by Mike Masnick
Fri, Sep 25th 2015 6:18pm
by Mike Masnick
Fri, Sep 25th 2015 8:21am
from the the-latest-in-the-saga dept
Roca itself has gone through a large number of lawyers in this process, and the company has actually ended up in court against some of its former lawyers as well. And there's even more that we've written about in the past, and much more has happened since we last wrote about them. A few times we've considered writing updates based on crazy threats or lawsuits, but just haven't had the time. However, one question that has come up a few times: why hasn't the FTC and/or the FDA cracked down on Roca's questionable claims? Via a FOIA request, we revealed that the FTC was compiling a rather large file of customer complaints about Roca Labs... and apparently, things finally reached the tipping point.
Yesterday, the FTC finally filed a complaint against Roca Labs and the people behind it: Don Juravin and George Whiting. The FTC's complaint is worth a read, because not only does it cover some of the ground we've already discussed, it reveals some new and even more questionable behavior -- such as anonymously running a sketchy website supposedly about gastric bypass surgery, one that pushed people away from gastric bypass surgery but had an "alternatives to gastric bypass" page that served solely to promote Roca Labs' "product" -- which everyone admits is a mix of industrial food thickeners and some other stuff. Of course, to throw people off the scent that the Gastricbypass.me site was really run by Roca Labs, the company amusingly pretends to be critical of some aspects of Roca Labs. From the complaint:
Gastricbypass.me includes, among other content, a lengthy “Surgery Failures” page, and a “Surgical Alternatives” page. The “Surgical Alternatives” page is devoted to discussing favorably the “Roca Labs Surgery Alternative® Solutions.” The Roca Labs products are the only surgical “alternative” the site discusses. For example, the page states that its authors have “challenged the company’s claim to a ‘90% success rate’ by checking some of the 654,000 video results we got when searching for, ‘YouTube Roca Labs’.” The “Surgery Alternatives” page embeds videos also found on RocaLabs.com. It states that “[i]n 97% of the videos provided, evidence that the surgical alternative is successful is evident from day one. With some averaging weight loss of 0.5 to 1 pound per day, the Roca Labs Surgery Alternative® Solution is quite impressive.” It further states that the site’s “panel of experts” say that the Roca Labs claims are trustworthy “for the most part,” and that the Roca Labs “[m]edical claims are correct, FDA regulations are observed, but not all the articles on the site are updated.” ... There is no disclosure on the GastricBypass.me site that it is operated by the Defendants, is affiliated with RLI or RLNU, or that the site’s owners or operators sell Roca Labs products.

Another thing the complaint reveals: Roca Labs would tell people that it would give them discounts if they would videotape and promote their success stories on YouTube. By itself, that's not a totally crazy idea -- but nowhere did Roca tell those customers that they kind of have to admit that there's some form of compensation involved in their videos. This is the kind of thing that the FTC has been warning folks about for a few years now.
Defendants solicit “Success Videos” from purchasers by offering to pay them up to fifty percent of their money back for providing videos documenting their weight loss...

And, yes, the FTC is well aware of Roca Labs' gag clause and its threats and lawsuits against complaining customers. In fact, it notes that the gag clause used prior to the lawsuit against PissedConsumer was much more egregious than the $3500 bill: it actually said you'd have to pay them $100,000 and that you agree that "any report of any kind on the web will constitute defamation/slander." That's not how defamation law works, but points for creativity, I guess. The gag order even suggests that you shouldn't talk badly about Roca's product because any negative results are due to the customer's "misunderstanding."
Neither the testimonial videos about weight loss resulting from use of Defendants’ products, nor the Roca Labs Websites, social media pages, or other advertisements that include or lead to them, adequately disclose that the persons depicted in the videos were offered or paid any compensation in exchange for their testimonial.
You agree and understand that you can not [sic] talk badly about the Formula because of any frustration you might have with the support department or your misunderstanding.

And, yes, the threats and the lawsuits are in there too, though, as would be expected, the FTC focuses on the ones against customers and PissedConsumer, rather than the threats and lawsuits against lawyers and reporters.
In numerous instances, Defendants have threatened to sue, for breach of the Gag Clauses, purchasers who stated that they had or would complain to third parties, such as the Better Business Bureau, or post negative comments about Defendants, their products, or their employees on internet websites. Defendants have also threatened complaining purchasers who have sought refunds by telling them that they would be subject to liability for extortion or defamation for threatening to post, or posting, truthful negative reviews about the Defendants, their products, or employees, or that their “discounts” would be revoked and that they would owe Defendants the “full” price of the Defendants’ products.

But the FTC complaint also notes that Roca Labs doesn't just threaten and sue its critics, but it plays dirty, revealing private information they may have submitted as part of their "Health Application" to get Roca's powder.
Defendants in some instances have filed lawsuits against purchasers who have posted such negative comments, alleging breach of the Gag Clauses. Defendants also have sued, for allegedly inducing purchasers to breach the Gag Clauses, a company that runs an online site that allows consumers to post complaints about businesses, including the Defendants’ business, online.
Lawsuits the Defendants have filed against purchasers have included, and made public, information those purchasers provided in response to the Defendants’ Health Application. Defendants also have disclosed information purchasers submitted in response to the Defendants’ Health Application to credit card processors and banks in disputes with purchasers over credit card chargebacks.

And that brings us to the actual charges. The FTC is arguing that the weight loss claims around Roca Labs and its products are "deceptive," calling them "false or misleading, or were not substantiated, at the time the representations were made." Second is a "false establishment" claim, saying that Roca Labs lied in stating that its "Formula" was "scientifically proven to have a ninety-percent success rate."
Next up: unfair use of non-disparagement provisions:
Defendants’ practices as described in paragraph 64 have caused or are likely to cause substantial injury to consumers that is not reasonably avoidable by consumers and that is not outweighed by countervailing benefits to consumers or competition.

Count four is about the bogus gastricbypass.me website, where Roca didn't disclose that it was behind the site. Count five is for a failure to disclose material connections -- which appears to apply to both the "customer testimonials" Roca promotes and the fake site. What's not clear is if this also includes the sketchy celebrity endorsements we wrote about last year.
Count six is for "deceptive privacy," over the company revealing private information (including health and financial information) in the various lawsuits it has filed.
Finally, there's a claim over Roca's "deceptive discount." Remember that Roca argued that users had to agree to the gag clause in exchange for a "discount." However, as some of our own readers pointed out, it did not appear there was any realistic way to get Roca's product without agreeing to that agreement. But, the key concern of the FTC is Roca telling people that if they violate the gag order, they can be forced to pay the "full price." The FTC notes that this is a deceptive practice and "in fact, purchasers have not agreed to pay the difference between the purported “discount” price charged and the purported “full price” if they posted negative reviews about the Defendants or their products."
Given what we've seen, the FTC may have even held back on its claims. For example, while the complaint mentions the existence of "Dr. Ross" who at times claimed to be the company's "director of medical team" or, at other times, "an independent medical consultant" -- the complaint doesn't even bother to mention that Ross Finesmith was a pediatrician who lost his medical license for child porn.
The FTC has also asked for a temporary restraining order against Roca Labs, and that motion is well worth reading as well. In fact, that filing is even more direct in its attack on Roca Labs. On the claims about the "formula" the FTC states:
Unfortunately for consumers, Defendants are simply selling common, dietary fibers with exaggerated claims at a grossly inflated cost. Their weight-loss claims lack any scientific basis, and are often flat out false. The FTC retained Dr. Steven Heymsfield, an expert in obesity treatment and weight loss, who reviewed information on Roca Labs’ websites about the products and their ingredients, as well as numerous other published scientific articles on weight loss.... He found no reliable scientific evidence to support Defendants’ weight-loss claims of 21 pounds a month, or 100 pounds in seven to ten months.... According to Dr. Heymsfield, substantiating Defendants’ weight-loss claims would require well-designed and properly conducted human clinical trials on Roca Labs’ actual products (as opposed to its individual ingredients).... Individual testimonials, no matter how numerous or superlative, do not amount to reliable scientific evidence of a weight-loss product’s effect.... Defendants acknowledge that “[n]o clinical study has been performed on this product” ... and Dr. Heymsfield found no such trials.

So, now what? If history is our guide, perhaps we should expect Roca Labs to start threatening the FTC Commissioners with lawsuits directly. But, the reality is that Roca Labs is now in deep, deep trouble. And, what's most interesting, is that it's a lot less likely the FTC would have taken this on had Roca Labs not actually gone out and started suing its critics.
Defendants will likely argue that some fibers in their products have been studied individually and shown to cause some weight loss; therefore aggregating those results supports their claims. But Dr. Heymsfield reviewed weight-loss studies on the individual ingredients and found very few trials that showed any effect. None of the results could in any way support the Defendants’ extravagant claims. For example, clinical trials on glucomannan, one of the fibers in Roca Labs Formula, do not show weight loss comparable to Defendants’ ad claims, and many show no weight loss at all...
Fri, Sep 4th 2015 1:07pm
from the here's-a-shovel dept
Way back in early 2014, we wrote about the revelation that Microsoft and Machinima, the popular YouTube network, had worked out some kind of arrangement in which the newly-released Xbox One would get positive coverage from Machinima personalities. Likewise, Machinima's agreements with its own personalities leaked, laying out exactly how those personalities would be compensated for pimping the Xbox One without ever informing fans that they were doing so. This, at a very minimum, was an existential gamble wagering the trust Machinima had built for itself amongst fans for the chance at some dollars from Microsoft. It was a bad wager. Now that this has all become public, I'm struggling to understand why anyone would put an ounce of trust in the Machinima outlet at all.
And now the FTC is involved, taking the time to ding Machinima for the behavior and enjoining it to never do anything similar in the future.
In a press release today, the FTC announced that the two parties have come to a settlement that will prevent Machinima from pulling this sort of shadiness again. Writes the FTC: “Under the proposed settlement, Machinima is prohibited from similar deceptive conduct in the future, and the company is required to ensure its influencers clearly disclose when they have been compensated in exchange for their endorsements.”

The FTC also cited specific examples of Machinima's actions, including naming personalities that were involved, helpfully torpedoing those personalities' ability to get fans to trust them in the future.
Respondent paid influencer Adam Dahlberg $15,000 for the two video reviews that he uploaded to his YouTube channel “SkyVSGaming.” In his videos, Dahlberg speaks favorably of Microsoft, Xbox One, and Ryse. Dahlberg’s videos appear to be independently produced and give the impression that they reflect his personal views. Nowhere in the videos or in the videos’ descriptions did Dahlberg disclose that Respondent paid him to create and upload them. Dahlberg’s first video received more than 360,000 views, and his second video more than 250,000 views.

The FTC then goes on to expose the entire deal Machinima had with Microsoft's advertising group, Starcom, which included an initial rollout of paid positive coverage by a few personalities, but was then to evolve into a Machinima-wide program of paid-for positive coverage of the Xbox One, with payments to be based on traffic/views.
Respondent paid influencer Tom Cassell $30,000 for the two video reviews that he uploaded to his YouTube channel “TheSyndicateProject.” In his videos, Cassell speaks favorably of Microsoft, Xbox One, and Ryse. Cassell’s videos appear to be independently produced and give the impression that they reflect his personal views. Nowhere in the videos or in the videos’ descriptions did Cassell disclose that Respondent paid him to create and upload them. Cassell’s first video received more than 730,000 views, and his second video more than 300,000 views.
This, it should go without saying, was insane. In the arena of YouTube personalities in general, and perhaps more specifically with the gaming fanbase and the culture that surrounds it, you simply cannot gamble with your reputation and expect the reward to be worth it.
by Mike Masnick
Fri, Sep 4th 2015 7:31am
from the good-move dept
Encouragingly, many companies are taking meaningful steps to improve their security practices including greater use of encryption technology for data in transit and at rest, whether it be stored in the cloud or on devices. Encryption has helped protect the information of millions of consumers -- for example, protecting credit card information when a merchant is breached or protecting passwords when a popular website is hacked. The impact of major breaches may also be reduced the more that users' data and communications are encrypted end-to-end.

She also discusses how any attempt to backdoor encryption could create serious harm for future innovation and our economy:
Moreover, there are more products on the market providing consumers with better security and privacy tools -- including encryption as the default for information stored on smartphones, apps that use end-to-end encryption, and services that encrypt data on devices and then back them up in the cloud. Competition in the marketplace of security and privacy technology holds considerable promise for consumers.
This debate, sometimes called the crypto wars, is hardly new -- it has been going on in some form or another for decades. But what is changing is the extent to which we are using connected technology in every facet of our daily lives. If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.

It's great to see the FTC coming out so publicly on this issue. I hope that others in other parts of the government will do the same as well. Unfortunately, thanks to the overly vocal FBI and NSA, many believe that the entire federal government believes that we should backdoor encryption, and that sets up a very unfortunate "us v. them" attitude between technologists and the government. Instead, it's clear that many, many people in government support strong encryption and are against backdoors. It's good to see more of them speaking up and making their voices heard.
by Mike Masnick
Tue, Sep 1st 2015 7:06am
from the taking-a-stand dept
Strong end-user privacy and security controls, such as device encryption and firmware passwords, not only protect personal information from unwanted access – they can also make it easier to recover lost or stolen devices as well.

He notes that this actually allowed him to help track down the device, because whoever ended up with the "useless" laptop tried to bring it to an Apple Genius Bar, which resulted in Soltani receiving an email.
Last month, I had the misfortune of having a personal laptop stolen.
Fortunately for me, while I was a bit bummed about losing my two-year-old laptop, I back up regularly and always enable disk encryption, which is an important step to protect the information stored on the hard disk from unwanted access by criminals, employers, or other actors (with the exception of very sophisticated adversaries).
Fast forward to a few weeks later, when I received an email to my personal account notifying me of an upcoming Apple Genius Bar visit. I was initially confused by the email but soon realized that it's probably the thief (or the undiscerning buyer) of my laptop trying to take it into Apple for repair – likely because they’re unable to use it without knowing the firmware password I set.

And thus, the FTC's CTO makes it clear that full disk encryption has benefits beyond even just keeping your own data safe:
I immediately began calling local law enforcement and the nearby Apple stores notifying them of the theft and this development. After a few phone calls and the help of a fantastic Sergeant in the Local Crimes Unit of the Sacramento Police department, I was able to coordinate an agreement whereby Apple would notify law enforcement if the new user brought the machine in for repair. After an initial disappointment on account of the suspect skipping his Genius Bar reservation, a representative from Apple Customer Relations notified me that the device was brought into another store and they were coordinating with Sacramento Police Department to return it to me. I’m unclear as to whether they were able to track down the original thief.
In the end, strong end-user controls like device encryption and firmware passwords not only protect sensitive info stored on the device, they also prevent criminals from utilizing stolen property. The more devices feature strong end-user controls, the less likely thieves can profit from their theft on the open market.

Given that the FBI is supposed to be interested in preventing crime, you'd think James Comey would support that kind of thing...
by Mike Masnick
Wed, Aug 26th 2015 10:45am
from the what-the...? dept
In the past, we've covered an anti-Google video that the organization put out that contained so many factual errors that it was a complete joke (and was later revealed as nothing more than a stunt to sell some books). Then there was the attempt to argue that Gmail was an illegal wiretap. It's hard to take the organization seriously when it does that kind of thing.
Its latest, however, takes the crazy to new levels. John Simpson, Consumer Watchdog's resident "old man yells at cloud" impersonator, recently filed a complaint with the FTC against Google. In it, he not only argues that Google should offer the "Right to be Forgotten" in the US, but says that the failure to do that is an "unfair and deceptive practice." Really.
As you know by now, since an EU court ruling last year, Google has been forced to enable a right to be forgotten in the EU, in which it will "delink" certain results from the searches on certain names, if the people argue that the links are no longer "relevant." Some in the EU have been pressing Google to make that "right to be forgotten" global -- which Google refuses to do, noting that it would violate the First Amendment in the US and would allow the most restrictive, anti-free speech regime in the world to censor the global internet.
But, apparently John Simpson likes censorship and supporting free speech-destroying regimes. Because he argues Google must allow such censorship in the US. How could Google's refusal to implement "right to be forgotten" possibly be "deceptive"? Well, in Simpson's world, it's because Google presents itself as "being deeply committed to privacy" but then doesn't abide by a global right to be forgotten. Really.
“The Internet giant aggressively and repeatedly holds itself out to users as being deeply committed to privacy. Without a doubt requesting the removal of a search engine link from one’s name to irrelevant data under the Right To Be Forgotten (or Right to Relevancy) is an important privacy option,” Consumer Watchdog’s complaint said. “Though Google claims it is concerned about users’ privacy, it does not offer U.S. users the ability to make such a basic request. Describing yourself as championing users’ privacy and not offering a key privacy tool – indeed one offered all across Europe – is deceptive behavior.”

That's, uh, not how this all works. In his complaint to the FTC, Simpson's theory is laid out in all its kooky nuttiness. Basically, because in the past we didn't have technology, and things would get forgotten thanks to obscurity -- and because Google claims to support privacy, it must magically pretend that we still live in such an age, and agree to forget stuff people want it to forget. He'd also, apparently, like Google to get off his lawn.
Here is why the Right To Be Forgotten – or Right of Relevancy – is so important to protecting consumers’ privacy in the digital age: Before the Internet if someone did something foolish when they were young – and most of us probably did – there might well be a public record of what happened. Over time, as they aged, people tended to forget whatever embarrassing things someone did in their youth. They would be judged mostly based on their current circumstances, not on information no longer relevant. If someone else were highly motivated, they could go back into paper files and folders and dig up a person’s past. Usually this required effort and motivation. For a reporter, for instance, this sort of deep digging was routine with, say, candidates for public office, not for Joe Blow citizen. This reality that our youthful indiscretions and embarrassments and other matters no longer relevant slipped from the general public’s consciousness is Privacy By Obscurity. The Digital Age has ended that. Everything – all our digital footprints – are instantly available with a few clicks on a computer or taps on a mobile device.

This is an absolutely insane interpretation of "deceptive." A company that supports user privacy is not being deceptive just because its definition of privacy doesn't match your crazy definition. It's just a different policy. If Google had flat out said that it would support a "right to be forgotten" in the US and then refused to process any requests, that would be deceptive. But accurately stating what the company does is not deceptive, no matter what Simpson seems to think.
Google’s anti-consumer behavior around privacy issues is deceptive. The Internet giant holds itself out to be committed to users’ privacy, but does not honor requests that provide a key privacy protection. Google explains: “We know security and privacy are important to you – and they are important to us, too. We make it a priority to provide strong security and give you confidence that your information is safe and accessible when you need it. We’re constantly working to ensure strong security, protect your privacy, and make Google even more effective and efficient for you.” Recently Google said, “Protecting the privacy and security of our customers’ information is a top priority, and we take compliance very seriously.” In its Privacy & Terms Technologies and Principles Google claims, “We comply with privacy laws, and additionally work internally and with regulators and industry partners to develop and implement strong privacy standards… People have different privacy concerns and needs. To best serve the full range of our users, Google strives to offer them meaningful and fine-gained choices over the use of their personal information.”
In other words the Internet giant aggressively and repeatedly holds itself out to users as being deeply committed to privacy. Without a doubt requesting the removal of a search engine link from one’s name to irrelevant data under the Right To Be Forgotten (or Right to Relevancy) is an important privacy option. Though Google claims it is concerned about users’ privacy, it does not offer U.S. users the ability to make this basic request. Describing yourself as championing users’ privacy while not offering a key privacy tool – indeed one offered all across Europe – is deceptive behavior.
What about the "unfair" part of "unfair and deceptive"? I honestly can't summarize the logic because there is none. Apparently, some people might not like what searches on their name turn up, and that's bad and thus... unfair?
Not offering Americans a basic privacy tool, while providing it to millions of users across Europe, is also an unfair practice. Acts or practices by a business are unfair under Section 5 of the Federal Trade Commission Act if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition.6 Here are some examples of people who have been harmed by Google’s refusal to honor Right of Relevancy or Right To Be Forgotten removal requests in the United States. Clearly there is no countervailing benefit in continuing to link to the items from search results. Consider these examples:

I don't see how any of this is "protecting consumers." It seems quite the opposite, actually. It seems to be assuming that the public is made up of pure idiots who can't ever figure out context or understand that sometimes bad things happen. But that's not true. People learn and adapt and adjust to new technologies, even as people like John Simpson fear them. When cameras first started becoming popular they were banned from beaches because people might take photographs of other people there. But people grew up and realized that wasn't destroying anyone's privacy. Simpson has this weird infatuation not with protecting consumers, but with censoring the internet to keep the public from knowing factual information, because apparently he thinks the public can't handle it.
- A young California woman was decapitated in a tragic auto accident. Photos from the grisly accident scene were wrongfully leaked by California Highway Patrol officers and posted to the Internet. A search on her name still returns the horrible photographs.
- A guidance counselor was fired in 2012 after modeling photos from 20 years prior surfaced. She was a lingerie model between the ages of 18-20, and she had disclosed her prior career when she first was hired. Despite this, when a photo was found online and shown to the principal of her school, she was fired.
Last week, on On The Media, host Bob Garfield pointed out to Simpson how ridiculous all of this was, and Simpson doesn't have a single reasonable response. Garfield points out that public information, even embarrassing public information, is, by definition, not private information, and thus there's no privacy violation here. And all Simpson can do is pull his nostalgia gig about how things used to be different when people would forget your embarrassing things in the past. But that doesn't answer the question at all. It just makes Simpson seem totally out of touch with the modern world.
by Mike Masnick
Tue, Aug 25th 2015 7:13am
Appeals Court: Yes, The FTC Can Go After Companies That Got Hacked Over Their Weak Security Practices
from the secure-your-sites-kids dept
The ruling doesn't fully answer the question of where can the FTC draw that line, but it certainly suggests that if your security is laughably bad then, absolutely, the FTC can go after you. And, yes, Wyndham's security was laughably bad. From the court ruling:
The company allowed Wyndham-branded hotels to store payment card information in clear readable text.

So, yeah. This wasn't a situation where determined malicious hackers had to carefully dismantle a security apparatus. There was no security apparatus, basically. The ruling also mentions that the Wyndham website claimed to encrypt credit card data and use firewalls and other things -- none of which it actually did. Oops. And, of course, hackers broke in multiple times and Wyndham did basically nothing.
Wyndham allowed the use of easily guessed passwords to access the property management systems. For example, to gain “remote access to at least one hotel’s system,” which was developed by Micros Systems, Inc., the user ID and password were both “micros.”...
Wyndham failed to use “readily available security measures”—such as firewalls—to “limit access between [the] hotels’ property management systems, . . . corporate network, and the Internet.” ...
Wyndham allowed hotel property management systems to connect to its network without taking appropriate cybersecurity precautions. It did not ensure that the hotels implemented “adequate information security policies and procedures.” ... Also, it knowingly allowed at least one hotel to connect to the Wyndham network with an out-of-date operating system that had not received a security update in over three years. It allowed hotel servers to connect to Wyndham’s network even though “default user IDs and passwords were enabled . . . , which were easily available to hackers through simple Internet searches.” ... And, because it failed to maintain an “adequate inventory [of] computers connected to [Wyndham’s] network [to] manage the devices,” it was unable to identify the source of at least one of the cybersecurity attacks.
Wyndham failed to “adequately restrict” the access of third-party vendors to its network and the servers of Wyndham-branded hotels. ... For example, it did not “restrict connections to specified IP addresses or grant temporary, limited access, as necessary.”
It failed to employ “reasonable measures to detect and prevent unauthorized access” to its computer network or to “conduct security investigations.”
It did not follow “proper incident response procedures.” ... The hackers used similar methods in each attack, and yet Wyndham failed to monitor its network for malware used in the previous intrusions.
As noted, on three occasions in 2008 and 2009 hackers accessed Wyndham’s network and the property management systems of Wyndham-branded hotels. In April 2008, hackers first broke into the local network of a hotel in Phoenix, Arizona, which was connected to Wyndham’s network and the Internet. They then used the brute-force method—repeatedly guessing users’ login IDs and passwords—to access an administrator account on Wyndham’s network. This enabled them to obtain consumer data on computers throughout the network. In total, the hackers obtained unencrypted information for over 500,000 accounts, which they sent to a domain in Russia.

And yet, still, Wyndham insisted that the FTC had no mandate to go after them for this rather egregious behavior. The appeals court agrees with the lower court in saying "of course the FTC can go after such behavior." The main question: Is this an "unfair" practice by Wyndham? The company argued that it's not unfair because it's the victim here. The court doesn't buy it.
In March 2009, hackers attacked again, this time by accessing Wyndham’s network through an administrative account. The FTC claims that Wyndham was unaware of the attack for two months until consumers filed complaints about fraudulent charges. Wyndham then discovered “memory-scraping malware” used in the previous attack on more than thirty hotels’ computer systems.... The FTC asserts that, due to Wyndham’s “failure to monitor [the network] for the malware used in the previous attack, hackers had unauthorized access to [its] network for approximately two months.” ... In this second attack, the hackers obtained unencrypted payment card information for approximately 50,000 consumers from the property management systems of 39 hotels.
Hackers in late 2009 breached Wyndham’s cybersecurity a third time by accessing an administrator account on one of its networks. Because Wyndham “had still not adequately limited access between . . . the Wyndham-branded hotels’ property management systems, [Wyndham’s network], and the Internet,” the hackers had access to the property management servers of multiple hotels.... Wyndham only learned of the intrusion in January 2010 when a credit card company received complaints from cardholders. In this third attack, hackers obtained payment card information for approximately 69,000 customers from the property management systems of 28 hotels.
The FTC alleges that, in total, the hackers obtained payment card information from over 619,000 consumers, which (as noted) resulted in at least $10.6 million in fraud loss. It further states that consumers suffered financial injury through “unreimbursed fraudulent charges, increased costs, and lost access to funds or credit,” ..., and that they “expended time and money resolving fraudulent charges and mitigating subsequent harm.”
Wyndham asserts that a business “does not treat its customers in an ‘unfair’ manner when the business itself is victimized by criminals.”... It offers no reasoning or authority for this principle, and we can think of none ourselves.Also: it's generally not a good thing when a court refers to your legal argument as "a reductio ad aburdum" (i.e., taking something to such an extreme as to be ridiculous).
Finally, Wyndham posits a reductio ad absurdum, arguing that if the FTC’s unfairness authority extends to Wyndham’s conduct, then the FTC also has the authority to “regulate the locks on hotel room doors, . . . to require every store in the land to post an armed guard at the door,” ... and to sue supermarkets that are “sloppy about sweeping up banana peels,” ... The argument is alarmist to say the least. And it invites the tart retort that, were Wyndham a supermarket, leaving so many banana peels all over the place that 619,000 customers fall hardly suggests it should be immune from liability under § 45(a).
Going for a due process move, Wyndham tries to argue that there was not "fair notice" of what kinds of security practices the FTC required. I'm actually marginally sympathetic to this argument. If the standard is that amorphous, then that is really challenging for companies who just don't know if their security practices meet the vague non-public standard of "okay" for the FTC. But, if you're running a company -- especially one as large as Wyndham Hotels -- it's not unreasonable to suggest that your tech staff at least understand some basic fundamentals about security, like not using default passwords, encrypting credit card data, and using firewalls. This isn't advanced computer security here. This is pretty basic stuff. Furthermore, the court basically says Wyndham doesn't need specific rules from the FTC, but rather just should know that the law about "unfair" practices exists.
Wyndham is entitled to a relatively low level of statutory notice for several reasons. Subsection 45(a) does not implicate any constitutional rights here.... It is a civil rather than criminal statute.... And statutes regulating economic activity receive a “less strict” test because their “subject matter is often more narrow, and because businesses, which face economic demands to plan behavior carefully, can be expected to consult relevant legislation in advance of action.”
In this context, the relevant legal rule is not “so vague as to be ‘no rule or standard at all.’”... Subsection 45(n) asks whether “the act or practice causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.” While far from precise, this standard informs parties that the relevant inquiry here is a cost-benefit analysis,... that considers a number of relevant factors, including the probability and expected size of reasonably unavoidable harms to consumers given a certain level of cybersecurity and the costs to consumers that would arise from investment in stronger cybersecurity. We acknowledge there will be borderline cases where it is unclear if a particular company’s conduct falls below the requisite legal threshold. But under a due process analysis a company is not entitled to such precision as would eliminate all close calls.
And, the court notes, Wyndham's behavior here is so egregious that no reasonable person could find it surprising that the FTC went after the company for its [lack of] security practices.
As the FTC points out in its brief, the complaint does not allege that Wyndham used weak firewalls, IP address restrictions, encryption software, and passwords. Rather, it alleges that Wyndham failed to use any firewall at critical network points, did not restrict specific IP addresses at all, did not use any encryption for certain customer files, and did not require some users to change their default or factory-setting passwords at all.
Which leads to the kicker in the following sentence:
Wyndham did not respond to this argument in its reply brief.
Ouch.
The court also notes that maybe Wyndham's response would be more reasonable if the company had only been hacked once. But three times is a bit much:
Wyndham’s as-applied challenge is even weaker given it was hacked not one or two, but three, times. At least after the second attack, it should have been painfully clear to Wyndham that a court could find its conduct failed the cost-benefit analysis.... [C]ertainly after the second time Wyndham was hacked, it was on notice of the possibility that a court could find that its practices fail the cost-benefit analysis.
And thus, while I'm still a little nervous about going after companies who get hacked, it seems in this case, where there appears to be overwhelming evidence of near total gross negligence on the part of Wyndham to secure user data, it does seem reasonable for the FTC to be able to proceed, and now both a district and appeals court agree.
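A defender-side reading of the complaint's allegations, as an added example that is not from the article, the FTC or the court: a small audit that checks a host inventory for exactly the gaps the complaint lists (an OS unpatched for years, vendor default credentials still enabled, vendor access not limited to specific IP addresses, unencrypted cardholder data, malware already seen in an earlier intrusion, and connected devices missing from the inventory). Every host name, credential, IP address, date and hash below is constructed for illustration.

```python
"""Control audit modelled on the gaps alleged in the Wyndham complaint.

Added example; all hosts, credentials, addresses and hashes are constructed
placeholders, not values from the case.
"""
from dataclasses import dataclass, field
from datetime import date

# Constructed: vendor-shipped default credentials that should never stay enabled.
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("pms", "pms123")}
# Constructed placeholder for the hash of malware found after an earlier intrusion.
KNOWN_BAD_HASHES = {"PLACEHOLDER_SHA256_OF_MEMORY_SCRAPER"}
# The complaint describes one OS unpatched for over three years; one year is the
# (constructed) threshold used here.
MAX_PATCH_AGE_DAYS = 365


@dataclass
class Host:
    name: str
    last_security_update: date
    local_credentials: set          # (user, password) pairs still enabled
    vendor_access_allowlist: list   # source IPs vendors may use; [] = unrestricted
    cardholder_data_encrypted: bool
    running_file_hashes: set = field(default_factory=set)


def audit_host(host, today):
    """Return the list of control gaps on one host; an empty list means it passes."""
    findings = []
    if (today - host.last_security_update).days > MAX_PATCH_AGE_DAYS:
        findings.append("stale-os")
    if host.local_credentials & KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default-credentials")
    if not host.vendor_access_allowlist:
        findings.append("unrestricted-vendor-access")
    if not host.cardholder_data_encrypted:
        findings.append("unencrypted-cardholder-data")
    if host.running_file_hashes & KNOWN_BAD_HASHES:
        findings.append("known-malware")
    return findings


def audit_network(inventory, connected_hosts, today):
    """Audit every host seen on the network.

    A connected host that the inventory does not know about is itself a finding:
    without an inventory, the source of an intrusion cannot be identified.
    """
    report = {}
    for name in connected_hosts:
        host = inventory.get(name)
        report[name] = ["not-in-inventory"] if host is None else audit_host(host, today)
    return report


# Constructed sample inventory: one neglected property system, one well-kept gateway.
SAMPLE_TODAY = date(2009, 3, 1)
SAMPLE_INVENTORY = {
    "hotel-pms-01": Host("hotel-pms-01", date(2005, 11, 1), {("admin", "admin")},
                         [], False, {"PLACEHOLDER_SHA256_OF_MEMORY_SCRAPER"}),
    "corp-gw-01": Host("corp-gw-01", date(2009, 1, 15), set(), ["203.0.113.10"], True),
}
# Constructed: hosts actually observed connecting, including one nobody inventoried.
SAMPLE_CONNECTED = ["hotel-pms-01", "corp-gw-01", "unknown-device"]


def run_sample():
    return audit_network(SAMPLE_INVENTORY, SAMPLE_CONNECTED, SAMPLE_TODAY)


if __name__ == "__main__":
    for name, gaps in run_sample().items():
        print(f"{name}: {', '.join(gaps) or 'ok'}")
```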
by Tim Cushing
Fri, Jun 12th 2015 2:40pm
Creator Behind Crowd-Funded Boardgame That Failed To Materialize Draws Settlement Agreement From FTC
from the and-all-cries-of-'force-majeure'-were-for-naught dept
Screwing backers of crowdfunded projects may no longer be as free from consequence as it used to be. The Federal Trade Commission has (finally, some might say) decided to tackle a failed Kickstarter and hold the person behind it responsible (sort of) for walking away from a dead project with over $100,000 in backers' cash.
Erik Chevalier, d/b/a The Forking Path, hit Kickstarter with a plan for a boardgame featuring "Lovecraftian urban destruction" and a goal of $35,000. By the time the clock wound down, Chevalier was sitting on $123,000 of what would turn out to be mostly donations. That was June of 2012. By July of 2013, after numerous delays and long silences, Chevalier announced the project's demise. He also promised to start refunding backers. Apparently, only the first assertion was true. In fact, a lot of what was said to backers proved to be untrue. From the FTC complaint:
In an update issued on July 23, 2013, Defendant stated that the project was being cancelled because “the intention was to start a board game company with the Kickstarter funds” and that “[a]fter paying to form the company, for the miniature statues, moving back to Portland, getting software licenses and hiring artists to do things like rule book design and art conforming[,] the money was approaching a point of no return.”
In reality, Defendant never hired artists for the board game and instead used the consumers’ funds for miscellaneous personal equipment, rent for a personal residence, and licenses for a separate project.
More recently, Defendant promised consumers that he would provide an accounting of his expenses, but he has not done so. Consumers continue to file complaints regarding Defendant’s failure to provide the promised products and rewards, or refunds.
Eventually, after numerous complaints from the backers and the artistic creators of the game, another game developer stepped in and published the game and gave all backers a copy of the board game but not the other, highly-prized deliverables, such as the promised pewter figurines.
To date, Defendant has neither provided the promised reward deliverables nor refunded most of the consumers.
Chevalier's settlement agreement with the FTC is mostly toothless. It concedes he doesn't have the funds to pay back the $112,000 he still owes backers, thus suspending this route of recourse. The other wording in the agreement simply orders him not to be a lying swindler while utilizing crowdfunding services. In other words, behave like a normal, decent human being. Why it takes a government agency to deliver this message is beyond me, especially when it could have ordered him to steer clear of these services entirely.
IT IS ORDERED that Defendant, Defendant's officers, agents, employees, and attorneys, and all others in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any crowdfunding campaign, are permanently restrained and enjoined from misrepresenting or assisting others in misrepresenting, expressly or by implication:
A. the purposes for which funds raised from consumers will be used;
B. that by making a contribution, consumers will receive a specific good, service, or other reward deliverable;
C. the performance, efficacy, nature, or central characteristics of such good, service, or other reward deliverable; or
D. the qualifications or expertise of any person associated with the crowdfunding campaign.
IT IS ORDERED that Defendant, Defendant's officers, agents, employees, and attorneys, and all others in active concert or participation with any of them who receive actual notice of this Order, whether acting directly or indirectly, in connection with any crowdfunding campaign, are permanently restrained and enjoined from failing to honor any stated refund, cancellation, exchange, or repurchase policy.
Coupled with this are some more stringent stipulations, including the FTC's monitoring of Chevalier's crowdfunding-related activity for the next 18 years, as well as giving the agency permission to pounce on any assets it deems "hidden" for the purposes of repaying Kickstarter backers.
An additional layer of scrutiny for crowdfunding ventures is probably a good idea, but not every funded project that dies is necessarily the result of the formative entity taking the money and running. It will be tempting to believe this is true in every case, especially if leaning on the FTC proves more effective than relying on self-policing and crowdfunding platforms' Terms of Service agreements. As it stands now, there aren't many effective legal routes to demanding refunds for undelivered projects, and that has proven to be a bit of a problem, albeit far less frequently than cautionary notes to potential backers would have you believe.
If the FTC is going to regulate this like any other "trade," the deterrents will have to be a bit stronger than the terms of this settlement. The agreement with Chevalier may ward off future fraudulent attempts by him and his company, but it doesn't seem likely to scare off others who see crowdfunding as a path to quick personal enrichment.
by Mike Masnick
Fri, May 29th 2015 4:01am
from the one-down dept
The FTC started looking into these practices years ago, and two years ago the Supreme Court ruled that the FTC had every right to go after drug makers using antitrust laws over these "deals." And the FTC has been filing lawsuits on an ongoing basis about these deals.
Teva has now settled one such case for a cool $1.2 billion -- giving you a sense of just how valuable it has been to these pharma companies to extend their monopoly, keep out competition and keep drug prices artificially high. With Teva, it was the sleep disorder drug Provigil (and, technically, the drugmaker was Cephalon, which Teva then bought). Teva had been fighting with the FTC for years over this, and the case was scheduled to go to trial next week -- but the settlement ends that. The amount, $1.2 billion, by the way, is the largest ever settlement with the FTC. You have to imagine that there will be more of these coming considering the number of other lawsuits and the fact that "pay for delay" was a widespread practice in the pharma industry.
Of course, even with all of this abuse, some people still insist that giving monopoly rights to pharmaceutical companies is the best way to produce new medicines and to provide healthcare. Isn't it about time we began to question those assumptions?
by Mike Masnick
Fri, May 15th 2015 3:58pm
from the go-go-ftc dept
Removing these regulatory impediments may be essential to allow consumers access to new ways of shopping that have become available in many other industries.
Shots fired. In response to this (and public outcry), New Jersey and some other states appeared to back down. But not Michigan, home to the big US automakers, who aren't at all happy with this new upstart competitor from California. Last fall, Michigan passed a law that made it even more difficult for direct sales like Tesla. The FTC didn't do anything specifically about that (yet), but there's a new bill under discussion in Michigan that would carve out an exception to the new ban on direct sales of vehicles, but just for a new category called "autocycles," such as those from Elio Motors. The FTC used this opportunity to question why there's a ban on direct sales of vehicles in the first place.
In a letter commenting on the Michigan proposal, FTC staff supports the movement to allow for direct sales to consumers—not only Tesla or Elio, but for any company that decides to use that business model to distribute its products. Blanket prohibitions on direct manufacturer sales to consumers are an anomaly within the larger economy. Most manufacturers and suppliers in other industries make decisions about how to design their distribution systems based on their own business considerations, responding to consumer demand. Many manufacturers choose some combination of direct sales and sales through independent retailers. Typically, no government intervention is needed to augment or alter these competitive dynamics—the market polices inefficient, unresponsive, or otherwise inadequate distribution practices on its own. If the government does intervene, it should adopt restrictions that are clearly linked to specific policy objectives that the legislature believes warrant deviation from the beneficial pressures of competition, and should be no broader than necessary to achieve those objectives.
The full letter is below -- and it does a nice point-by-point debunking of the laughable arguments by those who insist bans on direct sales to consumers are necessary. Here's just a snippet:
Opening the door by a crack is a step in the right direction, and we urge policymakers in Michigan to take this small step. But beyond company-specific fixes lies a much larger issue: who should decide how consumers shop for products they want to buy? Protecting dealers from abuses by manufacturers does not justify a blanket prohibition like that in the current Michigan law, which extends to all vehicle manufacturers, even those like Tesla and Elio who have no interest in entering into a franchise agreement with any dealer.
Those who support a blanket prohibition on direct manufacturer sales have made a number of arguments that FTC staff find unpersuasive. Perhaps the central concern reflected in the current laws regulating the manufacturer-dealer relationship is that government intervention is required to protect independent dealers from abusive behavior by their suppliers. But a blanket prohibition of direct manufacturer sales is not a narrowly crafted provision to protect franchised dealers from abuse in their franchise relationships. Such a prohibition is categorical, going well beyond the many other statutory provisions that protect dealers from such abuse. It extends to every entity engaged in manufacturing, assembling, or distributing new motor vehicles, even a manufacturer that has never entered into a franchise agreement.
Advocates for existing dealers also argue that manufacturers that sell directly to consumers will not provide them with adequate service. This argument presupposes that automobile manufacturers in a competitive environment will act contrary to their economic self-interest. If consumers greatly value post-sale service and would be unlikely to purchase or recommend any automobile without a reasonable assurance of quality future service, then any manufacturer will have an incentive to supply such service or else see its sales decline to the benefit of its rivals. This competitive pressure is a strong motivation for manufacturers to either provide good service themselves or continue to contract with an independent service provider, such as a dealer, to do so.
Finally, advocates for a categorical ban on direct sales argue that direct-selling manufacturers would charge higher prices to consumers. In their view, consumers benefit from the “intrabrand” competition between dealers of the same brand of vehicle. In other words, rival dealers in the same area that sell the same make and model of car compete for business and competition between them can lower prices for car buyers. Manufacturers, they maintain, would not be subject to the same competitive pressures.
This view is inconsistent with modern economic learning and with the Supreme Court’s widely accepted observation that strong “interbrand” competition—competition between rival manufacturers—can suffice as a source of downward pressure on price. Manufacturers in a competitive market face acute pressure to keep prices low to keep buyers from shifting their purchases to a competing manufacturer’s product. Thus, forcing firms to use inefficient distribution methods can result in higher prices and other forms of consumer harm. As described above, this is not merely a theoretical possibility. Statistical evidence shows that states that have placed strong limitations on gasoline refiners’ ability to operate their own retail outlets tend to have higher prices than those that allow refiners to use whatever combination of dealer and company-operated stations they prefer.
A continuing ban on direct sales by manufacturers perpetuates the current closed system of motor vehicle sales in Michigan. The system limits competition among existing, well-established manufacturers, all of whom must sell through the established network of independent auto dealers. A direct sales ban deters experimentation with new and different methods of sales by current auto manufacturers, and also by future entrants to the market. Michigan’s consumers are paying the price of such a dictate. The essential mechanism that drives markets—the interaction between the supply by manufacturers and the demands of consumers—is being curbed. The market is less responsive to consumer preferences and less innovative in anticipating their evolving needs.
It's nice to see the FTC continuing to monitor this situation and to speak out against clearly anti-competitive moves.