
> inadequately encrypted passwords,

Assuming this means unsalted hashes. Since when has the FTC been going after this?




That whole sentence is even more interesting: "the FTC alleges that CafePress failed to implement reasonable security measures to protect sensitive information stored on its network, including plain text Social Security numbers, inadequately encrypted passwords, and answers to password reset questions." Why would CafePress have anyone's SSN? I suppose potentially a merchant selling on it might need to have provided banking details, but that still doesn't seem like it should include a SSN?


An individual can sell custom/branded merchandise on CafePress. If CafePress is sending more than $600 per year to an individual, they have to issue a 1099, which has to have a TIN, which is going to be an SSN for most individuals.


Sole proprietors use their SSN for tax purposes. May also apply to single-member LLCs.


Can't Sole Proprietors obtain an EIN as well though? No way I'm using my SSN for stuff like that. I always used an LLC with an EIN.


They can. I assume DBAs (Doing business as) folks are the ones that use their SSN. Just real small-time shops.


I think the W9 form says to use SSN in case of a disregarded entity (such as a single member LLC).


> You must show your individual name and you may also enter your business or DBA name on the “Business name/disregarded entity” name line. You may use either your SSN or EIN (if you have one), but the IRS encourages you to use your SSN.

That's straight from the W-9 instructions. You _can_ use an EIN. In my opinion you _should_ use an EIN.


Now I'm even more confused, heh. From the previous page:

> If you are a single-member LLC that is disregarded as an entity separate from its owner, enter the owner’s SSN (or EIN, if the owner has one). *Do not enter the disregarded entity’s EIN*

Edit: I suppose the distinction is that you should have an EIN for your name


Many sole proprietors execute under their SSN. Most will not bother to acquire an EIN.


Income reporting? If you’re a non-business merchant? Or if you’re a business, the business's tax is?

This is me stabbing in the dark, no actual knowledge or anything :)


I was curious about what legal theory they were using to enforce this. It appears that 5/7 of the counts are just false or misleading statements - CafePress claimed to have good security but didn't. Another is just tangentially related to security. The interesting one is Count III:

> As described in Paragraph 11, Respondents’ failure to employ reasonable data security measures to protect Personal Information caused or is likely to cause substantial injury to consumers that is not outweighed by countervailing benefits to consumers or competition and is not reasonably avoidable by consumers themselves. This practice is an unfair act or practice. ...

> in violation of Section 5(a) of the Federal Trade Commission Act.

If I'm reading this correctly, it is saying that the FTC interprets poor security of users' data to be in violation of the FTC Act even outside of any promises given to the customer. That seems like a big stretch IMO.


It's the legal theory of "agree to these things or we're going to publicly try to nail your assets to the wall" - even if they actually can't do it, do you want to pay the costs of fighting it, or give the FTC their little PR moment.


I'm a little nerd-sniped by the callout over using SHA-1; SHA-1 is broken in a way that has nothing to do with password storage security (they're not using a password KDF at all, so the thrust of the complaint isn't wrong, and no sane person would use SHA-1 to build a new password KDF in 2019, but still!)


I saw one darknet site where they didn't keep hashes, so they could go off and use all the various algos (SHA, MD5, etc.) and then see where else those users were members (by looking for the password, if they were dumb enough). I wonder how often that happens in the corporate world, but absent a whistleblower or a helpful hacker no one would find out.

(I'm not clear if they were being run by the police when I showed up, or if that was an extortion technique, but it's been over two years since that adventure, so the CFAA has expired and if someone takes issue I tried to take down a den of hurtcore creeps because one of them obstructed my job search before the portmanteau had been popularized, form a line to my left so you don't interfere with the baristas taking orders, as I operate in the clear and I will not abide absolute scumbags who abuse their access.)


> they didn't keep hashes, so they could go off and use all the various algos (sha, md5 etc) then see where else those users were members (by looking for password if they were dumb enough), I wonder how often that happens in the corporate world

https://en.wikipedia.org/wiki/Credential_stuffing

Indeed, it's a major problem.


Oh yeah I know the re-use is common, I more meant the technique of purposefully not hashing or disabling hashing to compare hashes across services and connect users.
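The two comments above (the SHA-1 nerd-snipe and the cross-service hash-matching technique) come down to the same property: an unsalted fast hash maps equal passwords to equal stored values, so two leaked tables can be joined on the hash column and shared passwords show up without any cracking. The following is an added illustration, not code from the thread or from CafePress; the user records are constructed, and the PBKDF2 iteration count is an assumed parameter.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Constructed sample records (not real data); alice and bob reuse a password.
USERS = {
    "alice": "correct horse battery staple",
    "bob": "correct horse battery staple",
    "carol": "hunter2",
}

def store_unsalted_sha1(password: str) -> str:
    """The scheme the complaint objects to: one unsalted SHA-1 digest per password.
    Deterministic, so equal passwords produce equal records across users and sites."""
    return hashlib.sha1(password.encode()).hexdigest()

def store_pbkdf2(password: str, salt: Optional[bytes] = None,
                 iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """Salted, iterated KDF (PBKDF2-HMAC-SHA256). A fresh random salt per user means
    the same password yields a different record every time it is stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)

def verify_pbkdf2(password: str, salt: bytes, expected: bytes,
                  iterations: int = 600_000) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(dk, expected)

def linkable_users(records: Dict[str, str]) -> Dict[str, List[str]]:
    """Group users whose stored values are identical. This is the check a defender can
    run on their own table: any non-empty result means the storage scheme leaks
    password reuse (and would let this table be joined against another leak)."""
    groups: Dict[str, List[str]] = {}
    for user, stored in records.items():
        groups.setdefault(stored, []).append(user)
    return {h: users for h, users in groups.items() if len(users) > 1}

def demo() -> Dict[str, Dict[str, List[str]]]:
    unsalted = {u: store_unsalted_sha1(p) for u, p in USERS.items()}
    salted = {u: store_pbkdf2(p)[1].hex() for u, p in USERS.items()}
    return {
        "unsalted_links": linkable_users(unsalted),  # alice and bob collide
        "salted_links": linkable_users(salted),      # nothing collides
    }
```

Note that SHA-1's collision weakness plays no part here: the linkage works equally with SHA-256 as long as there is no salt, which is the point the nerd-sniped comment makes.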


For all the apparent inaction and broken promises of the Biden administration, it's been very refreshing to see "technical" government agencies returning to basic competency, and in some cases apparently actively bucking long trends of regulatory capture. The bureaucrats seem surprisingly progressive this cycle (once again highlighting the fragility of a system that functions in spite of, rather than because of, the primary lawmaking body). It's a shame that they will probably be voted out next go around, possibly in favor of the prior Twitter User In Chief.


They're not going after them for that. They're going after them for that plus an incredibly long list of other basic security failures, failing to notify customers that their personal data was now in the wild, and other negligence.



