Proposed Consent Agreement In the Matter of HTC America, Inc., File No. 122 3049 #00007

Submission Number:
HTC Evo 4G Victim
Initiative Name:
Proposed Consent Agreement In the Matter of HTC America, Inc., File No. 122 3049
Matter Number:

122 3049

As I offer my opinion, I appreciate the FTC’s forewarning me that my comments about the FTC’s proposed settlement with HTC will be made public and encouraging me to protect private information. The FTC recognizes that private information includes: ""sensitive personal information, such as an individual's Social Security Number; date of birth; driver's license number or other state identification number, or foreign country equivalent; passport number; financial account number; or credit or debit card number... any sensitive health information, such as medical records and other individually identifiable health information…[and] should not include any [t]rade secrets and commercial or financial information…[which is] privileged or confidential” including, we presume, user names and passwords. The FTC’s forewarning us whenever such personal and private information will be published is thoroughly responsible. It demonstrates that the FTC recognizes that such information is precious but once released persists and promulgates without prediction for various unknown purposes. Certainly the FTC is aware that HTC’s behavior lead to the unauthorized storage and release of exactly that type of information. Yet what the FTC proposes is that HTC merely agree to do what it should have done from the beginning: stop turning a blind eye to the industry’s alarms and implement a security model that precludes unauthorized access to private information. Those steps do nothing to help HTC customers—I own a HTC Evo 4G—understand what personal information HTC put at risk, who had access to that personal information, what personal information they obtained or anything else by which HTC customers can ameliorate the harm HTC caused. The harm HTC caused is palpable. HTC harmed customers who used their handsets to access systems requiring user names and passwords and now have to wonder whether HTC enabled other parties to do so, too. HTC harmed customers who stored their own and others’ private information now have to wonder who else has that information... Despite that, the FTC doesn’t require HTC to define the risks it imposed on its customers or even advise customers that their personal information was at risk and their privacy damaged. In these days when the US government makes public declarations decrying cyber-attacks and cyber-intelligence, it is incomprehensible that the FTC allows HTC to walk away from their conspicuous, continuous and careless or even consciously incompetent security model. What signal does that send to other vendors who offer products to the US market? More specifically, what is the FTC doing when, in possession of evidence so clearly demonstrating HTC’s defects, does so little to insure that HTC fixes the damages it caused? And what example is the FTC setting when vendors jeopardize private information?