The Washington Post

With this hire, the FCC could soon get tougher on privacy and security


The Federal Communications Commission has hired Jonathan Mayer, a rising star in privacy circles, to serve as its technical lead for investigations into telephone, television and Internet service providers.

He will work primarily on consumer protection issues, especially those having to do with security and privacy, agency spokeswoman Shannon Gilson confirmed.

Mayer is not your average bureaucrat: He's a privacy practitioner with a track record of shining light on questionable corporate behavior. And his hiring is a sign that the FCC hopes to bring an increasingly aggressive approach to protecting consumers’ personal data and their privacy to the next level.

His arrival also comes as the FCC and the Federal Trade Commission, long the government’s de facto online privacy watchdog, are trying to cooperate on handling online privacy and security issues.

The agencies have traditionally had different roles — with the FCC crafting rules for industry, while the FTC focuses more on law enforcement. But now they have shared territory.

The relationship between the two agencies grew more complicated this year when the FCC began regulating Internet providers like traditional telephone companies, a decision that opened broadband firms, such as Verizon and Comcast, to potential new privacy obligations. The move, aimed at preventing Internet providers from unfairly favoring preferred Web sites, threatened to limit the FTC’s ability to police the industry.

And the FCC has recently stepped up its enforcement of data security issues, going after telecom and cable companies for breaches of personal information for the first time. This year the agency’s Enforcement Bureau has collected roughly $30 million in fines for such cases.

Mayer will now serve as the chief technologist of that bureau. The 28-year-old computer scientist and lawyer was one of the minds behind a browser technology called "Do Not Track," which sought to give consumers more control over the way companies track their online activities. The FCC declined to make Mayer available. Mayer declined comment for this story.

Mayer is well known for original research. In 2012, Mayer spotted Google bypassing the privacy settings of Apple's Safari browser, effectively letting the company better track the online activities of millions of people. The search giant later agreed to pay $22.5 million to settle FTC charges related to the practice.

And this January, Mayer revealed that an online advertising company used a unique code — which Verizon Wireless inserts into each customer's mobile browsing activities — to create undeletable "zombie cookies." The zombie cookies reappeared even if users tried to clear them from their browsers, better allowing the ad company to track people's online habits.

The finding conflicted with earlier claims from Verizon that its tracking mechanism, which it uses for its own digital advertising programs, would not be hijacked by other companies. After Mayer's research came out, Verizon let users opt out of having the tracker, called a "supercookie" by privacy advocates, inserted into their browsing activity — and the FCC said it was investigating wireless carriers’ use of supercookies.

Mayer studied at Princeton under now-Deputy U.S. Chief Technology Officer Ed Felten, and later at Stanford, which he only recently left for Washington. While in California, he consulted with current FCC enforcement bureau chief Travis LeBlanc on privacy issues at the California attorney general's office. The bureau has become more aggressive on consumer protection, issuing a series of fines against AT&T, Cox Communications and other companies for recent data breaches.

But that proactive approach has in some cases prompted probing questions from lawmakers.

"We are concerned that the [enforcement bureau] is exceeding its authority by undertaking 'fishing expeditions' rather than investigating specific violations based upon tangible evidence of misconduct," a group of GOP senators wrote to the FCC last week.

The senators underscored their case by pointing to a recent example that they said showed the FCC extending its jurisdiction to technology "that does not fall under any existing FCC rules."

Questions of the bureau's authority, and its limits, will only become more intense as the FCC moves to implement its net neutrality rules. The regulations subjected broadband providers to new privacy scrutiny as a side effect, prompting the FCC to rework and adapt its privacy rules to the Internet age. That process is still ongoing amid a debate about how to update regulations written for legacy phone companies.

As a result, the agency's net neutrality decision this year could lead to even more enforcement from the agency on privacy and security. And with those actions could come more financial penalties for violators.

That's different from the Federal Trade Commission, which generally doesn't write rules. Instead, it cracks down on misbehaving companies using its authority to police unfair or deceptive practices. For online privacy and security, that often means bringing actions against companies who have violated their own privacy policies. And even then there are limits on when it can levy fines.

Thanks to a quirk of the legislation behind the FTC, the net neutrality reclassification effectively barred the FTC from using its enforcement powers against the network activities of broadband providers.

The FTC has pushed to change that rule. "While the FCC gets penalties, we get redress actions. We think consumers lose out when we are not also the cop on the beat," said Jessica Rich, the head of the FTC's Bureau of Consumer Protection, at an event with LeBlanc this fall.

But a recent memorandum of understanding between the two agencies committed them to work together to protect consumer privacy and data security — and confirmed that the FTC has the ability to go after “non-carrier” activities of Internet service providers.

Last month, the FCC also signaled that it wouldn’t dig into privacy issues of companies that merely use the Internet to operate, rather than operate the Internet, when it said no to a petition asking it to make companies like Facebook and Google respect when a user’s browser sends the “Do Not Track” signals Mayer helped shape.

But even if the “Do Not Track” debate is off Mayer’s plate at the FCC, his combined legal and technical expertise could prove particularly helpful when drafting new regulations and identifying violations.

“Understanding the tools it takes to promulgate policy is an added advantage,” said George Triantis, a Stanford law professor who worked with Mayer as the co-director of the university’s Cyber Initiative. “He can see the legal obstacles and also be able to evaluate the range of instruments available.”