The FTC Finds P2P Software Design to Be "Unfair"

November 2011

On October 11, the Federal Trade Commission (FTC) announced a novel settlement with Frostwire LLC, a developer of peer-to-peer (P2P) file-sharing applications. The settlement resolves charges that Frostwire had offered software that misled consumers about which downloaded files from desktop and laptop computers would be shared with a file-sharing network, and that caused consumers unknowingly to expose sensitive personal files on Android mobile devices.

This case is particularly noteworthy because:

  • It is the first FTC privacy enforcement action charging that a software default setting, and the absence of a clear way to understand and adjust that setting, constitute an “unfair” practice in violation of Section 5 of the FTC Act. In other words, the FTC contended that the software's very design — in particular the default settings built into the software — was unfair.

Software developers may not be happy about the FTC's willingness to review the details of software design. However, it is consistent with the agency's advocacy over the past year of “privacy by design.” Nor is this an accident — an FTC blog post about the case suggests that software writers should ask whether their “defaults keep users safe from making serious inadvertent errors” and whether the application works “in ways consumers would reasonably expect.”

  • The FTC's “unfairness” claim rested upon non-economic consumer harms. The FTC's complaint alleged that the default software settings harmed consumers by (1) increasing their vulnerability to identity theft; (2) reducing their ability to control the dissemination of personal or proprietary information (such as their voice recordings or personal photographs); and (3) potentially increasing their legal liability based on prohibitions against making such files publicly available.

Interestingly, the first two of the three harms identified by the FTC have largely proven unsuccessful as grounds for class actions arising from breaches of data security. However, the FTC operates under a statute specifying different standards. The third alleged harm is relatively novel, and time will determine whether it holds much strength.

The takeaway is that the FTC's use of its “unfairness” jurisdiction and its reliance on general non-economic harms suggest that the agency may take an even more aggressive stance than it has in recent years. Look for its upcoming revisions to the 2010 staff report on consumer privacy to shed further light on the agency's thinking.