Endpoint
8/12/2015
08:05 AM

FTC to Black Hat Attendees: Help Us Make Good Tech Policy

The FTC's chief technologist made a direct appeal to security, privacy, and technology communities to get involved and help shape tech laws and policies.

Government needs the help of security, privacy, and technology communities to inform policymakers and politicians on technical topics, Ashkan Soltani, chief technologist at the Federal Trade Commission, told Black Hat attendees last week.

U.S. politicians and policymakers are not well-known for being technically savvy. It's a frequent joke that many of them still don't use email or carry smartphones, and are not as immersed in technology as their constituents. And when it comes to tackling complex technology topics, such as encryption or online privacy, they typically aren't well-versed in the details.

The problem arises when non-technical people debate technology policies and laws, such as the current drive to amend the Computer Fraud and Abuse Act, the debate over net neutrality, and the proposed Wassenaar rules. When people are discussing hot topics such as online security and privacy, information sharing, the right to be forgotten, patents, and vulnerabilities in medical devices, they need technologists to explain the implications, Soltani said.

"These are critical debates that are happening right now. It's important to be mindful of them and really engage," Soltani said, noting that his audience should feel "another call of duty" to get involved.

Soltani already advises the FTC on many issues, but the Commission needs more input from other sectors, as well.

"Make yourself heard and engage in these policy debates. It isn't about the pay, isn't the status—if you don't do this, other people will," Soltani said, noting that when left up to the non-technical people to shape policy, bad laws are inevitable.

The United States relies on an "alphabet soup" of regulations and legislation to protect consumer data and privacy online, including the Children's Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), Do Not Call, CAN-SPAM Act, Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, Soltani said.

The FTC has recently executed a number of enforcement actions against companies for privacy and security violations, including the settlement with Snapchat for misrepresenting how its texting app handled photos and messages, as well as the settlement with Fandango and Credit Karma over how they implemented SSL in their mobile apps. These cases involved technical and security issues that FTC lawyers and policymakers needed help understanding before they could proceed. The tech community's input was essential in helping the FTC build the cases and go after the violators, Terrell McSweeny, an FTC commissioner, told Black Hat attendees during the session.

McSweeny described the FTC complaint against Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores. Nomi promised consumers could opt out of tracking online and while in the physical stores where the tracking was taking place. However, retailers did not inform consumers when the tracking was taking place, and they also did not provide an opt-out mechanism in their stores. The technology relied on "promiscuous WiFi sniffing" of devices as consumers moved around the store as well as hashing device MAC addresses, Soltani said. Users who didn't want to be tracked would have to disable WiFi or GSM signals before entering the store.
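The privacy problem in the Nomi description is that hashing a MAC address produces a stable pseudonym, so a tracker can still link the same device across visits; an opt-out only works if it is enforced in that same hashed space. The following is an added illustration, not code from the article or from Nomi, using constructed MAC addresses and a hypothetical tracker backend.

```python
import hashlib
from collections import defaultdict

# Constructed sample: devices "seen" on three separate store visits (not real data).
VISITS = [
    ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"],
    ["aa:bb:cc:00:00:01", "aa:bb:cc:00:00:03"],
    ["aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"],
]


def hash_mac(mac: str) -> str:
    """Unsalted SHA-256 of a MAC address, as a hypothetical tracker might store it.
    Hashing hides the raw address but yields the same value every visit."""
    return hashlib.sha256(mac.lower().encode()).hexdigest()


def track(visits, opt_out_macs=()):
    """Return {hashed_mac: number_of_visits_seen}, honouring an opt-out list.
    Opt-outs are matched in hashed space, so the backend never needs to keep
    the raw MAC of a consumer who opted out."""
    opted_out = {hash_mac(m) for m in opt_out_macs}
    counts = defaultdict(int)
    for visit in visits:
        for mac in set(visit):            # count each device once per visit
            h = hash_mac(mac)
            if h in opted_out:
                continue
            counts[h] += 1
    return dict(counts)


def linkable_profiles(visits, opt_out_macs=()):
    """Hashed identifiers seen on more than one visit: hashing alone did not
    prevent cross-visit linkage, which is the privacy point in the complaint."""
    return {h for h, n in track(visits, opt_out_macs).items() if n > 1}
```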

"This is where Ashkan helps me understand what is going on," McSweeny said.

As technology continues to evolve and new products hit the market, the FTC's job will get even more complicated. The FTC acts in the consumer's interest and has to watch for companies that mischaracterize the security measures they have taken, or that violate their stated privacy policies in ways consumers would object to. The FTC needs to understand the technology behind new websites, software, and apps in order to determine whether the companies are sticking to their promises. As FTC commissioners set policy, they need researchers and technologists to keep engaging with the FTC and offering advice on technical issues.

People tend to trust company claims, so the FTC plays an important role in making sure the promises are being kept. The Commission is not interested in regulating the technology being used or dictating how things should be done. Its focus is on making sure companies have good processes in place and are doing the basic things the industry sees as "reasonable security," McSweeny said. The FTC is trying to identify key areas of research, best practices, and pitfalls, and to help inform consumers and companies.

“We’re here making a plug for your help,” McSweeny said.

The FTC isn't just looking for tech experts to offer advice and share knowledge. It also wants the technical skills to build products and solutions, too. The Commission was also at DEF CON as part of its Humanity Strikes Back contest. This contest encouraged developers to submit tools which could analyze call audio and identify robo-calls before transferring them to a honeypot. Two finalists showed off their applications at DEF CON, and the winner will be announced at a later date.

Soltani and McSweeny urged the audience to get involved by writing to the FTC, sending an email to [email protected], posting on Twitter to @techftc, or commenting on the Commission's blog at ftc.gov/tech. There is an "open-door policy" and the commissioners will listen to good research, McSweeny said.

“It’s not always fun, but on the other hand, telling a bunch of high-powered attorneys and politicians that they’re wrong can be fun sometimes,” Soltani said. 

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.

Comments
spyglassintel, User Rank: Apprentice, 8/12/2015 | 9:43:39 AM
Great story!
It's very encouraging, even in small doses, to see more of government turn to our community for advice and direction!