On September 5, 2017, the Federal Trade Commission (FTC) announced that it and 32 state attorneys general had settled charges with Lenovo, Inc., regarding the company’s practice of pre-loading advertising software on its laptops that compromised consumers’ cybersecurity and privacy.1 In many respects, the case was reasonably straightforward: the facts as alleged were clear, and the terms of the settlement were not unusual. But what makes this case interesting are the dueling concurrences issued by Acting Chairman Ohlhausen and Commissioner McSweeny regarding the FTC’s authority to challenge omissions. These concurrences continue a debate that has been stirring on and off at the FTC for more than 30 years, and they raise important questions about the agency’s future enforcement priorities.
Beginning in August 2014, Lenovo included an advertising software solution called VisualDiscovery as part of standard, pre-installed software packages on its laptops. VisualDiscovery delivered pop-up ads from its retail partners when users hovered their cursor over similar items on websites. According to the FTC’s complaint, VisualDiscovery used a “man-in-the-middle” technique to deliver its ads, allowing the software to view all of the data transmitted between the user and a website. The complaint alleges that VisualDiscovery collected a limited amount of information—the websites the user browsed and the consumer’s IP address—but the software had the ability to collect much more information, including credit card information, passwords, and Social Security numbers. The FTC also alleged that the software used an insecure method to replace digital certificates on encrypted websites without adequately verifying the websites’ digital certificates, and the “same, easy-to-crack password on all affected laptops,” leaving users’ laptops subject to attack and undermining the ability of web browsers to warn users of potentially insecure websites.
The FTC’s complaint charged VisualDiscovery with preventing consumers from having the benefit of basic security features provided by their Internet browsers for encrypted HTTPS connections. The complaint includes three counts, all alleging security related violations of Section 5 of the FTC Act:
A deceptive failure to disclose that VisualDiscovery was enabled on the laptop and that it would present ads and serve as a proxy “middle man”
Unfair pre-installation of VisualDiscovery without adequate notice or informed consent that the software acted as a man-in-the middle
Unfair security practices based on Lenovo’s failure to take reasonable measures to address security risks from this software
Even though Acting Chairman Ohlhausen and Commissioner McSweeny both voted to issue the FTC’s complaint and accept the settlement, they issued conflicting concurring statements about the scope of the FTC’s authority to bring deceptive omission cases. Commissioner McSweeny took the position that Lenovo’s unlawful conduct went beyond the data security allegations in the complaint. Her concurrence focused on Lenovo’s failure to disclose to consumers that the pre-installed software would inject pop-up ads and that such activity would disrupt their web browsing by reducing download and upload speeds. She argued that the failure to disclose this information constituted a deceptive omission of material facts relevant to consumers, asserting that “Lenovo deceptively omitted that VisualDiscovery would alter the very Internet experience for which most consumers buy a computer.”2
Acting Chairman Ohlhausen, on the other hand, cautioned against an overly broad application of the FTC’s deceptive omission authority. Specifically, she took the position that Lenovo’s silence about VisualDiscovery’s ad-placement issues and web-browsing effects, while perhaps irritating to consumers, did not rise to the level of a deceptive omission. Ohlhausen further stated that it is critical for the FTC to maintain a clear distinction between deceptive omissions and unfair omissions and that “[w]hen evaluating the legality of a party’s silence, [the FTC] must be careful not to circumvent unfairness’s higher evidentiary burden by simply restyling an unfair omission as a deceptive omission.”3
Acting Chairman Ohlhausen and Commissioner McSweeny both referenced the FTC’s 1984 opinion in a litigated administrative case, International Harvester Co.,4 which lays out the analytical framework that the commission has relied on in considering how to treat omissions.
The facts in Harvester were reasonably straightforward: International Harvester tractors were subject to dangerous “fuel geysering” when, subject to heat from the tractor’s operation, the fuel began to boil. When the operator opened the fuel cap, the fuel could blast out of the tank up to 20 feet and cause serious injury to the operator. The FTC found that there were about 90 incidents of fuel geysering, including 12 serious injuries and one death. The commission also found that the company was aware of the problem and that there were a number of simple, easy to implement safety features that the company did not take advantage of.
In its analysis of liability, the FTC presented a thorough examination of the legal framework for considering an omission to be deceptive or unfair. The commission identified two circumstances where an omission may be deceptive: (1) when a seller tells a half-truth, but fails to disclose information that qualifies or limits the statement and prevents it from being deceptive;5 and (2) where a seller remains silent under circumstances that create a false impression. According to the FTC, a seller’s silence may violate Section 5, but only where the information at issue relates to “ordinary consumer expectations as to the irreducible minimum performance standards for a particular class of goods.”6 Notably, both the Acting Chairman and Commissioner McSweeny cited this line in their Lenovo concurrences.
The FTC also found that “pure omissions”—where a seller has said nothing and, under the circumstances, there is no particular meaning that can be attributed to the silence— should not be analyzed under the deception framework for two reasons. First, doing so could easily expand the notion of deception to include virtually anything, since different consumers could have mistaken pre-conceived notions about almost anything. Second, a pure omission does not necessarily reflect a deliberate act and there is no basis for thinking that a remedial order will produce any benefits. Pure omissions are analyzed, instead, under the FTC’s unfairness authority, which requires a full cost benefit analysis.
The FTC ultimately found that International Harvester’s failure to warn consumers about fuel geysering was unfair given the modest cost involved in disclosing the issue and the very substantial and real injury that was caused.
The concurrences in Lenovo seem to center on the Harvester issue of what “ordinary consumer expectations as to the irreducible minimum performance standards for a particular class of goods” really means. Commissioner McSweeny’s statement suggests that the ordinary consumer would expect their laptop to be free of any software that would inject pop-up ads and slow down their browsing speed. Acting Chairman Ohlhausen, on the other hand, admits that these features may be “annoyances” but do not frustrate the “irreducible minimum performance standards” that a consumer would expect.
At their root, the concurrences disagree over where to draw the line on deceptive omissions: when do companies’ practices rise to the level of requiring a disclosure, and when are they merely irritating or unfriendly to consumers? To answer this question, it can be helpful to examine the practice at issue in light of what is common in the industry. For example, new computers and mobile phones often include pre-installed software, including marketing software, that has some impact on device performance. While some consumers may not want all of the software, the existence of pre-installed software on a computer or mobile phone is a common practice that a reasonable consumer should expect, and does not rise to the level of frustrating the very purpose for which the consumer purchased the machine (indeed, the consumer may be hard pressed to find a machine that does not include such software). On the other hand, if, as in Lenovo, the pre-installed software contains unusual security risks that may not be present in similar products, this information should probably be disclosed. A reasonable consumer, even one who is familiar with pre-installed marketing software, would not expect that the software would frustrate the consumer’s ability to securely access encrypted websites.
Acting Chairman Ohlhausen’s statement also signals her commitment to focus more on instances of actual injury over practices that may be undesirable to a consumer but not necessarily injurious. While the FTC grapples with what should constitute actual harm in the privacy and security space, Ohlhausen’s concurrence at least signals one clear message: mandating disclosure in the absence of a practice that causes actual injury to consumers can result in unnecessary over-disclosure. It remains to be seen how this policy position plays out in other areas of the FTC’s enforcement agenda.
1 See our September 2017 WSGR Alert reporting on the settlement.
2 See Statement of Commissioner Terrell McSweeny, In the Matter of Lenovo, Inc. (September 5, 2017), available at https://www.ftc.gov/system/files/documents/public_statements/1250843/1523134lenovotmstatement2.pdf.
3 See Statement of Acting Chairman Maureen K. Ohlhausen, In the Matter of Lenovo, Inc. (September 5, 2017), available at https://www.ftc.gov/system/files/documents/public_statements/1250833/1523134lenovomkostatement.pdf
4 International Harvester Co., 104 FTC 949 (1984).
5 For example, a claim that a company is offering a 30 day money back guarantee, but fails to disclose that there is a 50 percent restocking fee.
6 International Harvester, 104 FTC at 1058.