8/12/2015 08:05 AM

FTC to Black Hat Attendees: Help Us Make Good Tech Policy

The FTC's chief technologist made a direct appeal to security, privacy, and technology communities to get involved and help shape tech laws and policies.

Government needs the help of security, privacy, and technology communities to inform policymakers and politicians on technical topics, Ashkan Soltani, chief technologist at the Federal Trade Commission, told Black Hat attendees last week.

U.S. politicians and policymakers are not well-known for being technically savvy. It's a frequent joke that many of them still don't use email or carry smartphones, and are not as immersed in technology as their constituents. And when it comes to tackling complex technology topics, such as encryption or online privacy, they typically aren't well-versed in the details.

When non-technical people debate technology policies and laws, such as the current drive to amend the Computer Fraud and Abuse Act, the debate over net neutrality, and the proposed Wassenaar rules, there is a problem. When people are discussing hot topics such as online security and privacy, information sharing, the right to be forgotten, patents, and vulnerabilities in medical devices, they need technologists to explain the implications, Soltani said.

"These are critical debates that are happening right now. It's important to be mindful of them and really engage," Soltani said, noting that his audience should feel "another call of duty" to get involved.

Soltani already advises the FTC on many issues, but the Commission needs more input from other sectors, as well.

"Make yourself heard and engage in these policy debates. It isn't about the pay, isn't the status—if you don't do this, other people will," Soltani said, noting that when left up to the non-technical people to shape policy, bad laws are inevitable.

The United States relies on an "alphabet soup" of regulations and legislation to protect consumer data and privacy online, including the Children's Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), Do Not Call, CAN-SPAM Act, Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, Soltani said.

The FTC has recently executed a number of enforcement actions against companies for privacy and security violations, including the settlement with Snapchat for misrepresenting how its texting app handled photos and messages, as well as the settlements with Fandango and Credit Karma over how they implemented SSL in their mobile apps. These cases involved technical and security issues that FTC lawyers and policymakers needed help understanding before they could proceed. The tech community's input was essential in helping the FTC build the cases and go after the violators, Terrell McSweeny, an FTC commissioner, told Black Hat attendees during the session.

McSweeny described the FTC complaint against Nomi Technologies, a company whose technology allows retailers to track consumers' movements through their stores. Nomi promised that consumers could opt out of tracking online and while in the physical stores where the tracking was taking place. However, retailers did not inform consumers when the tracking was taking place, and they also did not provide an opt-out mechanism in their stores. The technology relied on "promiscuous WiFi sniffing" of devices as consumers moved around the store, combined with hashing of device MAC addresses, Soltani said. Users who didn't want to be tracked would have had to disable WiFi or GSM signals before entering the store.

"This is where Ashkan helps me understand what is going on," McSweeny said.

As technology continues to evolve and new products hit the market, the FTC's job will get even more complicated. The FTC acts in the consumer's interest and has to watch for companies that mischaracterize the security measures they have taken, or that violate their stated privacy policies in ways consumers would object to. The FTC needs to understand the technology behind new websites, software, and apps in order to determine whether companies are keeping their promises. As FTC commissioners set policy, they need researchers and technologists to keep engaging with the FTC and to offer their advice on technical issues.

People tend to trust company claims, so the FTC plays an important role in making sure those promises are kept. The Commission is not interested in regulating the technology being used or dictating how things should be done. Its focus is on making sure companies have good processes in place and are doing the basic things the industry sees as "reasonable security," McSweeny said. The FTC is trying to identify key areas of research, best practices, and pitfalls, and to help inform consumers and companies.

“We’re here making a plug for your help,” McSweeny said.

The FTC isn't just looking for tech experts to offer advice and share knowledge. It also wants technical skills to build products and solutions. The Commission was also at DEF CON as part of its Humanity Strikes Back contest, which encouraged developers to submit tools that could analyze call audio and identify robo-calls before transferring them to a honeypot. Two finalists showed off their applications at DEF CON, and the winner will be announced at a later date.

Soltani and McSweeny urged the audience to get involved by writing to the FTC, sending an email to [email protected], posting on Twitter to @techftc, or commenting on the Commission's blog at ftc.gov/tech. There is an "open-door policy," and the commissioners will listen to good research, McSweeny said.

"It's not always fun, but on the other hand, telling a bunch of high-powered attorneys and politicians that they're wrong can be fun sometimes," Soltani said.

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.

Comments
spyglassintel, User Rank: Apprentice
8/12/2015 | 9:43:39 AM
Great story!
It's very encouraging, even in small doses, to see more of government turn to our community for advice and direction!