MoviePass Lawsuit Confirms Company Changed Most Active Subscribers' Passwords to Slow Usage

You couldn't get more popular than MoviePass when the service initially rolled out, and it's easy [...]

You couldn't get more popular than MoviePass when the service initially rolled out, and it's easy to see why. Paying just $10 a month to see as many movies as you want seems too good to be true, and while it did work out for customers the first few months, it turned out it was indeed too good. Eventually, MoviePass had to shut down and its parent company filed for bankruptcy, but between its inception and its ultimate demise the company tried just about everything to stay afloat, and that included frauding its customers out of what the service promised by changing passwords so that its most active subscribers couldn't, you know, buy tickets. Now all the details of that decision have come out thanks to a U.S. Federal Trade Commission action, and it's surreal (via Bloomberg).

The action details the settlement that MoviePass and its parent company have agreed upon, and the order to change the most active users' passwords to slow down the usage of the service came from the top. In fact, this was actually a smaller rollout of the practice than they initially wanted, as CEO Mitch Lowe initially wanted to enable this on a higher amount of accounts, but got pushback.

The Federal Trade Commission action reads "The operators of the MoviePass subscription service have agreed to settle Federal Trade Commission allegations they took steps to block subscribers from using the service as advertised, while also failing to secure subscribers' personal data.

Under the proposed settlement, MoviePass, Inc., its parent company Helios and Matheson Analytics, Inc. (Helios), and their principals, Mitchell Lowe and Theodore Farnsworth, will be barred from misrepresenting their business and data security practices. In addition, any businesses controlled by MoviePass, Helios, or Lowe must implement comprehensive information security programs.

'MoviePass and its executives went to great lengths to deny consumers access to the service they paid for while also failing to secure their personal information,' said Daniel Kaufman, the FTC's Acting Director of the Bureau of Consumer Protection. 'The FTC will continue working to protect consumers from deception and to ensure that businesses deliver on their promises.'

In its complaint, the FTC alleges that MoviePass, Inc.—along with its CEO, Lowe, as well as Helios and Farnsworth, CEO of Helios—deceptively marketed its "one movie per day" service promised to subscribers who paid for its $9.95 monthly service. According to the FTC, MoviePass's operators invalidated subscriber passwords while falsely claiming to have detected 'suspicious activity or potential fraud' on the accounts. MoviePass's operators did this even though some of its own executives raised questions about the scheme, according to the complaint."

The action continues to shed light on the password disruption program, as 75,000 subscribers who used the service most frequently were singled out and had their passwords changed due to what the company said at the time was "suspicious activity or potential fraud". They then made it incredibly difficult to reset their passwords.

"Under Respondents' password disruption program, Respondents invalidated the passwords of the 75,000 subscribers who used the service most frequently while claiming that 'we have detected suspicious activity or potential fraud' on the affected subscribers' accounts The password disruption program impeded subscribers' ability to view movies because MoviePass's password reset process often failed.

Indeed, when discussing the password disruption program, a MoviePass executive acknowledged that subscribers using a common smartphone operating system would encounter technical difficulty in resetting their passwords. When subscribers attempted to contact MoviePass's customer service about their inability to reset their MoviePass passwords, Respondents often responded weeks later or not at all," the action goes on to say.

This was proposed on April 11th, 2018, and Lowe chose the number of users that would be affected. Executives were worried about this alerting the FTC and causing more issues with them, so the initial number of affected accounts was lowered to 2% of the highest volume users.

"On April 11, 2018, an employee of Respondent Helios, writing from Farnsworth's personal email address and expressly 'on behalf of Ted [Farnsworth]" to Lowe and others, proposed a notice that informed subscribers that their account passwords were required to be reset due to "suspicious activity or potential fraud.' Lowe circulated the proposed notice to MoviePass executives for comment and personally ordered subscribers' passwords to be disrupted in accordance with this plan. Lowe also personally chose the number of consumers who would be affected by the program.

When Lowe and Farnsworth presented the disruption program to other executives of Respondent MoviePass, one executive warned that the password disruption program 'would be targeting all of our heavy users' and that 'there is a high risk this would catch the FTC's attention (and State AG's attention) and could reinvigorate their questioning of MoviePass, this time from a Consumer Protection standpoint.' (Emphasis in original).

Another executive agreed, warning of 'FTC Fears: All [the other MoviePass executive's] notes about FTC and PR [public relations] fire are my main concerns as I think the PR backlash will flame the FTC stuff.' (Emphasis in original). In response to these concerns, Lowe responded, 'Ok I get it. So let[']s try this with a small group. Let[']s say 2% of our highest volume users.' Respondents MoviePass and Lowe tracked the effect of password disruption on subscribers' use of the service. For example, Respondents MoviePass and Lowe found that only one-half of affected subscribers had successfully reset their passwords one week after they executed their plan."

As for the settlement, MoviePass and its parent company did not have to pay a fine but will be barred from misrepresenting their business and data security practices. They will also have to implement comprehensive information security programs in any future business controlled by MoviePass, Helios and Matheson Analytics, Inc, or Lowe.

0comments