Dark Reading is part of the Informa Tech Division of Informa PLC


FTC to Black Hat Attendees: Help Us Make Good Tech Policy

The FTC's chief technologist made a direct appeal to security, privacy, and technology communities to get involved and help shape tech laws and policies.

Government needs the help of security, privacy, and technology communities to inform policymakers and politicians on technical topics, Ashkan Soltani, chief technologist at the Federal Trade Commission, told Black Hat attendees last week.

U.S. politicians and policymakers are not well-known for being technically savvy. It's a frequent joke that many of them still don't use email or carry smartphones, and are not as immersed in technology as their constituents. And when it comes to tackling complex technology topics, such as encryption or online privacy, they typically aren't well-versed in the details.

When non-technical people debate technology policies and laws, such as the current drive to amend the Computer Fraud and Abuse Act, the debate over net neutrality, and the proposed Wassenaar rules, there is a problem. When people are discussing hot topics such as online security and privacy, information sharing, the right to be forgotten, patents, and vulnerabilities in medical devices, they need technologists to explain the implications, Soltani said.

"These are critical debates that are happening right now. It's important to be mindful of them and really engage," Soltani said, noting that his audience should feel "another call of duty" to get involved.

Soltani already advises the FTC on many issues, but the Commission needs more input from other sectors, as well.

"Make yourself heard and engage in these policy debates. It isn't about the pay, isn't the status—if you don't do this, other people will," Soltani said, noting that when left up to the non-technical people to shape policy, bad laws are inevitable.

The United States relies on an "alphabet soup" of regulations and legislation to protect consumer data and privacy online, including the Children's Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), Do Not Call, CAN-SPAM Act, Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, Soltani said.

The FTC has recently executed a number of enforcement actions against companies for privacy and security violations, including the settlement with Snapchat for misrepresenting how its messaging app handled photos and messages, as well as the settlements with Fandango and Credit Karma over how they implemented SSL in their mobile apps. These cases involved technical and security issues that FTC lawyers and policymakers needed help understanding before they could proceed. The tech community's input was essential in helping the FTC build the cases and go after the violators, Terrell McSweeny, an FTC commissioner, told Black Hat attendees during the session.

McSweeny described the FTC complaint against Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores. Nomi promised consumers could opt out of tracking online and while in the physical stores where the tracking was taking place. However, retailers did not inform consumers when the tracking was taking place, and they also did not provide an opt-out mechanism in their stores. The technology relied on "promiscuous WiFi sniffing" of devices as consumers moved around the store as well as hashing device MAC addresses, Soltani said. Users who didn't want to be tracked would have to disable WiFi or GSM signals before entering the store.

"This is where Ashkan helps me understand what is going on," McSweeny said.

As technology continues to evolve and new products hit the market, the FTC's job will get even more complicated. The FTC acts in the consumer's interest and has to watch for companies that mischaracterize the security measures they have taken, or that violate their stated privacy policies in ways to which consumers would object. The FTC needs to understand the technology behind new websites, software, and apps in order to determine whether companies are keeping their promises. As FTC commissioners set policy, they need researchers and technologists to keep engaging with the Commission and offering advice on technical issues.

People tend to trust company claims, so the FTC plays an important role in making sure those promises are kept. The Commission is not interested in regulating the technology being used or dictating how things should be done. Its focus is on making sure companies have good processes in place and are doing the basic things the industry regards as "reasonable security," McSweeny said. The FTC is trying to identify key areas of research, best practices, and pitfalls, and to help inform consumers and companies.

“We’re here making a plug for your help,” McSweeny said.

The FTC isn't just looking for tech experts to offer advice and share knowledge; it also wants their technical skills to build products and solutions. The Commission was also at DEF CON as part of its Humanity Strikes Back contest, which encouraged developers to submit tools that could analyze call audio and identify robocalls before transferring them to a honeypot. Two finalists showed off their applications at DEF CON, and the winner will be announced at a later date.

Soltani and McSweeny urged the audience to get involved by writing to the FTC, sending an email to [email protected], posting on Twitter to @techftc, or commenting on the Commission's blog at ftc.gov/tech. There is an "open-door policy" and the commissioners will listen to good research, McSweeny said.

“It’s not always fun, but on the other hand, telling a bunch of high-powered attorneys and politicians that they’re wrong can be fun sometimes,” Soltani said. 

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.
Comments
spyglassintel
spyglassintel,
User Rank: Apprentice
8/12/2015 | 9:43:39 AM
Great story!
It's very encouraging, even in small doses, to see more of government turn to our community for advice and direction!