Staffing at the Division of Privacy and Identity Protection, which does the bulk of the FTC's privacy work and is under Vladeck's control, slid from 51 in 2011 to 50 in 2012, even though the data mining industry it oversees has rapidly expanded; it now employs more than 100,000 people and has revenues close to $5 billion, according to industry analyst and newsletter publisher Gregory Piatetsky-Shapiro. There are about 20 lawyers working on privacy cases at the FTC. "The bottlenecks are the lawyers for the most part," Soghoian said. And the FTC has another problem: Republican Rep. John Mica, chairman of the House Committee on Transportation and Infrastructure, is trying to evict the agency from its headquarters, which is on a prime block of Pennsylvania Avenue.

Vladeck has improvised. He described his strategy as similar to highway cops: the point isn't to catch every car that breaks the speed limit, but enough to signal to the others that they can't get away with much. He goes after the shiniest cars.

"When we sue a company like Google and get them under order for doing what we thought was a plain violation of the FTC Act, which was making material changes to their privacy policy without notifying people and getting their consent, the message we hope we sent loud and clear was, 'You can't do that. If we're going to go after Google, which is one of the biggest corporations in the world, you can bet were going to go after you too.'"

Yet those cases demonstrated the FTC's limits, too. The agency was created in 1914 to prevent unfair and deceptive practices in commerce. Unfairness is harder to prove in privacy (what's inappropriate data collection to one person might be fair and harmless to another), so the FTC is focusing enforcement efforts on deception. That means a company has to say one thing about its data-collection practices and do another. But many companies have privacy policies that say very little, in which case they aren't deceiving consumers if they do things that might be untoward.

Ironically, the best way for a company to avoid privacy tussles with the FTC is to not say much about its privacy practices. On the other side of things, many companies protect themselves from prosecution by fully disclosing their policies in dense legal jargon that few consumers bother to read; those who do have a hard time understanding that their personal data will be collected and shared in nearly infinite ways. Companies that follow these strategies, and many do, are difficult targets for the FTC.

Big firms like Google and Facebook, which depend on consumers using their services, cannot get away with having no policy at all or hiding behind legal hieroglyphics. They are the shiny cars that the FTC pulls over when it can. The agency pounced when Google introduced its Buzz social network because Gmail users were more or less swept into Buzz without their consent, even though Google had previously said it would not take unilateral action of that sort. The agency can take companies to court, but its overworked lawyers don't really have the time to go the distance against the bottomless legal staffs in Silicon Valley. The FTC settled the Buzz case with Google, which agreed to annual privacy audits for 20 years and promised to not lie to consumers about what the company does with their data. If Google violates the settlement, it then faces financial penalties that could be quite large; this is akin to a two-strike rule.