC’s dynamism and innovation—sometime in the early 1970s, it created radio spots to inform consumers of various marketplace problems. This album, titled, Shop Wisely Think Before You Buy, includes tracks (listen below) from: Shirley Jones, Leonard Nimoy, Karen Valentine, Sebastian Cabot, Burt Reynolds, Clu Gulager, Carol Burnett, Lloyd Haynes, and Beverly Garland.

Many of the tracks include the word “gypped,” a term that the FTC would be unlikely to use today!

I’ve asked all the FTC old-timers I know about this album, but none knows about it. It would be interesting to learn how the FTC secured the participation of all these celebrities. The spots are not terribly polished, and some actors are not doing their best in them. Perhaps they were performing to get out from under a FTC investigation 🙂

Also interesting: many of the problems discussed in the spots are now governed by various specific rules (unordered merchandise, holder in due course, cooling off, BOGO offers), instead of leaving it to the consumer.

The album (AAVP 70139) is undated, but it is accompanied by a letter from Chairman Miles Kirkpatrick, who served from September 1970 until February 1973. The letter from Chairman Kirkpatrick reads:

Dear Program Director:

“Consumerism is sweeping the country.

Roman Law of 2000 years ago, “Let the buyer beware” is being changed to “Let the seller beware.” The consumer protection movement – with new laws at local, state and national levels – has become a strong restraining factor on those given to making products and services.

We ask your cooperation in presenting these radio public service announcements. Through your efforts you will be helping your listeners to look for more value in what they buy. As consumers they have certain rights. Your station can help to inform them of these rights and tell them of some of the pitfalls of the marketplace by scheduling these important messages as often as possible.


Miles W. Kirkpatrick

And here are the tracks, in order:

Shirley Jones: beware 2 for 1 offers, bulk sizes


Announcer: credit isn’t free!


Leonard Nimoy: beware door-to-door, high-pressure sales


Announcer: beware authenticity of textiles, furs, and wool products


Karen Valentine: carefully examine warranties


Announcer: get a free booklet by writing to “don’t be gypped, FTC, Washington, DC 20580”


Sebastian Cabot: what to do about unsolicited merchandise that one receives in the mail?


Announcer: “be cool, don’t be a sucker for phony advertising.”


Burt Reynolds: “contracts can be very confusing…”


Announcer: know the cost of credit before you buy


Clu Gulager: beware the holder doctrine


Announcer: labeling of furs


Carol Burnett: beware of contests–especially ones you did not enter!


Lloyd Haynes: compare APRs…credit means things cost much more


Peggy Lipton: do not fall all the “smiling faces” that try to get you to buy


Announcer: be skeptical of “free” … the “FTC doesn’t want you to get gypped”


Beverly Garland: don’t believe everything you see or hear


The friendly salesman: a two-minute long spot featuring a pushy door-to-door salesperson posing as a survey researcher





There is also a separate “consumer education spot announcements” album on used car sales.

August 1st, 2016|History|

Antonio García Martínez’s Chaos Monkeys and Privacy

Here’s something you may not know: every time you go to Facebook or ESPN.com or wherever, you’re unleashing a mad scramble of money, data, and pixels that involves undersea fiber-optic cables, the world’s best database technologies, and everything that is known about you by greedy strangers.

Every. Single. Time.

The Federal Trade Commission staff recently recommended that Internet users use ad blockers to control online tracking. This no doubt, will attract controversy from the advertising Industry. Yet, the Commission could justify the recommendation by pointing to a new book written by Facebook’s (FB) former product manager for advertising, Antonio García Martínez (AGM).

AGM’s Chaos Monkeys: Obscene Fortune and Random Failure in Silicon Valley, is an outrageous, fantastic book. Some early reviews discuss its relevance to the advertising/publishing world. Indeed, if you are interested in learning why and how online advertising is a huge swindle, why publishers like the Times “live at the pleasure” of advertising platforms, and other sage advice, such as how to evaluate a startup, AGM’s book is a great read. Be forewarned: there’s a great deal of sexism, score settling, and braggadocio in the book. But I still liked it because AGM is a great writer. He even has a command of classical literature. There are few techies who can find a way to quote both Polybius and Debord in the same work.

There’s another reason to read this book: it provides insight into how FB’s product manager for ads thought about privacy. This is an important viewpoint, because product designers—not the lawyers and CPOs—are the ones who call the shots at many companies. AGM explains:

For my entire career at Facebook, I was embroiled in a rolling debate with the Facebook privacy and legal teams about what we could and couldn’t get away with, chiseling away at their legal trepidation, and trying to find some legal rubric that would forgive (or at least defensibly excuse) our next depredation with user data.

Michael Zimmer and I have argued that FB had mastered the public relations of privacy—that Zuckerberg was a “privacy Machiavelli.” A different view emerges from AGM; a confused attitude that ranges from indifference to privacy to finger pointing. How could Facebook be indifferent to privacy? AGM—like Zuckerberg—sees FB as a utility. Taken as such, it is not responsible for privacy problems. AGM argues that you do not blame the postal service for junk mail, nor AT&T for telemarketing. Similarly, the privacy invasions online are driven by advertisers, not FB. Facebook simply routes messages to you, whereas advertisers know what to route to you because they have watched you for decades through credit card purchases. AGM explains:

I submit that the role of modern-day Big Brother is actually played by companies you’ve likely never heard about. Companies with names like Axciom (sic), Experian, Epsilon, Merkle, and Neustar (among others). These are the companies that since the dawn of the direct-marketing age in the sixties and seventies have been tracking all of consumer America…


And how did this enormous nationwide surveillance apparatus…come to exist? The mail, ladies and gentlemen…

AGM is correct that the direct mailers are voracious in their data collection. But does that mean that FB gets a pass? Well, according to AGM, early targeting on FB just didn’t work. This is because most of your activities have no commercial relevance:

Now imagine you have a written transcript of every conversation taking place…Sounds like a lot, doesn’t it?

Well, it isn’t. Ask yourselves how often you mention anything of commercial import when you’re with friends…Actually, I know exactly how often; it’s one of the earliest studies we did when I got to Facebook.

The short version is “not terribly often at all.” Nobody says things like “I really love how these Adidas Adizero Boston Boost 5 shoes felt today…”

And there’s the problem of sarcasm and derogatory invocations of possibly commercially-relevant terms. AGM argues that “Obama,” for instance, is often proceeded by “fucking,” making it a less than opportune keyword for most advertising.

But FB’s inability to turn our conversations into gold does not absolve the company from its role in tracking everything. This is especially the case because as AGM explains, that joining personal data to cookies has reached a pinnacle with FB and Google:

…Facebook and companies like Acxiom and Datalogix have compared personal data (with none sharing actual data with the other, again via the miracle of hashing), and joined the universal FB user ID to the analogous IDs inside Acxiom, Datalogix, and Epsilon.


Facebook, Google, and others have achieved the holy grail of all marketers: a high-fidelity, persistent, and immutable pseudonym for every consumer online. Even better, they’ve joined that to your real-world persona…”

Later, AGM explains that the data join is ultimately about unifying the view of the customer—an extension of the old one-to-one marketing from the direct mail days:

That personal information is stored in a database, along with the browser cookies that corresponds to it, forming a bridge from real-world you to the browser version of you. It’s probably in hashed form, but that’s just privacy theater; if everyone agrees on the same hash function, it doesn’t matter how it’s stored.”

That join, between a cookie and personal information, is then sold and resold a bazillion times a day to whoever is willing to pay for it…

There’s nothing really new here. But wow, it is stated much more clearly than a privacy policy!

Here’s another attitude I hear in person but rarely see in print—that privacy people are just whiners who can be fooled about information flows by just suppressing ads. These whiners complain about ads, but won’t pay for the service. So why care about their concerns?

…Like infants who haven’t learned object permanence yet, Facebook whiners see an ad, the Facebook logo, and assume it’s all connected. Make the ad go away, and they don’t even think about it. Of course, what they should really be thinking about is how that ad got addressed, and what the advertiser, and not Facebook, knows about them.

Facebook is actually the least of their worries, and it’s about the only dog in the fight that ultimately cares about the user. Unsurprisingly, those who kvetch the most about irrelevant ads are also the same bellyachers who complain when ads are too good, and seem creepy. No doubt, the slightly technically savvy among them are also running ad-blocking software, and advocate against the increased data collection that would improve ads and make them more relevant. If they were to publish content themselves, or work in the business of delivering all of humanity’s digitized social life 24/7 all over the world, they’d realize there’s a human cost to that blue-framed browser tab, and it most certainly is not free. Ad blocking is tantamount to theft, or at the very least running a toll booth without paying.

Oh, and spare me your claims that you’d be willing to pay for Facebook instead of seeing ads…”

There’s much to quibble with here. AGM’s view misses a basic point from STS: that technical systems have values. In fact, we should blame the Postal Service for junk mail—the entire agency has long been devoted to delivering it; and as my early work showed, telephone companies played both sides of the telemarketing battle, selling both anti-sales call technologies and ones that could evade countermeasures. It would be a big mistake to overlook FB’s role in shaping its own system to complement the big/little brothers in data brokerage. In fact, that’s much of what AGM’s book is about!

AGM’s exposition is one of the strongest reasons to run a “tracker blocker,” as the FTC puts it. Too much coverage of Silicon Valley comes at the cost of “access journalism”—the reporters who whitewash or adopt a company’s frame on controversial issues. AGM’s unvarnished view, which too must be read with some skepticism, reveals the logic behind the total information awareness machines that Silicon Valley mints.

July 5th, 2016|History|
Read More

FTCPL&P Reviewed in EDPL

Federal Trade Commission Privacy Law and Policy is reviewed in the current issue (Vol. 2, Issue 2) of the European Data Protection Law Review by Professor Alessandro Mantelero. Professor Mantelero says:

In his book on the Federal Trade Commission (FTC), Hoofnagle gives the European reader more than a historical overview of the origins and vicissitudes of the FTC. Through his analysis of the role played by the courts, Congress, and the Commission itself, he
illustrates the doctrines and dynamics that have contributed to shaping this agency. This makes the book a valuable tool for European privacy experts who wish to better understand the US regulatory approach to privacy protection and understand how political and social forces have affected the powers given to the Commission.


…Hoofnagle leads the reader through the life and logic of the most important US agency in consumer privacy protection, to give us a clearer understanding of the US privacy framework and an important counterpart in the transatlantic data protection dialogue…

July 3rd, 2016|History|

When the FTC Was Not That Controversial

Toilet BrushesA historical look at the FTC reveals that it spent decades doing lame work. Just consider the years of “trade practice conferences.” Commissioners would fly all over the country, giving their blessing to self-regulatory agreements on the most trivial of topics. One commissioner famously raved about his post at the FTC to Philip Elman because it allowed him to travel in style and do no work. Looking back at the 1930 and 1940s, we see the FTC spending a lot of time on things like trade practice conferences for the “toilet brush manufacturing industry,” the “house dress and wash frock manufacturing industry,” and for the “shrinkage of woven yard goods industry.” An uncontroversial FTC is a lame one.

Consider how different today’s FTC is. It is focused on cutting-edge technologies and their application to subtly invade technology. It’s a different, more controversial, yet in-tune body that is striving to live up to its mandate.

July 1st, 2016|History|

Big Increase in Civil Penalties at the FTC

News to me–the FTC was required by Congress to adjust civil penalties so that they catch up with inflation. The new maximum is $40,000 per day/per violation (up from $16,000). Interestingly, if fully adjusted for inflation, the maximum would have gone up to $52k for violations of orders, but alas, Congress capped the increase to 150% of the current max.

Screen Shot 2016-06-29 at 5.55.00 PM

June 29th, 2016|History|

70% of Security Investigations Closed?

Jeremy Snow of Fedscoop reports that the FTC closes approximately 70% of investigations into information security violations. The figure comes from a speech by Commissioner Maureen Ohlhausen. Ohlhausen emphasized that the FTC’s approach overall emphasizes reasonableness. This means that, as Snow reports, “If a company’s security is ‘reasonable, or even good,’ Ohlhausen said, and solves the problem quickly, the commission could close the investigation even if there is a single major specific failure. What matters most is the overall security of the program.”

Could Commissioner Ohlhausen be correct? It’s hard to be certain. When investigations become official, they are enrolled in a system at the FTC. They thus become countable by the leadership of the Agency. But my interviews with privacy attorneys indicated that the lawyers keep many “investigations” off the books. They may be screening a score of companies, looking for a case that would be interesting because it would set new policy, because it was egregious, because of the size of the defendant, and so on. Thus, Commissioner Ohlhausen’s estimate could be low, in the sense that the more informal inquiries go unpursued and uncounted (but are seen as real investigations by the companies that have to answer them!).

June 29th, 2016|History|

The Historical Importance of FTC Investigations

National Census BureauLeafing through pages and pages of historical records on the FTC, one is frustrated by both its volume, and by what it is missing. For much of the FTC’s history the agency quietly settled matters with companies using assurances of voluntary compliance (“AVCs”). One result is that there are very interesting docket entries in the FTC history but almost no information about the alleged wrongdoing.

Here’s an example—a 1937 investigation against a company operating as “National Census Bureau.” We do not get to learn who the et al. were or the subject matter of the investigation. The respondent’s name is perfect for deceptive information collection—could this be the FTC’s first information privacy case? We’ll never know.

June 28th, 2016|History|

The FTC’s Historical–and Enduring–Challenges

Law360 published the “early challenges” essay from FTC Privacy Law and Policy here. Here is the full version in PDF and plain text (below) for those without a Lexis subscription.


June 7th, 2016|History|

Bryan Cave on Consumer Complaints to the FTC

The law firm Bryan Cave offers some good advice for companies about consumer complaints to the FTC:

…a massive database of consumer complaints known as “Consumer Sentinel” … is used by the FTC and other consumer protection regulators to identify and investigate enforcement targets.


the FTC also creates a “Top Violator” report and a “Surge” report that track those organizations that the FTC believes may have a suspicious pattern of consumer complaints. The end result is that the vast majority of FTC enforcement actions target companies identified within the FTC’s database.

Presumably, you could hire Bryan Cave to monitor these violator and surge reports and get on top of these complaints before the FTC opens a case. I think it is absolutely the case that some divisions use these reports. But different divisions of the FTC choose cases differently. A 2014 Inspector General Report noted the use of five different rationales among the BCP divisions in case selection. These included consumer harm; whether related matters were being litigated; the volume of sales made by a respondent; whether the respondent was a repeat offender; and whether the behavior was egregious.[1]

From my interviews with FTC staff, the privacy cases are not complaint-driven. A large number–perhaps most–are brought to the Commission’s attention by competitors. And if you think about it, consumers cannot make privacy complaints because they cannot know about companies’ uses of information. Just consider important cases such as Nomi (consumer tracking through their wireless phones) or the secret software installed on “rent-to-own” computers in Aaron’s. I found that instead of looking at complaints to find targets, the FTC’s privacy attorneys were reading the newspapers, going to industry conferences, and scanning the class action litigation landscape to identify defendants.

And it gets worse for companies: FTC attorneys engage in undercover investigation by making test accounts on websites and other services, and the attorneys even engage in “test shopping” (for instance, buying information from investigatory targets). As early as the 1990s, the FTC developed consumer aliases (complete with credit card accounts) to make purchases from websites in the course of an investigation. These test activities always occur before voluntary or compulsory processes have been sent. You won’t see them coming, because the agency uses a privacy-protecting VPN to mask its IP address.

[1]FTC Office of Inspector General, Evaluation of the Federal Trade Commission’s Bureau of Consumer Protection Resources, OIG Evaluation Report No. 14-003, October 2, 2014.

June 1st, 2016|History|