Government needs the help of security, privacy, and technology communities to inform policymakers and politicians on technical topics, Ashkan Soltani, chief technologist at the Federal Trade Commission, told Black Hat attendees last week.
U.S. politicians and policymakers are not well-known for being technically savvy. It's a frequent joke that many of them still don't use email or carry smartphones, and are not as immersed in technology as their constituents. And when it comes to tackling complex technology topics, such as encryption or online privacy, they typically aren't well-versed in the details.
There is a problem when non-technical people debate technology policies and laws, such as the current drive to amend the Computer Fraud and Abuse Act, the debate over net neutrality, and the proposed Wassenaar rules. When people discuss hot topics such as online security and privacy, information sharing, the right to be forgotten, patents, and vulnerabilities in medical devices, they need technologists to explain the implications, Soltani said.
"These are critical debates that are happening right now. It's important to be mindful of them and really engage," Soltani said, noting that his audience should feel "another call of duty" to get involved.
Soltani already advises the FTC on many issues, but the Commission needs more input from other sectors, as well.
"Make yourself heard and engage in these policy debates. It isn't about the pay, isn't the status—if you don't do this, other people will," Soltani said, noting that when left up to the non-technical people to shape policy, bad laws are inevitable.
The United States relies on an "alphabet soup" of regulations and legislation to protect consumer data and privacy online, including the Children's Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), Do Not Call, CAN-SPAM Act, Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, Soltani said.
The FTC has recently executed a number of enforcement actions against companies for privacy and security violations, including the settlement with Snapchat for misrepresenting how its texting app handled photos and messages, as well as the settlement with Fandango and Credit Karma over how they implemented SSL in their mobile apps. These cases involved technical and security issues that FTC lawyers and policymakers needed help understanding before they could proceed. The tech community's input was essential in helping the FTC build the cases and go after the violators, Terrell McSweeny, an FTC commissioner, told Black Hat attendees during the session.
McSweeny described the FTC complaint against Nomi Technologies, a company whose technology allows retailers to track consumers' movements through their stores. Nomi promised that consumers could opt out of tracking online and while in the physical stores where the tracking was taking place. However, retailers did not inform consumers when the tracking was taking place, and they also did not provide an opt-out mechanism in their stores. The technology relied on "promiscuous WiFi sniffing" of devices as consumers moved around the store, as well as hashing device MAC addresses, Soltani said. Users who didn't want to be tracked would have had to disable WiFi or GSM signals before entering the store.
"This is where Ashkan helps me understand what is going on," McSweeny said.
As technology continues to evolve and new products hit the market, the FTC's job will get even more complicated. The FTC acts in the consumer's interest and has to watch for companies that mischaracterize the security measures they have taken, or that violate their stated privacy policies in ways to which consumers would object. The FTC needs to understand the technology behind new websites, software, and apps in order to determine whether the companies are sticking to their promises. As FTC commissioners set policy, they need researchers and technologists to keep engaging with the FTC and offering their advice on technical issues.
People tend to trust company claims, so the FTC plays an important role in making sure the promises are being kept. The Commission is not interested in regulating the technology being used or dictating how things should be done. Its focus is on making sure companies have good processes in place and are doing the basic things the industry sees as "reasonable security," McSweeny said. The FTC is trying to identify key areas of research, best practices, and pitfalls in order to help inform consumers and companies.
“We’re here making a plug for your help,” McSweeny said.
The FTC isn't just looking for tech experts to offer advice and share knowledge. It also wants their technical skills to build products and solutions. The Commission was also at DEF CON as part of its Humanity Strikes Back contest, which encouraged developers to submit tools that could analyze call audio and identify robo-calls before transferring them to a honeypot. Two finalists showed off their applications at DEF CON, and the winner will be announced at a later date.
Soltani and McSweeny urged the audience to get involved by writing to the FTC, sending an email to [email protected], posting on Twitter to @techftc, or commenting on the Commission's blog at ftc.gov/tech. There is an "open-door policy," and the commissioners will listen to good research, McSweeny said.
“It’s not always fun, but on the other hand, telling a bunch of high-powered attorneys and politicians that they’re wrong can be fun sometimes,” Soltani said.