A recent proposed FTC consent judgment sends a warning to avoid default program settings that compromise privacy when setup routines create the impression they do not. The FTC’s underlying complaint against Frostwire LLC, developer of P2P file-sharing applications, alleged that the firm’s software for the Android platform “was likely to cause a significant number of consumers installing and running it to unwittingly share personal files stored on their mobile computing devices with the public.” It’s desktop software allegedly “conveyed a misleading impression to consumers” that certain downloaded files would not be shared, when in fact they were.
The FTC alleged that the Android application was an “unfair design” because the default configuration immediately shared many files already stored on the device with no indication that the files were being transferred. This, the FTC noted, was inconsistent with the way many file sharing applications worked by default, including Frostwire’s desktop client. Moreover, claimed the FTC, if users wanted to share a specific file, they would first have to share a general category (and thus potentially numerous files) and then de-select those that were not to be shared through a “laborious process”–with all of the files available for sharing until the task was complete.
In the case of the desktop software, Frostwire was apparently consistent with many other file sharing applications in making available for sharing files downloaded from other users in the file sharing network. Even though this behavior was arguably expected (as suggested by the discussion of the Android application), the FTC alleged that the default program settings (shown when a user followed a setup wizard) created the opposite impression–effectively representing to the user that downloaded files were not shared by default. Similar issues existed in the user interface for indicating what files were shared (the indicators were alleged to be unclear at best) as well as in program behavior when file sharing was shut off (the choice only applied to files created after the choice was made, a point not at all clear).
The complaint includes numerous screen shots that exhibit the configuration dialogs and status displays that the FTC argued were unfair and misleading. Although far from models of clarity, what is striking is the similarity the interfaces of both applications bear to the operation of other software. While it is not clear from the complaint whether user documentation existed and, if it did, whether it provided a more complete and clear picture of the operation of the software, it appears that even if it did, that would have done little to change the outcome.
In sum, the short lesson is privacy by default–at least as a starting point