The Federal Trade Commission’s Bureau of Consumer Protection has scored a couple of victories in Internet-related cases concerning security and privacy, convincing a judge to shut down a “rogue” ISP for distributing malware and reaching a settlement with Sears over a longstanding complaint over deceptive data collection practices.
A federal judge in the U.S. District Court’s Northern California District issued a temporary restraining order that froze the assets of Pricewert, a holding company that runs the ISP Triple Fiber Network, or 3FN, and ordered its servers to be disconnected from the Internet.
The FTC’s complaint alleged Pricewert was actively engaged in a wide variety of online criminal activity, including hosting child pornography, operating botnets and distributing spam.
In a memo presenting its case, the FTC detailed Pricewert’s alleged criminal activity, including excerpts of online exchanges over the messaging service ICQ between 3FN employees and its partners discussing plans to deploy botnets.
The memo alleged that Pricewert actively recruited and colluded with criminals, providing a “full-service Internet hosting facility that welcomes content no legitimate Internet Service Provider would ever willingly host.”
“This content includes a witches’ brew of child pornography, botnet command and control servers, spyware, viruses, trojans, phishing-related sites and pornography featuring violence, bestiality and incest.”
Pricewert is incorporated in Oregon with a data center and several mailing addresses in San Jose, but the FTC alleged that its U.S. operations are controlled by an overseas criminal network with extensive ties to Ukraine, Russia and Eastern Europe.
“They have what we consider a sham corporation based in Oregon,” FTC spokeswoman Claudia Bourne Farrell told InternetNews.com. “We have reason to believe that the principals in this are based in the Ukraine and in Russia.”
In its corporate filings, Pricewert reported its primary place of business as an address in Belize City, Belize, which the FTC believes serves only as a mail-drop.
A Pricewert employee, who spoke on the condition of anonymity because she was not authorized to talk to the press, told InternetNews.com, “We do plan to appeal.”
Spokespersons for the company declined to comment.
The court’s ruling called for a June 15 hearing, which would determine whether to extend the preliminary injunction pending the outcome of a full trial.
In the meantime, the Web sites of Pricewert, 3FN and other affiliates have been taken offline.
Pricewert apparently did not learn of the investigation until shortly before the FTC filed its lawsuit June 1. The agency kept the probe close to its vest, consulting with several security experts to mount what it considers a formidable body of evidence against Pricewert.
In cases like the Pricewert investigation, the FTC often does not notify the subject until it has already built its case, fearing that the company might shut down, destroy evidence or ship its assets overseas.
Sears settlement
Separately, the FTC has reached a settlement with Sears over a complaint about deceptive tracking of users’ Web browsing.
Under the proposed settlement, Sears agreed to destroy the information it collected through its “My SHC Community” site, and provide consumers clear and explicit notice about any online data-collection initiatives it launches going forward.
Sears Holdings Management Corporation, jointly owned by Sears, Roebuck and Company and Kmart, offered SHC members $10 if they agreed to download software that would track their online browsing.
Sears said the software was for “research” purposes, and promised users that the information would be kept confidential, but last January, security researchers claimed that Sears failed to provide adequate notice about the extent of the information it was collecting and how it was used.
The resulting FTC complaint alleged that Sears was collecting information such as bank statements, drug prescription records and the contents of online shopping carts through the program, and then sharing that data with third parties.
The details of the scope of the data collection were buried in the lengthy license agreement for the My SHC Community, which users only saw at the end of a multi-step registration process, the complaint alleged.
The FTC, now led by privacy-conscious Chairman Jon Leibowitz, has been sending signals recently that Web companies will have to provide clearer notice to consumers about their data-collection practices if they want to stave off government regulation.
The FTC is collecting public comment on the proposed settlement through July 6.
