How a lone grad student scooped the government—and what it means for your online privacy

Vladeck’s appointment, in 2009, was welcomed by consumer-rights activists because of the nearly three decades he worked as a crusading lawyer for Public Citizen, which was founded by Ralph Nader; Vladeck has advocated long and hard for better government regulation. A conversation with Vladeck, who has argued four cases before the U.S. Supreme Court and won three of them, is akin to a combative courtroom session. He often leans across the table and speaks in a high-pitched bellow. During an interview in his office, he said that when he arrived at the FTC, “We weren’t geared up for this battle.” That’s partly because the Bush-era FTC was not terribly aggressive on privacy but also because data mining has particularly taken off in the past few years.

“No regulator is ever going to tell you that he or she is satisfied with the resources,” Vladeck said. “Would I like more resources? Of course, and I think I could put them to good use. But let me toot our own horn. We’ve gotten an enormous amount done in three years. I think we are sending a strong signal to the industry—you’ve got to straighten up and do the right thing.”

Since he arrived, the FTC has reached privacy settlements with the some of the largest tech firms, including Facebook, Google, and Twitter, though in each case, there were no fines, because the FTC’s authority to issue fines on a first offense is limited. The agency is like a runner with two sprained ankles, because in addition to its narrow legal power, it has a surprisingly small staff to pursue its legal cases.

Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC’s privacy work and is under Vladeck’s control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. “The bottlenecks are the lawyers for the most part,” Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.

Vladeck has improvised. He described his strategy as similar to highway cops—the point isn’t to catch every car that breaks the speed limit, but enough to signal to the others that they can’t get away with much. He goes after the shiniest cars.

“When we sue a company like Google and get them under order for doing what we thought was a plain violation of the FTC Act, which was making material changes to their privacy policy without notifying people and getting their consent, the message we hope we sent loud and clear was, ‘You can’t do that. If we’re going to go after Google, which is one of the biggest corporations in the world, you can bet were going to go after you, too.'”

Yet those cases demonstrated the FTC’s limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy—what’s inappropriate data collection to one person might be fair and harmless to another—so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little—in which case, they aren’t deceiving consumers if they do things that might be untoward.

Ironically, the best way for a company to avoid privacy tussles with the FTC is to not say much about their privacy practices. On the other side of things, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read or, when they do, they have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow these strategies—and many do—are difficult targets for the FTC.

Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don’t really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large—this is akin to a two-strike rule.