FTC Drops the Hammer on Lifelock’s False Promises
The Federal Trade Commission and 36 state Attorneys General announced yesterday an impressive $12 million settlement with the identity theft protection outfit LifeLock over charges that the company engaged in deceptive and unfair business practices. LifeLock rose to fame in recent years with a series of striking advertisements “guaranteeing” (their word) that the company could protect subscribers from identity theft. A series of notable ads for the company even included the social security number of the company’s CEO as evidence of the protection that LifeLock provided.
The FTC and the state AGs thought LifeLock was promising too much. Despite sweeping promises about the efficacy of LifeLock to protect its users from identity theft, in reality, the company only used (some say misused) publicly available free tools to make it harder for identity thieves to open new fraudulent accounts in the victim’s name. LifeLock did nothing to protect against or monitor misuse of existing financial accounts — by far the biggest source of online identity theft. Nor did the company offer any protections against other common forms of identity theft, such as use of a person’s identity to fraudulently obtain medical care or employment. The company admitted no wrongdoing as a result of the settlement, and at least one board member seems unrepentant about the company’s behavior.
This is exactly the sort of aggressive pro-consumer cases that the FTC and the states should be bringing more often. A $12 million settlement is a huge sum for a company like LifeLock (FTC Chairman Jon Leibowitz said the company “will have to pay every single dollar it has on hand”) and the injunctive relief broadly prohibits the company from making similar claims in the future. While we at CDT typically appreciate when companies offer consumers tools to help protect their privacy and security (such as we offer on our Take Back Your Privacy site) using those tools to sell a false sense of security does more harm to consumers than good.
You Can't Air, Then Hide
The case stands strongly for the proposition that companies may not make bold, misleading claims in its advertising and then try to modify or refine them in hidden fine print contracts or website disclosures that ordinary consumers are never likely to see. This has been a consistent — and important — theme in FTC actions in recent years, as unscrupulous companies have been quick to abuse the internet’s capacity for information overload, bombarding consumers with tons of “disclosure” that hides the most relevant information where a consumer is least likely to find it. LifeLock’s exaggerated and inaccurate claims that it provides protection against identity theft to “make your personal information useless to a criminal” were not subsequently cleansed or corrected by detailed, but less conspicuous, disclosures about the actual limited scope of the service on the LifeLock website.
The other substantive charge in the LifeLock case echoes another theme the FTC has emphasized in recent years: data security. In this case, the company made affirmative misstatements about the security procedures it had in place to safeguard its customers’ information, but the FTC has shown in the past that it will go after companies who merely fail to take security measures that are reasonable under the circumstances. Arguably, companies whose proclaimed raison d’etre is privacy, security, or fraud prevention should be held to a higher standard on privacy and security protection, as reasonable consumer expectations are likely to be higher for these sorts of services. In the past, the FTC has come down especially hard on purported security firms that spied on user’s internet surfing habits to deliver targeted advertising. Similarly, overseas, consumer advocates and regulators are skeptical of Phorm’s attempt to justify its use of deep packet inspection of all a user’s internet traffic for behavioral advertising by bundling it with a anti-phishing tool of questionable value. Consumers understandably don’t — and shouldn’t — expect privacy protection and data security firms to misuse or lose their personal information.
One arguable shortcoming of the settlement is the timing. Lifelock’s deceptive ads had been running for years (the FTC’s complaint notes that the deceptive ads go back to 2005). Two years ago, the company was sued separately in a consumer class action and by the credit bureau Experian over the same deceptive advertisements. And while the FTC and states AGs may in fact have taken all of LifeLock’s cash on hand to settle the suit, we have no idea how much money investors and management have taken out of the closely-held company during the nearly five years that the deceptive scheme was in place. On the injunctive side, the settlement agreement could have required the company to disclose that many (if not all) the measures the company takes to protect identity are already freely available to the public and to provide links to those free tools. (Congress and the FTC recently issued a similar requirement that commercial sites that promote credit report access such as FreeCreditReport.com must provide prominent links to the government-authorized site where consumers can (actually) get their annual credit report for free.)
These quibbles aside, this is an excellent settlement for online consumers. CDT hopes to see continued aggressive enforcement actions from both the FTC and state AGs (CDT has previously called on state AGs to take a more assertive role in online consumer protection) in the near future. While LifeLock’s 1.7 million customers may not individually see much of the $12 million settlement, the case sends an important strong message to other internet marketers about making hyperbolic promises that they cannot back up.
