January 30, 2014 — LabMD, a business that provides cancer-screening services for physicians, has stopped testing specimens and is winding down operations because of government regulators. No, it has not been accused of malpractice. No, it has not been convicted of anything. Rather, the Federal Trade Commission has harassed it for years, and now Michael Daugherty, its owner, has decided that the financial costs of running his enterprise while defending himself against malicious federal persecutors are too high.
Daugherty has documented his plight and fight in a new book, The Devil Inside the Beltway. LabMD’s story highlights one of the nation’s most urgent yet underappreciated problems: out-of-control government bureaucracies wielding arbitrary, destructive power.
A missing file
It all started in May 2008 when LabMD received a call from a cyber-security company telling Daugherty that it had discovered, somewhere out in cyberspace, a LabMD electronic file containing confidential patient information. The company provided few details but offered to deal with the problem as part of a security contract.
The LabMD team could not find the file anywhere on the World Wide Web. They concluded that it wasn’t out there waiting for identity thieves to seize it, and Daugherty did not take up the security contract offer. Months later the security firm informed LabMD that it might be in touch with the Federal Trade Commission about the situation.
Meanwhile, Daugherty’s team had identified the security problem. An employee, against company policy, had installed music-sharing software on one LabMD computer. Such so-called peer-to-peer (P2P) software lets users share files with one another, not only for downloading music but for business purposes. It works by making the contents of a designated shared folder available to every other user of the P2P network; that network is separate from the World Wide Web, so a file exposed this way will not turn up in a web search. As with much software, security problems with P2P came to be recognized as its use spread: a sensitive file that ends up in the shared folder, whether by mistake or because the client was configured to share more than intended, is visible to anyone on the network who looks for it. Of course, LabMD had the software
Enter the FTC
Daugherty thought his company had dealt with the security problem, but in January 2010 the FTC came calling, asking for a data dump from LabMD as part of an inquiry into the business’s security. At substantial cost in staff time, money, and lost productivity, LabMD complied. Daugherty thought his company had nothing to hide and complying in full would be the best way to prove it.
But the story soon got darker. The FTC was now pursuing a wider, open-ended inquiry into LabMD. At that point Daugherty balked. What was really going on? What was the FTC after?
The FTC is charged by law with protecting consumers from unfair acts or practices. Under Section 5 of the FTC Act, the Commission argues that such practices include collecting and storing very sensitive consumer information while failing to use reasonable and appropriate security measures to prevent that information from being disclosed without proper authorization. But the FTC Act explicitly says that an act or practice is “unfair” when it “causes or is likely to cause [emphasis added] substantial consumer injury.”
Daugherty says none of LabMD’s patients’ identities had been released or made public and, in any case, LabMD had taken care of its security leak. The FTC still might argue that downloading music-sharing software onto a LabMD computer was “likely to cause substantial consumer injury,” and that LabMD should be held responsible for it even though it was done by one employee against company policy and remedied promptly when discovered. Quite a stretch, but this was the government.
If the FTC really sought to protect consumers, surely it should have been working with businesses like LabMD to help them make their security as tight as possible.
Behind closed doors
Daugherty says he eventually figured out what kind of game the FTC was playing: It hadn’t filed an administrative complaint, let alone gotten prosecutors to file a criminal indictment against LabMD, but it was using its authority to consume more and more of the company’s and Daugherty’s time by extracting information in what seemed pointless inquiries. What were Daugherty’s avenues of appeal?
Because of the nature of the agency, the first rounds of appeal are handled by the agency itself: an administrative law judge hears the complaint, and that decision is reviewed by the same Commission that brought it. It would be prosecutor, judge, and jury. It would take many steps and much time and money for LabMD to get such appeals before regular federal courts; courts are usually reluctant to step in until a party has exhausted the administrative process within the FTC. The trouble was, this process would exhaust LabMD’s and Daugherty’s assets as well.
In the process of battling the FTC, Daugherty says he made another disturbing discovery: Tiversa, the company that started the whole mess, was acting on a Department of Homeland Security grant to essentially go on a fishing expedition, to look for leaks in P2P networks, in the process using veiled threats to shake down businesses for security contracts.
After several years of fights with LabMD, the FTC did file a formal administrative complaint against Daugherty’s company.
No rules, not right
LabMD, of course, wanted to protect its patients’ privacy and to comply with the law. The problem was that there was no law to comply with. Specifically, the FTC had no rules that spelled out the security arrangements that would be acceptable.
This fact was made clear in a September 25, 2013 hearing over the FTC complaint before administrative law judge Michael Chappell. The judge asked the FTC attorney Alain Sheer, “Has the Commission issued guidelines for companies to utilize to protect this information, or is there something out there for a company to look to?” Sheer’s answer was “There is nothing out there for a company to look to.” The judge also asked, “Is there a rulemaking going on at this time or are there rules that have been issued in this area?” Sheer responded that “There is no rulemaking, and no rules have been issued.”
Sheer revealed the FTC’s real agenda—and its abuse of power—when he explained to the judge that “The Commission has entered into almost 57 negotiations and consent agreements that set out a series of vulnerabilities that firms should be aware of, as well as the method by which the Commission assesses reasonableness.”
So it seems that the FTC wanted Daugherty, in signing on to a consent agreement, to affirm something like the following: “Though I’m not guilty of violating any specific laws or regulations, you want me essentially to admit to some sort of wrongdoing, and then agree to comply with whatever security mandates you offer in the future.”
There are procedures in our system of government by which regulators establish rules and even guidelines—hence the inquiry from the administrative judge. Proposed rules are posted, there are public comment periods, and agencies must report about how their rules satisfy legislative mandates. But the FTC had not gone through this process to establish security rules with which Daugherty could have complied. It seemed to be trying to establish standards by using drawn-out, costly inquiries to bully businesses into accepting “consent agreements.”
Part of the agreement the FTC wanted Daugherty to sign would have committed him to checks of his business’s security every two years for perhaps twenty years to ensure it continued to meet the FTC’s non-existent criteria.
Of course, Daugherty, like all conscientious business folks, can only keep clients and customers by ensuring, among other things, that their security is protected. But the idea of agreeing to twenty years of FTC oversight of security when the FTC cannot even provide standards for present issues would make no business sense. And signing on to twenty years of security oversight in our fast-changing communications and information age only opens an enterprise to an even more uncertain future. Consider that twenty years ago there were fewer than 16 million internet users worldwide, compared to nearly 3 billion today. Twenty years ago Steve Jobs was still in exile from Apple; smartphones and iPads were a decade away. Google did not exist, nor did Amazon.com. What turns technology will take twenty months from now—to say nothing of twenty years—is impossible to predict. Even with some current standards spelled out by the FTC, in the long run entrusting security to arbitrary government bureaucrats or appointees would endanger any business.
It seems that the FTC has focused so much on persecuting Michael Daugherty because he has refused to play the government’s game. He has refused to roll over and have his rights violated. He has stood up to the agency’s attempt to make law by bullying.
There is much more to this story: it can be found in Daugherty’s book. And his fight with the FTC is not over. But anyone who cares about free markets, business rights, and due process should take two lessons from LabMD’s fight. First, at minimum, all government regulatory agencies should be brought under the rule of law and their arbitrary power eliminated. And second, we should question whether we need such agencies to begin with, and whether such functions as customer security are best left to private companies and their customers.