For months, Snapchat had been telling users that it was protecting their privacy. In fact, the messaging app — through which people could trade ephemeral, and sometimes compromising, photos online — contained a massive security flaw. On Christmas morning last year, Australian IT security experts described how gaps in Snapchat's software left user names and phone numbers vulnerable to theft.
A week later, hackers siphoned data from 4.6 million Snapchat accounts. And while Snapchat photos were said to vanish from the Internet after a few seconds, determined people could still download them, preserving any digital indiscretions.
In May, Snapchat agreed to settle Federal Trade Commission charges stemming from the misleading claims it made concerning privacy and security. It agreed to submit to outside audits of its practices for 20 years.
The Snapchat settlement was a turning point in the company's short history. But the moment was just as important for the FTC, an agency that was created as a bulwark against monopoly but that has grown into a powerful consumer watchdog. These days, it has gone after the likes of T-Mobile for putting spammy third-party charges on Americans' phone bills. It has chastised Google for inappropriately tracking users' Web habits. The FTC has even staked out new roles for itself on hacking and the bulk use of digital data.
"The Federal Trade Commission is becoming, for better or for worse, the Federal Technology Commission," said Geoffrey Manne, executive director of the International Center for Law and Economics, at a recent Washington conference.
On Friday, the FTC turns 100 years old. Here's the story of how it became Washington's go-to technology fixer.
Wyndham case tests the FTC's authority
"Cybersecurity" conjures images of dueling hackers waging invisible war, fingers flying over keyboards in the glow of a PC-filled control room. The reality is far more mundane, as Wyndham, the New Jersey-based hotel chain, discovered when its servers were hacked three times in two years.
The FTC sued Wyndham in 2012 over the breaches, alleging that the company failed to put up even basic security measures like firewalls. There were other missteps, the agency said, including the storage of customers' credit card information as plain text that any hacker could read. In the end, more than 600,000 account numbers wound up on a Web server in Russia, leading to $10 million in fraudulent charges.
The case sparked controversy over whether the FTC even had the authority to go after the hotel chain.
The agency derives much of its authority from Section 5 of the Federal Trade Commission Act, which allows it to intervene against unfair or deceptive business practices.
The FTC said both terms described Wyndham's security practices. Wyndham disagreed, saying the agency lacked authority to monitor data security. Wyndham also said it wasn't clear what was required of the company. But privacy experts point to the guidance offered in nearly 60 data security cases the FTC's prosecuted since 2000. Besides, they say, new technology doesn't change corporate obligations concerning customer information generally.
"The FTC has established a principle that companies have a responsibility to protect consumers' private data," said Ed Felten, the FTC's first chief technologist and a Princeton University professor. "The challenge there is to understand how to apply that across different technologies."
In April, a federal court sided with the FTC, denying Wyndham's attempt to have the case thrown out. While the legal fight is far from over, the case highlights how the FTC has asserted its authority in areas of technology that didn't exist a decade ago, much less 100 years ago, when the agency was created.
The monopoly crusher
When the FTC was formed in 1914, regulators were no longer concerned with simply breaking up monopolies but with preventing their rise in the first place. The Sherman Antitrust Act crushed such monopolies as Standard Oil, but the government needed something more to keep small and midsize businesses from being swallowed whole.
Some believed that putting down monopolies was too extreme.
"We can't abolish the trusts," said Woodrow Wilson in 1905, seven years before he was elected president. "We must moralize them."
With a sense that companies could be reformed — through guidance or targeted punishments — Congress developed Section 5 as a companion to the Sherman Act. Section 5 would "check monopoly in the embryo," said Sen. Francis Newlands, a Nevada Democrat, at the time. The FTC Act passed by a wide margin. On Sept. 26, 1914, Wilson signed the bill into law. It would deal with "unfair methods of competition."
The FTC has grown more active over time as Washington's business cop. In 1938, Congress expanded the FTC's authority to cover "unfair and deceptive acts or practices." By 1963, the agency had begun writing prescriptive regulations. And in the 1970s, it grew especially assertive after a series of reports found that the agency could be more effective.
Eventually, the agency overstepped its bounds. One theory held that companies violated Section 5 if they hired undocumented workers, according to former FTC antitrust director James Langenfeld and Vanderbilt University's David Scheffman. The FTC went after such major companies as Exxon and Dupont. And it charged that Kellogg overcharged consumers. Later it accused cereal makers of concealing information on the sugar content of their products.
"There was almost no perceived societal ill for which someone at the FTC did not propose an FTC Act curative," Langenfeld and Scheffman wrote in the Review of Industrial Organization.
In the campaign against cereal marketing, the FTC proposed banning TV advertising aimed at young children. A major public backlash ensued, with the public filing tens of thousands of comments. The agency was forced to abandon its rulemaking and was even shut down temporarily when Congress allowed the FTC's budget to run out.
"There were all sorts of editorials [including one by the Washington Post] accusing the FTC of trying to become the national nanny," said David Vladeck, a former director of the FTC's Bureau of Consumer Protection. "Ultimately, Congress clipped its wings."
The FTC no longer writes many regulations. These days, it's focused once again on its principal job — using its unfair-and-deceptive-practices authority to bring lawsuits against companies. The FTC also offers guidance to industries through reports to Congress and public workshops.
The FTC in the Internet age
Today, tech companies are a routine target. This year alone, the agency accused Amazon of wrongfully charging parents millions of dollars for in-app purchases their children made; the movie-ticket site Fandango, of failing to properly encrypt credit card transactions; and Yelp, the app for crowdsourced reviews, of collecting children's information without permission. As of August, the FTC had brought 57 cases against companies over data security.
"Part of the reason the FTC has gotten heavily into Internet technology, smartphones , Internet of things, algorithms," Vladeck said, "is that's where the consumer issues are migrating."
As the actions pile up, agency critics worry about government overreach again. For instance, consumers may value easy in-app purchases as a feature rather than a bug.
"One of the threats to the commission going forward is that there are very few people left that went through the trauma of the 1970s," said J. Howard Beales, who led the FTC's Bureau of Consumer Protection under President George W. Bush until 2004. "The people that went through it are universally more cautious about expansive notions of unfairness."
Even when the FTC has investigated, however, the firms in question tend to get off lightly unless they're a repeat offender. Instead of a fine, many settlements involve a consent agreement that legally commits a company to certain behaviors or restrictions. Violating the consent order could trigger fines. With provisions lasting a decade or more, agency critics say the consent orders may become a form of overregulation themselves in light of how quickly today's technology can change. The flip side, of course, is that a company that's harmed its customers in the past might not deserve a pass even if — or especially when — it has altered its product.
Then there's the FTC's evolving relationship with tech companies and the rest of the nation's capital. The agency has grown bold in its pursuit of the country's most popular tech companies, such as Google. The willingness of some of these firms to fight the FTC in court — Amazon, T-Mobile — has only raised the agency's profile. A senior FTC official, who spoke on the condition of anonymity because the litigation in both cases was ongoing, said that if the commission avoids the hard fights, "we will lose effectiveness over time."
"We need to be able to litigate and win," the official said. "If we're settling with people and we don't have the authority — it's better to find out."
Of course, the tech sector is sprawling, and the FTC sometimes finds itself jockeying with other agencies for oversight authority. One common point of interest is "net neutrality."
The Federal Communications Commission is weighing whether to regulate Internet service providers more heavily by reclassifying them as "common carriers." That move, however, would put broadband companies beyond the reach of the FTC.
"I'm concerned that if reclassification happens and the FTC is taken out of the picture, consumers, on balance, won't be better off," said FTC Commissioner Maureen Ohlhausen in a C-SPAN interview.
A great deal of the FTC's work is conducted in secret; the public rarely hears about lawsuits or settlements until the agency announces them, and the five-member commission holds its votes behind closed doors. As a result, officials say, the FTC is less internally politicized than other agencies and its decisions more often unanimous.
More consensus, in turn, means more action for an agency that's staking new claims — and not only on the mainstream technology questions of the day, such as the security and privacy of Web sites, apps and databases. From facial recognition technologies to virtual currency, the FTC sees roles for itself as good cop and bad cop — publishing some guidance here, filing a complaint there. And while the agency's techniques closely resemble those it practiced at the dawn of the First World War, it's hard to say the same about its scope.
Correction: A previous version of this article stated that the FTC's expanded mission in 1938 included unfair methods of competition. That mandate was part of the original 1914 mission of the agency.
Have more to say about this topic? We take your questions every week in our weekly livechat, Switchback, Fridays at 11 a.m. ET. The comment box is open, so submit your questions now.