Mozilla CSO demands fines to curb Big Tech surveillance

Mozilla's Chief Security Officer Marshall Erwin urged federal regulators to crack down on internet giants and web browser makers that don't protect their users' privacy — and to make them pay penalties for bad behavior.

"Privacy online is a mess, consumers are stuck in this vicious cycle in which their data is collected, often without their understanding, and then used to manipulate them," Erwin said during a US Federal Trade Commission (FTC) forum today on commercial surveillance and data security. "We see this rule-making process as a real opportunity to break that cycle."

The FTC is considering imposing stricter privacy rules on corporations to deter unwelcome online monitoring and shoddy data security. Thursday's public session was an early step in that rule-making process.

In August, the watchdog issued "advance notice of proposed rulemaking," and now, through October 21, it's seeking public comment about the "harms" related to businesses' collecting, analyzing, and monetizing people's information. 

While any proposed rule will be put to a vote by FTC commissioners, it's worth noting that the regulator's choice of words — using the term "surveillance" rather than a euphemism such as "data gathering" — along with a recent lawsuit against data broker Kochava — seem to indicate it is inclined to codify some type of privacy regulations to limit companies' appetite for information harvesting.

Politics come into play here as well: Democrats today control the commission, and its Biden-appointed chair Lina Khan is an outspoken critic of Big Tech, all of which bodes well for privacy advocates and not so much for big businesses. 

Watching the watchers

Erwin, who spoke as part of an "industry perspectives" panel on the topic and (for what it's worth) started his career in the CIA, unsurprisingly touted Mozilla's pro-privacy Firefox browser. However, "we know that a large number of companies don't take the approach that Mozilla does, and more than half of consumers today are using browsers that don't have strong tracking protections in place or strong privacy protections," he said.

And speaking of tracking, Meta was supposed to weigh in on the industry panel but for some reason was "no longer able to participate," according to the FTC. Odd, you'd think it would have something to add.

Last month, however, the US giant offered to pay $37.5 million to settle a lawsuit that claimed its social media platform Facebook illegally harvested location data even when users explicitly did not consent to it. And days later, it settled a second lawsuit, for an undisclosed amount, brought as a result of Cambridge Analytica's mass slurping of people's profile data.

Another industry panelist, Jason Kint, CEO for trade group Digital Content Next, also advocated "heightened limitations on massive companies," because simply asking netizens to provide consent is not enough, he said. 

"Do you truly provide consent if you're using a search engine and then also you're providing consent for their ad tech business? Somehow you have to have heightened limitations on companies that have dominance across browsers and operating systems and search engines," Kint said.

Erwin, like Kint, did not name any of the offending search-slash-ad-giants during his testimony. But even if these companies did improve their per-user privacy controls, "there's a set of problems that technology alone will not solve," Erwin added. 

'Consequence-free zone'

This is where the Feds need to step in, Erwin said: "So what we want to see is, in parallel, regulators taking action to create costs against bad actors in the space.

"Bad behavior is too easy and there's no consequences for it. Fundamentally, it's a consequence-free zone."

He added later, "financial penalties are a meaningful way to move the needle." 

We note that Google bankrolls Mozilla, paying hundreds of millions of dollars a year to have its search engine the default option in Firefox.

• FTC ponders proper punishment for commercial data 'surveillance' and shoddy security
• FTC sues data broker for selling millions of people's 'precise' location info
• Mozilla finds 18 of 25 popular reproductive health apps share your data
• FTC urged to probe Apple, Google for enabling 'intense system of surveillance'

Erwin called out "dark patterns," which he described as "bread and butter deception," as one area that's ripe for regulation. This also happens to be the subject of a Google lawsuit, in which a group of US states sued the search giant for allegedly using this type of deceptive user interface design to obtain customer location data without adequate consent. 

Other especially egregious privacy offenders include makers of sophisticated cross-site trackers that are used to serve up targeted advertising ad content to individual users, and opaque algorithms that seemingly discriminate against people based on their race and gender, according to Mozilla's security chief.

"A set of rules is really needed to address that harm," Erwin said. "The harm that happens when the data is collected in the first place, and the harm that happens when that data is used in abusive ways." ®