Well, thanks to everybody for coming out for this talk. The FTC is kind of the federal agency everybody can actually love. Yeah? The FTC has been doing really cool stuff, and they're here to give everybody some really good news and talk about some new programs that they've got going on. So let's give them our support and give them a big round of applause.

Awesome PowerPoint, but it's not coming up right now, so maybe it'll come on during our presentation. If you could see it right now, it would say that the title of our talk is "Research on the Machines: Help the FTC Protect Privacy and Security of Consumers." And then the next slide would say who we are, but we'll just cover that. I'm Terrell McSweeny. I'm a Federal Trade Commissioner. I'm an attorney, and I'm really interested in protecting consumer privacy and data security.

And I'm Lorrie Cranor. I'm the chief technologist at the FTC. I've been there since January and I've been doing a lot of security and privacy related work.

So, the machines. You know, estimates vary. I see this wide range of different statistics. It looks like we have about 25 million connected devices right now and we're on our way to about 50 billion consumer facing connected devices in 2020. You know, some people call this the Internet of Things. I think that term is a little bit overused. I think it's internet of a lot of stuff, but really what's going on here is that we are connecting ourselves and the stuff in our lives in new and exciting ways. That's bringing a huge amount of innovation to consumers, and we want to make sure that consumers get the advantage of it, but I don't need to tell anybody in the room that it's also creating a huge amount of insecurity for consumers and raising a lot of privacy issues.
So one of the things that's also happening, and we saw this on display terrifically yesterday in the DARPA competition, is that the machines are getting smarter as well. So at the FTC we're really worried about trying to protect consumers in this increasingly interconnected environment. One of the things that we're very focused on is the potential security and privacy risk to consumers. And I'd also note that I think increasingly consumers themselves are very, very concerned about trusting these devices. So we see some survey data that really indicates, oh, slide! Yes! It says you're going to slide ahead of where I am. There we go. Machines, right? Okay.

And so we see some consumer survey data that really indicates that consumers themselves are maybe not adopting some of these new technologies because they're worried about the security of them. You know, I've been attending DEF CON for the last three years and I see a lot of really creative, really interesting work presented here, and I think, you know, consumers are right to be a little bit concerned about the security of these devices. So we're starting to see that reflected as well.

So what we're going to cover today is really how we're trying to approach this challenge of protecting consumers in this environment. It's easy to sort of adopt this attitude of, like, "Abandon all hope, ye who enter here." There's, like, no way we're ever going to fix this. It's just a disaster for privacy and security. But I really prefer to approach this issue using the teachings of another great master: "Do or do not. There is no try," right? So we're going to talk a little bit about the "do" part of this and what we are trying to do at the FTC today.

So, quick overview, we can go. Oh, right. I'm sorry. Issues of the day. In addition to bringing a bunch of enforcement cases, we are also really trying to focus on the broader policy debate.
And we're going to talk about how we need your help. We're going to talk about some of the events that we're holding and some of the ways that you can help us.

So how do we respond to the rise of the machines when the machines are everywhere? Well, the FTC, and we're using its acronym, the Federal Trade Commission, actually has almost nothing to do with trade policy, thank God, and everything to do with being a consumer protection and competition enforcer. So primarily what we do is bring cases against companies. These are civil cases. It means we sue people. We get settlements. We put them under order, and then we operate and make sure they comply with the orders that we put them under. That's really different than other parts of the government that are more focused on writing rules or regulations, which isn't so much what we do, with the exception of writing rules about children's privacy online under the COPPA Act.

So we primarily bring cases involving privacy and data security, and by last count we've actually brought more than 400 of these cases since we began bringing privacy related cases almost 25 years ago. So it's not a new issue for us, the Federal Trade Commission. We do it by using two authorities in the FTC Act. First, we look at whether a practice is unfair, and it can be unfair legally if it's going to create a substantial injury to consumers, it's not reasonably avoidable by them, and not outweighed by some other pro-competitive or consumer benefit. Or we bring cases in situations where something has happened that has deceived consumers in a meaningful and material way. And so those are the two primary ways in which we have really engaged in an active enforcement mission to protect consumer privacy and data security. So what does this mean? Example.

Yes, so we're going to tell you about a few cases here.
So Facebook had settings for users to control their privacy settings, and they promised that if you limited access to some of the personal information you posted, that it would not be viewed by people that you did not grant access to, it wouldn't be shared with third parties. And they also said that if you deleted your account, then the photos that you had posted would no longer be accessible. But as it turned out, some of the information people posted was accessible to other people and third parties beyond the settings that they had set. And some of the photos were accessible even after people deleted their accounts.

It was deceptive, and it also turned out that we brought an unfairness count in that case, because some of the data that had been designated private, Facebook sort of retroactively changed how it was handled and made it public. And we said, wow, that's super unfair. Again, consumers can't avoid that and it can cause them a real harm. So that's the legal theory for that kind of case.

So in the case of Google, they had promised people that their Gmail contacts wouldn't be used for anything other than as part of Gmail. However, when they launched their new Buzz social media service, they populated Buzz with the Google contacts from Gmail. And so that exposed people's contact information on Google Buzz.

Yeah, actually a broader case as well, involving a number of counts, but mostly they're all deception based counts there. So the misreps are: you're sharing information under one set of terms, but actually they don't live up to that set of terms. So that's a misrep case, misrepresentation case, for us. It's deceptive to the consumers.
And I guess I should note here as well that these are cases from like 2011, they're a little bit older, but this was the first case where the FTC remedy actually requires a comprehensive privacy policy be implemented by the company. The result of these cases are orders, we call them consent orders, resolving the claims, that put these companies under 20 year orders, and then we go back every couple of years and look at how they're doing. It also gives us an additional way in which to make sure they're complying with the orders, because sometimes things happen, and if they are in violation of the order, they're in contempt of it, we can then penalize them monetarily, which can be meaningful in some cases.

So Snapchat had promised that the images that you send on Snapchat would disappear after a short period of time, and that if somebody tried to take a screenshot of them you would get a notification. But actually there were a number of ways that you could save a Snapchat image, and you could also circumvent the notification feature.

Yeah, so it doesn't disappear: deceptive. Pretty simple.

So Wyndham, the hotel chain, had three data breaches that unfairly exposed consumers' payment card information. They had a number of security failures that led to these data breaches, including storing payment card information in the clear, and not patching, and not monitoring their systems for malware.

Yeah, so this is an important case, because actually we proceeded using our unfairness authority, saying the data security practices were unfair to consumers. Wyndham disagreed with us. We engaged in extensive litigation, and this year we won at the circuit court level the use of our authority to bring data security cases to protect consumers. So that's a really important validation of the Federal Trade Commission being in this space and using our authorities.
Okay, Oracle provided a Java update to correct important security flaws, and they promised consumers that if they installed this update they would be safe and secure. However, the installer did not automatically remove all of the old versions of Java, leaving users vulnerable.

Again, an important data security case, and I think we'll transition now into another really important data security area for us, and that's the internet of things stop.

Yeah, so ASUS made routers, and they promised consumers that their routers would protect consumers' local networks. However, the routers were vulnerable to an exploit that provided complete access to a consumer's connected storage devices without needing any credentials. They also did not address security flaws in a timely manner, which allowed attackers to change router security configuration without a consumer's knowledge.

And I'd just note here, I mean, routers are just an incredibly important feature of protecting all the connected devices that you might have on your home network. So making sure that the companies that are making claims about the security of them are actually making valid claims is really, really important. So I think this was a super important case. Another feature of it was, and we've seen this in a couple of our other enforcement actions, configuration of encryption, whether it was properly used and properly configured or not, and when it's not, we've actually brought cases as well. So Fandango is another one of those. There's several other examples that we could use, but for the sake of time I think we'll just say these are examples of how we use our authority, and we thought they were important to share so that as we have a conversation about how we can work with you to help bring cases, you understand the kind of legalese that goes along with them. So how do we bring cases?
Well, we rely on researchers and research, so that's going to be an important part of our talk today. We also read media reports and find those very interesting a lot of the time. And we actually get cases through consumer complaints and other complaints that are filed with us. We have a whole network, actually, it's called the Sentinel Network, and it helps us bring in complaint data from consumers, also from state law enforcement agencies, from Better Business Bureaus, and from a variety of places. This network actually works for our whole mission. A bulk of what we do is also protect consumers from scams and frauds and things that are very low tech, but it has a tech component of it as well.

So, you know, I think we've been spending the first part of our talk talking about enforcement. It is one of the most important things that the FTC does, but we're really mindful that all of this amazing connectivity in consumers' lives is raising a host of issues that go far beyond simply whether the security practices are unfair to them or whether they're being deceived about what the products are actually doing. So the FTC is not just an enforcer, it's also kind of an advocate, and we're trying to work with other government agencies and with other communities to make sure that we're putting in place the strongest possible policies and responses, both to help keep consumers informed but make improvements to our laws as well, so that as all of this great tech kind of cascades over us in our daily lives, we have better and stronger protections for consumers.
So I'm going to talk about an example of something that we worked on, and this started with a personal incident that happened to me. Shortly after I started working for the FTC, my mobile phone account was hijacked, and I discovered this when my phone stopped working, and on the same day my husband's phone stopped working. We called our carrier, and our carrier said, "Oh, is that your new iPhones that stopped working?" And we said, "We don't have new iPhones." And they said, "Well, in our database it says you have new iPhones." So they sent us to the phone store to get new SIM cards, and eventually they figured out that there had been fraud on our account. It turns out that somebody went into a phone store with a fake ID, claimed to be me, asked to upgrade the phones, and the phone company happily gave them two brand new iPhones, charged them to my account, and put our phone numbers on them.

So when this happened to me, I cleaned up the mess, but I was really interested in how often does this happen to other people and what could be done to prevent this. So I talked to all of the major carriers about what they were doing to prevent it and the type of authentication procedures that they're using. They are relying mostly on that driver's license and a phone store employee who's not necessarily well trained in how to spot fake IDs.

I looked at our Consumer Sentinel database to try to understand how often this was happening. Now, Consumer Sentinel, you know, gets all these reports that people send in, and in this case these are mostly reports that come in through identitytheft.gov. And we know that this is just the tip of the iceberg, because most people don't even know that they can submit their identity theft complaints. We're trying to get the word out, so tell your friends. But we expect that this is only maybe 1% or so of the total identity thefts that are happening that we see.
So I went back through this data, and if you look three years ago, in a typical month, say January 2013, we got about a thousand reports of this mobile phone hijacking or a similar thing called SIM swap. So we had about a thousand reports, and that made up about 3% of all of our identity theft reports that month. Then we looked three years later and we find 2600 reports, and that is about 6% of all identity theft reports that month. So we're definitely seeing a trend here of this becoming an increasingly large problem. I also did a lot of looking for media reports and saw that there were a lot of reports of people having similar things happen to them.

Perhaps even worse, besides just using this to get free phones, some of the attackers are using this to get access to the victim's phone number so that they can intercept their two-factor authentication. So shortly after this happened to me, it happened to DeRay Mckesson, who is a well known Black Lives Matter activist. He has something like 400,000 Twitter followers, and somebody wanted to get into his Twitter account so they could tweet as him. And this is something that is becoming increasingly common. I understand that in Europe they're doing this to get access to people's bank accounts, and the attackers are successfully able to get in and actually clean out people's bank accounts.

So is it any wonder that consumers have trust and security issues?
I will note that our Consumer Sentinel data, that complaint data that we've been talking about, reflects that identity theft is the number one consumer complaint for the last five years. We get hundreds of thousands of these complaints, so it's not just this kind of spoofing, but it's a wider problem as well. It doesn't show any signs, not surprisingly, of lessening, unfortunately.

So obviously there's a huge amount of defenseless data out there. We have this alphabet soup approach to our privacy protections in the US. Many of you in this room are probably familiar with it. The TL, you know, DR version of this is like: FTC Act, FERPA, COPPA, HIPAA, Communications Act, GLB, state laws, right? But there's no comprehensive privacy law, there's no comprehensive data security law. So that's the atmosphere that we're operating in, which is why the FTC doesn't just do enforcement, it does a tremendous amount of education, convening, and trying to work broadly to address these issues.

One of the initiatives that we've had in the last year is something called Start with Security, which is really trying to get our message out about what good security practices look like. I probably don't need to tell anybody in this room that a lot of the consumer facing technology is pretty porous, and in fact many of the people who are creating it probably have no idea what starting with security actually looks like. So we're trying to get that message out as broadly as we possibly can. Some of the biggest problems we're continuing to see are ignored reports of vulnerabilities, slow response time to vulnerability reports, lack of data minimization where appropriate, failure to store passwords securely, lack of training of employees, lack of proper configuration. You know, so we continue to see a host of problems in that space as well.

We're also trying to increase our in-house capabilities and our in-house expertise to
understand how the technology is working and to be a better environment for people like you to bring research to us. So actually we have some of our awesome Office of Technology Research and Investigation folks here today, Joe and Erin, if you want to raise your hand. And if you want to do, like, shirts like this, yeah, yeah, so shirts like this, you want to do an IoT deep dive, Joe and I are actually going to be in IoT Village later on this afternoon at four o'clock, so we would love to talk to you then and also hear of any issues and research that you've already been doing in the IoT space.

So we also have an internship program, and we're trying to bring more technologists in through that as well. One of the things that the Office of Technology, OTech, is doing is they are putting together a fall technology series. And so we have coming up in September a workshop on ransomware, in October we have a workshop on drones, and December a workshop on smart TVs. There's information about all of these workshops on our website. We're very interested if you have expertise in these areas, you have research reports, anything you'd like to share with us. There's information on how you can share that with us either before or after the workshops. If you're in the DC area, please come. The workshops are free and open to the public. If you're not in the DC area, or even if you are, you're welcome to watch our live webcast of the workshops, and the videos will also be archived. So these are good ways for us to collect information on these topics, focused on the security and privacy issues, and to better understand what consumer protection issues there are in these spaces.

Another workshop we have coming up, and this is one that I've been working a lot on, is Putting Disclosures to the Test. So my interest in this started when I was doing work on privacy policies, which are a type of consumer disclosure, but I realized that there are a lot
of other types of disclosures which the FTC is interested in, which have some of the same problems that privacy policies do as far as being long and hard to understand, and we would really like them to be more effective. And so the purpose of this workshop is to bring in researchers who do usability user studies and evaluate disclosures, to try to figure out how to make them actually communicate well with consumers. And so we'll be hearing from people who have done work on privacy notices, but also nutrition labels and drug facts and all sorts of other types of disclosures.

I thought this was covered so incredibly well this morning by Sarah and Mudge in their talk about the Cyber Independent Testing Lab that they're putting together: this need to have consumers have more transparency so that they can make educated choices about the products that they're buying, the software that they're buying, the apps that they're buying, and just to understand what some of the risks might be associated with them. So we're trying to really improve and increase and expand our knowledge about the kind of communications that work with consumers and are effective with them.

Oh, PrivacyCon too. So this is our second annual PrivacyCon this year. This is also a forum for researchers, especially researchers who are doing privacy research, to come present it to us. We had an incredibly successful first PrivacyCon last year. We're going to do it again this year. And I, first of all, learned a huge amount, which was great. It definitely affects our enforcement, but it also, I think, really affects the broader policy discussion that we're having on privacy in the country as well. So that's coming up in January. There will be information about how to participate.

That is actually currently on our website. It's currently on our website, and we are seeking research papers in the privacy area right now. The deadline, I believe, is in October sometime. So definitely think about submitting
things and think about coming or tuning in. This should be a really great event.

So, research. Talking about the research wish list that Lorrie has been putting together, which I'm really excited about, because I feel like sometimes we have a very abstract conversation about what it is that would really help us to understand better, with the academic community, with the researcher community. So this is our attempt, and it's going to be an attempt that we keep pursuing, right, to sort of refine the kinds of issues that we think are really going to be helpful to us to understand, and to really solicit research in academia and elsewhere for these kinds of topics. We also are going to make sure that we have time for questions too, so I'll, okay.

Yeah, yeah, yeah. So I spent some time working with the OTech folks, and we went and talked to people in every division of the agency about their research needs, so that we could then go out and talk to researchers about ways you might be able to help us. I don't have time to go through the entire wish list, but we're going to focus on some of the security and privacy items here.

So we're very interested in research on how to assess the risks that are posed by breaches and vulnerabilities. You know, we know that there are risks, but we want to look at exactly what metrics can we use to assess them. We also are very interested in protecting consumers from ransomware, from malvertising, and other risks, and so we're interested in research that helps us protect consumers. We're also interested in being able to trace exposed data to specific breaches, and we're looking for research to help us do that. We're looking at research that is at the intersection of economics and security: how can we make certain types of attacks less profitable and therefore less desirable for an attacker to pursue? And then we're also very interested in protecting consumers from fraud, and so we're
interested in ways that we can automate the process of spotting fraud, detecting fraud quickly.

IoT devices is an emerging area, and we're very interested in research related to that. We would like to help IoT device manufacturers and platforms have better security, and so we're very interested in research along those lines. We're also interested in defensive measures, so that if there is a problem with an IoT device it won't compromise the entire network.

Other emerging trends: there are increasing devices that have sensors in them, including devices for children, Barbie dolls that talk to you and things like that. We're very interested in how to prevent these devices from compromising consumer privacy and children's privacy. We're very interested in how to isolate critical systems, for example in connected cars. Bots, that's a new thing. Increasingly we have bots, other artificial intelligence, and when consumers interact with these bots, we wonder, do they even know that they are interacting with a machine? And so we want research on how consumers can become aware of that and what they know about this. Virtual reality is a new area that we've seen a lot of progress in lately, a lot more consumer devices available in the virtual reality space, and there hasn't been a whole lot of discussion of the security and privacy issues. You know, it's fun, it's entertaining, but we want to stay out ahead of that and try to make sure that we protect consumers as well.

New tools and techniques: we're very interested in a variety of different types of tools. We're interested in hearing about tools that consumers can use to control their personal information, and especially across contexts, as personal information is now increasingly shared across contexts, your phone, you know, shares with your TV and whatnot. We're also interested in tools that help consumers observe what data their devices are sharing. We are interested in
tools that allow us to analyze apps and to understand the type of data that they are sharing and are associating with third-party libraries. We're interested in algorithms that are used to make decisions about people and may actually, either on purpose or inadvertently, discriminate against people. We're interested in identifying when cross-device tracking is occurring. And we're interested in tools that will help us identify vulnerabilities in IoT devices, and many, many more. This is just a quick sampling of some of the research areas that we're interested in and that we hope you will come talk to us about if you have insights.

So what happens if you do come talk to us about it? So our OTech folks will take a look at the research that we receive. They will look across the agency to find people for whom this is relevant and try to direct that to them, so that we can see if it's going to be of use to the work that we're doing, or whether we should start a new project in an area that somebody brings to our attention.

Sometimes you bring something to us and then we actually end up bringing a case, so it can result in a lawsuit against a company as well. That's happened some of the time. So actually, segue as well into the "We want you" slide, the creepy Uncle Sam. You know, I think what we're trying to really, if you have one takeaway from this talk, make clear here is that we actually can't solve all of the challenges that are going to be confronting consumers in a hyper-connected environment without a lot of partnership, particularly with the security researcher community. So we're trying to do the most that we can do to try to develop those partnerships and have it inform not only our enforcement mission but also the research that we do, the studies that we conduct, the workshops that we conduct, and the ways in which the FTC tries to actually make sure that policymakers and
others in the broader space are seeing these issues that might harm consumers.

Yeah, so we have set up the email address research@ftc.gov. Please use that to send us research, and that will be examined by our folks in OTech. And for pointers to all of the workshops that I mentioned and all the other things that I've talked about here, please take a look at ftc.gov/tech. That's the tech blog. Lots of other interesting stuff there too, so check it out. I think we're ready for questions.

Yeah, and you can follow us on Twitter too. You're @lorrietweet.

Yeah, I'm @lorrietweet.

And I'm @TMcSweenyFTC. So thank you.

All right, so we left plenty of extra time for questions, so we'd love to field some questions, and I think we have, like, what, five or ten minutes?

Hi, great brief. You mentioned discriminatory algorithms that you are concerned about. We know what was in the news, I think it was two or three months ago, with Facebook and their news feed. There's also been recently, in the other major social media site, Twitter, banning people because they did a bad movie review of a Ghostbusters movie and they had their account banned, from Breitbart News, it was Milo. Also there's been other censorship against a talk show host for mentioning, repeating what happened in Germany, I won't mention religion because I don't want to be censored here, an attack, that he lost his Facebook account. What are you doing for situations like that, or is that in your swim lanes? Thanks.

So some of that raises a host of really interesting sort of broader First Amendment concerns. You know, I think one of the things that we're trying to really focus on when we're thinking about algorithms and data, and especially, like, machine learning on top of all of that, is the extent to which choices are being curated and offered to consumers in such a way that might limit their choice or even result in a disparate impact on them. So one
of the things that we haven't really gone into yet is the extent to which those algorithms are kind of manipulating the overall news that they're getting, which is, I think, your question. But we are interested in the extent to which it might be impacting the credit offerings that consumers are getting, the housing offerings, employment offerings, some of those core economic choices. Now, we do have laws on the books, comfortingly, civil rights laws, equal opportunity laws, right, that already protect people in the brick and mortar world from this kind of discrimination. But one of the things that is really hard in the increasingly digital world is figuring out when that's even happening at all, and that's some of the work that we really need help with right now.

I heard a lot of emphasis in this presentation on regulation, basically, or actions against companies and consumers, but I feel that more and more government is becoming a service for consumers. It used to be you go into an office and deal with someone, and that was a real interaction, but now the services are so broad and dynamic because government is trying to offer electronic services on the forefront, and I'd argue that they're not necessarily the most expert at it. And data breaches and such, these are all things that apply to government as much as they do to private companies. So what's your regulatory involvement with government services?

Yeah, well, we are the government, but we don't actually regulate the other parts of the government, so that's actually good for us, because that's, as you point out, a big challenge. I mean, I think you see this administration taking action to really try to improve both the privacy and security talent and policies throughout the government. So the question, for people in the back, was, you know, what are you doing, FTC, about the government and its problems? And the short answer is we're focused on protecting consumers, but, you know, I think we are collaborating
with the other parts of the government. We have our own chief privacy officer, our own chief security officer. We're very mindful of of these issues. Um and I and I think one of the other things that you really see happening in this administration is um uh government-wide emphasis on bringing technologists into government. That's something the FTC has been a real leader on. We actually have been doing this for a number of years because what we recognize is that when we're dealing with protecting consumers in an increasingly digital world we need technologists to help us understand what is even happening in that world, which is why we have people like Lori uh but why we've also expanded to develop an entire office that is staffed by researchers and technologists as well. I think we need to grow those resources uh but we need to do it throughout the government as well. And when we're having big debates like encryption debates we need to make sure that technologists are at the table for those debates because uh a lot of the time the policy talk in Washington isn't so well informed. Probably no one here is surprised to hear that. Yeah and there is now a government-wide privacy council which the FTC participates in actively and is helping to educate other agencies.

Early in your talk you mentioned about Google and Facebook and how they were, you caught them for something changing their end user agreement. In these EULAs it often says that we can change the EULA's terms anytime we want to. So then how can you kind of accuse them of unfairness if a user has agreed to these terms?

Yeah so this is a great question. The question is if you have a user agreement that covers everything um how can you then come back and bring a deception case about about something that's sort of covered in the 60, 90 page user agreement. Well the answer is context matters and I think what we're trying to make very clear in our FTC enforcement is if users share information under one set of rules and in a way that
makes sense given the kind of stuff they're doing with an app, right, then uh then you know that's covered by the user agreement. If if you do something that's super tricky, right, or really impossible for consumers to figure out, or you change how that information is being handled without really giving them a clear explanation of what those changes are, or if you set up your thing to defeat what their settings were to begin with, right, that's a case we just brought called InMobi, uh that that we actually can bring a deception case in that situation.

Last fall you had a workshop about cross-device tracking. Yeah. And I know you sent some warning letters to developers this spring uh that were using a toolkit that might be used for cross-device tracking. What additional is, it seems like this is an area that is probably going to grow rather than shrink. Uh is there additional activity going on at FTC to continue to track this and what are you doing in the future?

Yeah so thank you. This is a question about cross-device tracking which is an issue that we're definitely trying to understand a lot more clearly. Uh it's already informed a little bit our enforcement efforts, right. So the InMobi case which I was just talking about is a case where a mobile ad company that is um incredibly widely used um company that said it would only track if you opted in and in fact it tracked whether or not um opt-ins were set and had really created a whole system to kind of go around the opt-in to begin with in order to track consumers using uh geolocation and other things. So we said that's that's that's unfair and deceptive. Um we also, you noted the SilverPush letter. So the SilverPush technology which um for those of you that didn't see our letter because I get it we're you know out there in Washington, um we issued a warning letter to app developers saying that if you installed SilverPush which is a piece of software that can monitor device microphones and listen to the audio beacons that are coming
off of advertisements on TV, so basically um is a technology that allows them to gather what someone's uh viewing habits are based on uh what their telephone microphone is picking up from these audio beacons that are embedded in the advertisements, we said that we were uh very skeptical um that that this kind of technology should be included in apps. So I think that should serve as a pretty uh bright line warning letter that we're worried that consumers really don't have adequate notice and transparency about what that tech is. We're also looking at many of the ways in which people are being passively uh I I could say surveilled, it's a bit loaded, but passively uh having information gathered about them. Uh last year we brought a case called Nomi which was a company that was um tracking people's locations and retail locations and they said they would offer an opt out in retail locations but they didn't in fact uh compel the retailers using the technology to offer the opt out. So there was no opt out and there's no way a consumer can know that's happening really unless you have some kind of uh clear notice that it's occurring and some kind of choice. Um so there we said look if you're gonna say you're gonna offer an opt out you have to really have privacy law in this country so there's nothing that says that that kind of thing uh can't happen without uh consumers choosing or having a choice about it. So um it's a it's an area that we're continuing to monitor very carefully.
Springboarding off of the uh the previous questions about consumer privacy and the transparency that goes on between other government agencies, um is your commitment to transparency uh documented if say an exploit is discovered and say

Do you want me to take this one? Probably, go for it.

So um we are a civil enforcement agency and um I could imagine that there would be situations in which uh we wouldn't be in that in that dialogue um for a variety of reasons. Um if if something is disclosed to us uh we what we then do is try to understand whether um we have enough facts to actually bring a case using our existing authorities about um the practices that led to uh especially if it's exploited, or whether um in some cases we have brought cases when uh something was disclosed and then um the recipient of that didn't really react at all, right. So if you don't have a mature disclosure program in your company to receive exploits and respond to them that can be a factor in our analysis about whether you have any data security practices in your company. But I'm not really answering like your direct question um which is which is the broader like national security question because we're a little bit less

The broader civil liberties question as well too because what if I discover an exploit and then I get slapped with a notice to not mention it because the government wants to use it for something else, what's my protection or the protection of consumers?

So this is an area of maturity of our laws in the U.S.
and how we're handling it because the FTC thinks that we need to have really good clear partnerships with security researchers so that people who are doing the work on behalf of consumers to help us understand how the technology is actually working um are able to do that work without you know fear of reprisals. Now understand this is a balancing act, right, that there are bad actors out there conversation that we need to have and the FTC, maybe not all of the FTC, I'll say at this point I'm speaking on behalf of myself, right, you know I think some of us really feel strongly that we need to modernize how we're handling Computer Fraud and Abuse Act and some other things so that we can have a more mature system in place for handling how research is handled and how exploits are handled when they're disclosed.

Hi it's great that the FTC's trying to get ahead of privacy risks in IoT and virtual reality which are new technologies but can you talk more about what you're doing with routers? I know about the ASUS case but routers are so important to consumers. Many of them don't realize it, it's the gateway into their private networks and where everything's shared and the practices, the security practices with router vendor or router vendors have been so bad for so long and many of the same vendors are now doing as well. So what are you doing there to convince vendors to improve those practices that have been going on for so many years?

So for starters we're bringing cases. I don't want to talk about any pending cases but I would say that we take we take the security of routers and the claims being made around them very very seriously and are taking a careful look. I don't know if you want to add to that. Yeah.

All right well I think we're out of time. Again if there's one takeaway it's that we really want to forge a good partnership. We want to hear from you, we want to participate with you. If you think there are things that we're missing we would love to hear about it and add it to our call to
research list. So thank you for your attendance and time and happy DEF CON. This is awesome. Yeah thanks for coming.