While mobile communication is one of the most transformative technologies to develop, changing the way people speak to each other, record events, and, in particular, pay for things, it also has enabled several troubling areas of abuse, says Maureen Ohlhausen, a member of the Federal Trade Commission.
“Mobile payments offer the potential for dramatically increased convenience, security, and consumer choice for everyone with a mobile phone, as well as new competitive choices for business, both large and small,” she says. (She made these comments, speaking on her own behalf and not on behalf of the FTC, at a recent event hosted by the Electronics Transactions Association, the Federal Communications Bar Association, and the Merchant Advisory Group.)
Nevertheless, Ohlhausen outlined three specific areas that concern FTC and have been acted on: mobile cramming, in-app purchases, and data security.
• Cramming, or the placing of unauthorized third-party charges on mobile phone accounts.
“Mobile crammers sign up consumers for Premium SMS ʻsubscriptions’ without the consumers’ knowledge,” Ohlhausen says. “Such services generally consist of ringtones or text messages containing trivia or horoscopes and typically cost $9.00 per month. Unfortunately, mobile crammers have defrauded consumers of hundreds of millions of dollars using such charges.”
FTC, she says, has prosecuted more than 30 enforcement actions related to cramming in the last 15 years, focusing in the last couple of years on mobile cramming. In 2013, FTC brought five cases against merchants, resulting in more than $160 million in monetary judgments. This July, FTC filed its first mobile cramming action against a telecommunications company for allegedly deceptively concealing third-party cramming charges on billing statements and for allegedly failing to ensure that consumers had consented to such charges despite clear indications of fraud.
“I have long been concerned that fraudulent activity in this area, if unchecked could discredit mobile carrier billing and mobile payments in general,” Ohlhausen says.
• In-app purchases, in which purchasers fail to give informed consent about the charges.
Using in-app purchases, smartphone users can buy additional content, functionality, or other features within an app. The trouble comes when people are not made to understand that these are, in fact, purchases. In these cases, each of the companies received tens of thousands of complaints related to unauthorized in-app charges by children.
FTC enforcement action focuses on a failure to follow a fundamental consumer protection principle: before being charged, consumers must know what amount they are going to be charged and what action triggers that charge.
“Children spent hundreds, and in some cases, thousands of dollars on in-app purchases on their parents’ devices without the informed consent of the parents,” she says. Recent consent orders with Google and Apple (an Amazon case is in litigation) set a performance standard requiring the companies to explain, once per device, how in-app purchasing works. Express informed consent to that approach must be obtained from the account holder.
“The lesson of these cases for mobile payments more broadly is that any new technology must still comply with time-honored consumer protection principles,” Ohlhausen says.
• Data security, or trusting devices to hold and protect sensitive information.
“At the FTC, the touchstone of our data security enforcement is reasonableness: a company’s data security measures must be reasonable in light of the sensitivity and volume of consumer information it holds, the size and complexity of its data operations, and the cost of available tools to improve security and reduce vulnerabilities,” says Ohlhausen.
In this light, FTC settled a recent case with a movie ticket-purchasing app where the app developer overrode the default use of an SSL certificate validation process that helps verify the security of consumer communications, and thus insecurely transmitted payment and other information of millions of consumers.
“Mobile payment technology actually offers the potential for increased data security for financial transactions,” Ohlhausen says. “To me this is one of the most exciting things about mobile payment technology. It enables end-to-end encryptions throughout the entire payment chain, making transactions more secure than, for example, the swipe-and-sign credit card systems used in most retail outlets today.”
Again, speaking more broadly, she says, “My goal is to ensure that the FTC can help promote innovation in part by ensuring that consumers who embrace these advances can continue to rely on fundamental protections for their pocketbooks and their private information.”