Thanks so much for having me. I'm trying to make sure my mic is actually on here. We're going to do this as a little bit of a fireside chat conversation, so I hope you don't mind me sitting down. We're very lucky to be joined by Commissioner McSweeney, who's been at the FTC since April of 2014, on a term that will expire in 2017. Before joining the FTC she was over at the US Department of Justice Antitrust Division, and also served within the Administration, and before that with then-Senator Biden's office. And she's been really sort of out in front of where the FTC stands on the Internet of Things, and that's really what we're going to dive into here today. To open that conversation up, I'd love to start by asking exactly what the role of the FTC is in that space.

Sure. Well, I want to start by thanking everybody for being here, and thanking New America for putting together this important conversation today. The Federal Trade Commission is actually a hundred-year-old consumer protection agency, but it has adapted its mission over the last 25 years to cover consumers as they move from consuming in a brick-and-mortar world to an online and interconnected one. So that's really the FTC's nexus to this conversation. The agency has brought more than a hundred privacy and data security cases using its statute, which allows it to protect consumers from unfair or deceptive acts and practices. So as we examine the security practices around consumer data and the practices around consumer privacy as it relates to the Internet of Things, it's primarily that statute that we're using in our enforcement mission. But we also have authority to study sectors, which we do periodically; last year we actually issued a report on the Internet of Things. And again, it's very important for us to understand kind of what's happening to consumers in real time.
So we spent quite a lot of time investigating trends in the marketplace and trying to understand them, so that we can make sure that we have the right tools and the right enforcement mission.

Speaking of your enforcement mission, one of your latest cases I found really interesting involved the security of a major router manufacturer. We talk about routers as sort of the hub that you expect everything in the Internet of Things, whether it's your smart coffee maker or your smartphone, basically everything in your house, to actually connect through, so you really want to make sure that thing is locked down, right? But how should consumers expect that the maker of that smart coffee maker, who probably doesn't have quite as much experience with security as, say, a router manufacturer does, is going to be able to keep that safe, if even the router makers aren't doing their jobs?

Well, this is to me the 21st-century data security issue of the Internet of Things, right? How do we get the balance right, and how do we make sure that companies that were previously making, for lack of a better word, dumb, unconnected appliances, that are now making computer-connected, internet-connected appliances, understand what data security practices are and why they should apply even to that connected coffee pot? So yes, you're right. We actually recently, just a couple of weeks ago, announced a consent decree with a major router manufacturer. And in that case we were looking at the security practices that the router manufacturer had, and of course routers are a terrific frontline defense to your home network.
That's why we think it's very important that if router manufacturers are making security representations, those be truthful, and we think it's very important that they have reasonable security practices. But we can't just rely on the router as the first line of defense. The fact is that a connected appliance on your home network can be a portal into your home network. We've seen this, I don't know, connected tea kettles sharing Wi-Fi passwords, right? And once you get into that network, you can really explore it. So that's one of the issues. I also think it raises an additional really interesting consumer protection issue, and this is something that the Trade Commission identified in its Internet of Things report last year, which is: how long is that product going to be supported by the company that's manufacturing it, and what information do consumers need to have when they're going to a store to choose a new coffee pot or a new toaster oven? They might like to see this fun, exciting, interconnected new capability associated with it, but will they understand that that might mean that that product will only be supported for five years or six years? And what do they need to know at that time of purchase?
I've had my toaster oven for about 15 years. I suspect if I bought an internet-connected one it probably wouldn't make a lot of sense for the company making it to support it for that long. So should I have information at that time of purchase to understand that this thing that would have previously lasted me a much longer period of time is maybe not going to last quite as long?

I'm really glad you brought up this sort of update situation, because when I talk with security researchers about the Internet of Things, probably the joke I hear most often is, oh, the Internet of Things that can be hacked, or oh, the Internet of Things that can be hacked to kill you, when you talk about things like connected cars or medical devices, which really, if compromised, could have some really pernicious outcomes. And in fact, I believe, gosh, I think it was last year, may have even been the year before, the FDA came out and said, hey, hospitals, stop using this one specific kind of drug pump, because there's potentially a really harmful vulnerability in it and they're not going to fix it. Where do you see sort of physical safety coming in when we talk about the Internet of Things?

Well, physical safety is obviously a really important aspect of this. And if you think about certain connected aspects of your home, right, it might actually undermine the physical safety of your home if you're thinking about connected alarm systems or connected locks or cameras and that kind of thing. You know, there's another aspect to the security of these devices that I think is really important, which is, if they are compromised,
they might not work properly, and it might be that they could also be used to launch a denial of service attack, either on your home network, or be incorporated into a larger attack. So there's this other aspect of securing them that I think is really, really important and should be part of this conversation as well. When it comes to things like cars, I think the automobile industry has a real opportunity to understand and learn from the information technology industry about how to secure its systems. It's absolutely critical, as we've seen in the last year in the conversation around really high-profile automobile hacks, because the public health and safety issues are so prominent in that kind of consumer product.

So we've seen some of the connected, well, not connected cars per se, but auto manufacturers generally, move into the space of offering bug bounty programs, like Tesla. GM also has done some interesting stuff, I believe actually with HackerOne, about having third-party researchers come to them with problems. Is that a model that you think is effective?

Absolutely. And I should say at this point in our conversation, I probably should have said this at the outset, I'm here speaking on behalf of myself and not my colleagues at the Commission or the Trade Commission officially. I've been pretty outspoken on this point, actually. Last year we saw in the NHTSA reauthorization a pretty poorly conceived approach to this issue, which was to outlaw white hat security researchers from doing research on connected vehicles.
I think that's a giant mistake. We absolutely need to have the white hat community, the security researcher community, out there helping the new industries that are new to connected consumer products understand how to secure them. And that's not just good security practice in my mind. Having a good program that allows you to receive vulnerability reports, having a good program, if it makes sense for you, that is a bounty program or a conference program or a hackathon program, or working with a platform like HackerOne, that's not just good security policy; I think it is also one of the most efficient ways to improve the security of your products. And that's not just my point of view. There's actually some economic research out there that supports that: that crowdsourcing and understanding where your vulnerabilities are and how to fix them is a very efficient cybersecurity investment.

So you just brought up NHTSA, where it sits on some of this stuff, or at least was at the time of those comments. How exactly does the FTC work with other agencies that are also interfacing with these kinds of issues? I mean, when you talk about the FAA and drones, you talk about how it's obviously in the Department of Transportation, and in connected cars. What's that communication like, where do you see overlap, and how do you manage that?
Well, all right, so I don't want to blame NHTSA for a proposal that I think was floated in Congress. I don't know where they are on these issues. But I do think the FTC has a real obligation to work with a lot of these expert sector regulators that are now finding privacy and security issues emerging in their mission. So that's one thing that the FTC I think can really do as an agency, and that we ought to do; it's part of good government, of course, which is take our 25 years of learning and knowledge about privacy and security practices and help other agencies understand what our approach has been, and how and why we have adopted the approach that we've adopted. We have also seen in the last week some of our sister consumer protection enforcement agencies bringing data security cases, the CFPB obviously bringing its first case. In general, I think that we are in an environment where consumer data security is so essential for the success of the Internet of Things, and for all of these incredible innovations that are going to bring such wonderful new products into our lives, that I don't think it's the case that there needs to be simply one cop on the beat. We all need to understand why this is so important and be able to share that information.

So, also speaking of other agencies, I'm going to bring up the E-word, encryption, which I think we're going to be talking about a lot today, for some reason. It does seem like there's a little bit of a gulf between where the FTC comes out, talking about how we want to make things as secure as possible, and where some security researchers say that what the FBI is asking Apple to do in the San Bernardino case could potentially undermine the security of devices. How would you sort of describe that difference? What exactly does the FTC think is the most effective path forward when it comes to encryption?
Well, so again, I'm going to be sure to caveat what I'm saying by saying I'm speaking on behalf of myself here, since I'll just be the one to get myself in trouble, as opposed to my entire agency. I think what's really interesting about this, and this actually came up in our routers case recently, and it's come up in some other recent data security cases the FTC has brought: we don't dictate what kind of technology companies should use to secure consumer data, and I think staying technology-neutral is absolutely critical, because this is such a dynamic space. That said, we have certainly noted that encryption can be an incredibly useful tool in securing data at rest and in transit. We have brought cases when companies have claimed they are using strong security measures or strong encryption measures when they haven't configured them properly, or when they are not in fact using them. And so I think that indicates that encryption, in the FTC's view, is a very, very, very valuable tool in protecting consumer data. I think it is even more valuable if we think about all of the wonderful big data analytics that might be possible in the future if we're also trying to protect consumer privacy. The prospect of being able to take large pieces of data that are encrypted and compare them to other data without ever invading the consumer privacy in that data is really, really exciting to me. So I think that we need to make sure that we aren't undermining the strength of that technology, because I think it's going to underpin a lot of our data security and privacy in this brave new interconnected world that we're in. So that's why this debate around the iPhone case is so incredibly important, in my view. I don't think it actually should be resolved by one case; I think it's far too important and critical a set of issues, and the trade-offs here for consumer data security are potentially very,
very significant. So I watch with interest the development of legislation that would suggest a commission. I think that might not be a bad approach to trying to find the right balance, with the caveat that I think any conclusion that we ought to mandate backdoors would just be a disaster for consumer data security. So I feel pretty passionately on that point.

So, speaking of legislation, I know that in the past there hasn't been a lot of movement on specific data security regulation coming out of Congress, and it almost seems as though there's been more movement on privacy issues at the state level than at the national level. How does the FTC plan to sort of move forward in this space without necessarily the clear sort of guidance that you might expect when approaching some pretty important areas, right?

Well, so you're right. There isn't comprehensive data security legislation. I think actually the FTC as a whole has supported such legislation, not just to have one set of standards around how breach notification occurs, but also to have a set of standards around this IoT space that is clear. We don't have that. I think we'll continue to support that, and we can continue to make the case for it. I think the fact that consumer trust in the security of their interconnected products is emerging as a very significant issue, when you look at the consumer survey data, when you look at the Accenture report on adoption, you see that trust and security is becoming a very prominent issue in this space.
So that might help both create the incentives for companies to make the appropriate investments, and it might also help ultimately support legislation in this space as well. But without legislation, I think you can fully expect the FTC to continue using its enforcement tool to try to bring cases where there are not reasonable security practices in place. And I think we'll continue to advocate, as we do in our various initiatives. We have the Start with Security initiative, which is an initiative that sort of lays out 10 principles of what reasonable security looks like, based on the 60-plus enforcement cases that we've brought, and I think that's a really important contribution to this process as well. Sometimes we hear, oh, we don't really understand what reasonable security is; what do you mean by that? And I'm kind of incredulous when I hear it, because I think, wow, at this point, in 2016, it should be pretty clear what security looks like. It looks like having a process in place. It looks like having people responsible for it. It looks like having training in place. It looks like having some ability to collect vulnerability reports and respond to them in a reasonable amount of time. We have a lot of information that is now out there, whether it's the NIST critical infrastructure framework, whether it's the Start with Security guide, whether it's our enforcement cases. And I think this is a really, really rich space where there's a lot of really valuable advice for people, and we're going to continue to try to push it out there as much as we possibly can. It's not our goal to catch people and bring cases against them.
It's our goal to try to protect consumer data security. We really, really want to make sure that anybody that's trying to do the right thing has the best set of tools possible to do that.

So one of the major roles of the FTC is to be an enforcement agency. But you're not sympathetic to the idea that some companies may not necessarily understand what the rules are in the current setup?

Yeah, I'm deeply sympathetic to that. But if they aren't making any attempts at reasonable security, they are doing that at their own risk. So I guess my point is, I'm sympathetic to the notion; I just think, you know, go on our website. Easy information. It's written in plain English. Talk to a security professional. Talk to anybody that can give you advice. And I think that the steps here are pretty clear. At the FTC we sometimes say, well, reasonable security isn't perfect security. We understand that attacks happen, breaches occur. So our standard isn't perfection here. That would be a huge mistake, and that's impossible, as any security professional will tell you. So the standard here is reasonable. It means having security-by-design processes and procedures in place and making a reasonable attempt to secure the information that you have.

And the bottom line is, if you put your customers at risk, you put yourself at risk of ending up in the FTC's sights.

Yes. And if you represent that you're handling information securely and you're not, that can be a problem.
I want to switch topics just a little bit to another sort of Internet of Things thing that I just find really fun. So I sort of feel like when we are talking about things like Siri or the Amazon Echo, which, I guess this is the part where I make the awkward side disclosure, is made by Amazon, and Amazon CEO Jeff Bezos also owns the Washington Post; I'd do it if I was writing about it, so I try and do it when I talk about it, too. It can kind of feel like Star Trek, you know? You're just talking into the void and you say "make it so" and it plays the music that you want. How do you feel like the FTC will go forward in talking about voice privacy like this, when we're entering an area where we already carried microphones around in our pockets, but now we're having devices that are always listening to a certain extent?

Well, I think it's a really fascinating issue. Our touchstone for all of these issues is notice, choice, consent. So I think that's got to be a part of this conversation: making sure that consumers understand how the technology is collecting their voice, when it's on, when it's off, that kind of thing, is I think part of notice and transparency. So it starts there. These products also are, you know, they're fantastic, but they also can create some interesting consumer protection challenges. We saw that, for example, in the in-app purchase cases that the FTC brought about two years ago. There's this great innovation in the app space where you could more seamlessly, especially if you were a kid, buy a lot of stuff in a game. Turns out parents were caught off guard with the hundreds of dollars of charges their kids quickly racked up. And so we brought some cases against Apple and Google, and actually we're in ongoing litigation against Amazon on this one, where we said, like, that's not okay; people need to have better mechanisms to control that. So when we have these new products that are fantastic, you know, the first question
I asked was, how is it going to be? How am I going to prevent my kids from going, "Alexa, buy me an iPhone"?

Exactly. That's what's going to happen in, like, the first five minutes of this product being in my house.

So that's a part of the conversation that I think we need to have with industry. And I think it's a feature of some of these innovations that I'm really hoping folks in the product development phases are thinking about. That's what security by design, privacy by design, is: it's bringing in people with privacy, security, and then I would also argue data ethics values early in the product development life cycle, and having those values reflected in the innovation. And that can be a really terrific outcome for consumers. We can have fantastic new privacy and data security products and features that will help us take advantage of all this innovation while protecting our privacy. So I think, done properly, all of these problems aren't really problems at all.

Gotcha. Well, I have been monopolizing you. This has been a lot of fun for me, but probably not as much fun for the audience. So does anybody have any questions for the Commissioner?
I think they're coming with a mic for you, if you can hold on for just one second.

Whether it might make sense to use the IRS tax forms, sort of like a notification, with all the websites, etc., because all businesses and all adults are getting them, as you know, annually, and so while a lot of the outreach programs are very good, I'm always surprised by what people don't know.

That's a really interesting idea. I don't think we've considered that, and I know the IRS has a lot on its plate. But what we do try to do is convene around the country with non-traditional partners to get our information out. The information that's sort of most popular on the FTC website is our idtheft.gov resources, which we've recently revamped, which are a kind of one-stop shop for people that are either concerned about identity theft or experiencing some form of identity theft, and we're improving the remediation process there. So you're right, that might also be, given the problem of tax ID theft that is persisting, that might be a way that we share that resource.

It's very common, if you've been a victim of a breach, you've probably gotten a breach notification, and within the notification, I generally find, having now gotten a few myself, that the companies refer to our FTC resources in that letter as well, which I think can be very helpful.

He mentioned essentially notifying people through the IRS form, and so this directly kind of segues into my question about privacy. People like HackerOne or any researcher will tell you that when you say IRS, people scream, they get terrified. And so the question I have is this: is there a working definition of privacy that is basically being used in the industry, or that the researchers have come up with? And I know we have a lot of intellectuals in this space here today. What working definition does the FTC use? Do we
even have one?

Well, thanks for the easy question. So the FTC has used, I mean, you're putting your finger on the pulse, right? This is a big problem. The FTC has used the FIPPs approach to privacy, right? So notice, choice, transparency, those kinds of issues. There is a huge debate in the policy space around what personal information should be held, you know, is sensitive personal information. In this country we've adopted a sector-based approach to it, right? So we have HIPAA to cover health information, although importantly not health information you are sharing with your wearable, just stuff that you have with a HIPAA-covered entity. We have decided that children under 13 deserve some special protection, so we have COPPA. We think your financial information deserves some special protection, so we have GLB. We think student information deserves some special protections, it's a little unclear exactly what, so we have FERPA and a bunch of states. These are very, very hot debates, these issues of facial recognition, geolocation information, right, your voice information. That is this wide-open space that we are having, I think, a really rich conversation about. We need to continue to have one, and we need to be really mindful of kind of commercial surveillance in that space and how it's occurring. The FTC has studied this issue, and cross-device tracking.
We've studied it in wearables. We're going to continue to deeply engage on it, but it's a big, broad, tricky set of issues, and I think we're going to continue to have a conversation about it. One thing the FTC does tend to focus on is when consumers are surprised by unanticipated uses of their information, and I think that can be an area that we definitely will continue to explore. And we've brought cases in the surveillance space when companies have said they're going to offer an opt-out, the Nomi case for example, but didn't actually provide that in retail locations, right? So that's where a company is tracking your location for the retailer. They suggest on their website that they're going to provide you an opt-out on their website, but also at the retail locations using the tech, but they don't actually do that. So then we said, well, that was deceptive. It's not illegal to do that, by the way, if you don't deceive people.

Sure. I think we have time?

Yeah, a few more minutes.

I can probably get maybe two or three more questions max. We've got some folks in the back here, and I don't want to give everything to this side of the room, sorry. So in the very back there.

Hello, my name is Ari Basin. I come from the University of Exeter in England. My question for you is, what's the FTC's role in preventing backdoors being installed in hardware produced in China or other places which don't have the greatest privacy regulations?

Yeah, well, we don't really have a role in that. We can say, look, we think backdoors really undermine consumer data security. We can potentially take action if maybe a company incorporates that hardware, and especially if they know the vulnerability exists and then they make a bunch of claims about how secure and private it all is if it's not, that might be deceptive. But we don't have jurisdiction to go after conduct
that's happening offshore.

Unfortunately, I think I actually overestimated our time a little bit, and maybe we're out. Oh yeah, this is a stop in the back. Thank you so much for your time.

Thanks for having me. It's a pleasure to be here.