X

Whoops! Ask.com complaint to FTC is an EPIC mistake

Electronic Privacy Information Center and Center for Digital Democracy want feds to change Ask.com's supposedly privacy-invading practices. Alas, the practices don't exist.

Declan McCullagh Former Senior Writer
Declan McCullagh is the chief political correspondent for CNET. You can e-mail him or follow him on Twitter as declanm. Declan previously was a reporter for Time and the Washington bureau chief for Wired and wrote the Taking Liberties section and Other People's Money column for CBS News' Web site.
Declan McCullagh
5 min read

A zealous band of pro-regulation privacy groups made a valiant effort a few days ago to convince the Feds to forcibly pull the plug on a new feature on the Ask.com search engine.

The groups, which include the Electronic Privacy Information Center and the Center for Digital Democracy, told the Federal Trade Commission on Saturday that a formal injunction was necessary to halt some supposedly pernicious practices on the part of Ask.com.

The only problem? Those supposedly pernicious practices don't actually exist.

Ask.com already had voluntarily changed the way it handled its new privacy feature weeks earlier. This self-appointed posse of liberal nonprofits, which also includes Consumer Action, was riding to bring to justice a problem that had long since vanished (and that's assuming it existed in the first place).

By way of background, this particular posse disagreed with the way Ask.com implemented a privacy feature called AskEraser. The idea is that instead of recording your search terms for a year or two the way other search engines do (see our survey from August), Ask.com was offering never to save them at all.

AskEraser is turned on or off by a link on Ask.com that changes the value of a cookie titled, reasonably enough, "askeraser." Originally, when AskEraser launched last month, the value of the cookie was set to the time that the service was activated.

Instead of applauding the idea as perhaps flawed but better than the status quo, EPIC et al. worked themselves into a state of high dudgeon. (These are the same groups that once claimed Google's Gmail service was illegal.) They to Ask.com on December 19 saying the timestamp--down to the second, but not a fraction of a second--could be used as a kind of unique tracking number.

They had a point. If Ask.com encounters a thousand people signing up for AskEraser per second, the potential privacy intrusion is minimal (everyone has the same timestamp). If only one person per second signs up for AskEraser, however, the potential privacy intrusion is higher (the timestamp is unique).

Which is why Ask.com changed the cookie value in early January to be just "off" or "on"--meaning there's no longer the same kind of privacy issue. Unfortunately for the pro-regulatory privacy activists, they never actually checked before firing off their this-illegal-practice-must-be-halted missive on Saturday. It said that the FTC must:

- Order Ask.com to withdraw AskEraser from the marketplace.

- Order Ask.com to cease engaging in and unfair deceptive trade practices.

- Require Ask.com, as a condition of offering AskEraser in the future to:
a) Cease using the opt-out cookie
b) Cease creating a Persistent Identifier on customers
c) Provide meaningful notice if the service will be disabled...

- Order Ask.com to delete all previously retained information, before the implementation of AskEraser.

- Order Ask.com to inform all current users of AskEraser, by prominent notice displayed on the Ask.com Web site, that they should delete the Ask.com AskEraser cookie.

And so on. Now, I admit that anyone can err. And in fact I've known the folks at EPIC to be careful, honest, and principled, even if I may disagree with them from time to time. I think this is an honest mistake.

But this episode is useful to note because it exposes how the Washington practice of advocacy groups using federal agencies to sabotage political enemies can be bereft of facts and logic. (From EPIC's perspective, this was supposed to be a no-lose situation: it's a win if AskEraser is taken off the market, and if the Republican-led FTC refuses to do so, the FTC and the Republican appointees can be slammed as insufficiently sensitive to "privacy interests.")

For his part, Ask.com spokesman Nicholas Graham told me on Tuesday:

EPIC's weekend filing regarding AskEraser is both flawed and unfortunate. It's unfortunate in the sense that Ask.com tried to engage in a constructive dialogue with the group last week, and was rebuffed. Privacy is an issue that demands collaboration and partnership between online companies and advocates, for the benefit of all consumers. Ask.com's relationship with the Center for Democracy & Technology is proof-positive of that.

EPIC's filing is flawed in the sense that the document they filed is factually inaccurate, and simply shows a fundamental misunderstanding of the functionality of our product. In addition, many of the issues they raise are outdated, while others are completely misguided from the outset, and others deal with changes that Ask.com already made to AskEraser weeks ago, and were subsequently posted publicly on our website.

EPIC Executive Director Marc Rotenberg replied to me in e-mail on Tuesday evening:

If Ask has now fixed the problem, (1) that means we were right, (2) they should have responded to our letter. But that doesn't solve the problem with opt-out cookies, which I think you will agree is a nutty approach that does not scale, i.e. it requires users to keep cookies for all the companies they don't want to be tracked by. Even the FTC should be able to see the problem.

Rotenberg is right that using opt-out cookies may not be the cleanest design technique. If I were coding it, I'd have created a special "ask.com/eraser" site--the same way Google set up its google.com/unclesam government search -- or a private.ask.com subdomain. No cookies would be needed.

Then again, I'm not privy to how Ask.com's software is designed and the trade-offs that would be involved. More to the point, probably, companies should have flexibility in how they try to offer new privacy features--and it's hardly clear that a bunch of permanent Washington insiders or FTC bureaucrats know more about scalable software engineering than, well, actual software engineers. As long as Ask.com is honest about what it's doing, and it seems to be in its FAQ, it should be allowed to keep on offering new features.

There's one more question worth asking: if EPIC and CDD and their ideological allies believed they had such a strong case, why not file an actual lawsuit instead of asking the FTC to undertake an investigation that would likely take half a year or more to complete?

After all, EPIC is staffed by attorneys, and their complaint to the FTC alleges that AskEraser is, beyond any doubt, "an unfair business practice." If true, that would violate state consumer protection laws, including California's section 17200, which says private attorneys may sue a company engaging in "unfair" business practices.

I think I know what the answer is. Judges have little patience for plaintiffs that waste their time. If this had been a lawsuit, a judge might well have fined EPIC et al. for wasting his time with frivolous claims, and its staff attorneys might even have been subject to individual sanctions.

Lawsuits, in other words, have risks. Firing off an inaccurate letter to the federal bureaucracy, on the other hand, merely results in the sender looking a little silly. The next time you see them complaining to the FTC about some alleged wrongdoing, remember these attorneys' odd reluctance to litigate.