Hacked cheating site Ashley Madison will pay $1.6 million to FTC for breach


Ashley Madison, the dating website for married people seeking extramarital affairs, will pay the Federal Trade Commission (FTC) $1.6 million for its failure to protect the account information of 36 million users, for failing to delete account information after regretful users paid a $19 fee, and for luring users with fake accounts of “female” users.

In a press conference call, FTC Chairwoman Edith Ramirez said the commission had secured a $17.5 million settlement, but the company will only pay $1.6 million of that amount due to inability to pay. Ashley Madison's operators are also required to implement a data security program that will be audited by a third party, according to the settlement.

The website was hacked in August 2015, and the hack resulted in the release of user names, first and last names, hacked passwords, partial credit card data, street names, phone numbers, records of transactions, and e-mail addresses. In the wake of the hack, it was discovered that many people who paid the company $20 for a “Full Delete” had been bilked—Ashley Madison parent company Avid Life Media, now Ruby Corporation, had left that data on its servers for up to 12 months after the request had been made.


Frequent password changes are the enemy of security, FTC technologist says

Contrary to what you’ve been told, frequent changes can be counterproductive.

FTC Chief Technologist Lorrie Cranor speaking at PasswordsCon 2016, part of the BSides security conference in Las Vegas.

Shortly after Carnegie Mellon University professor Lorrie Cranor became chief technologist at the Federal Trade Commission in January, she was surprised by an official agency tweet that echoed some oft-repeated security advice. It read: "Encourage your loved ones to change passwords often, making them long, strong, and unique." Cranor wasted no time challenging it.

The reasoning behind the advice is that an organization's network may have attackers inside who have yet to be discovered, and frequent password changes lock them out. But as a university professor who focuses on security, Cranor found the advice problematic for a couple of reasons. For one, a growing body of research suggests that frequent password changes make security worse. As if repeating advice that's based more on superstition than hard data wasn't bad enough, the tweet was even more annoying because all six of the government passwords she used had to be changed every 60 days.

"I saw this tweet and I said, 'Why is it that the FTC is going around telling everyone to change their passwords?'" she said during a keynote speech at the BSides security conference in Las Vegas. "I went to the social media people and asked them that and they said, 'Well, it must be good advice because at the FTC we change our passwords every 60 days.'"


CRTC enters into MOU with FTC on spam and unlawful telemarketing

As we have noted in previous posts (here and here), the Canadian Radio-television and Telecommunications Commission (CRTC) has repeatedly highlighted its work with its international counterparts to combat spam and unlawful telemarketing, among other communications “threats”.

On March 24, CRTC Chairman Jean-Pierre Blais and US FTC Chairwoman Edith Ramirez signed a Memorandum of Understanding addressing these threats: the MOU between the US Federal Trade Commission and the CRTC on mutual assistance in the Enforcement of Laws on commercial email and telemarketing. The MOU states that the two organizations have already “worked closely in connection with numerous investigations and enforcement actions relating to unsolicited commercial email (spam) and automated telephone calls (robocalls); and have collaborated on promoting technological solutions to robocalls”.

The laws administered by the agencies – the FTC Act and CASL, respectively – both contemplate sharing information with foreign enforcement agencies under certain conditions. The new MOU recognizes that it is in the FTC’s and the CRTC’s “common public interest” to extend support across the border where this will support investigation and enforcement efforts, including:

  1. cooperate with respect to the enforcement against Covered Violations, including sharing complaints and other relevant information and providing investigative assistance;
  2. facilitate research and education related to unauthorized telemarketing and unauthorized telephone calls;
  3. facilitate mutual exchange of knowledge and expertise through training programs and staff exchanges;
  4. promote a better understanding by each Participant of economic and legal conditions and theories relevant to the enforcement of the Applicable Laws; and
  5. inform each other of developments in their respective countries that relate to this Memorandum in a timely fashion.

Accordingly, the FTC and CRTC will share information, provide investigative assistance, and coordinate enforcement against cross-border violations that both sides agree are priority cases.

The announcement is timely in at least one sense.  Industry stakeholders in Canada have complained that the CRTC’s publicized enforcement activity to date has focused largely on Canadian companies that have made mistakes in implementing CASL’s complex compliance requirements.  There has been relatively little visibility around the CRTC’s efforts to “drive spammers out of Canada” – one of CASL’s primary objectives.

FTC proposes a compromise so RadioShack can sell consumer data

Bankruptcy court will still need to decide whether the compromise addresses all concerns.

On Monday the Federal Trade Commission (FTC) sent a letter to the bankruptcy court presiding over RadioShack's supervised asset sell-off suggesting a compromise that would allow RadioShack to sell its database of information from 117 million customers.

The sale of the data—which includes names, addresses, e-mail addresses, phone numbers, and purchase histories—has caused concern among consumer protection advocates. The states of Tennessee and Texas recently filed objections to RadioShack's plan to find a buyer for its database, saying that the company promised in various privacy policies that it would not resell customer data to third parties. AT&T and Apple also objected to the sale of portions of the database, saying that that information actually belongs to them and not to RadioShack as per RadioShack's business agreements with those companies.

According to FTC Consumer Protection Director Jessica Rich (PDF), RadioShack could find a way to appease consumer advocates by taking a look at a bankruptcy case from 2000 involving retailer Toysmart. In that case, Toysmart had wanted to sell off its database of customer data, but after some pushback from the FTC it agreed to certain limitations on the sale of the database. For example, the buyer could not buy the customer database alone—it had to receive it bundled in with the sale of other assets like trademarks or Web content. In addition, the information had to be sold to a business similar to Toysmart and that buyer had to agree to honor the privacy policy that Toysmart had pledged to its customers.
