Hi everyone. Thank you so much for having us. We are here to present "Tick, tick, tick, boom, you're dead: a brief history of tech in the FTC." So if you do not know me, I am Whitney Merrill. I am the founder of the Crypto and Privacy Village here at DEF CON and this is my first time speaking on a main track. I'm an attorney as well as a hacker and I'm pleased to be joined by my former bosses, bosses, bosses, boss. Well thanks for that introduction. Is this working? Yes. Hello. I'm Terrell McSweeny. I'm a Federal Trade Commissioner at the Federal Trade Commission, which is an agency that has a lot to do with consumer protection. We also are sort of a data protection, information security, consumer protection agency as well and we're going to be talking a little bit about that today in our talk. I'm super thrilled that Whitney is joining me for this. I'm super sad that she has actually moved on from the FTC so she doesn't actually have to give the disclaimer that I'm about to give, which is that these are not the official views of the FTC. I'm going to give you my individual views, not necessarily the views shared by anybody else at the FTC, so take that with a grain of salt. So what is the FTC? Why are we here? Why are we talking about this at DEF CON? Actually again the FTC has been at DEF CON for a number of years now and we're really thrilled to continue our partnership with the security researcher community because your research helps inform our cases. What do I mean by that? Well the FTC is a 100 year old consumer protection agency. It's actually about 103 years old so it's older than DEF CON at 25 years and it's older than the internet or even the World Wide Web, but we've had this authority basically to protect consumers from unfair deceptive acts and practices and we've taken it from the brick and mortar world and brought it into the online one.
So I'm thrilled about this talk today because we're actually going to spend a minute just going back in time and looking at some of the first cases the FTC brought and then comparing them to some of the cases we're bringing today and we're going to end by talking to you a little bit about how we do investigations, how your work can help us and what we're looking for from the research community as well. It's great to have a retrospective in the 25th year of DEF CON and so we're going to take some time to do that now. We'll be looking at cases that we've brought and we're also going to be talking about other tools the FTC uses to shape policy in the US government. We hold workshops, we write reports, increasingly we do our own research and present that and we also do consumer and business education so we'll be covering all of those topics today. So we're going to take you back as Terrell was saying you know when we were discussing what kind of talk we wanted to submit to DEF CON I said we should do something that honors the 25 years of the hacker community and how can we basically look and show how the FTC has been working hand in hand basically with that community over the past 25 years. What have we done and how has it been applied? So this is a quote from an attorney probably 25 years ago at this point and says this is standard stuff it's just in a new medium. And that's exactly what we will show. Yeah so one of the first things that's incredibly standard in human behavior from the dawn of time is fraud. It is a thing that we spend a lot of time and resources going after at the FTC both in the brick and mortar world but also in the online world. The case that I'm about to talk about actually we can queue that up was one of our first cases involving fraud on the internet. This was a case in which the company was running ads on AOL offering a $99 credit repair kit that was basically worthless. 
For those of you, free consumer tip: credit repair is basically always worthless. Don't sign up for that stuff. It is a scam. So this was that kind of opportunity. Also, just a history lesson for the young people in the room: in 1994 (DEF CON was about two years old at that point), America Online was the way in which most Americans connected to the thing called the World Wide Web. They did that via the dial up service, you know, on a modem. They used the AOL email. I still love it if people have AOL emails today or like retro fabulous. And AOL was a primary web portal for a lot of users. So it was a really important part of protecting consumers, American consumers on the internet. So the next case I'll bring up involved something called the Mail Order Rule and I bet you're all sitting there going, that sounds like the driest, most boring rule in the entire world. I actually had a fortunate opportunity to work on the Mail Order Rule type cases and it's more fascinating than you'd expect. But basically the rule says if somebody says that they are going to ship something to you by a particular date, they must do that. And if they don't do that, it's a unilateral modification of contract and you are a harmed consumer. So this particular case was from 1996 and this was the first time this older rule was applied to business done over the internet. In this particular instance, Brandzel was supplying the world with computer parts. He was offering memory chips over Usenet and ultimately never shipped those chips. And so the FTC brought a case against Brandzel and got restitution for the consumers who were harmed. Okay, next, deceptive advertising. This is also an area the FTC takes a lot of time and energy and uses a lot of resources on.
Essentially what deceptive advertising is all about is looking at claims that are being made, claims that are relevant to whether a reasonable person would decide whether or not to use a product, and assessing whether they are true or not, and the assessment of truth is called substantiation. So one of our first internet related deceptive advertising cases was a case involving a product that was a coating to put on your glasses to protect you from the harmful rays coming out of your computer. Turns out there was a deep line if this were true. There wasn't a lot of science behind the harmful rays coming out of your computer claim or even the product. And so this was a site for Suarez case that the FTC brought saying look, that's a deceptive advertising claim being made. So many of you may be in the room and you were enticed by the title and you didn't read the abstract and you were like, oh, this looks really crazy. I'm going to go to this talk and you're like, oh, this is about law and policy. Well. You can look now. No judgment. Other consumers may have had similar fears which were there was an advertisement run from 1992 to 1993 by Hayes Microcomputer and it looked exactly like that one. It appeared in computer magazines and networking magazines and it basically said tick tick boom, you're dead. And here they said that they were telling consumers that a time bomb might be lurking in their computer. Specifically they said well, like you're thinking what's the time bomb? And it was an accidental escape sequence. And the modem company said that if you didn't use their improved escape sequence with guard time that your data would be destroyed. Simply this was not true, theirs was no better than the competitors'. But even worse they said hey, give us your information and we'll send you a free kit to test your computer to see if it's dangerous. And it was basically malware installed on a user's computer that would force the competitor's modem to hang up.
The FTC, specifically my mentor when I was in the San Francisco office of the Federal Trade Commission, Linda Badger, who will hate that I'm giving her a shout out right now but she deserves it, saw this ad and said this is baloney, brought the case. And so the FTC here basically said note this is not true, a modem's failure to incorporate this improved escape sequence with guard time (so fancy) doesn't create any substantial risk of data destruction. I think what's really interesting about this is this is an early case but we still see this kind of fraudulent practice all over the place all the time. Now that takes more of the form of a tech support scam. We still have tons of cases involving scaring consumers about security vulnerabilities in their product and causing them to download malware or buy services that are useless. It's also something that companies do to entice you to buy their product. And so FUD, fear, uncertainty and doubt, is not a new thing that we see in security or privacy. Here's a case from 2004 that was also using FUD to entice people to purchase a security product. How many people have seen that before in maybe your recent time? This here was the Internet Alert. They would pop up throughout your browsing enjoyment and basically claim that your computer might be insecure through banners and pop ups online. When they appeared to consumers they'd like look like alert boxes so a consumer would be enticed to click. It would then take the user to the Internet Alert software website where they could purchase this software that really had no proof that the individual user's computer was insecure. So the FTC brought this case and basically said to Bonzi Software that you cannot advertise in this particular way because it is deceptive to consumers. This is a little bit different. Also an advertisement. This product actually works I think as it was purported to work but it's really the problem with the thing in and of itself.
This was Cyber Spy, a business that was selling spyware and showing people how to remotely install it without other people's knowledge or consent. I think the tagline in the ad says it all: spy on anyone from anywhere. Exciting and interesting. We said look, you can't be enticing people to install keylogger software on other people's computers without their consent. That's a huge problem. So it's not really that the product is illegal. It's just that you can't be using it on people in a deceptive way. So we've discussed a lot about deceptive practices and sort of the more traditional type of consumer protection cases that an agency like the FTC would bring. We're going to talk specifically now about ones that involve security and thinking I bet some of those FUD cases look like security cases too. And the reality is that security falls into really two different branches. There's deceptive practices and then unfair security practices and so we'll kind of highlight some of those for you. But most importantly here to emphasize is like the FTC's involvement in advocating for security practices over the past 25 years. So in this particular case at the time it was called modem hijacking. It might now be considered more like ransomware. But in this particular case defendants maintained adult entertainment websites at beavisandbutthead dot com, sexygirls dot com and oneadult dot com. And when a user would visit that website they would be told you should download this program to view more free images, with an exe called david.exe. And when it was downloaded and executed the program disconnected the computer from the consumer's own access provider, turned off the consumer's modem speakers, dialed an international telephone number and then reconnected the computer to a remote foreign site. In this particular case the international call would be charged to consumers for more than $2 a minute.
I don't know if anyone remembers how expensive telephone calls were way back when and how fast- Those are telephones for folks in the room who are younger. They were things that we had in our houses connected to wires. That's how people got on America Online. So these charges would continue to accrue for the poor user until the computer was shut off, and how many people actually shut off their computers. So consumers received telephone bills purported to be made to Moldova when in fact they were only going so far as Canada. So the FTC brought a series of cases against the companies that were engaging in this practice to protect consumers. Now one of the things and I'm trying to highlight, we're both trying to highlight here, is that the FTC knew the value of the internet and the value of protecting consumers on the internet in a way that really ensured that they could engage with it. Because if it became this unruly, you know, you'd order your microchips and never receive them, no one would want to engage or use the internet. So fast forward to last year. And you know, I think no one's going to say that we don't have plenty of work to do as a consumer protection agency every day all the time, which is part of why we've been trying to forge close relationships with the security research community as well because we view you all as valuable partners in our work. The Ashley Madison case I think is an interesting one. We've brought actually about 60 cases involving data security either in unfairness or deceptive practices using either one of those authorities. We wanted to highlight a couple of them that are more current. This one I think is particularly interesting because it gets to this trust point. Here we had a huge breach.
And you can think, I think it's pretty safe to say that in many situations if you read about a huge breach of sensitive information chances are the FTC is probably going to take a look at what happened there and whether the security practices were reasonable in the organization. So unfortunately we had 36 million users whose identities were exposed on a social networking site that was being used by people to have extramarital affairs. Right there I don't think I need to unpack why this was sensitive information. Unfortunately it had huge consequence for many of the people whose information was exposed. Marriages were ruined. Some people committed suicide. I mean this was not just economic harm like identity theft. It was personal and emotional harm and it was pretty tragic. So we took a look along with our Canadian authorities, Australian authorities, it was actually kind of a global investigation, 13 other states at what was going on. And not surprisingly we found some pretty serious security flaws in the company. So that was part of the case. But there were some other practices we also took a look at that were deceptive. So for example there was a full delete option available on this website. And if you paid money for full delete then they were going to delete all of your information. This was explicitly said. Well turns out that didn't happen. So a lot of people paid for full deleting of information that was not deleted and then it was exposed as well. And then there was a thing that I find particularly interesting and I suspect we're going to see more of this just given all the technology that's out there. There was use of fake profiles and the reason I want to just call this out is there was a lot of marketing to attract people to the platform to thicken it that promised in some cases thousands of women in your city. Now it turned out of the 19 million American users, 16 million were men. And it's like no one in the room has survived. 
The women are all like yeah. Totally. So mostly it was men on the platform and the fake engagement profiles were being created by the company in order to create the impression that there were thousands of women in cities when in fact there really weren't. And so we said look that's also deceptive practice as well and one that clearly people were relying on because part of the promise of the entire thing was being able to connect with people who were interested in having affairs. Do you want to hit IoT? Yes. ASUS. How many people here think internet of things is a problem? I think that's a lot. So basically the FTC has had several initiatives in trying to regulate this unwieldy insecure place that is the internet of things. And in 2016 the FTC brought a case against ASUS for being insecure. What I want to call out before I discuss this case really in depth is the failure to mitigate disclosed vulnerabilities. In particular, the vulnerability allowed an attacker to bypass a login screen and gain complete access to a computer's connected storage device. ASUS failed to encrypt consumers' files in transit and personal files were public by default. So that's pretty serious vulnerabilities disclosed to a company. In this particular case in 2013 a security researcher publicly disclosed based on his research that over 15,000 ASUS routers allowed for unauthorized access to a disk, basically a storage disk that you could set up in connection with ASUS. In his public disclosure he claimed that he had previously reached out to ASUS several times and was ignored. And so here the FTC really called that out as a bad security practice: respond to vulnerabilities, patch vulnerabilities disclosed to you. And ultimately, yeah the FTC, they had to deal with the FTC. And importantly that's not our only IoT related data security or privacy case. We have others that are already public, safe to say there are others in our pipeline.
I think what's important about what Whitney just said is the presence of the security researcher here helping disclose the problems in the first place. Again incredibly valuable. And it's important to remember that in the absence of any kind of established security standards for the internet of things, the FTC is essentially using its authority again to protect consumers from unreasonable security practices which we have decided are unfair under our authority. And providing education about what we think the best practices are for reasonable security standards. So this is essentially the way in which we're trying to create incentives in the marketplace to improve IoT security. I don't think Whitney and I are standing up here saying that we think it's sufficient. But it's the FTC doing what it can with the authority that it has to try to improve the situation in IoT particularly. Privacy. Yes, so we'll kind of switch over to talk a little bit about privacy. We start with a case from 1993, DEF CON 1. And this is not your traditional privacy case in the sense that it happened online. But I want to flag it because it is one of the earliest cases where the FTC sued Trans Union Corporation from taking all the consumer credit data it had and selling those lists to marketers. And the FTC said you cannot take this type of data and not disclose to consumers that you are doing this. It is, you know, unfair and deceptive to that consumer to be marketed in that particular way. All right, so GeoCities. This is actually our first, yeah, AOL GeoCities. Who is on GeoCities? Anybody? Rainforest? Yeah. Okay, good. So this was our, our first official privacy case online and a really important one. It's important to remember that at the time we brought this case it was one of the most popular websites on the World Wide Web with about two million users. Which at that time, while that seems tiny today, was a huge amount of people.
It was a site that was allowing people to create their own home pages and grouping them into communities. And this won't surprise anybody given the way business models are today. It was asking for an incredible amount of detailed personal information about people, adults and children, about not just their location, their addresses, but also their preferences and all kinds of things. And then it was selling that to advertisers. So what we said was okay, you have to have notice and you have to get consent if you're going to be monetizing people's sensitive information in that way. And specifically when it comes to children, at the time it was under 12, we are going to require verified parental consent. Now that's going to sound really familiar to anybody that deals with children's data on a regular basis because that actually became the law of the land in the Children's Online Privacy Protection Act, which again requires parental consent for the collection and use of children's information. So the next case also involves collecting information on children as well as adult users. In this particular case InMobi, an ad network, actively undermined the privacy choices of consumers. How did they do this? Well in an individual app you could choose to opt out of location tracking. And InMobi instead tracked consumers' locations regardless of these permission settings. They used a database of wireless network location information to infer a consumer's physical location and then matched up where you were. The FTC said basically no you can't do this. This is a misrepresentation not only to consumers but also to the developers of the apps because they were not told that this was being done by InMobi. And the FTC issued a four million dollar civil penalty for violating the Children's Online Privacy Protection Act and said that InMobi for the next 20 years must institute a comprehensive privacy program and be independently audited every two years for the next 20 years.
I think what's really important about this case is that this is a situation where there was a clever tech work around that was by that was really working around an expressed privacy choice by consumers. And that's an area that I think the FTC needs to continue to stay really focused on. These cases are hard to detect and we really can't do it without the work and help of people like yourself. So that is that is really important to us as well. Yeah. And unlike the other cases we've discussed earlier in the presentation you know you see an ad and you go this is weird. You know you don't have to be technical to necessarily understand you know the technical problems or the privacy issues of the data security issues. A lot of these newer privacy and data security issues you don't see unless you're actively researching it. And so really it takes a community to find out and search these out which is what you know really all of you are about. And the next case actually was also directly the result of research and information that we gathered and read from media reports about how smart television was working. So this is Vizio which is a case from this year. What's really important about it was that for the first time we are we have a case involving a smart television and we're also taking a careful look at the kind of disclosure that's being made because of the kind of information that's being collected. So what happened in this case was there is a technology being used by Vizio that allowed it to gather second by second viewing information from the televisions for anything that was playing on the TV. So it wasn't just whatever was coming through the cable box or whatever. It was anything on that screen was collected and then it was sent back for monetization. What people are watching when they're watching it, how long they're watching it is incredibly valuable advertising information. 
Now we took a look at it and it turned out there was a disclosure made to consumers about this practice. It was in the smart interactivity section and it essentially made it sound like this information was being gathered to optimize performance or provide recommendations for viewers or something like that; it was not at all clear that it was actually being collected and used for targeted advertising purposes and other profiling information. So we brought it we brought a case and said look, if you're going to be collecting sensitive information, in this case second by second television viewing information, you have to provide a clear choice to consumers and that needs to be an opt-in choice that they can clearly understand if they're reasonable people like my mom who is a very reasonable person but not a very high tech person. She actually has an AOL account. Awesome. So one of the things we're going to point out in looking you know at the past and the present is you know the workshops and the initiatives that the FTC has done to engage with not only consumers but individual researchers and experts in the area. You know looking back as far as 1995 and 96 the FTC was asking questions about cookies. In 2007 we started to really take a deep dive into behavioral advertising. How were you being used, tracked and targeted by ad companies, and they've continued to do privacy and security series. Most recently a fall technology series last year involving drones, smart TVs and ransomware with terrible time. Yeah and well so smart TVs, there we had a workshop, we were looking at a lot of the things that were going on with smart televisions and lo and behold shortly thereafter we had a law enforcement action involving one, that was the Vizio case I was just talking about. But a word about workshops. Workshops are really valuable for us because they're a chance to both present our own in-house research which we're increasingly capable of doing.
They're a chance to talk to people in industry and in the community about the trends out there and how technology is shaping our lives. And they're a chance for us to inform ourselves because as I as we said at the outset what the FTC is doing here is trying to figure out when is something deceptive to a consumer and when is it unfair. And we need to make sure that we're being very clear about what the requirements are if we're going to be investigating people for unfair practices. So we spend a lot of time and energy both creating information for ourselves in the form of workshops and gathering it but also in putting guidance back out to businesses and to consumers so that there's information available to people about what the standards are that we are hoping people will be following. So smart TVs was one of our workshops. We've also been working on cross device tracking, an area that is changing really rapidly and that we've recommended clear choices for people across their device graphs when that's happening to them. And we're studying ransomware. Don't have to tell anybody in the room that this is a big challenge for consumers. One of the things frankly that keeps me up at night is the prospect of a lot of insecure IoT really harassing people with small ransomware attacks in their daily lives. I think it could be really problematic. And the more we're continuing to rely on end user consumers who are not technically sophisticated to be the frontline defense for their IoT, I think the bigger challenge we're going to have there. That's a different talk. But we've been looking at ransomware trying to provide consumers with information about how to protect themselves and frankly it's pretty challenging. It's basically keep your software and things up to date and back up your information. And we're trying to work with businesses and industry to understand the kinds of attacks that are happening and where they're happening and how they're happening.
Important to mention here along IoT and smart televisions is the change of interface you know from a traditional computer. Here you know it really matters, usability, security, notice and choice, all these buzz words really change when there's no way for you to interact with the device or you spent five hours trying to hang a camera in the corner. And so if it's you know part of a bot, right, how do you patch that and entice consumers to update. One of the things you may have noticed or seen before if you've been to DEF CON before is the FTC has had a pretty regular presence. In particular we've held contests asking the hacker community for help. How many people have gotten a robocall before? Oh yeah that should be everyone because if not you don't own a phone. I get like three a day and I'm on every list but you know this is a big problem that plagues consumers. In particular we named our contests after Rachel from Cardholder Services. And the FTC came to DEF CON and said you know come up with a solution. Come up with a way to solve this problem that's technical because right now you know a do not call list is not sufficient. So we the FTC had Zapping Rachel at DEF CON 22 and then at DEF CON 23 a follow up contest to that as well. And one of the applications that came out of that was Nomorobo from 22. And we've also just recently wrapped up a contest called the IoT Home Inspector Challenge. So there will actually be a talk tomorrow in IoT Village talking a little bit about that. Aaron, you can raise your hand and wave, Aaron Alva. And really excited about that. That was a $25,000 prize that was given to a new app that will hopefully help consumers understand what IoT they even have on their home networks and whether their software on it is up to date or needs to be updated. Consumer education. This is my favorite. Does anyone know who Dewie the e-Turtle is? Anyone? Okay, yeah that's not surprising.
He was a short lived mascot of the FTC who I actually have a little bit of love for despite his dorkiness appeal. He was introduced and he was like best friends with Clippy. Yeah, Clippy. And mascots were really in, the National Forest Service had the bear whose name is blanking, Smokey. Yeah. So in 2002 the FTC said, you know, we need to make security culture a thing for children and younger people. They need to be thinking about security a lot. And while Dewie may not have been the best answer for that because clearly none of you remember him, that really goes towards our consumer education initiatives and communities that need this type of information to tell them to think about the information they're giving to communities and how to secure themselves. But other than that we've had a lot of other or the FTC, I keep saying we because I worked there until six weeks ago. We've had a lot of other initiatives to kind of teach consumers about security. And I mean I think it's important to note here that this is a huge task and why we're going to be continuing to engage in it but it's really, really hard to make sure that people have enough information out there in the marketplace because it is so dynamic and changes all the time. We also run identity theft dot gov which is a portal that we have been continually updating to make sure that people who are experiencing a breach or an identity theft situation have a streamlined remediation process that they can use online. And I'm pretty happy to say that in the last year we were able to update that so that now you can almost automatically walk through all the steps of filing reports and helping secure your credit whether that's putting a freeze on your credit report to actually filing a claim. We have it all there on one website identity theft dot gov.
So we're always spending time and energy trying to get consumers the best information possible because consumers are their first best line of defense in an insecure world. But we recognize that it's a huge ongoing challenge. We haven't found the right mascot for it yet. So we'll take a look at the present, not now, not that anything in the past is work that the FTC isn't still continuing to do this day. But these are some particular initiatives that the FTC has been working on. Oh yeah, I'm supposed to do this. So again we've been talking about the role of workshops and conferences. We've been particularly focused in the last few months on working with NHTSA on connected cars. We're also working generally with other government agencies that are sort of expert regulators in their industries thinking about how to incorporate some of the learning from the last 25 years on privacy and security that the FTC has into what they're doing. We work closely with NTIA and their multi-stakeholder processes around these issues. We have very helpful information that we harmonize with the NIST critical infrastructure framework so that we can say look we're all advocating a process based approach to security. We call ours Start with Security. We have guides available to businesses about learning from our cases and are putting out actually blogs every Friday now that are really helpful tips based on hypotheticals that we've seen in investigations of data security situations that are following on the Start with Security guide. I think we're calling it Stick with Security. I can't remember. Basically trying to get as much information about the current best practices out into the marketplace as quickly as we can because we recognize that the situation is always evolving so we're putting that out. And we're hoping to have another PrivacyCon next year. This is the thing we started a couple of years ago. We present research on privacy and data security at an annual con in D.C.
called PrivacyCon. And I think our call for papers is currently open for that and that's on our website. So really briefly some of the questions are running low on time. We will talk about how and why the FTC brings cases. So one way is you can file a report. You go to FTC.gov. You click on file a consumer report. I can tell you people actually read these. I actually read consumer complaints. They do matter and it is how the FTC brings cases. I say viewers like you. The security researcher community, the case InMobi mentioned previously was actually brought because of academic research done by a series of researchers in France. The FTC brings cases through tips, news reports, security and privacy blogs and vulnerability reports. But really it's you folks who can shape the type of cases that the FTC brings. And I just note that in our complaint system, which we do read by the way, anybody can complain. We also are working closely with other organizations, state attorney generals, the Better Business Bureaus who are collecting complaints as well and feeding them into our system. So we are trying to form as many partnerships as possible on these issues. So I bet you're wondering, oh, I have this great idea. How do I share my research? Like what really matters? What may matter naturally to you is great. But the FTC looks for particular things in bringing cases. In particular, they're very interested in representation, representations made to consumers, you know, screenshots of where you bought the device software and evidence of what the consumer or the user might have seen. If it's a vulnerability, what is it? What does it impact? What kind of information is at risk? And when you discuss the impact, and I know these are cut off, but I think they'll be out in the world, be creative. Don't just provide reasonable, you know, don't oversell it, but provide very real impact that it has on consumers. And the vulnerability disclosure timeline, if any, is really important. 
And the content, you know, did you send them emails? You can provide those as well. And where do you send this? Yeah, so just a word on that. One, the more you send us, the easier it is for us to figure out or recreate what it is in the first place, which can be really important. But secondly, if we decide to open an investigation, at that point the presence of that investigation becomes non-public, which means we can't say anything about it back out into the world because we want to keep it confidential that we're investigating a company. That's because not all of our investigations result in cases and we don't want someone to have a bad reputation just for us having opened an investigation on them. So we are a bit of a black box if we decide to open an investigation. This is the email address you can email with research or if you're interested in doing research or participating with the FTC. This is a mailbox that's actively looked at by researchers within the FTC and they'd love to hear from you. And I think that's pretty much it. Yeah, so we hope you've gotten an overview on our talk about the history of the FTC, what we're doing here in the first place, and a bit of flavor for the kinds of cases that we bring. We're hoping that you can use this information to help us with our consumer protection mission. We're serious when we say please do stay in touch, participate in our workshops, in our cons, reach out to research@ftc.gov, follow us on Twitter. We are really interested in continuing the important partnership that we have with the DEF CON community. I think we have a couple minutes for questions and then if we don't get to all of them we're happy to hang out in the hallway. Yeah. Recently a Danish company installed Bluetooth trackers amongst the city to track they could optimize routes and light timings and stuff. But they're doing that because cars are always broadcasting the Bluetooth identity. 
But that is something that FTC would be interested in if the state and the US and the city were to employ something like that. It could probably be just the information. Alright, so the question is, Danish city using Bluetooth trackers to track car location for mapping and traffic flow presumably, right? So the question is, would the FTC be interested? Yes, but we don't have jurisdiction over what state or local governments do because we're the federal government. So if a government decided to do something we don't really have jurisdiction over them. You know, we would say consistent with our guidance that tracking people's precise geolocation in an identifiable way is probably a thing people need to have give consent on. But you know I'm assuming probably the technology here is, well I'm not going to assume anything about what it is, but I think the facts would matter. And I think we're going to continue to have this conversation in a lot of communities as we think about how we put increasingly autonomous vehicles on the road, which is not altogether a bad thing, right? We want to figure out how to bring this technology which has some real value into the marketplace while making sure that people continue to have some privacy. Yes, okay, when the FTC, I'll answer, the questions were what are your thoughts on consumer class action lawsuits and why are we not going to private law firms to bring cases on behalf of a similarly situated class to get them money, because you get money from private class actions. So one, I will debunk that: the FTC, when they receive money from individual cases, we actually don't keep that. It goes to consumers. One case in particular was against Butterfly Labs and the money that they paid ended up being restitution for consumers, so you'd file a claim. So one, so that's positive. Two, class action attorneys are generally limited by arbitration clauses for particular types of violations. 
The FTC luckily can bring cases on behalf of consumers without having to kind of deal with arbitration. It's also a very expensive foray for some consumers and so you have to take on the depositions and everything that means to be put to be part of that. I mean I think we're here talking about the FTC because it's the agency we know well, but there's more than one solution out there for consumers, and of course there's state attorney generals who are excellent and doing terrific work as well and we partner with them. They're about to haul us off the stage so congratulations Whitney on your first DEF CON talk. Well thanks Terrell. Thank you everyone.