Jonathan Mayer, the researcher who found Google privacy violations that the FTC missed. Photo: Peter McCollough/Wired 
Jonathan Mayer had a hunch.
The young computer scientist suspected that online advertisers might be following consumers around the web — even when they set their browsers to block the snippets of tracking code called cookies. If Mayer’s instinct was right, advertisers were eying people as they moved from one website to another even though their browsers were configured to prevent this sort of digital shadowing. Working long hours at his office, Mayer ran a series of clever tests in which he purchased ads that acted as sniffers for the sort of unauthorized cookies he was looking for. He hit the jackpot, unearthing one of the biggest privacy scandals of the past year: Google was secretly planting cookies on a vast number of iPhone browsers. Mayer thinks millions of iPhones were targeted by Google.
This is precisely the type of privacy violation the Federal Trade Commission aims to protect consumers from, and Google, which claims the cookies were not planted in an unethical way, now reportedly faces a fine of more than $10 million. But the FTC didn’t discover the violation. Mayer is a 25-year-old grad student working on law and computer science degrees at Stanford University. He shoehorned his sleuthing between classes and homework, working from an office he shares in the Gates Computer Science Building with students from New Zealand and Hong Kong. He doesn’t get paid for his work and he doesn’t get much rest.
If it seems odd that a federal regulator was scooped by a sleep-deprived student, get used to it, because the federal government is often the last to know about digital invasions of your privacy. The largest privacy scandal of the past year, also involving Google, wasn’t discovered by federal regulators, either. A privacy official in Germany forced Google to hand over the hard drives of cars equipped with 360-degree digital cameras that were taking pictures for its Street View program. The Germans discovered that Google wasn’t just shooting photos: The cars downloaded a panoply of sensitive data, including emails and passwords, from open Wi-Fi networks. Google had secretly done the same in the United States, but the FTC, as well as the Federal Communications Commission, which oversees broadcast issues, had no idea until the Germans figured it out.
Nearly every day, and often several times a day, there is fresh news of privacy invasions as companies hone their ability to imperceptibly assemble a vast amount of data about anyone with a smartphone, laptop or credit card. Retailers, search engines, social media sites, news organizations — all want to know as much as they can about their visitors and users so that ads can be targeted as precisely as possible. But data mining, which has become central to the corporate bottom line, can be downright creepy, with companies knowing what you search for, what you buy, which websites you visit, how long you browse — and more. Earlier this year, it was revealed that Target realized a teenage customer was pregnant before her father knew; the firm identifies first-term pregnancies through, among other things, purchases of scent-free products. It’s akin to someone rifling through your wallet, closet or medicine cabinet, but in the digital sphere no one picks your pocket or breaks into your house. The tracking is done mostly without your knowledge and, in many cases, despite your attempts to stop it, as Mayer discovered.
The FTC is the lead agency in the government’s effort to ensure that companies do not cross the still-hazy border between acceptable and unacceptable data collection. But the agency’s ambitions are clipped by a lack of both funding and legal authority, reflecting a broader uncertainty about the role government should play in what is arguably America’s most promising new industry. Companies like Facebook and Google are global brands for which data mining is at the core of present and future profits. How far should they go? Current laws provide few limits, mainly banning data collection from children under 13 and prohibiting the sale of personal medical data. Beyond that, it’s a digital mosh pit, and it’s likely to remain that way because more regulation tends to be regarded by politicians in both parties as meaning fewer jobs. Students will probably continue to beat the FTC to the punch: The agency has just one privacy technologist working in its Division of Privacy and Identity Protection and one in the Division of Financial Practices. “I don’t think it’s controversial to note that they seem to be understaffed,” Mayer said in a phone interview between classes. “I think that’s pretty clear.”
This isn’t the usual sort of story about regulation watered down by intimate ties between government officials and the industry they oversee. Unlike the U.S. Minerals Management Service, where not long ago a number of officials were found to have shared drugs and had sex with representatives of the oil and gas industry, key FTC officials hired by the Obama administration are privacy hawks who worked previously for consumer-rights groups like Public Citizen and the Electronic Frontier Foundation. Under Chairman Jon Liebowitz, a Democrat appointed to the FTC in 2004 and tapped as chairman by President Obama in 2009, the FTC has pushed boundaries; its first privacy technologist, hired shortly after Liebowitz became chairman, was a semifamous activist who made a name for himself by printing fake boarding passes to draw attention to airline security lapses (the FBI, which raided his house, was not pleased). The agency is working with the tech industry to create and voluntarily adopt a Do Not Track option, so that consumers can avoid some intrusive web tracking by advertising firms. And it issued a report this year that called for new legislation to define what data miners can and cannot do.
Yet the FTC is ill-equipped to find out, on its own, what companies like Google and Facebook are doing behind the scenes. For instance, ProPublica discovered that the FTC’s Privacy and Identity Protection technologist has a digital hand tied behind his back because the computer in his office has security filters that restrict access to key websites. While Mayer has an ultrafast internet connection, top-of-the-line computer, an office chair he loves and tasty lunches for free (“Stanford students do not want in any way,” he notes), the FTC technologist uses his personal laptop and, because there is no Wi-Fi at the agency, connects to the internet by tethering it to his iPhone. He browses the web at cellphone speed. There are no free lunches.