FTC to Black Hat Attendees: Help Us Make Good Tech Policy

The FTC's chief technologist made a direct appeal to security, privacy, and technology communities to get involved and help shape tech laws and policies.

Government needs the help of security, privacy, and technology communities to inform policymakers and politicians on technical topics, Ashkan Soltani, chief technologist at the Federal Trade Commission, told Black Hat attendees last week.

U.S. politicians and policymakers are not well-known for being technically savvy. It's a frequent joke that many of them still don't use email or carry smartphones, and are not as immersed in technology as their constituents. And when it comes to tackling complex technology topics, such as encryption or online privacy, they typically aren't well-versed in the details.

When non-technical people debate technology policies and laws, such as the current drive to amend the Computer Fraud and Abuse Act, the debate over net neutrality, and the proposed Wassenaar rules, there is a problem. When people are discussing hot topics such as online security and privacy, information sharing, the right to be forgotten, patents, and vulnerabilities in medical devices, they need technologists to explain the implications, Soltani said.

"These are critical debates that are happening right now. It's important to be mindful of them and really engage," Soltani said, noting that his audience should feel "another call of duty" to get involved.

Soltani already advises the FTC on many issues, but the Commission needs more input from other sectors, as well.

"Make yourself heard and engage in these policy debates. It isn't about the pay, isn't the status—if you don't do this, other people will," Soltani said, noting that when left up to the non-technical people to shape policy, bad laws are inevitable.

The United States relies on an "alphabet soup" of regulations and legislation to protect consumer data and privacy online, including the Children's Online Privacy Protection Act (COPPA), the Fair Credit Reporting Act (FCRA), Do Not Call, CAN-SPAM Act, Health Insurance Portability and Accountability Act (HIPAA), and the Gramm-Leach-Bliley Act, Soltani said.

The FTC has recently executed a number of enforcement actions against companies for privacy and security violations, including the settlement with Snapchat for misrepresenting how its texting app handled photos and messages, as well as the settlement with Fandango and Credit Karma on how they implemented SSL in their mobile apps. These cases involved technical and security issues FTC lawyers and policymakers needed help understanding before they could proceed. The tech community's input was essential in helping the FTC build the cases and go after the violators, Terrell McSweeny, an FTC commissioner, told Black Hat attendees during the session.

McSweeny described the FTC complaint against Nomi Technologies, a company whose technology allows retailers to track consumers’ movements through their stores. Nomi promised consumers could opt out of tracking online and while in the physical stores where the tracking was taking place. However, retailers did not inform consumers when the tracking was taking place, and they also did not provide an opt-out mechanism in their stores. The technology relied on "promiscuous WiFi sniffing" of devices as consumers moved around the store as well as hashing device MAC addresses, Soltani said. Users who didn't want to be tracked would have to disable WiFi or GSM signals before entering the store.

"This is where Ashkan helps me understand what is going on," McSweeny said.

As technology continues to evolve and new products hit the market, the FTC's job will get even more complicated. The FTC acts in the consumer's interests and has to watch for when companies mischaracterize the security measures taken, or violate stated privacy policies in ways that consumers would object to. The FTC needs to understand the technology behind new websites, software, and apps in order to determine whether the companies are sticking to their promises. As FTC commissioners set policy, they need researchers and technologists to keep engaging with the FTC and offer their advice on technical issues.

People tend to trust company claims, so the FTC plays an important role in making sure the promises are being kept. The Commission is not interested in regulating the technology being used or dictating how things should be done. Its focus is on making sure companies have good processes in place and are doing basic things the industry sees as "reasonable security," McSweeny said. The FTC is trying to identify key areas of research, best practices, and pitfalls, and to help inform consumers and companies.

“We’re here making a plug for your help,” McSweeny said.

The FTC isn't just looking for tech experts to offer advice and share knowledge. It also wants the technical skills to build products and solutions. The Commission was also at DEF CON as part of its Humanity Strikes Back contest. This contest encouraged developers to submit tools that could analyze call audio and identify robo-calls before transferring them to a honeypot. Two finalists showed off their applications at DEF CON, and the winner will be announced at a later date.

Soltani and McSweeny urged the audience to get involved by writing to the FTC, sending an email to [email protected], posting on Twitter to @techftc, or commenting on the Commission's blog at ftc.gov/tech. There is an "open-door policy" and the commissioners will listen to good research, McSweeny said.

“It’s not always fun, but on the other hand, telling a bunch of high-powered attorneys and politicians that they’re wrong can be fun sometimes,” Soltani said. 

Fahmida Y. Rashid is an analyst who has covered networking and security for a number of publications, including PCMag, eWEEK, and CRN. She has written about security, core Internet infrastructure, networking security software, hardware, cloud services, and open source.

Comments
spyglassintel,
User Rank: Apprentice
8/12/2015 | 9:43:39 AM
Great story!
It's very encouraging, even in small doses, to see more of government turn to our community for advice and direction!