The settlement process is time-consuming, however. Owing to the agency’s small legal staff, some settlements take years to complete, and by the time they’re done, the targeted companies are not what they used to be. In May, the FTC announced a privacy settlement with MySpace, which it accused of disclosing user information to third parties despite pledging not to do that. The investigation was opened in 2009, when MySpace was already a fading giant; by the time it was concluded in May, MySpace was all but a museum artifact. On Twitter, reaction to the suit included jokes to the effect of, “You mean MySpace still exists?”
Although the agency has some sway with Google and other companies that are sensitive to reputational issues—an FTC settlement might not hurt Google’s bottom line, but the bad press could—it has less influence over data mining firms like LexisNexis, Choicepoint, and RapLeaf, whose revenues come mostly from businesses rather than consumers. This is a major hole in the government’s effort to protect consumers from privacy violations, and the FTC has all but thrown up its hands in futility. The privacy report it issued earlier this year called on Congress to pass legislation that would set guidelines on acceptable practices by data miners. The odds of that happening are quite long, because of industry opposition to government oversight and the difficulty of getting agreement in Congress on what should and should not be allowed.
Even though he lives in university housing, Jonathan Mayer is a star in the world of digital privacy; he is the mop-haired kid who busted Google in his spare time. Silicon Valley companies seek him out to learn what he’s up to. Mayer, being clever, uses these encounters to learn about the companies. What are they thinking about the most? What do they fear the most? He has made another discovery.
“The FTC doesn’t strike fear into the heart of tech companies,” he says. “They know that as long as they stay within lax boundaries, it’s unlikely the FTC will bring enforcement actions against them.”
Yet there is a feared privacy watchdog, Mayer notes: the European Union. American companies have far less political influence in Europe, and Europeans are far more attentive to privacy issues, partly due to memories of Nazi-era totalitarianism. Because most tech services offered to Europeans are the same as offered to Americans, protections required by EU regulators are usually extended to American consumers. It’s the globalization of digital regulation: What happens in one country can affect all countries.
For instance, under Irish privacy law, citizens are entitled to know the information a company possesses on them—and this was used against Facebook by a 24-year-old Austrian, Max Schrems, who asked the company to hand over all the data it had on him. Facebook’s international headquarters are located in Dublin, so the firm had to comply. Last year it gave Schrems more than 1,200 pages of data that included just about every keystroke he had made while on the social network, including items he had deleted and location information he had never provided. Facebook had kept almost every poke and like, every friend and defriend, every invitation accepted or rejected. Schrems posted the information online and compared his Facebook dossier to the data that the East German secret police, the Stasi, had kept on millions of citizens.
In effect, Schrems exposed Facebook’s data retention practices, and this led to a big change. In May, Facebook said its 900 million customers—not just the ones in Europe—would receive far more detail on its data collection, making it easier for them to know what information was being collected and what was being done with it. The company acknowledged that the change was the result of a harsh report issued by Irish authorities looking into the Schrems case. Ireland wasn’t trying to protect the privacy rights of Americans, but its pressure on Facebook had precisely that effect.
The outsourcing of consumer data protection has been going on for a number of years. In 2008, European privacy officials asked Google, Microsoft, and Yahoo! to delete, far quicker than they were doing, the data they were retaining about user searches. In short order, the search giants complied—not only for their European customers but for Americans, too. “The EU drives regulation worldwide,” Mayer says. “While we make nods to self-regulation and cooperation, the reality is that the EU is getting all of this done.”
The power of Europe’s privacy regulators—and the weakness of America’s—was demonstrated most vividly in the Street View dustup. While there was only modest protest against Google photographing American streets and homes, the company immediately ran into big trouble when its cars began to roam around Europe. The collection and abuse of personal information also was a hallmark of communist regimes that ruled Eastern Europe during the Cold War. Throughout Europe, local and national authorities expressed concerns about Street View, and the project quickly hit a number of walls.