Okay, well, thanks for being here. I don't know if this is actually working that well, if you can't hear in the back. This is just a microphone. Let's put it back down. Can you guys hear me? Okay, I'll try to talk this loud.

I'm Terrell McSweeny. I'm a Federal Trade Commissioner.

I'm Joe Calandrino. I'm the Research Director of the Federal Trade Commission's OTech group, which is the Office of Technology Research and Investigation. I tend to be a little bit of a low talker, so definitely just yell at me if I'm not speaking loud enough for you.

Yeah, so do I. I think the title of this talk was originally something like "Is your internet light on?", but what we wanted to do was really talk a little bit about what the FTC has been doing as it relates to the security of IoT products, and then engage in a conversation and answer any questions about the kinds of things we're really looking to partner with the research community on. I guess we also have to disclaim that we're here speaking in our individual capacities, not on behalf of the FTC, because that way we get to have a candid conversation about this stuff.

So the first thing I would say is that the Federal Trade Commission is a consumer protection agency. We're a hundred years old, so what the heck are we doing giving a talk at DEF CON about IoT data security? Well, it's a good question. We basically bring cases when we think consumers are going to be harmed. We use our authority under the FTC Act to bring cases against unfair or deceptive acts and practices. What that means in the IoT space is that if data security is unreasonable and consumers are harmed, we can bring a case. Or if someone is making claims about the security of their product but those claims aren't accurate, those are deceptive claims, and we can bring a case. So we've actually started to bring a number of IoT-related cases.
We've been studying IoT very carefully, and I think it's probably no surprise to anybody in the room that we found this is a very poor security environment for consumers. So, do you want to say a little bit about why you're here?

Okay. So I'm here because I'm a technologist, like most of the other people in the room. My background is that I have a doctorate in computer science focused on security and privacy. I've been with the FTC about four months now, so I'm still pretty much a newbie. And I'm part of a new group that's kind of like the research arm of the FTC. Our focus is on trying to use our understanding of technology to help drive the policy of the FTC. So being able to engage with communities like this is of great importance to us. Also, we're still a pretty small group and there's a large amount of things we need to be able to look into. So we need a lot of help from the people in this room.

So one of the things we've really been working on at the FTC over the last five years especially is thinking about whether we have the resources in-house to be able to protect consumers in an increasingly interconnected world, as the wave of IoT products washes out into the marketplace and over all of us. Pretty quickly we realized that one of the key things we needed to do at the Federal Trade Commission was bring in some technology expertise in-house, but then also form partnerships with the outside community as well. So Joe is a living and breathing example of bringing a security researcher in-house. One of the things we also did was start the Office of Technology Research and Investigation. Why that's important is that we are actually creating in-house our own capability to replicate research and determine what's happening with some of these products.
Basically, one of the things we really need to find out, and this is also where research partnerships really help us, is: how is the technology working? Does it work the way the company claims it works, or does it do something different? And if it's doing something different, that's actually a target-rich environment for us as enforcers. So we started what we call OTech in-house. Am I allowed to say that publicly? I just don't know. I like it. And so one of the important pieces of OTech is actually making sure we have people in-house who can help us translate some of the highly technical work that gets done and presented even at conferences like DEF CON, because I'm a lawyer. I'm not a computer scientist. And while I'm really interested in the field, there are some things I just don't understand. So I rely on Joe and the OTech folks to help me understand how the tech is working, or why an issue is even a significant issue if it's coming in our door.

Yeah, absolutely. I think it really is important to be able to clarify technical explanations and so on, and to have people in-house who are able to call BS on explanations that are provided that just don't actually make any sense in practice. And even beyond that, having people in-house who can do things like setting up MITM proxies and so on is really important when you're trying to figure out how IoT devices and other devices are actually working in practice. Also, I think that generally having people in-house with this type of technical expertise is good for keeping us ahead of the curve. I mean, all of us have seen articles in the news before that talk about some vulnerability in some product, and all of us knew about it three or four months ago, if not years before.
And we want to make sure that as an agency we're staying ahead of the curve on these types of things, and preferably not just a few months ahead of the curve but seeing what's coming years ahead of time.

So when we're thinking about bringing an actual enforcement action against an IoT product, say it's something that's vulnerable, or it has some sort of privacy implication that is not clear to consumers or is the opposite of what the company represents the thing actually does, we look for those cases in a variety of ways. We get them from media reports, we get them from actual complaints that are filed in our complaint database system, and we get them from researchers. One of the things that happens when we see research that's interesting, or sometimes people bring it to us, is that we can then engage with it and try to understand it. Now, it's a little bit of a black box, so I thought maybe you could talk a little bit about what that's like when research comes in the door and how we handle it.

Sure, absolutely. So even before I joined the FTC I'd actually mentioned issues to them in the past, and it was really interesting coming to the FTC and seeing what came of the things I told them. In many cases it was just like putting something into a black box. I didn't hear much about it, and there are pretty good reasons for a lot of that. We can't just go talking about everything that gets reported to us.

Like, literally, legally, this is the actual law. This is where I'd be a lawyer on you. There are actual laws that prevent us from revealing investigations. There's really good reason for that, right, because sometimes we don't end up bringing a case, and if we were revealing information about target companies then that could really harm them, and if we don't bring a case then that's confusing for everybody. So we are really strict about what communications can come back out once we open an investigation.

Yeah, absolutely.
Yes, absolutely. So some of our IoT cases have been primarily privacy cases, especially in the cases of DesignerWare and TRENDnet, where we had cameras being turned on in people's homes without them understanding that the cameras were being turned on, that kind of thing, which is primarily a privacy problem, and then some of them have also been about security practices as well. Sometimes the security practices lead to privacy problems as well.

Yeah, absolutely.

Yes, so we actually have agreements with a number of consumer protection enforcers around the world that allow us to cooperate with them through various mechanisms. The FTC has really been a bit ahead of other consumer protection agencies, not just in the U.S. but around the world, because we've been bringing privacy and data security cases basically for the last 25 years. It started with concerns consumers were having buying things on the World Wide Web and has now expanded as things are increasingly interconnected in our daily lives. So we've been doing this work for a really long time, and one of the things I've really found as I go around the world talking with other enforcers we work with is that they're very interested in the work we've been doing and how they can replicate it in their own agencies, and the first thing I tell them is: get technologists, find ways to build relationships with them, and bring them into your organization, because you need to understand the tech.

Yeah, and this is something we really do want to do. Just over this past summer we had a SAFE WEB fellow from the French Data Protection Authority spend several months with us, and it was a fantastic experience seeing how he was looking at issues and sharing how we look at issues.
So we do a couple of things. We provide a huge amount of business education; we're not just an enforcement agency. We have our Start with Security initiative, we put out a guide about our privacy cases, so we put out a lot of business-facing information about when we're bringing cases and why we're doing that, and what the best practices are that we would like to see industry adopt, and then we make that publicly available around the world.

I mean, I think we are trying to forge a more collaborative environment. I find that a lot of agencies in other places are very new to this work, and one thing that's really different about the US system is that in this country we don't have comprehensive privacy laws, we don't have comprehensive data security laws. Now, we do have laws, but they're sector-based, based on the kind of information, for example Gramm-Leach-Bliley for financial information, HIPAA for health information, but it's a very sector-based approach, and then we have this generalist consumer protection enforcement authority to protect consumers from all these other things. Many other countries adopt a different model, which is a more regulatory approach at the outset and less enforcement-based on the back end. So it's sometimes translating an enforcement-based approach to these challenges of protecting consumers into an environment that's more like a regulatory approach.
[Audience question, paraphrased: there are pretty much no laws related to IoT data, and no privacy laws in the EU that cover this specific data, so are you seeing any movement in the EU, China or other countries?]

So in the EU, of course, you're probably familiar with the fundamental right of privacy, so usually when I'm in Europe they say there are no privacy laws in the US, but we have them here because we have a fundamental right. But they also have the European Data Protection Supervisor putting together a whole privacy framework that will go into place in 2018 in the EU, so some of our conversation is very much about how we're going to facilitate cross-border data flows between the European framework and the US framework, which is why we operate something called Privacy Shield, which I will get into if anybody wants to talk about that, but it's super boring, about how we move data back and forth. Important, but boring. We've seen Japan, for example, is in the process of updating its approach to privacy; I think Korea is as well, just trying to think of agencies I've talked to recently. It's not a conversation we have a lot with China; I'm just going to leave that there. And certainly when we think of our ASEAN partners, that's one we're very engaged in around Asia. I should also note that this is supposed to be basically an open dialogue.

Yeah, that was good, let's keep dialoguing. No, thank you for the questions. So the question is, are you interested only in IoT things or all things? So we're in an IoT Village, which is why I'm talking a lot about IoT, but the bulk of our data security and privacy cases deal with probably software and platforms more so than strictly IoT, but that's partly a function of the fact that IoT is relatively new, I think, and we have a much longer history of dealing with websites and that kind of thing. We are also a broad consumer protection enforcer, so we work on all kinds of consumer frauds. We also
police advertising practices, children's privacy online, so we handle a whole range of different kinds of issues.

Yeah, and you can get some sense of the diversity of issues we care about even by virtue of the workshops we have coming up in the fall. We have ones that relate to ransomware, to drones, to disclosures, which are going to be a big deal on IoT devices, to things like how fraud and other things affect different communities with the changing demographics in this country.

Smart TVs.

Smart TVs, yeah, that's another big one. And we even have a general sort of PrivacyCon that's going to be going on in January that we would encourage people to submit work to. And that also emphasizes why we need the people in this room. For instance, we have people looking into smart TVs and trying to figure out exactly who they're communicating with and what they're communicating, and that can be really tricky when you're dealing with fairly locked-down devices where you can't actually see the communication directly. We need the skills of people; even if we had a lot of people ourselves with the skills to actually try to figure this out, there are so many different devices out there that keeping tabs on everything really does require relationships with quite a few people beyond just our own agency.

We've also, this year, brought a routers case involving the lack of security in routers. I think that's going to continue to be an area for us. We are also looking at fintech issues as well, so it's a little bit outside of simply privacy issues, but we see a whole range of different consumer protection related issues coming up in a variety of different sectors right now.

[Audience question, partly inaudible, about IoT products and consumer safety.]

No, we don't do safety. We protect consumers generally from frauds and deceptions, from making unauthorized payments,
that kind of thing, from advertising fraud, but we actually have a separate commission in the U.S. government that does consumer product safety. Now of course, as we go through the world of IoT, safety becomes a consumer harm, so we can take action when consumers are harmed, and I think safety is a big dynamic in IoT. So whether or not you can unlock connected locks and get into someone's home really exposes them to a certain kind of harm; that's a safety-related harm. Car hacking, the security of cars, exposes people to privacy harms but also safety harms, and certainly in that space you're aware of these concepts. For us it's the harm, but we don't test for whether the product is safe; that's the Consumer Product Safety Commission's position.

And there can also be deception issues possibly there too, like even all the health apps that make certain claims about what they can do, if you don't actually have the science to back it up. Even though we don't typically get into health quite as much overall, that would be an area we might get into. Yeah, the long and short of it is I don't work so closely with the Consumer Product Safety Commission to know exactly how they're handling the technology issues.

One of the things we're really doing is working with a bunch of the other government regulators that have overlapping interests. So if DOT and FAA are looking at drones and cars, and the FDA is looking at medical devices, we partner with them when we're thinking about the privacy and data security implications of those products, and try to make sure that they have the information we have about how those products are functioning, because some of these older agencies are confronting these issues for really the first time, right? So the automobile industry, for example: we have a very long history of an expert regulator that's handling the safety of automobiles, but it has to get very fast now about the safety of
the computers that are driving the automobiles, right? And that's like a whole new world. Sorry, there's a bunch of questions. How about in the back first? All right, sorry, I was actually talking to you, sir, in the back. So the question is, can you talk a little bit more about the router case and the expectation around it, and maybe what we're hoping to achieve? Do you want to start with it, or... okay.

So the router case. I mean, I can give a brief description of my memory of the case. I don't actually have it all in my mind; I've only been with the FTC for a fairly short period, so my recollection of all of our cases is still growing. But my understanding was that it was ASUS consumer routers, ASUS-provided routers, or rather ASUSTeK, and those routers had in them a number of deficiencies that would enable somebody to access things like consumer storage, as well as potentially even do things like change the DNS mappings and so on. Those deficiencies had been in there for quite a while, and people had even reported them to the company, and the company had not taken any action and didn't have a program in place to respond to those types of reports. So in terms of what the standards would be in that case, I would say those were fairly clear harms.

Yeah, but so they didn't have... I mean, one of the things that really jumped out at me as being an unreasonable security practice is the fact that they had known, widely reported vulnerabilities that were pretty problematic, and were very, very slow or didn't respond at all to them. They were also adding some offerings to the router package, claiming that they were using the best encryption possible but not properly configuring the encryption, which is a big red flag, I think, as well. When you're making that kind of marketing claim about configuring your encryption, like, do it properly, right? This is a theme; we've done this, and
we've had a couple of other cases. Fandango comes to mind, and there was one other one, Credit Karma. Credit Karma, right, where the security certificate verification was not configured right. So, yeah, wow, that's a big problem. So that was a big issue as well for me in that case. Now, as you point out, routers are maybe the consumer's gateway into their home network, so protecting them adequately and trying to make sure that we're in an environment where the data security practices of the folks making those routers are good is a really big priority for the FTC. So we've been looking very carefully at some of these different consumer offerings and trying to understand some of the problems we're seeing. I mean, I think the ASUS case is a really good example of where we were watching very carefully some of the research and discussion about the vulnerabilities and taking it really seriously. It takes us a little bit of time to bring a case, so sometimes people get frustrated that we can't bring a case in six months or something, and I think this time it took us about a year to do all of that work.

And you both might say... yeah, so we actually put companies under order, and within the order they are required to have security programs and to notify customers. But you're highlighting a thing that I actually think is kind of the next frontier for IoT products and consumer protection, which is: how do we make sure that, as part of protecting all of these products, consumers are getting accurate information about how long the product is going to survive as a connected product and a secure one, and how do we make sure consumers are getting information if a company bricks its product relatively early? So we actually took a close look at this. For example, I don't know if you followed the Revolv/Nest kerfuffle, but basically Nest bricked the Revolv product early, I suppose you could say. We have a closing letter;
we issue those when we decide not to bring a case but we've looked at something carefully, and in the closing letter it says, you know, this could have been a problem. I'm summarizing, so read the closing letter. It's like, this could have been very problematic, but by the time we issued the letter Nest had refunded customers and they had a program in place to address the concerns that were raised by the customers. I think that's the kind of thing you need to think about in the IoT space: having a way to make consumers whole when their connected thing is no longer supported, especially when it's no longer supported a lot earlier than what a reasonable consumer could expect, right? It's going to be a consumer protection issue for us, so we're watching that.

So we don't have great extraterritorial reach, which is too bad. I mean, probably good overall, but so we can't really... there are other agencies in the government that can, you know, stop importation of things and have a policy where they can reach things more broadly in other countries. We can really only focus on what's happening here in the US, so I don't think we've probably shut anybody down. I think we're aware of the supply chain issue, and, yeah, I mean, we make strong efforts to freeze assets and do other things such that somebody who's committed fraud, for instance, can't just basically get shut down and then do the same thing again. I mean, it can certainly happen, but we are aware of that kind of concern. It's hard. I mean, we can go after the conduct that's happening in the US, but it's hard for us to reach an entity if it's totally offshore. Yeah, and if it's doing business in the US then we certainly can; it's just finding that nexus. Yeah, that one's a really tricky area. I mean, the game of consumer protection and protecting consumers from frauds and scams is inherently a whack-a-mole game,
unfortunately, because one thing we've found over a hundred years of consumer protection is that there are bad actors that will find new and exciting ways to exploit people. One of the reasons why the FTC got involved in connected technology products relatively early was that they became a way for people to steal consumers' payment information, right? I mean, our early cases are all about making sure consumers had enough trust in something called the World Wide Web that they would buy something on it, right? And that's kind of how we got into this business to begin with.

The question is a really good question, which is sort of: when do we bring a case against a company because of its security practices? Am I summarizing that right? And the answer is, the test we use is whether or not the security practice was reasonable or unreasonable, which turns out to be a very lawyerly thing, so as the lawyer on the panel I will translate it for you. The bar of reasonable is, to be honest, not an extremely high bar; I kind of sometimes wish it were a bit higher. But more or less what we look for are the security practices of the company. Now, breaches and things like that can be really good indications that there was a problem, but they're not dispositive of whether we would bring a case. So when we see something, then we start taking a look, which is why having people like Joe is really helpful, and we try to understand, well, what was the company's security process, what were their procedures. We actually have a guide; I'll do a little plug here: our Start with Security guide. It's actually a 10-step guide in plain English that's really designed to communicate with people who are not security experts, but maybe as security experts it could be very helpful in dealing with them, where we talk, based on the cases we've brought, about what the best practices are. Some of the problems we've really seen lately that I think are relatively unreasonable when we start seeing them in this environment is
the extent to which you have some sort of vulnerability reporting program; the extent to which you are able to classify those vulnerabilities in terms of the importance of patching and fixing them; the response time on those; whether you're properly configuring things like encryption if you're using it; whether you're training your employees; whether you're keeping passwords in a folder marked "passwords" in plain text, right? That's actually a case we brought. So we're looking for, essentially, I would say we bring a case when a security expert would look at the practice and say, that's ridiculous, how did they let that happen?

Yeah, so basically, if there's some flaw in some library that everybody's been using for the past decade and has been looking at carefully, and it pops up and affects a couple of different companies' products, and everybody's been using this and looking at it carefully, and it was just something random, I would suspect we're not necessarily going to go after that particular case. But one thing worth noting is that what's reasonable might actually evolve over time, which is part of the reason why we're trying to give guidance to companies so they can figure out what is reasonable even as things evolve. But it's also part of the reason why we need people telling us when norms seem to be evolving, based on what they're seeing.

And the reason is, I mean, again, I don't know if I need to tell anybody in this room, security is a highly dynamic field, so what best practices are today is a bit different from what best practices were five years ago. We don't expect people to have perfect security, but what we're looking for is reasonable security, and what's reasonable given what we know and where we are in the field. Unfortunately, I mean, we also wrote a report, and we've been studying IoT for the last couple of years; I mean, I think what we've seen is that
there's just a wide range here: some companies with relatively mature security systems and concepts and procedures entering the space, and then some companies that have never thought about it, that have been making relatively dumb things and are making them connected and bringing them to market, and they still haven't really thought about it.

Yeah, that's problematic, and it's a tricky area. There are a lot of sort of mom-and-pop type shops, essentially, that are creating their own new IoT devices and don't really have as much experience with security, and this is somewhere where, once again, I keep pointing this back to the people in the room, but people in this room also can play a role in terms of helping to build platforms and so on that help people who might not necessarily have as much security expertise do things correctly.

So I think the question is, are we providing guides at the enterprise level, or in the sort of business-to-business market, versus simply just... yeah. So one of the questions that commonly comes up in the business-to-business space is how accountable you are for your subcontractors and their security practices, and one of the things I think we've been really clear about is that actually you're going to be fairly accountable for those practices. So the security issues for us at the enterprise level tend to deal more in that space, I would say. I don't know.

Yeah, I would think so. I mean, it's also worth noting that we are consumer-focused in the end, so something that doesn't necessarily have an impact on a consumer, yeah, we're a little bit less likely to get directly into. And also, if you're looking for whether we have very specific technical expertise, one thing I'm reluctant to do would be for us to give very, very low-level advice, like you should have a certain setting in a certain file or use a certain specific language for doing something, because I mean that
would be somewhat constraining on business, and we're not here to try to stifle what people are doing, right?

So I mean, another way we say that, especially in the policy debate, is we say, look, it's important to be tech-neutral about the advice we're giving, because this is such a dynamic field. So we're talking about the processes and procedures that we think are the right ones to have, but we're not dictating what kind of tech is the right thing, because I think that's just not our role.

Sure. So in terms of consumer-side support and service, we run a number of websites and put materials together for consumers. The biggest thing we provide consumers, I think, is probably our IdentityTheft.gov website, where we have a one-stop process for remediating identity theft issues. It's actually tailored with a flow chart so that people can deal with whatever specific identity-theft-related problem they're having and then get the right information about how to remediate it, and a lot of it's automated to make that an easier process for people. And we put out a lot of consumer-facing blogs and information about different scams and problems and issues we're seeing. One thing that we lack, and I was actually really psyched to see the presentation this morning, is a good way of providing easy, consumer-friendly information about the risk associated with a product, or the level of security of it, right? So right now in the marketplace, especially in the IoT marketplace, most consumers don't really have a metric by which they can evaluate whether this baby monitor is more secure than that baby monitor and factor that into their choice when they're buying the product. So one of the things I'd really like to see is more and better availability of that kind of thing, so that consumers have a chance to literally affect demand based on the security of the product as well. Right now that's very, very opaque to
consumers; they have almost no way of knowing how good the security of a connected product is.

Yeah, we don't. So we don't provide... we accept consumer complaint information, but we don't have a call center that takes... I mean, we have a call center that takes the complaint, but we don't have a response.

Yes, so this is a great question, which is: what is the view on whether the consumer owns their data? This is actually a huge topic of debate around the world right now. It gets really to this core problem of how much notice and choice people should have when their data is being consumed, taken up in different spaces. In the US, for example, you can passively gather information about people; there isn't actually a restriction on that, except for children if you're marketing to them, I guess. And so that would actually require a lot of law change, really. But one of the things we have done when that's happening is make sure that if the company is making promises about the kinds of choices they're going to offer consumers, they live up to them. So we have a case against a company called Nomi that retailers were using to gather location information about people, to understand where their customers were, but they said, look, we'll provide an opt-out in the retail locations that are using this, which they didn't do. So we said, look, you can't say you're going to provide an opt-out and notice to people and then not offer it, and so that was deception for us. But it's important to note that in the US at least, the existence of that technology and the use of it does not require some sort of positive opt-in for consumers. It's an interesting question. I mean, on the one hand you want the innovation, you want the smart cities, you want the ability to have all of that work really well, and on the other hand you want consumers to have some control of the choice. It's a fascinating set
of challenges we've also been looking at cross-device tracking as well and how that's working for because I think that there's a lot of interesting tech that's about making sure that advertisers can know what you want a number of platforms right and the extent to which you know that that how that's operating is the thing that's interesting to us yeah so I think we're we're like two minutes away any last questions see I have one then two I'll do them fast do you want to take that one I'm sorry I didn't get it so you're talking about when there's a widespread vulnerability and something but it's really hard to replace them I didn't quite hear the last part I mean I think it would even depend upon what the consumer's expectation was of the product at that point like if you have like a device that's if you have a 30 year old device in your home and you find out that it isn't insecure or that essentially the firmware and it was insecure or something else like that it would be challenging actually to figure out exactly what the right thing would be to do in that case in particular because the company might not even be around anymore this is part of the reason why I think it is actually useful where at the time when a consumer potentially is purchasing a product to have some idea about what what they can expect in terms of support and so on going on from the product so at the time when I purchased a product I know that maybe 10 years from now this product might might just be essentially bricked or I will need to get rid of it and patches will no longer be provided but essentially the more that the consumer knows the less likely that we are to get into a position like that sorry and you had a question then we'll wrap up so you mentioned voter ability reporting programs so is that pretty important as far as to an IT company doesn't have that it says like I would put it right up there on like my top five like good security hygiene practices right some mechanism I mean I'm 
not saying everybody has to have a bounding program although I think they're awesome because crowdsourcing is a really good thing to do but having some mechanism to get the reports in and then respond to them is sort of basic and it's really important I don't know yeah I mean if so I mean I could imagine there being like a fairly new for instance website or something else where they just have some general contact information but if somebody says listen your site's leaking social security numbers left and right or something else and you contact that email address I would expect there to be some sort of a prompt response so there should at least be some way of getting in touch if there's something wrong with your product and I think that with IoT devices it seems it seems pretty reasonable to me to expect that there's some way of getting in touch especially if you're dealing with things that are sensitive enough that somebody might need to get in touch with you quickly so thanks a lot for coming to our talk we're happy to continue to answer any questions that remain again if I can make a one big pitch it would be we have an open door policy we're really interested to hear what's happening out there we also are actually completely happy to answer questions and do so all the time from businesses that are trying to do the right thing so our staff is awesome they're accessible we could have put up a slide I guess I'm on Twitter at team xweeney fdc you're in plain text at in plain text right we also have an email address is it research at fdc.gov research at fdc.gov I actually read the things that come to that email address so send you a good research but maybe not too much of it but yes research just singular yeah and we will make an effort like even in the case I mentioned earlier where I reported things and I it appeared to be going into a black box people actually behind the scenes were really looking into those issues I found out when I got there like really really 
looking into them so we do care when we hear about things fear whatever happened you choose to contact us and sometimes you know the resolution of them is that we open an investigation we go look very carefully we decide we don't have enough to bring a case but in the meantime the fact that we've opened the investigation and and the company's having to look at itself very carefully through that process actually effectuates change as well so sometimes if the research doesn't end up in an actual case then it may very well influence our ability to open the investigation which may in turn result in really good changes for consumers which is everybody's goal all right well thanks very much appreciate your time