Opinion

Identity theft, not big data, should be at the top of the FTC’s priority list

Identity theft continues to be among consumers’ top worries. It leads the list of consumer privacy concerns in a recent Ponemon Institute survey, and for good reason. According to Javelin Strategy and Research, there were 12.6 million victims of identity theft in 2012, resulting in nearly $21 billion in consumer losses.

Not surprisingly, this threat is reflected in FTC complaint data: identity theft has been the top consumer complaint to the Federal Trade Commission for the last thirteen years, accounting for nearly one-fifth of all complaints in 2012 alone. At the same time, online tracking barely registers. A recent Zogby Analytics survey finds that only four percent of consumers consider behaviorally targeted advertising their top concern about the Internet, compared to 39 percent naming identity theft and 34 percent naming viruses and malware. And these results jive with FTC data; a recent examination of FTC consumer complaint data reveals that from 2004-2008, complaints about general privacy issues were one half of one percent (.005) of the 1.3 million complaints about identity theft.

Why then has the FTC appeared to shift its emphasis in recent years from preventing identity theft to limiting the online collection of data that has almost nothing to do with identity theft? Take the major privacy reports and workshops of the past couple years – which focus on topics like online tracking, behavioral advertising, facial recognition technology, mobile privacy disclosures – and the recently announced initiative to explore the privacy implications of the “Internet of things.” Moreover, in a recent speech on big data, FTC Chairwoman Edith Ramirez warned of the risks associated with the collection of data involving medical history, location, web sites visited, call logs, photos, and contacts.

It is clear that limiting online data collection has become a top priority of this Commission. However, the nexus between the personal data that has become the focal point of the FTC’s privacy agenda and that which an identity thief craves is weak at best; identity thieves want data that they can monetize quickly, like social security and credit card numbers, not browsing histories and information from ‘smart’ appliances.

The FTC’s raison d’etre is the prevention of consumer harm. The FTC Act prohibits unfair or deceptive acts and practices. Both proscriptions are grounded in consumer harm: a material lie harms consumers because by definition a statement is material only if it affects decision-making; and conduct is “unfair” only if it harms consumers more than it benefits them. The importance of this harm requirement cannot be overstated. It provides an objective constraint on the FTC’s enforcement authority. Absent the yardstick of consumer harm, the FTC would be left to import its own subjective judgments of which business practices are too unsavory to survive scrutiny under the FTC Act. Accordingly, FTC actions should be judged by the extent to which they address actual consumer harm.