John Lopatka, a former consultant to the FTC who now teaches antitrust law at Penn State, told ProPublica that the Microsoft actions detailed in the news organization’s recent reporting followed “a very familiar pattern” of behavior.
“It does echo the Microsoft case” from decades ago, said Lopatka, who co-authored a book on that case.
In the new investigation, the FTC has sent Microsoft a civil investigative demand, the agency’s version of a subpoena, compelling the company to turn over information, people familiar with the probe said. Microsoft confirmed that it received the document.
Company spokesperson David Cuddy did not comment on the specifics of the investigation but said the FTC’s demand is “broad, wide ranging, and requests things that are out of the realm of possibility to even be logical.” He declined to provide on-the-record examples. The FTC declined to comment.
The agency’s investigation follows a public comment period in 2023 during which it sought information on the business practices of cloud computing providers. When that concluded, the FTC said it had ongoing interest in whether “certain business practices are inhibiting competition.”
The recent demand to Microsoft represents one of FTC Commissioner Lina Khan’s final moves as chair, and the probe appears to be picking up steam as the Biden administration winds down. The commission’s new leadership, however, will decide the future of the investigation.
President-elect Donald Trump said this month that he will elevate Commissioner Andrew Ferguson, a Republican attorney, to lead the agency. Following the announcement, Ferguson said in a post on X, “At the FTC, we will end Big Tech’s vendetta against competition and free speech. We will make sure that America is the world’s technological leader and the best place for innovators to bring new ideas to life.”
Trump also said he would nominate Republican lawyer Mark Meador as a commissioner, describing him as an “antitrust enforcer” who previously worked at the FTC and the Justice Department. Meador is also a former aide to Sen. Mike Lee, a Utah Republican who introduced legislation to break up Google.
Google reportedly wants the US Federal Trade Commission (FTC) to end Microsoft’s exclusive cloud deal with OpenAI that requires anyone wanting access to OpenAI’s models to go through Microsoft’s servers.
Someone “directly involved” in Google’s effort told The Information that Google’s request came after the FTC began broadly probing how Microsoft’s cloud computing business practices may be harming competition.
As part of the FTC’s investigation, the agency apparently asked Microsoft’s biggest rivals if the exclusive OpenAI deal was “preventing them from competing in the burgeoning artificial intelligence market,” multiple sources told The Information. Google reportedly was among those arguing that the deal harms competition by saddling rivals with extra costs and blocking them from hosting OpenAI’s latest models themselves.
In 2024 alone, Microsoft generated about $1 billion from reselling OpenAI’s large language models (LLMs), The Information reported, while rivals were stuck paying to train staff to move data to Microsoft servers if their customers wanted access to OpenAI technology. For one customer, Intuit, it cost millions monthly to access OpenAI models on Microsoft’s servers, The Information reported.
Microsoft benefits from the arrangement—which is not necessarily illegal—through increased revenue from reselling LLMs and renting out more cloud servers. It also takes a 20 percent cut of OpenAI’s revenue. Last year, OpenAI made approximately $3 billion selling its LLMs to customers like T-Mobile and Walmart, The Information reported.
Microsoft’s agreement with OpenAI could be viewed as anti-competitive if businesses convince the FTC that the costs of switching to Microsoft’s servers to access OpenAI technology are so burdensome that it’s unfairly disadvantaging rivals. It could also be considered to be harming the market and hampering innovation by seemingly disincentivizing Microsoft from competing with OpenAI in the market.
To avoid any disruption to the deal, however, Microsoft could simply point to AI models sold by Google and Amazon as proof of “robust competition,” The Information noted. The FTC may not buy that defense, though, since rivals’ AI models significantly fall behind OpenAI’s models in sales. Any perception that the AI market is being foreclosed by an entrenched major player could trigger intense scrutiny as the US seeks to become a world leader in AI technology development.
No more jumping through endless hoops to cancel subscriptions, FTC rule says.
It will soon be easy to “click to cancel” subscriptions after the US Federal Trade Commission (FTC) adopted a final rule on Wednesday that makes it challenging for businesses to opt out of easy cancellation methods.
“Too often, businesses make people jump through endless hoops just to cancel a subscription,” FTC chair Lina Khan said in a press release. “The FTC’s rule will end these tricks and traps, saving Americans time and money. Nobody should be stuck paying for a service they no longer want.”
The heart of the new rule requires businesses to provide simple ways to cancel subscriptions. Under the rule, any subscription that can be signed up for online must be able to be canceled online. And cancellation paths for in-person sign-ups must be just as easy, offered either by phone or online.
In guidance released Wednesday, the FTC recommended that businesses keep “three guardrails in mind” to ensure cancellation methods comply with the law. First, customers cannot be required to talk to a live agent or chatbot to cancel if that wasn’t required for sign-up. Next, any phone cancellation methods cannot include charges and must be offered during normal business hours. And finally, canceling services in person must always be optional.
To comply with the rule, businesses offering “negative option marketing” such as subscriptions, automatic renewals, and free trial offers—to both consumers and other businesses—are prohibited from misleading customers. They must clearly disclose all terms of the deal prior to accepting payment, including explaining how much and how often customers will be charged, when free trials or promotions end, any deadlines to avoid charges, and, importantly, how to cancel.
“All this information should be clear, conspicuous, and available to your customers before they enroll. And certain key information related to charges and cancellation must appear right when and where the customer agrees to the negative option, every time,” the FTC said.
Under the “click to cancel” rule, businesses must also get consumers’ informed consent before issuing charges and maintain records of consent for a minimum of three years. Those records could be in the form of a ticked checkbox or a signature, the FTC said, noting the agency offers “some flexibility on what that proof looks like.”
“Don’t try to distract people with other information,” the FTC said. “Get proof of consent and maintain it for at least three years.”
That provision is designed to end unfair and deceptive practices that the FTC found, such as inadequate disclosures about free trials or sneaky auto-enrollments. Those “practices have been a persistent source of consumer harm for decades,” the FTC’s notice on the final rule said, “saddling shoppers with recurring payments for products and services they never intended to purchase nor wanted to continue buying.”
The FTC confirmed that some provisions of the final rule will go into effect within 60 days, but most will take effect after 180 days. Violators risk civil penalties and other forms of consumer redress that weren’t previously available under the FTC Act, the notice in the Federal Register said.
Some frustrated individual commenters asked for stiff penalties, the FTC’s notice said.
“There needs to be a substantial penalty when a service is requested to be cancelled, but the charges continue,” one commenter urged the FTC. “I dropped my TV service from Comcast three months ago and they continue to charge me. Every time I need to re-contact them, I waste an hour.”
FTC made few concessions to critics
More than 16,000 comments were submitted during proposed rulemaking, including concerns raised by cable firms who worried that the FTC’s rule might make it so easy to cancel a subscription that customers miss out on benefits, including deals often offered to retain their business.
At that time, Michael Powell, CEO of The Internet & Television Association (NCTA), defended using live agents to process cancellation requests. He warned that “a consumer may easily misunderstand the consequences of canceling,” incurring unexpected costs in situations like “canceling part of a discounted bundle” that “may increase the price for remaining services.”
Powell further argued that the rule could raise costs for customers, alleging that the FTC had significantly underestimated compliance costs that “could easily exceed $100 million for initial implementation by” the cable industry alone.
But the FTC strongly disagreed with some estimates of compliance costs. For example, in the notice in the Federal Register, the FTC noted that “because NCTA members who enroll consumers online already, clearly, have websites, the Commission rejects the notion that adding ‘click to cancel’ functionality to websites that already include an order path for enrolling, and likely also include functionality for registering a payment mechanism for automated billing, would cost $12–$25 million.”
Ultimately, the FTC disputed the NCTA’s data and rejected the notion that the rule would “require building online cancellation systems virtually from the ground up and expensive ongoing recordkeeping requirements across all services,” pointing any concerned commenters to “the detailed cost-benefit analysis” of the rule provided in the Federal Register notice.
There were only a few major changes to the final rule following the public commenting period. Notably, the FTC dropped a provision that would have required businesses to send annual reminders about recurring charges, as well as another prohibiting promotions or deals offered during the cancellation process in efforts to retain customers without customers opting in to seeing those offers.
The FTC said that it’s only dropped these provisions for now, noting that the Commission plans to keep the record “open on these issues” and may seek additional comments.
Exemptions available but seem unlikely
Perhaps of greatest interest to businesses, the FTC also added “a provision allowing requests for exemptions.” But those will likely be reserved for businesses already complying with the rule, the FTC said, while explaining that each request for exemptions will be weighed individually.
“Because such decisions are highly fact dependent, the Commission must consider exemptions, even of larger groups, on an individualized basis pursuant to the FTC’s Rules of Practice,” the FTC’s notice said.
Some businesses may qualify for recordkeeping exemptions, the FTC said, but only if “it is technologically feasible to make it impossible for customers to enroll without providing unambiguously affirmative consent.”
“Sellers must either maintain records of each consumer’s unambiguously affirmative consent or demonstrate they satisfy the technological exemption provision,” the FTC’s notice said.
The Commission specifically confirmed that it will not be granting “blanket exemptions to sellers who contract with third parties while offering subscription services.” While some businesses claimed this leaves them on the hook for cancellations they cannot process, the FTC found that “an exemption for all sellers who contract with third parties to manage aspects of their negative option programs would effectively nullify the Rule by incentivizing less than legitimate sellers to contract with actors engaged in deceptive practices to maximize negative option enrollments and frustrate cancellation with impunity.”
“A seller cannot evade its responsibility to deal honestly with consumers by contracting with a third party who does not,” the FTC’s notice said.
Official: FTC rule “may not survive legal challenge”
The final rule narrowly passed by a vote of 3–2, with commissioner Melissa Holyoak providing a dissenting statement accusing the agency of rushing the rule to score political points for the Biden administration ahead of the presidential election.
Vice President Kamala Harris will likely continue Biden’s war on “junk fees” if elected, Reuters reported, and Holyoak claimed that Khan pushed for the rule’s adoption to help follow “through on a campaign pledge made by the Chair’s favored presidential candidate.”
According to Holyoak, the final rule is deeply flawed, “improperly generalizing” unfair and deceptive practices “from narrow industry-specific complaints and evidence to the entire American economy.” She argued that the FTC only based the rule on 35 cases, which is allegedly not enough to establish that harmful practices are “prevalent.”
“Whatever the merits of the past cases, the Majority does not remotely come close to explaining how the evidence in those limited cases are similar to the myriad contexts an economy-wide rule would inevitably apply to,” Holyoak suggested.
She also claimed that “if similarity among complaints and cases only at the highest level of generality constitutes the ‘prevalence’ sufficient to ground an economy-wide rulemaking, then a ‘prevalence’ determination is in fact no meaningful guardrail on the Commission’s conduct at all.”
In the press release, the FTC discussed the wide reach of harms, noting that it “receives thousands of complaints about negative option and recurring subscription practices each year,” with the number “steadily increasing over the past five years.”
But Holyoak insisted that the final rule is such an overreach that it “may not survive legal challenge.”
“The Chair has put political expediency over getting things right,” Holyoak said, raising “the possibility that foreordained outcomes and political goals curtailed considering the rulemaking record with an open mind and without prejudgment, as law requires.”
A key legal flaw, Holyoak claimed, is that the rule prohibits any misrepresentations of a negative option, not just those relating to “deceptive terms.” That means businesses risk civil penalties for any material fact deemed misleading, which she alleged “fails to meet” the level of “specificity” required for FTC rulemaking. That seeming textual oversight “will no doubt invite serious legal challenge on this basis,” Holyoak predicted.
Should any portion of the rule be struck down through a legal challenge, the FTC included a provision on severability, allowing the remainder of the rule to remain in force.
Too soon to guess impact on subscription prices
According to Holyoak, the broad final rule “tilts the playing field in ways that are likely to pervert business incentives,” perhaps leading businesses to stop offering negative option billing models, “even when businesses and consumers could derive significant value from them.”
“Even honest businesses will have reason to reconsider the use of negative option billing now that it means subjecting themselves to potential civil penalties for misreading Commission tea leaves,” Holyoak said.
Further, she alleged that consumers could be harmed if the rule preempts state laws or potentially increases transaction costs for businesses that potentially stop offering cheaper negative option billing. Businesses could also pass on to customers the costs of legal fees incurred in efforts to obtain an exemption, Holyoak suggested.
“Raising the transaction costs will reduce a business’ sales and the utility consumers derive from these services. In other words, in our good intentions, we may harm the consumers and competition we are supposed to protect,” Holyoak warned.
But while Holyoak seems sure that consumers could be harmed by the rule potentially limiting negative option billing and spiking subscription costs, the FTC argued that “consumers cannot realize these benefits when sellers make material misrepresentations to induce consumers to enroll in such programs, fail to provide important information, bill consumers without their consent, or make cancellation difficult or impossible.”
At least one individual customer the FTC notice cited insisted that the rule was necessary to end a wide range of abusive charges draining the wallets of many Americans.
“Implementing this consumer-protection rule has the potential to save American consumers millions of dollars and prevent unscrupulous companies from using byzantine cancellation procedures to squeeze unwarranted funds out of their customers,” the commenter said.
Ashley is a senior policy reporter for Ars Technica, dedicated to tracking social impacts of emerging policies and new technologies. She is a Chicago-based journalist with 20 years of experience.
Similarly, the report’s authors describe concerns that the CTV industry’s extensive data collection and tracking could potentially have a political impact. It asserts that political candidates could use such data to run “covert personalized campaigns” leveraging information on things like political orientations and “emotional states”:
With no transparency or oversight, these practices could unleash millions of personalized, manipulative and highly targeted political ads, spread disinformation, and further exacerbate the political polarization that threatens a healthy democratic culture in the US.
“Potential discriminatory impacts”
The CDD’s report claims that Black, Hispanic, and Asian-Americans in the US are being “singled out by marketers as highly lucrative targets,” due to fast adoption of new digital media services and brand loyalty. Black and Hispanic communities are key advertising targets for FAST channels, per the report. Chester told Ars:
There are major potential discriminatory impacts from CTV’s harvesting of data from communities of color.
He pointed to “growing widespread racial and ethnic data” collection for ad targeting and marketing.
“We believe this is sensitive information that should not be applied to the data profiles used for targeting on CTV and across other platforms. … Its use in political advertising on CTV will enable widespread disinformation and voter suppression campaigns targeting these communities,” Chester said.
Regulation
In a letter sent to the FTC, FCC, California attorney general, and CPPA, the CDD asked for an investigation into the US’ CTV industry, “including on antitrust, consumer protection, and privacy grounds.” The CDD emphasized the challenges that streamers—including those who pay for ad-free streaming—face in protecting their data from advertisers.
“Connected television has taken root and grown as an unregulated medium in the United States, along with the other platforms, devices, and applications that are part of the massive internet industry,” the report says.
The group asks for the FTC and FCC to investigate CTV practices and consider building on current legislation, like the 1988 Video Privacy Protection Act. They also request that antitrust regulators delve deeply into the business practices of CTV players like Amazon, Comcast, and Disney to help build “competition and diversity in the digital and connected TV marketplace.”
Among the first AI companies that the Federal Trade Commission has exposed as deceiving consumers is DoNotPay—which initially was advertised as “the world’s first robot lawyer” with the ability to “sue anyone with the click of a button.”
On Wednesday, the FTC announced that it took action to stop DoNotPay from making bogus claims after learning that the AI startup conducted no testing “to determine whether its AI chatbot’s output was equal to the level of a human lawyer.” DoNotPay also did not “hire or retain any attorneys” to help verify AI outputs or validate DoNotPay’s legal claims.
DoNotPay accepted no liability. But to settle the charges that DoNotPay violated the FTC Act, the AI startup agreed to pay $193,000, if the FTC’s consent agreement is confirmed following a 30-day public comment period. Additionally, DoNotPay agreed to warn “consumers who subscribed to the service between 2021 and 2023” about the “limitations of law-related features on the service,” the FTC said.
Moving forward, DoNotPay would also be prohibited under the settlement from making baseless claims that any of its features can be substituted for any professional service.
A DoNotPay spokesperson told Ars that the company “is pleased to have worked constructively with the FTC to settle this case and fully resolve these issues, without admitting liability.”
“The complaint relates to the usage of a few hundred customers some years ago (out of millions of people), with services that have long been discontinued,” DoNotPay’s spokesperson said.
The FTC’s settlement with DoNotPay is part of a larger agency effort to crack down on deceptive AI claims. Four other AI companies were hit with enforcement actions Wednesday, the FTC said, and FTC Chair Lina Khan confirmed that the agency’s so-called “Operation AI Comply” will continue monitoring companies’ attempts to “lure consumers into bogus schemes” or use AI tools to “turbocharge deception.”
“Using AI tools to trick, mislead, or defraud people is illegal,” Khan said. “The FTC’s enforcement actions make clear that there is no AI exemption from the laws on the books. By cracking down on unfair or deceptive practices in these markets, FTC is ensuring that honest businesses and innovators can get a fair shot and consumers are being protected.”
DoNotPay never tested robot lawyer
DoNotPay was initially released in 2015 as a free way to contest parking tickets. Soon after, it quickly expanded its services to supposedly cover 200 areas of law—aiding with everything from breach of contract claims to restraining orders to insurance claims and divorce settlements.
As DoNotPay’s legal services expanded, the company defended its innovative approach to replacing lawyers while acknowledging that it was on seemingly shaky grounds. In 2018, DoNotPay CEO Joshua Browder confirmed to the ABA Journal that the legal services were provided with “no lawyer oversight.” But he said that he was only “a bit worried” about threats to sue DoNotPay for unlicensed practice of law. Because DoNotPay was free, he expected he could avoid some legal challenges.
According to the FTC complaint, DoNotPay began charging subscribers $36 every two months in 2019 while making several false claims in ads to apparently drive up subscriptions.
The Federal Trade Commission’s Office of Technology has issued a warning to automakers that sell connected cars. Companies that offer such products “do not have the free license to monetize people’s information beyond purposes needed to provide their requested product or service,” it wrote in a blog post on Tuesday. Just because executives and investors want recurring revenue streams, that does not “outweigh the need for meaningful privacy safeguards,” the FTC wrote.
Based on your feedback, connected cars might be one of the least-popular modern inventions among the Ars readership. And who can blame them? Last January, a security researcher revealed that a vehicle identification number was sufficient to access remote services for multiple different makes, and yet more had APIs that were easily hackable.
Later, in 2023, the Mozilla Foundation published an extensive report examining the various automakers’ policies regarding the use of data from connected cars; the report concluded that “cars are the worst product category we have ever reviewed for privacy.”
Those were rather abstract cases, but earlier this year, we saw a very concrete misuse of connected car data. Writing for The New York Times, Kash Hill learned that owners of connected vehicles made by General Motors had been unwittingly enrolled in OnStar’s Smart Driver program and that their driving data had been shared with their insurance company, resulting in soaring insurance premiums.
The FTC is not taking specific action against any automaker at this point. Instead, the blog post is meant to be a warning to the industry. It says that “connected cars have been on the FTC’s radar for years,” although the agency appears to have done very little other than hold workshops in 2013 and 2018, as well as publishing guidance for consumers reminding them to wipe the data from their cars before selling them.
(By contrast, the California Privacy Protection Agency announced last year that its enforcement division had begun making inquiries with automakers to ensure they complied with the state’s 2018 Consumer Privacy Act.)
The FTC says that automakers and other businesses must protect users’ data against illegal collection, use, and disclosure. It points to recent enforcement actions against companies in other sectors that have illegally collected or used geolocation data, surreptitiously disclosed sensitive user data, and illegally used sensitive data for automated decisions.
The FTC says the easiest way to comply is to not collect the data in the first place.
Before the cancellation of The Problem with Jon Stewart on Apple TV+, Apple forbade the inclusion of Federal Trade Commission Chair Lina Khan as a guest and steered the show away from confronting issues related to artificial intelligence, according to Jon Stewart.
This isn’t the first we’ve heard of this rift between Apple and Stewart. When the Apple TV+ show was canceled last October, reports circulated that he told his staff that creative differences over guests and topics were a factor in the decision.
The New York Times reported that both China and AI were sticking points between Apple and Stewart. Stewart confirmed the broad strokes of that narrative in a CBS Morning Show interview after it was announced that he would return to The Daily Show.
“They decided that they felt that they didn’t want me to say things that might get me into trouble,” he explained.
Stewart’s comments during his interview with Khan yesterday were the first time he’s gotten more specific publicly.
“I’ve got to tell you, I wanted to have you on a podcast, and Apple asked us not to do it—to have you. They literally said, ‘Please don’t talk to her,’” Stewart said while interviewing Khan on the April 1, 2024, episode of The Daily Show.
Khan appeared on the show to explain and evangelize the FTC’s efforts to battle corporate monopolies both in and outside the tech industry in the US and to explain the challenges the organization faces.
She became the FTC chair in 2021 and has since garnered a reputation for an aggressive and critical stance against monopolistic tendencies or practices among Big Tech companies like Amazon and Meta.
Stewart also confirmed previous reports that AI was a sensitive topic for Apple. “They wouldn’t let us do that dumb thing we did in the first act on AI,” he said, referring to the desk monologue segment that preceded the Khan interview in the episode.
The segment on AI in the first act of the episode mocked various tech executives for their utopian framing of AI and interspersed those claims with acknowledgments from many of the same leaders that AI would replace many people’s jobs. (It did not mention Apple or its leadership, though.)
Stewart and The Daily Show’s staff also included clips of current tech leaders suggesting that workers be retrained to work with or on AI when their current roles are disrupted by it. That was followed by a montage of US political leaders promising to retrain workers after various technological and economic disruptions over the years, with the implication that those retraining efforts were rarely as successful as promised.
The segment effectively lampooned some of the doublespeak about AI, though Stewart stopped short of venturing any solutions or alternatives to the current path, so it mostly just prompted outrage and laughs.
Apple currently uses AI-related technologies in its software, services, and devices, but so far it has not launched anything tapping into generative AI, which is the new frontier in AI that has attracted worry, optimism, and criticism from various parties.
However, the company is expected to roll out its first generative AI features as part of iOS 18, a new operating system update for iPhones. iOS 18 will likely be detailed during Apple’s annual developer conference in June and will reach users’ devices sometime in the fall.
Many devices have been made difficult or financially nonviable to repair, whether by design or because of a lack of parts, manuals, or specialty tools. Machines that make ice cream, however, seem to have a special place in the hearts of lawmakers. Those machines are often broken and locked down for only the most profitable repairs.
The Federal Trade Commission and the antitrust division of the Department of Justice have asked the US Copyright Office (PDF) to exempt “commercial soft serve machines” from the anti-circumvention rules of Section 1201 of the Digital Millennium Copyright Act (DMCA). The governing bodies also submitted proprietary diagnostic kits, programmable logic controllers, and enterprise IT devices for DMCA exemptions.
“In each case, an exemption would give users more choices for third-party and self-repair and would likely lead to cost savings and a better return on investment in commercial and industrial equipment,” the joint comment states. Those markets would also see greater competition in the repair market, and companies would be prevented from using DMCA laws to enforce monopolies on repair, according to the comment.
The joint comment builds upon a petition filed by repair vendor and advocate iFixit and interest group Public Knowledge, which advocated for broad reforms while keeping a relatable, ingestible example at its center. McDonald’s soft serve ice cream machines, which are famously frequently broken, are supplied by industrial vendor Taylor. Taylor’s C709 Soft Serve Freezer requires lengthy, finicky warm-up and cleaning cycles, produces obtuse error codes, and, perhaps not coincidentally, costs $350 per 15 minutes of service for a Taylor technician to fix. iFixit tore down such a machine, confirming the lengthy process between plugging in and soft serving.
After one company built a Raspberry Pi-powered device, the Kytch, that could provide better diagnostics and insights, Taylor moved to ban franchisees from installing the device, then offered up its own competing product. Kytch has sued Taylor for $900 million in a case that is still pending.
Beyond ice cream, the petitions to the Copyright Office would provide more broad exemptions for industrial and commercial repairs that require some kind of workaround, decryption, or other software tinkering. Going past technological protection measures (TPMs) was made illegal by the 1998 DMCA, which was put in place largely because of the concerns of media firms facing what they considered rampant piracy.
Every three years, the Copyright Office allows for petitions to exempt certain exceptions to DMCA violations (and renew prior exemptions). Repair advocates have won exemptions for farm equipment repair, video game consoles, cars, and certain medical gear. The exemption is often granted for device fixing if a repair person can work past its locks, but not for the distribution of tools that would make such a repair far easier. The esoteric nature of such “release valve” offerings has led groups like the EFF to push for the DMCA’s abolishment.
DMCA exemptions occur on a parallel track to state right-to-repair bills and broader federal action. President Biden issued an executive order that included a push for repair reforms. The FTC has issued studies that call out unnecessary repair restrictions and has taken action against firms like Harley-Davidson, Westinghouse, and grill maker Weber for tying warranties to an authorized repair service.
Disclosure: Kevin Purdy previously worked for iFixit. He has no financial ties to the company.
Avast, a name known for its security research and antivirus apps, has long offered Chrome extensions, mobile apps, and other tools aimed at increasing privacy.
Avast’s apps would “block annoying tracking cookies that collect data on your browsing activities,” and prevent web services from “tracking your online activity.” Deep in its privacy policy, Avast said information that it collected would be “anonymous and aggregate.” In its fiercest rhetoric, Avast’s desktop software claimed it would stop “hackers making money off your searches.”
All of that language was offered up while Avast was collecting users’ browser information from 2014 to 2020, then selling it to more than 100 other companies through a since-shuttered entity known as Jumpshot, according to the Federal Trade Commission. Under a recent proposed FTC order, Avast must pay $16.5 million, which is “expected to be used to provide redress to consumers,” according to the FTC. Avast will also be prohibited from selling future browsing data, must obtain express consent on future data gathering, notify customers about prior data sales, and implement a “comprehensive privacy program” to address prior conduct.
Reached for comment, Avast provided a statement that noted the company’s closure of Jumpshot in early 2020. “We are committed to our mission of protecting and empowering people’s digital lives. While we disagree with the FTC’s allegations and characterization of the facts, we are pleased to resolve this matter and look forward to continuing to serve our millions of customers around the world,” the statement reads.
Data was far from anonymous
The FTC’s complaint notes that after Avast acquired then-antivirus competitor Jumpshot in early 2014, it rebranded the company as an analytics seller. Jumpshot advertised that it offered “unique insights” into the habits of “[m]ore than 100 million online consumers worldwide.” That included the ability to “[s]ee where your audience is going before and after they visit your site or your competitors’ sites, and even track those who visit a specific URL.”
While Avast and Jumpshot claimed that the data had identifying information removed, the FTC argues this was “not sufficient.” Jumpshot offerings included a unique device identifier for each browser, included in data like an “All Clicks Feed,” “Search Plus Click Feed,” “Transaction Feed,” and more. The FTC’s complaint detailed how various companies would purchase these feeds, often with the express purpose of pairing them with a company’s own data, down to an individual user basis. Some Jumpshot contracts attempted to prohibit re-identifying Avast users, but “those prohibitions were limited,” the complaint notes.
The connection between Avast and Jumpshot became broadly known in January 2020, after reporting by Vice and PC Magazine revealed that clients, including Home Depot, Google, Microsoft, Pepsi, and McKinsey, were buying data from Jumpshot, as seen in confidential contracts. Data obtained by the publications showed that buyers could purchase data including Google Maps look-ups, individual LinkedIn and YouTube pages, porn sites, and more. “It’s very granular, and it’s great data for these companies, because it’s down to the device level with a timestamp,” one source told Vice.
The FTC’s complaint provides more detail on how Avast, on its own web forums, sought to downplay its Jumpshot presence. Avast suggested both that only non-aggregated data was provided to Jumpshot and that users were informed during product installation about collecting data to “better understand new and interesting trends.” Neither of these claims proved true, the FTC suggests. And the data collected was far from harmless, given its re-identifiable nature:
For example, a sample of just 100 entries out of trillions retained by Respondents showed visits by consumers to the following pages: an academic paper on a study of symptoms of breast cancer; Sen. Elizabeth Warren’s presidential candidacy announcement; a CLE course on tax exemptions; government jobs in Fort Meade, Maryland with a salary greater than $100,000; a link (then broken) to the mid-point of a FAFSA (financial aid) application; directions on Google Maps from one location to another; a Spanish-language children’s YouTube video; a link to a French dating website, including a unique member ID; and cosplay erotica.
In a blog post accompanying its announcement, FTC Senior Attorney Lesley Fair writes that, in addition to the dual nature of Avast’s privacy products and Jumpshot’s extensive tracking, the FTC is increasingly viewing browsing data as “highly sensitive information that demands the utmost care.” “Data about the websites a person visits isn’t just another corporate asset open to unfettered commercial exploitation,” Fair writes.
FTC commissioners voted 3-0 to issue the complaint and accept the proposed consent agreement. Chair Lina Khan, along with commissioners Rebecca Slaughter and Alvaro Bedoya, issued a statement on their vote.
Since the time of the FTC’s complaint and its Jumpshot business, Avast has been acquired by Gen Digital, a firm that contains Norton, Avast, LifeLock, Avira, AVG, CCleaner, and ReputationDefender, among other security businesses.
Disclosure: Condé Nast, Ars Technica’s parent company, received data from Jumpshot before its closure.
On Saturday, US District Judge Lynn Winmill denied Kochava’s motion to dismiss an amended FTC complaint, which he said plausibly argued that “Kochava’s data sales invade consumers’ privacy and expose them to risks of secondary harms by third parties.”
Winmill’s ruling reversed a dismissal of the FTC’s initial complaint, which the court previously said failed to adequately allege that Kochava’s data sales cause or are likely to cause a “substantial” injury to consumers.
The FTC has accused Kochava of selling “a substantial amount of data obtained from millions of mobile devices across the world”—allegedly combining precise geolocation data with a “staggering amount of sensitive and identifying information” without users’ knowledge or informed consent. This data, the FTC alleged, “is not anonymized and is linked or easily linkable to individual consumers” without mining “other sources of data.”
Kochava’s data sales allegedly allow its customers—whom the FTC noted often pay tens of thousands of dollars monthly—to target specific individuals by combining Kochava data sets. Using just Kochava data, marketers can create “highly granular” portraits of ad targets such as “a woman who visits a particular building, the woman’s name, email address, and home address, and whether the woman is African-American, a parent (and if so, how many children), or has an app identifying symptoms of cancer on her phone.” Just one of Kochava’s databases “contains ‘comprehensive profiles of individual consumers,’ with up to ‘300 data points’ for ‘over 300 million unique individuals,'” the FTC reported.
This harms consumers, the FTC alleged, in “two distinct ways”—by invading their privacy and by causing “an increased risk of suffering secondary harms, such as stigma, discrimination, physical violence, and emotional distress.”
In its amended complaint, the FTC overcame deficiencies in its initial complaint by citing specific examples of consumers already known to have been harmed by brokers sharing sensitive data without their consent. That included a Catholic priest who resigned after he was outed by a group using precise mobile geolocation data to track his personal use of Grindr and his movements to “LGBTQ+-associated locations.” The FTC also pointed to invasive practices by journalists using precise mobile geolocation data to identify and track military and law enforcement officers over time, as well as data brokers tracking “abortion-minded women” who visited reproductive health clinics to target them with ads about abortion and alternatives to abortion.
“Kochava’s practices intrude into the most private areas of consumers’ lives and cause or are likely to cause substantial injury to consumers,” the FTC’s amended complaint said.
The FTC is seeking a permanent injunction to stop Kochava from allegedly selling sensitive data without user consent.
Kochava considers the examples of consumer harms in the FTC’s amended complaint to be “anecdotes” disconnected from its own activities. The data broker was seemingly so confident that Winmill would agree to dismiss the FTC’s amended complaint that the company sought sanctions against the FTC for what it construed as a “baseless” filing. According to Kochava, many of the FTC’s allegations were “knowingly false.”
Ultimately, the court found no evidence that the FTC’s complaints were baseless. Instead of dismissing the case and ordering the FTC to pay sanctions, Winmill wrote in his order that Kochava’s motion to dismiss “misses the point” of the FTC’s filing, which was to allege that Kochava’s data sales are “likely” to cause alleged harms. Because the FTC had “significantly” expanded factual allegations, the agency “easily” satisfied the plausibility standard to allege substantial harms were likely, Winmill said.
Kochava CEO and founder Charles Manning said in a statement provided to Ars that Kochava “expected” Winmill’s ruling and is “confident” that Kochava “will prevail on the merits.”
“This case is really about the FTC attempting to make an end-run around Congress to create data privacy law,” Manning said. “The FTC’s salacious hypotheticals in its amended complaint are mere scare tactics. Kochava has always operated consistently and proactively in compliance with all rules and laws, including those specific to privacy.”
“Where consumers seek out health care, receive counseling, or celebrate their faith is private information that shouldn’t be sold to the highest bidder,” Levine said. “The FTC is taking Kochava to court to protect people’s privacy and halt the sale of their sensitive geolocation information.”
The Federal Trade Commission (FTC) is currently seeking comments on new rules that would further restrict platforms’ efforts to monetize children’s data.
Through the Children’s Online Privacy Protection Act (COPPA), the FTC initially sought to give parents more control over what kinds of information various websites and apps can collect from their kids. Now, the FTC wants to update COPPA and “shift the burden from parents to providers to ensure that digital services are safe and secure for children,” the FTC’s press release said.
“By requiring firms to better safeguard kids’ data, our proposal places affirmative obligations on service providers and prohibits them from outsourcing their responsibilities to parents,” FTC chair Lina Khan said.
Among proposed rules, the FTC would require websites to turn off targeted advertising by default and prohibit sending push notifications to encourage kids to use services more than they want to. Surveillance in schools would be further restricted, so that data is only collected for educational purposes. And data security would be strengthened by mandating that websites and apps “establish, implement, and maintain a written children’s personal information security program that contains safeguards that are appropriate to the sensitivity of the personal information collected from children.”
Perhaps most significantly, COPPA would also be updated to stop companies from retaining children’s data forever, explicitly stating that “operators cannot retain the information indefinitely.” In a statement, commissioner Alvaro Bedoya called this a “critical protection” at a time when “new, machine learning-fueled systems require ever larger amounts of training data.”
These proposed changes were designed to address “the evolving ways personal information is being collected, used, and disclosed, including to monetize children’s data,” the FTC said.
Keeping up with advancing technology, the FTC said, also requires expanding COPPA’s definition of “personal information” to include biometric identifiers. That change was likely inspired by charges brought against Amazon earlier this year, when the FTC accused Amazon of violating COPPA by retaining tens of thousands of children’s Alexa voice recordings forever.
Once the notice of proposed rulemaking is published to the Federal Register, the public will have 60 days to submit comments. The FTC likely expects thousands of parents and stakeholders to weigh in, noting that the last time COPPA was updated in 2019, more than 175,000 comments were submitted.
Endless tracking of kids not a “victimless crime”
Bedoya said that updating the already-expansive children’s privacy law would prevent known harms. He also expressed concern that these harms are increasingly being overlooked, citing a federal judge in California who preliminarily enjoined California’s Age-Appropriate Design Code in September. That judge had suggested that California’s law was “actually likely to exacerbate” online harm to kids, but Bedoya challenged that decision as reinforcing a “critique that has quietly proliferated around children’s privacy: the idea that many privacy invasions do not actually hurt children.”
For decades, COPPA has protected against the unauthorized or unnecessary collection, use, retention, and disclosure of children’s information, which Bedoya said “endangers children’s safety,” “exposes children and families to hacks and data breaches,” and “allows third-party companies to develop commercial relationships with children that prey on their trust and vulnerability.”
“I think each of these harms, particularly the latter, undermines the idea that the pervasive tracking of children online is [a] ‘victimless crime,'” Bedoya said, adding that “the harms that COPPA sought to prevent remain real, and COPPA remains relevant and profoundly important.”
According to Bedoya, COPPA is more vital than ever, as “we are only at the beginning of an era of biometric fraud.”
Khan characterized the proposed changes as “much-needed” in an “era where online tools are essential for navigating daily life—and where firms are deploying increasingly sophisticated digital tools to surveil children.”
“Kids must be able to play and learn online without being endlessly tracked by companies looking to hoard and monetize their personal data,” Khan said.
In 2021 Meta announced it was set to acquire Within, the studio behind popular VR fitness app Supernatural; however, the reportedly $400 million deal became subject to investigations by the Federal Trade Commission (FTC) with respect to Meta’s supposed monopolization of the VR fitness space. Now, according to a Bloomberg report, it appears the FTC has lost an important suit to block Meta’s acquisition of Within.
Unreleased documents from the closed court proceedings appear to vindicate Meta’s acquisition of Within, Bloomberg reports, citing people familiar with the ruling. The sealed decision was made Wednesday morning by US District Judge Edward Davila in San Jose, California, which effectively denies the FTC’s request for a preliminary injunction to block the acquisition.
The final outcome of the trial isn’t entirely official just yet though. It’s said Judge Davila also issued a temporary restraining order with the aim of pausing Meta from closing the transaction for a further week, allowing time for the FTC to make an appeal. Provided the reports are accurate, the chances of the FTC potentially clawing back from the loss seem fairly slim at this point.
Last July, the FTC under sitting Chair Lina Khan revealed that, in a 3–2 decision, it had filed a motion with a federal court aimed at blocking the deal and at reining in Meta’s ability to “buy market position instead of earning it on the merits,” as FTC Bureau of Competition Deputy Director John Newman said at the time.
Neither Meta nor the FTC has commented on the report regarding Meta’s win. In a statement to the New York Times about the matter in July, Meta called the FTC’s position “based on ideology and speculation, not evidence. The idea that this acquisition would lead to anticompetitive outcomes in a dynamic space with as much entry and growth as online and connected fitness is simply not credible.” Meta added that the lawsuit would send “a chilling message to anyone who wishes to innovate in VR.”
Over the past four years, Meta has gone unchallenged in several VR studio acquisitions, including Beat Games (Beat Saber), Sanzaru Games (Asgard’s Wrath), Ready at Dawn (Lone Echo & Echo Arena), Downpour Interactive (Onward), BigBox VR (Population: One), Camouflaj (Marvel’s Iron Man VR), Twisted Pixel (Wilson’s Heart, Path of the Warrior), and Armature Studio (Resident Evil 4 VR port for Quest 2).
In particular, the FTC used Meta’s acquisition of Beat Saber as evidence that the company already had engineers with the skill set to both expand Beat Saber into fitness and to build a VR dedicated fitness app from scratch, an FTC court filing stated, maintaining that buying Within “was not the only way Meta could have developed the production capabilities and expertise needed to create a premium VR fitness experience.”