Good afternoon, everybody. Welcome on behalf of New America, what? I have a mic, there it is. Welcome, everyone, on behalf of New America and the Open Technology Institute. It's great to have everybody here. Love seeing a full room. We turned the rain off just so that everyone would come out, so I'm glad that worked. My name is Ross Schulman. I'm a senior policy technologist and senior counsel at the Open Technology Institute, and along with Andy here in the front row, who you'll meet in a bit, I run the Raising the Standard project. I'll talk a little bit about what that is in a minute, but before you understand Raising the Standard, you need to understand what the Digital Standard is. Some of you may know, but I'm gonna give a brief overview, and then I think the panel's gonna cover it in some more detail later on. The Digital Standard is an open source framework for testing and evaluation of the privacy and security of consumer internet-connected devices. So it's really focusing on stuff like video cameras at home, smart thermostats, smart toasters or whatever, and how well they protect the privacy and security of the people who purchase them. It covers 35 distinct tests, ranging from encryption at the more technical end to terms of service and transparency reporting on the more procedural end. It was developed over the past 18 months-ish by a coalition of five groups, a lot of whom are represented here today. So Consumer Reports, we've got Justin Brookman, well, Consumers Union, was one of the major players, as was Disconnect, excuse me, the Cyber Independent Testing Lab and Aspiration, as well as Ranking Digital Rights, which is an independent ranking organization that has a lot of history of doing these sorts of evaluations in the space of telecommunications and online service providers and who took that experience and applied it to the Digital Standard.
RDR, we are proud to have as an independent sub-project of the Open Technology Institute, and we love working with them, although we were not actually involved in developing the standard itself. Raising the Standard, which is the project that Andy and I have been engaged in since about January, is an OTI project focused on educating and advocating with both corporations and civil society about the Digital Standard. So letting companies know that it exists, letting them know how it works and why they might want to be interested in working with it, letting civil society know what it is and how they can use it in their advocacy. We're also collecting feedback from those organizations to feed back into the ongoing process of developing the Digital Standard, which is a living document. Our panel today is gonna explore some of the opportunities and challenges presented by different modes of security testing, including the Digital Standard as one of them, and I'm really excited to hear what comes out of that. But first, we have the great honor of being, what I think is, the first public appearance of FTC Commissioner Slaughter. She was sworn in on May 2nd of this year, and since this is her first appearance, we're quite honored. Prior to the FTC, Commissioner Slaughter was with Senator Schumer as his chief counsel, and before that was with Sidley Austin, and she has some interesting stuff to share with us today. So please welcome Commissioner Slaughter.

Thank you. Thanks, Ross. As Ross mentioned, this is my first public speaking event since taking the commissioner job, largely because right before I got this job, I had this baby who is still hanging out with me all the time, and so I've been reticent to come out and talk in public since I am still the full-time caregiver for this child, and so you guys are an experiment. I think I've gotten her to sleep.
I'm gonna be doing some bouncing and swaying to make that happen, and I apologize in advance if she is disruptive to you or me in our conversation today. I should add also, I'm learning, since it's my first public remarks, that you should know that the views expressed here are mine and don't necessarily represent the views of the whole Federal Trade Commission. So thank you, thank you, Ross. Thank you to OTI and the New America Foundation for hosting today's important event. It is an honor to be here, and I welcome the opportunity to talk about the need for collaborative action to safeguard consumer trust and security in the world of IoT. The year 2017 brought an estimated 8.4 billion connected things to the world. That number is expected to reach more than 20 billion by 2020. By 2025, the value of these devices and the ecosystem in which they operate is estimated to exceed $4 trillion per year. These devices touch all sectors: the military, manufacturing, healthcare, utilities, autos, and of course the home. In fact, we know that consumer applications are the largest and fastest growing category of connected devices. Like most of you, I follow these developments not just from a policy perspective, but as a consumer. I've personally benefited from the early adoption of some basic connected devices. I love being able to use my smartwatch to pay for things when I inevitably forget my wallet. I truly appreciate being able to control my thermostat from my phone when I inevitably forget to set it properly, which perhaps tells you a little bit about how my brain is functioning these days. Clearly, I would be able to make good use of looking inside a smart fridge from my phone as I trudged down the milk aisle or the ice cream aisle. And as someone who spends too much time on the road, the potential for connected cars to bring about less traffic, fewer accidents, and one day less driving altogether is very tantalizing.
As a parent, I'm especially sensitive to the combination of opportunity and risk posed by connected devices for children. Yes, that's you. My bigger kids ask our home assistant to set timers that help mediate disputes over sharing toys. And I have learned the very hard way that those same devices can be asked to play some crude playground songs, to my children's delight and my complete horror. As someone balancing a variety of disparate bedtimes, it has certainly crossed my mind to just ask Alexa to read Goodnight Moon for the fifth time. And the educational potential of connected toys is almost limitless. But so are the risks. Imagine if someone hacked into my baby monitor and started spying on or talking to my baby. What if a company were collecting data on my children's conversations with their connected toys without our knowledge or consent? These aren't random hypotheticals. There has been public reporting on both of these cases. Those examples point to the bigger issue here. With all of this cutting-edge and truly transformative technology comes legitimate concern about the potential risks these devices pose to our safety, our autonomy, and our privacy. The many benefits of IoT devices may be delayed or foreclosed if consumers cannot trust them. Building that trust starts with two fundamental components. First, ensuring that the devices are reasonably secure. And second, ensuring that consumers have a clear and accurate picture of what data their devices collect and how that data is stored and used. Poorly designed IoT devices and poor privacy controls by their manufacturers jeopardize the privacy of their users and create opportunities for hackers or attackers to steal data or assume device control. The hacking of connected devices can cause profoundly personal risks that can literally follow us into our homes. The Times recently reported a new trend in domestic abuse cases tied to the rise of smart home technology.
Internet-connected locks, speakers, thermostats, lights, and cameras are now also being used as a means for harassment, monitoring, revenge, and control. Imagine trying to break free from an abusive relationship in which your abuser not only imprisons you with physical and emotional intimidation, but uses your very home to control and undermine you. It is horrifying and yet terrifyingly real for too many people. While the immediate risk may seem less concrete in the area of privacy than security, the former is no less an important issue for connected devices. Our law and our rhetoric often treat privacy and security as distinct, with privacy having generally to do with the protection of data that a user would prefer not to share, and security generally referring to the protection of data, the release of which could risk safety. But the world of IoT shows us that the line between privacy and security is not bright. It is not even blurry. The two concepts are overlapping and intrinsically related. There can be no assurance of privacy without sound security, and most security vulnerabilities pose threats to privacy as well. To play out the domestic violence example above, because I find this issue really compelling: if someone had a connected home alarm, the device manufacturer may well be collecting data on the time and frequency of its use and sharing or selling that data to a third party. That feels like a privacy issue. But without adequate privacy policies that address data collection, retention, storage and sharing, an abusive partner could request, buy or even steal that information, and the user's security would be jeopardized. So it's important that consumers have meaningful, accurate and understandable information about their device security as well as data sharing in order to make informed decisions. We are at a critical point in the IoT era in terms of getting privacy and security right.
At the precipice of exponential growth, we have the opportunity both to thoughtfully develop products that start and stay secure and to educate consumers early on about how to assess the risks of connected devices, how to choose brands that take privacy and security seriously, and how to maintain device security with patches over the lifespan of the product. I cannot overstate the importance of getting this right now. If we build appropriate security and disclosure standards into the infrastructure of this emerging ecosystem, we will not only protect consumers better from the start, we will avoid having to rebuild and redesign the rules of the road from scratch, an outcome that would be far more disruptive to both consumers and innovative product designers. Unfortunately, there are a few basic trouble spots that the FTC has observed in the marketplace for connected devices. First, we're continuing to see some very basic failures in product design and pre-release testing. We encourage and expect companies to consider security at the outset, understand well-known vulnerabilities affecting their class of products, and take advantage of low-cost, widely available measures to protect against them. I'm personally particularly concerned by easily avoidable problems, for example, connected devices that come with default passwords or without any password at all. Second, while pre-release testing is important, we understand that such testing will not catch all problems. Vulnerabilities will occur that companies may not have foreseen. Companies should make sure that, among other things, they have a process in place to identify and address credible alerts about potential vulnerabilities. Third, once vulnerabilities are identified after a product's release, there are often challenges in the deployment of updates and patches. In some cases, patches may be available but not deployed to customers in a timely manner.
In other cases, consumers themselves may be overwhelmed about how to keep up with patches. In yet other cases, companies may not support devices at all after a certain period. In all of these cases, devices are left compromised. Companies need to think critically from the get-go about how to maintain security over the lifespan of the device and be on the same page with consumers about the length of that lifespan. We all need to work together to troubleshoot these issues. The FTC has an important role to play in prodding industry to address them, as I will detail in a minute, but our work is substantially complemented by the development of robust, meaningful assessment tools by the public and industry, and the Digital Standard aims to be just such a tool. The Digital Standard, first established in the spring of 2017, presents an opportunity for multiple stakeholders to create and continually refine a testing system to evaluate how well products are meeting consumer expectations regarding security and privacy. The FTC has long been a supporter of self-regulatory standards, provided that these efforts genuinely raise the bar for the products to which they relate, and that reliance on those standards gives consumers meaningful information. The concept of the Digital Standard is particularly promising because it has a consumer-facing deliverable. In other words, it's intended to be news consumers can actually use, rather than the type of legalese too many people have become accustomed to clicking through. I am hopeful that clear, reliable information about device security will allow consumers to make informed decisions about the products they put in their homes before the point of purchase, and in that way, meaningful security can deliver a competitive edge to responsible producers. On the other side of the equation, product evaluation using the Digital Standard or similar criteria should help encourage manufacturers to, as we like to say at the FTC, start with security.
Consumer Reports' evaluation of smart TVs using the Digital Standard found that a relatively unsophisticated hacker could change channels, play offensive content, or crank up the volume on millions of TVs, smart TVs. No doubt these findings were as informative to manufacturers as they were to consumers. So what additional roles does the FTC play in this collaborative space? Perhaps most obviously, we have an important enforcement mission, the exercise of which promotes privacy and security. We've brought a number of cases regarding connected devices, including routers, baby monitors, smart TVs, and most recently connected toys. And when companies claim they have adopted self-regulatory standards, we can hold them liable under our deception authority if they do not live up to those commitments. The FTC also functions as a facilitator of security innovation through research, reports, data analysis, and numerous workshops, symposia, and conferences. Recent workshop topics include smart TVs, drones, connected cars, and ed tech. We also routinely partner with other government agencies, co-hosting events and providing comment. The FTC also challenged the public to create a technical solution that consumers could use to guard against security vulnerabilities in the IoT devices in their homes. With the assistance of an expert panel of five judges, the FTC awarded top prize to a mobile app that would scan a user's home Wi-Fi and Bluetooth networks to identify connected devices, flag devices with vulnerabilities, and provide instructions on how to update each device's out-of-date software. I'm proud of the work the FTC is doing in this area, but I also think we should always consider what we can do better. One great idea, supported by former Commissioner McSweeny, is to elevate our technological expertise into a formal Bureau of Technology at the FTC.
I believe that would be a valuable way to ensure we have a deep bench of technologists who can help spot issues and evaluate cases across our mission, in both competition and consumer protection. And in the spirit of self-reflection, the FTC is also hosting a series of public hearings this fall on 21st century challenges to our missions of competition and consumer protection. We're seeking public comment on these hearings, and I encourage you all to consider submitting your thoughts, in particular your observations of challenges and opportunities in the IoT space, as well as your views on how our responsibility to protect consumers by promoting privacy and security might intersect with our mission to promote competition. Thank you again to New America and OTI for hosting this event, and I look forward to hearing from the group of true experts to discuss collaboration furthering security in the IoT space. Thank you.

Thank you, Commissioner Slaughter, and thank you, Pippa. We really appreciate your comments, and we really appreciate the FTC's support of these issues. My name is Andy. I am a policy analyst here at New America at OTI, and we really appreciate all of your attendance and have a very exciting panel that's going to follow up. So I'm going to introduce first our moderator, Fahmida Rashid, who is the managing editor at Decipher; Justin Brookman, who is coming to us from Consumers Union and is our official Digital Standard expert; Matt Eggers from the U.S. Chamber of Commerce; and Maurice Turner, coming from CDT, the Center for Democracy and Technology, who is actually an OTI TechCongress alum, so we love having him back. And I'm going to go sit down. I am also speaking on the panel.

So good afternoon. Thank you so much for coming. And as Andy mentioned, we are going to be talking a little bit about IoT security, what the challenges are, and making sure that we are balanced in security and privacy, as the Commissioner just mentioned.
As Andy said, I'm Fahmida Rashid. I'm the managing editor at Decipher, where our goal is basically to really explain the implications, the why, of the big issues in security. I'm really concerned about IoT specifically, because all of us approach it from a dual nature. We approach it from work, we approach it professionally, as well as as consumers. So I'm looking forward to the conversation today. Just to start off, I'm going to have everyone introduce themselves. Justin, if you want to just kick it off.

Sure, so I'm Justin Brookman, I'm at Consumers Union. We are the advocacy arm of Consumer Reports. I have kind of a dual role there. Half of my job is traditional advocacy, advocating for things like better privacy and security laws. And I do think we need more affirmative protection to maintain reasonable data and cybersecurity. The other half of it is working with testing. Consumer Reports has this long history of testing stuff, testing products, and they do a really good job of it. But over time, we've realized that these products increasingly have new elements that Consumer Reports wasn't really set up to evaluate. So things like data security: it wasn't the case that TVs and cars had data security issues like 10 years ago. Now they do. Privacy also: these devices, equipped with sensors and connectivity, can collect information about you in ways you might not expect. And then things like ownership, right? I mean, software runs everything. Do we even own our products anymore? It's not just a refrigerator, it's a refrigerator as a service. If it can be shut down remotely, can I repair it? Yeah, yeah, do I still own things anymore? And so we launched, as Ross described, this Digital Standard project to kind of articulate, if we're gonna evaluate products on privacy and security, what should we consider? And so it's out there. It's at thedigitalstandard.org. It's divided into categories like privacy, security, ownership, and governance. I invite y'all to take a look at it.
It has, like Ross said, about 35 different tests, but we're changing it all the time as we're evaluating products. We're like, the Digital Standard says this, but I'm not sure it makes sense. And so then we're trying to change it. As Commissioner Slaughter mentioned, we are starting to evaluate products based on it. So smart TVs was our first one earlier this year. Again, we found some security vulnerabilities, but also found a lot of privacy issues. All the smart TVs we looked at wanted to watch what you were watching, so they would take screenshots of what you were watching on your TV, sending it back to their servers in order to kind of build a log of the sorts of things you were watching. We didn't turn that into ratings because we were still trying to be cautious and very thoughtful, but I'm very hopeful that we'll actually have some ratings under the Digital Standard within the next few weeks. And then the project is how you scale that. How do you do that for all the stuff you evaluate going forward? It's also open sourced, and other organizations are encouraged to use it as well. I know Mozilla used the Digital Standard in their holiday guide last year looking at connected toys. Just quickly on the data security side, why I think it's really important is because I think, as we're seeing IoT develop, it's not really being designed with security in mind. So a lot of desktop OS, I think, does a pretty good job with security, right? I mean, Microsoft supports Windows forever. They just discontinued support for Vista just last year. So you can stack 10 plus years of service. Mobile phones, well, if you're, right? I mean, when I was at the FTC, we did a long report on mobile phones. Some get support for a long time. Some expensive flagship devices get like zero security support. And the IoT is even more of a wild west. A lot of products, there's no possibility of patching. There's no expectation of support.
And so I think what we're trying to do is to actually kind of build in some expectations and some accountability for those practices.

Thank you, Justin. Maurice, if you can just introduce yourself and talk a little bit about what you do.

Sure, my name is Maurice Turner. I'm a senior technologist at the Center for Democracy and Technology, on the internet architecture team. So we spend a lot of time thinking about those foundational pieces of the internet and what it means to have standards and protocols that are gonna be around for a while, not just a couple of years, but in some cases decades. In addition to the standards focus that we have, I'm also focused on election cybersecurity. So going back to how do we secure our elections and make sure the devices that are in place now are still gonna be secure and allow for accurate counting when we're still using the machines maybe 10 to 15 years down the road.

Matt?

Yes, thanks. Thanks very much for having me. So just to kind of give you a feel for where I sit within the Chamber. I'm at our national, excuse me, that's the old title. The Cyber, Intelligence and Security Division, it's new. Same kind of work we do. Cyber and global supply chain risk management work, I think, container ships and ports, and we want to facilitate trade and protect that infrastructure and cargo and so forth. My day-to-day work really involves working with our 200 plus companies and associations, state and local chambers. We've got a cyber work group that literally meets every week, typically by phone, to talk about, let's say, a legislative item, a regulatory item, or a non-regulatory legislative item, such as the botnets report, what NIST might be doing around IoT. The IoT space is extremely important to us, not only from a business development and growth standpoint, and I guess I would tip my hat to my colleagues at SeaTick who really do a lot of that work to educate, inform, and promote technologies and technology adoption.
I come into play in the cybersecurity area. I think in a lot of ways, it's really important to be here, be with you. I'm very much interested in differing views. I think if anything, we've got a shared interest in two things: making sure we've got the policy right, making sure we get some of the technical aspects of this right. I think we can't do it alone, industry protecting devices and so forth, but it starts with us, we need to lead, and I think the business community here has an opportunity to build devices more securely, and then have customers, households, businesses buy stronger devices, and then those folks that are building stronger devices gain in the marketplace. That's really what we wanna see, and I think at the end of the day, it takes a lot of folks to get there, and the approach that we take would really be good if it could align globally, since most of the best practices, standards, guidance, and so forth, whether we're protecting an enterprise or devices, consumer or industrial, really kinda starts at home, but it's gonna be global in nature, and we gotta do it together. And the other thing I might just say is we are trying to educate our folks to do cyber better, but we're also gonna have to look at how we address the ecosystem, from devices to threats that would go after said devices, so I'll finish there. Thank you.

Thank you, and Andy?
My name is Andy Wilson-Thompson. I am at OTI, I already introduced myself, I work with my colleague Ross on the Digital Standard, the Raising the Standard project, so a big part of what we do is about education and these conversations we have with companies. And on "do cyber better," actually one of the things that we are focused on in our work is not just the hard security components of security and privacy. When we talk about making devices more secure, we talk about encryption, we talk about passwords, all of those things that are very good that we want IoT devices to have, but there's also this separate component, which is business practices, which is corporate behavior, and how that affects privacy and security. And so including things like transparency reporting, data collection policies, terms of service and privacy policies, all of those are really important components of this discussion that sometimes get left out of these standard-setting, metric-setting processes that come from our more technical colleagues. And so a big part of the work we're doing is focusing on sort of the broad swath of how to make consumer products more secure and more private and protect individuals and give them more education about the things that they go into the store and purchase for their home, for wearables, for all of those things.

Thank you. So as you can see, we have a pretty broad spectrum of expertise and knowledge. Before we even start getting into the specific areas of policy and education, I wanted to actually get a conversation going about what the Commissioner was just saying about IoT being a balance of opportunity and risk. I think all of us really are aware of the kind of opportunities we're talking about, but I think there's a bit of confusion about risk. It's not always that, not everybody's risk to IoT is the same, and I'd love to get some of your insights on what you think the different types of risk we're even talking about are.
I'm sure with the Digital Standard, there's a question of, is it privacy? Is it security? Is it the same? So just go for it.

Yeah, sure. So I think there's been excitement about the Internet of Things for a while, and I think not enough appreciation about the risk. So I remember I testified on the Internet of Things back in 2015, and all the senators were like, wow, this is awesome, connected toothbrushes, gee whiz, this is gonna be awesome, revolutionize the world. And I was like the Eeyore on the panel saying, well, yes, connected toothbrushes are great, but there are some threats as well, and they were looking at us like we were from a different planet. But I think now there's growing recognition that there are some issues. I mean, I think there's a tremendous issue around privacy these days. People, I mean, our article on smart TVs was tremendously, people were tremendously interested in it. We've seen follow-up stories looking at the same things. Definitely informational threats, the capacity for baby monitors, for example, to be hacked for eavesdropping, or for transmission of financial information to be collected. But then there's also the cybersecurity side too, like the functionality can just be disabled. A lot of devices rely on software now, they can just be bricked, right? Or in the case of our TVs, they can just be used for harassing. You could, someone remotely could just turn the channel, turn the volume up to 99, or do other things just to be annoying. And then I think the other piece of it is the use of it in distributed attacks like botnets. So there was the Mirai botnet that used the Internet of Things a couple of years ago, or I think just last year. And that's a cost that's not borne either by the manufacturer or the owner. But it's my device, it probably doesn't actually hurt my device that much because it's being used to harass someone else. And again, these sorts of things are probably getting a lot more attention than they got maybe three years ago, which is great.
And OTI is also doing a really good job trying to build out education about, yes, cool things, but also limitations when they're connected as well.

So Matt, since Justin mentioned botnets, I know the Chamber's been really looking at the botnets. I mean, if you can weigh in a little bit on your perspective of what the risks are.

Sure, at least on the botnets piece. So we, I think to the Commissioner's point, you do want to start with security and make sure that devices are capable of being patched and so forth. They're brought to market with fewer vulnerabilities and so forth, the basics, right? You want to know, if you're a consumer, how long is this device going to be kind of alive and what can I count on? Those kinds of things, I think, are pretty basic. We've engaged the administration. We're very much interested in sort of that next part of what do we do next, right? The stepping-off point, we've got a report, we've got goals, we've got action items. A couple of things that I think are worth noting just to maybe highlight some of our thinking. So NIST just led, on the 11th, an effort to look at IoT security and privacy considerations. I was very excited to see a number of industry stakeholders there, civil society and so forth. I think that is an effort that needs to continue. I think we can learn a lot from what kind of bubbles up in terms of what should then, how should that effort inform devices? And I really think we're looking forward. I think that's kind of in a nutshell, stop there. I think that's a good way to think about it. We've also been engaged on legislation. Frankly, I think the NIST effort and the work that folks at NTIA are doing on IoT and so forth should inform that kind of process.

Maurice, I know that a lot of the time with these efforts from the industry as well as government, the question is how do we standardize it? How do we make sure we're even speaking about the same issues, if you can weigh in on that a little bit as well?
Well, I think there's definitely room for that market experimentation, to have companies begin small, wade in, and sort of find out for themselves where the sweet spot is when it comes to self-regulation. But at some point it needs to be codified at the government level. I don't think there's any industry that has gotten completely away from being able to say, okay, we're just gonna self-regulate and we're not gonna have any government regulation. And I think we're at that point, we may even be a little bit past that point, when it comes to connected devices. For some people, connected devices are relatively new. They may have just purchased their first home talking assistant a couple weeks ago. For other people, they've had them in their homes for over 20 years. And so to think that we're still in this vibrant infancy phase is really doing a disservice to some of the players that have been around for quite a while and some of the users that have been experimenting for quite a while, who are now onto their second and third, maybe even fourth, generation of connected devices.

You know, I might just jump in. At least it's kind of worth throwing out the idea that, at least from our standpoint, not surprisingly, I think that trying to regulate more in this space is not the right approach. But we think that regulatory humility is the way to go. Just to give you one example. So just this week, I'm looking at some reporting that, I'm looking at Rick Weber here, his organization put out about the healthcare system, sector, excuse me, and their work on medical devices, I think involving even the SBOM issue, the software bill of materials. That is the kind of thing that we'd like to see captured not only within that sector, but more broadly. So you've got FDA, you've got industry folks, you've probably got other private sector individuals, including from academia, involved in that process. I think we need to let that move forward.
And frankly, my role is to really help them kind of catalyze whatever they're gonna deliver. So if you're a healthcare device purchaser, you're going to hopefully at the end of the day be able to identify a device that serves, let's say, your hospital. And you can reliably say to your constituents that, hey, this device is gonna be more secure and so forth, then that device maker is rewarded with what? Profitability, market share and so forth. That, I think, is what we want. I think if we jump to regulation, I think it would stunt that, but that's me. I mean, it's already, sorry, please. I was gonna say, so the medical device market and these larger markets with a lot of technical capability or at least focus on it are concerning, but I think one of the things that we struggle with is a lot of the IoT devices in people's homes are either created by companies who have been creating manufacturing, washing machines, refrigerators for decades, but only recently connected one of those devices. So they might be a big company with a lot of skills, but they don't have the sort of security, privacy, expertise and infrastructure that other more established companies do. Also, there is the problem that a lot of the IoT devices that people bring into their homes are created by smaller companies. Say, you buy the cat watching camera and Kickstarter or you buy the cool new smart watch from unknown new startup and they also don't have experience with security and privacy and also really struggle with implementing these features increases time to market so it costs more, it limits the ability for them to sell their product for another six months. It's really that those organizations as much as larger more established industries like healthcare and transportation and things are really focused on this. 
If you count the things that people have in their houses that are internet of things, they're probably cheap and small and really a threat because if one device on your system is vulnerable, it's concerning to your whole house. So I think that they may struggle with that lack of capacity and lack of regulation but there needs to be some guidance for those organizations because... I'm just gonna interject with one thing and then jump to Justin. Just to kind of put Andy's point in perspective, there was a figure that was thrown out about a year ago that said the average American has six IoT devices in their home not counting phones and computers. So it just really does put out this space that we might be thinking, oh, I don't really have a lot of IoT but a lot of devices are already shipping with the ability to whether or not you're using it or not. So we really do need to be thinking about, okay, this isn't just big established companies or little company, it's pretty broadly across the spectrum. So... Yeah, I was just gonna follow up on Andy's point. I mean, also, I mean, jump to regulation. I mean, there is regulation, right? I mean, the FTC has enforced that as a security standard since 1995. Unfortunately, the FTC is understaffed. They don't have the ability to get penalty authority. So even they find ridiculous practices. They can order saying, you know, don't do that again in the future. Even that authority is being challenged by D-Link, right? Is that the router company of the FTC is sitting in court for what I think are objectively terrible practices but I mean, the statute is a 100-year-old statute that doesn't quite say use reasonable data security. So I think having that in place, I think would make it better for folks. I'm glad that some folks in the chamber are taking it seriously, but Andy is absolutely right that I think a lot of smaller manufacturers don't really know about the Section 5 jurisprudence. 
When I went to CES this year, I was the one walking around saying, how is this gonna be patched? And they're like, what? And there's this incentive structure that isn't in place for them to do it. It is a cost center, you're absolutely right. And the things that are important, I mean, these things are not developed with even the ability to be patched. You buy an IoT device, there's no disclosure about how long it's going to function, whether it'll even fail dumb. So again, I don't like regulation for its own sake, but the way these things have developed so far, from my perspective, have been insufficient. Also, I'm gonna note that we see government regulatory processes and we also see industry-led regulation processes and OTI also submitted comments to the botnet report. And one of our concerns was that some of these existing seal things like Energy Star don't have a stick, right? They have a carrot, it's great to get a good number on your washing machine, but nobody is going to write an article which criticizes your product and warns people that if they buy it, their TV might talk to them. There isn't that sort of not just FTC enforcement mechanism, but if you have a data security problem, people might not purchase the thing that you make. And so that's a more immediate and potentially, hopefully, more convincing to some companies repercussion of poor data security practices. Sure. I think there's a great deal of burden that's being assumed by the consumer to be educated. I don't think that if you were an average consumer and you walked down the store, that you'd be able to buy a dangerous coffee maker, right? We have testing that goes into that. We have an entire supply chain built around the fact that you know that if you plug it in, it's probably not gonna burn your house down. That's not the case when you're talking about connected devices.
There are some legitimately dangerous connected devices and people can go out and buy them and think that they're getting a good device. The device might even have a high rating or be well reviewed, but those lingering security issues could still be there. Those vulnerabilities can be exploited even after years of use. So I think that that's where my concern is with saying okay, the answer is only to just educate consumers with a label or with some sort of a rating that goes along with it. So I, good points, helpful. So in terms of the role of the FTC, the FTC, it's almost football season. The FTC often strikes me as kind of like the safety in the backfield. They get to kind of see the lay of the land. They get to see the field and then they get to go up and kind of tackle a wide receiver running back and so forth. They kind of make an example of an entity. Rightly or wrongly, we've got different views on a number of maybe cases, but it's definitely got to roll, right? From our vantage point, I think what we're trying to do is not get too stuck in the regs, good regs, bad. We clearly are in the latter camp, but we've got a number of initiatives underway that really need to come to fruition and to the extent that we can help them, just like we'd really like to see a framework-like effort for IoT security. We'd really like to see that resourced at the highest levels. I need some kind of thing that I can take out to communities and say, here's how you wanna build. Here's how you wanna manage a device that you're gonna put in your network. I think if anything, there's a number of things that are underway that are pretty exciting. They need to kind of unfold, and whatever we're left with, we really need to remember that since we're talking about cyberspace, the internet, and so forth, policymakers and people, the solution, if you will, needs to work globally. 
If it works well, it will work globally, and if we have kind of an impetus for more regulating, let's say, more regulating, we're gonna have other countries say, you know what, we like what they're doing, we're gonna do that, the EU's doing that, and so forth. So anyway, I think there's a lot of good things that we need to see move forward, and to the extent that we can help, happy to do that. I like your analogy of the FTC as a safety. Unfortunately, the FTC got a significant hamstring injury in the early 80s. It's never fully recovered from that, so they need some rehab and work in the weight room, so maybe that would make me feel a little better. Okay. So, curious though, we've been kind of conflating security and privacy in this conversation. As the Commissioner mentioned, you can't have one without the other, but privacy is very much about data privacy, the amount of information being collected, the amount of information that's being passed, transferred, and I would really love, I guess, Andy, if you can even kind of frame this entire data privacy with what we were just talking about on who had the responsibility. I mean, my grandmother turned 86 two days ago, and somebody bought her a smartwatch. Somebody ordered, I think it was my cousin, ordered a Kickstarter smartwatch that is waterproof so she can wear it to aqua-size class, and this is a big deal. And they did not choose it because it protected her privacy. They chose it because it's a nice color and has a really big waterproof screen. And so I think it's a balance of the privacy problem and the consumer education problem. Privacy and security go together. It's very hard to separate them. Data security affects both security and privacy. The fact that IoT devices collect, for instance, said smartwatch collects biometric information, it collects location information, it has a pedometer, it, she talks into it and therefore it does things.
A lot of information is collected by this type of device that is unprecedented in some ways. IoT walks around with you. And so that is a unique privacy concern. That requires companies to implement data security practices that they don't necessarily do. And when the said smartwatch was purchased, there was color, look, features, whatever, and nobody said, does this product have a data deletion policy or does this product limit data collection? Does it have retention practices? All of those things are really concerning, but privacy and security are together. All of those things affect security. It's not just, encryption isn't the only security component. And one of the reasons that I'm gonna pitch things like the digital standard today is rolling all of those components together. If we can't educate people that they should buy an encrypted device, there's no world in which we're going to be able to easily explain all of the data security concerns. It needs, you need a really salient example. And our intern Lawrence wrote, which is out today, a piece on connected toys. And so things like that are a really good relationship between privacy and security and the fact that this is scary. The privacy concerns with those connected teddy bears that talk to you are also security concerns for the people in those families. So one cannot exist without the other. And I think focusing on one or the other separately isn't appropriate. Yeah, I mean, privacy is obviously an important element of the digital standard. And then the question is, you know, how do you do it at scale, right? You know, we have a talking thing in your lab. You can often see this traffic going back and forth. If it's using encryption, that's great for security purposes. For a researcher, it's actually kind of hard to see the traffic. You know, pinning a cert on a browser is one thing. Pinning a cert on a teddy bear is entirely another. 
And then even if it goes into the cloud, that's not necessarily a bad thing. How do you track where the data goes in the cloud? There's just no observability into it. So then, okay, then do you look at the policies? Privacy policies are not really written in a way to intentionally convey information today. They're kind of written as a liability evasion exercise, which is fine, I understand. But when we're reading them, we're like, you actually really can't quite tell where it's going. And so if you're trying then to, oh, I'm sorry, I'm making you're sad. Then if you're trying to score that, right? I mean, do you give more credit to the company that's really precise than the privacy policy about all the maybe terrible things you're doing? Or do you like give a lower point to the one that says, we reserve to share data with partners period, right? And so I think that's the sort of thing that we're definitely working on. I mean, I think, look, I think legislation should be part of it. Legislation is tough. I think on the security side, it's easier. I mean, I think there have been, there are 10 or so states that mandate reasonable data security. FTC has always seen force to reasonable data security standard for a while. Privacy legislation is trickier. We've seen GDPR and we've seen how companies have responded to it in very odd ways. And not the way that was intended by the drafters. And so I think it's important, but in the meantime, I think we're trying to work on bringing more transparency. So Maurice, you just mentioned earlier about the burden we're putting on consumers when you are trying to talk about security and privacy. Do you think there's a different type of conversation that needs to happen or is it okay to just being like yes or no? Like... That's a difficult question. I think there's a baseline lack of understanding when it comes to technology in general for most consumers. 
So I think trying to educate consumers on specifics like encryption and other aspects of data security, you start like walking back and having to sort of like peel back all these layers of what you're actually talking about and that makes the discussion difficult. I'm okay at some point, sort of conflating the two because at least the conversation's happening. At least people are getting educated. That is something that they should at least be aware of if not concerned about. So I enjoy seeing the work that went into the digital standard and the fact that there is conversation happening about it and it's bringing to the forefront this awareness that yes, this is something important. This is what consumers should be paying attention to even if they don't necessarily understand it. It's like looking at automobiles. You may not understand what a front overlap crash test is or what automatic braking is. But you know that those are things that are important and are generally helpful and that you should have or at least those are features that you should consider getting if you're looking to make a decision. Oh no. I was just gonna say, the way I think I see this kind of unfolding in the next several years is whether it's a label and we can talk about what that might mean. I think that's still somewhat unclear. And then we've got software bill of material issues. That's still somewhat unclear. At least in my experience, you kind of bring up one topic and you're talking to five people and you're gonna get multiple responses, right? And that's okay. But at the end of the day, I think where I see a lot of this effort at least in the short run is where companies that are demanding stronger devices in the context of just managing cyber risk in general are gonna be the ones demanding these stronger products. And that's good. 
I think that is really where, at least from my vantage point, the energies and really my work lies is trying to kind of help these different parties get to that end state, right? If policymakers wanna be involved and convene, great. For example, Commerce is great. We wanna have them at the table. We need them there. But in the short run, I think, from an enterprise standpoint, we're gonna have companies needing, wanting, the electric sector, for example. They want, need stronger components. I wanna help them get those components. I wanna help the folks step up and provide those components to then sell those components and win. Not only domestically, but globally. I think in the short run, I think that's kind of how this unfolds. We wanna be helpful. The other thing, in the broader ecosystem, the one thing we haven't mentioned that I have to contend with, our members have to contend with is, these devices aren't necessarily just kind of affected by, let's say, a windstorm, a fire or a hurricane. They're being hacked by individuals that, in countries that rhyme with China, Iran, North Korea, Russia. And they're often hiding in places where we can't get to them. Law enforcement has done a great job, let's say, in indicting a number of folks. But one thing that we do need to do while we're solving the security and privacy standpoint, from at least this organization's perspective, is I need some help on pushing back on bad actors. I need help in terms of pushback in ways that are prudent. I mean, one of the reasons why we've seen the advent of an active defense bill is because organizations are saying we're regulated. We're spending a lot of money and we're getting hacked. If someone, some entity's not gonna do it, let us. Now to be sure, we don't support that bill. We don't wanna see people doing that.
But in the broader ecosystem, you're not gonna just solve these problems around security and privacy like we're talking about here without putting them in a broader context. I mean, right now to borrow a phrase, we're trying to kind of eat soup with a mouse. You know, the popular phrase, eating soup with a knife. We're eating soup with a mouse, if you will. We gotta work on pushing back on bad actors. Like a this mouse or like a my friend? The click kind of thing, right? So I have a question as someone who works with the chamber. As an advocate who's talking about data security and privacy and talking to companies, do you feel like where is the best lever there? Is it, it's gonna be an awful PR campaign when your devices all get turned into a botnet? Is it care about security from a health of the internet perspective? Or is it a, you know, where's sort of that touch point that is gonna be the best way to engage on? Well, in my experience, it really depends on the organization and all organizations, even within sectors are very different. But I would say, you know, when I talk with entities, I would say, do what you need to do and make sure your principals aren't in that hearing room chair. There's a long road between an incident, I should say preparedness and so forth, and that day in a hearing room chair, there's a lot of break points. Think about what you need to do to prevent that, whether it's enterprise security, IoT security, we can help and other organizations are there to help. I think in many ways it's gonna have to start with, and it does for a lot of organizations that are leading in this space, and they're really the model. You're gonna always find actors that fall short, that are outliers, always. How many companies are out there? A lot. We need to basically follow the leaders, and it starts with the top with organizations saying, to folks that have to manage these programs, what do you need to succeed?
And then you have mature conversations about what budgets allow, there are trade-offs, but I think it starts with the top, and it goes out from there, at least in my experience. So I'm gonna ask you to elaborate a little bit on this point, from the chamber standpoint, we have a lot of different sectors working on the problems, and they seem to be working a little bit in isolation. You have the healthcare side, you have the peer attack, I guess, and then so what kind of coordination do you think there needs to be, or is it better that the industry kind of working independently for now? So just to kind of make it very tangible. So when I was sitting at the July 11 NIST gathering on IoT security and privacy considerations, there was a dialogue in one room like this. What kind of just baseline security controls, privacy controls, do we need? Some thought, hey, there's a few that we need across all devices. Then the folks that actually work in this space, whether it's maybe some kind of consumer device or maybe something maybe in the industrial space would say, it's not clear we can do it like that because each device fills its own niche and we can't go down too much to the baseline road without kind of losing sight of the niche specialty. I do see sectors given their experience and manage enterprise risks talking, but I think in a lot of ways I think the niche approach in some ways is useful and to the extent that it works, that's fine. To the extent that cross talk and cross education helps, great, if it needs to be kind of more nature oriented, so you're matching device to environment and the risks that that device and the company that makes that and maybe the managed service provider, which is really a key point, that's okay. So Justin, kind of thinking about it from a niche standpoint, does that over complicate your efforts to really be able to standardize everything? No, I think there's sufficient information available to us to make it. 
I mean, again, we're not focused on things like the healthcare space or the business to business space. I mean, we're focused very much on consumer facing products, appliances, cars. I mean, cars is an area where Consumer Reports has a lot of expertise and a lot of weight to throw around and they're also a very interesting area where a lot of practices are changing quickly, right? Kind of like smart TVs. They didn't used to do a lot of this stuff and now they're starting to and so I think there's a place we can actually have a significant effect on the market. The other piece that we're focused on a lot is applications again, an area where CR hasn't traditionally done a lot of work, but which do have significant privacy and security, less ownership, but definitely privacy and security elements. I'm less worried about the how they get there, the standardization process and whatnot, than with the fact of whether they get there and then just looking objectively at a lot of the practices out there, whatever process is in place is clearly not working. Okay. One thing that was thrown out earlier, I think you mentioned you were at CES and you asked how do we patch? And then I apologize, but I can't remember who mentioned Vista. I think it was also you. Yeah, I also mentioned Vista. But with IoT, we need to be talking about patching. We also need to be talking about the end of life. How long are companies supposed to be supporting product? Because I can tell you right now, I still have things that are 30 years old in my house. They work great. I don't know if IoT, they're ever gonna last that long, but. Yeah, I mean like refrigerators, right? They used to last like 20, 40 years. My sister just yesterday got rid of her 2001 Pontiac Grand Prix. And how would that work in the IoT space? There ain't even a Pontiac anymore, right? I mean, like how will these things survive?
And so I think right now there aren't reasonable expectations if you buy a smart TV today, like the hardware may well last for a long time, but how long will you be able to access Netflix? I mean, how long will Aegis connectivity, even like the app support? Like I have a smart device and like I used to get YouTube and YouTube's not there anymore because maybe because of the flash. I really don't know. But all I know is like the big black spot in my screen now. So I think there really aren't reasonable expectations. It's one of the things we want to actually start rating but it's really hard because no one makes any promises. So go ahead. I was just gonna say, I think that's, we were glad to host OTI folks. Yesterday on our cyber work group called the kind of highlight, hey, let's pay attention to the digital standard. There's things here we could learn. I see what's likely to happen is these, let's say just generically labeling efforts. I think that consumers will be told kind of what the lifecycle expectation is. We're not there yet. There's probably exceptions. Forgive me if there's device makers out there that are gonna say, yeah, we're doing it. But I think in the main, when I think about Consumer Reports and I really appreciate the product, I think when we have that day where let's say my parents and myself included, if I'm gonna be buying, I think in the future, IoT devices, it will be helpful to me to know how I discriminate in a positive way among devices. More importantly, from the chamber standpoint, hopefully that label or whatever the tool is will help businesses buy devices that go in their enterprise and they can worry a little bit less about how they're managing those risks, but they're gonna have to do it on a continual basis.
I think part of the challenge here that at least I see when we're talking about lifespan is a lot of the companies that make those really big, expensive home appliances that people keep for 30 years are the ones really new to the IoT space. Refrigerator company's been making refrigerators for 50 years and they decided that the cool new connected whether I have milk or not tools in there and haven't managed to match the lifecycle support, the technical skills with the fact that that is a $1,000 device. I actually don't know how much a refrigerator costs. I've never bought a refrigerator, but it's a very expensive device and that consumers don't wanna buy a new one like they're willing to buy a new smart thing wearable something. I think from a consumer standpoint or at least personally speaking, I would see it almost as a warranty issue. If there's a one, two or even a three year warranty that ought to include security updates. But again, is a security update the same as a feature update? I know that some manufacturers use feature updates and kind of like hide the security update in there to encourage people to do it because they're more likely to want more features than want more security. But it makes sense that a security update would be available on a longer lifecycle compared to a feature update. You can see where a business wouldn't wanna continually update the features on a device because they want you to buy the new one. But it's helpful for everyone involved if security updates are available on a longer cycle. I mean, I think it gets somewhat to the question of ownership, right? Do you even own it if you're reliant upon server support for it to work? The FTC kind of has some precedent there where they actually have pushed back on companies that have not supported products for a reasonable period of time. So I know I worked on a case where there's a company called Revolv that made a smart hub that can manage all the stuff in your house.
And it was like 300 bucks. But then Nest bought Revolv and Google bought Nest and then Google's like, why do we have so many hubs? And so they decided to shut it down, right? And so like 18 months after people paid 300 bucks for it, they turned the server off and it didn't even fail dumb, it didn't do anything, right? And so the FTC wrote them a letter saying, okay, because you have agreed to give everyone their money back, we are closing this investigation. But, and like they've done the kind of similar cases along those lines, right? When companies have sold music or baseball games online, they say, you know, you were buying it, you were owning it. And then like a couple of years later, like man, this is expensive to keep the server on. So they'll turn it off and the FTC has also issued closing letters in those cases saying, okay, because you gave them all their money back, we're not going after you. But I think they're trying to establish some sort of precedent that there is some reasonable expectations, especially when you use the word ownership, that it is yours and that it will last for some period of time. But, and again, like where's that line going? I think it only goes so far. I think we're still developing what those really norms should be. Yeah, I would say this is just to add that speaking of refrigerators, I have actually spoken in the last couple of weeks with companies that do make refrigerators and they're thinking about how their products fit within the IoT space. And I said, that's good. Tell me more. And so I think one of the things that they're doing is they're thinking about how they build securely, protect privacy. I think everybody's still got questions about kind of what that means, right? You've got a number of different inputs, whether policy or customers. I think everyone's trying to find their way, but I like that example of the refrigerator maker thinking about that because that's what we want them to be doing.
And then at the end of the day, we need a solution that works for them. Policy makers, I often say, I like a situation where I've got government partners over here, let's say my members and everybody's nodding. This can work and then we kind of press ahead and tell others to follow and then an approach that works globally. I think that will really be beneficial to a growing IoT space because clearly if you're expanding the attack surface, you gotta be managing that risk. The other thing, let me put in a plug for my colleague, Jordan Crenshaw, who's leading a privacy policy initiative at the chamber. I'll put TBD, but he's doing some good work on that. So I'm looking forward to that. Just before that, so we're gonna be switching to the Q&A in a few minutes. So if you have a question, kind of keep that in mind. As a follow-up to that, it's encouraging to hear that some manufacturers are recognizing the need to actually develop that talent in-house. My question is how are they recruiting? Who's in college now who's becoming a software engineer, becoming a security analyst and really gets fired up to go work on a hyper secure smart refrigerator? I mean, that doesn't seem like it's gonna be the exciting market to jump into. And right now, there just aren't enough of those folks to go around. So they'll probably have their pick of the companies to work for. So until we solve that workforce issue, I don't know how we're gonna get to a point where basically every company that makes something that connects to the internet also has talented individuals who can actually do the coding and who can work through the policy and work through the business cases, say, yes, okay, this is how we're actually gonna support this device over its expected five to senior lifecycle. And it might come down to a decision where they say, you know what, it's just gonna turn off in three years and that's what we're gonna do to survive so that we can reduce our liability.
I mean, and afford to pay for it, right? Like a good security team with skilled security people is expensive because you're competing with other companies. And so if you are a small, you know, small company that, I don't know, again, I'm going on a trip, so cat cameras makes those things. You can't afford a great infosec team full of people who are going to maintain your product over time. It just isn't an option. And so we really need to get, figure out how to address the workforce issue, the cost issue, you know, in order to make this the default expectation. And is it the answer to this open source, the software that runs the cat camera, right? I don't know if people wanna tinker with that, if that's something that other consumers in the marketplace are willing to tolerate where you basically just have, I almost call it the shade tree mechanic, but you have a cottage industry of folks who get really good at fixing certain types of devices based on what's available in the open source. And I mean, one last thing about the digital standard is one of the tests is about vulnerability management, vulnerability rewards programs, which does engage those external smart researchers who might not work for that IoT company, but bring their intelligence and their skills to supporting that device. We'll ask the folks that are designing the digital standard, if I may. How does it account for maybe DDoS mitigation? Because we've got colleagues, members working with NIST, as part of the framework to look at how do they mitigate DDoS attacks? Is that part of the standard? Or is there a close approximation to that? Because I think that's interesting work. When you say DDoS mitigation, how would it be mitigated? To design it in such ways that, I mean, obviously there's like the getting into it system, which I think the standard does address.
I don't know that it addresses like internal design issues that would make it harder to attack someone just because it's not really, it's even harder to observe than in this area, like password practices, encryption, those are things I can see. Things that I can't see is really hard for us to consider, but I would like to be able to give you credit for that. My sense is that the idea behind at least one of the animating ideas is the device couldn't be commandeered as easily. That's the key. Do you have one last question? I do have one last question. Before we move into it, Q&A. But a lot of the things we're talking about is very future-looking. This is what companies need to do. This is where the industry needs to move to do. Just each one of you, one item, what can consumers do right now? What can consumers be thinking about when they're buying their devices? So if we can just kind of go through that. And then Kendall, raise your hand. So raise your hand and then I'll call you over. She'll bring the microphone and we'll start the Q&A that way. So let's go this way. So Marie, you kick it off. I always advocate for reading the manual, but that's just sort of my own nerdy little thing. I think for a regular consumer, checking the warranty period. So to make sure that there is at least some sort of coverage that is comfortable with where they want to be with that device. And knowing that there's a phone number they can call if they do need some help or have some questions about the security of their device. Justin? Update, update, update. Turn on automatic updates, update as soon as you can. Some things make it hard, so things like routers are not really well designed to do automatic updates. So it's kind of a pain, but it's worth like 20 minutes to update your router software. Matt? I guess from my vantage point, I guess if my asks are, we'd still like to see some kind of framework-like effort. 
Doesn't have to be a framework per se, but some kind of product, if you will, that I can help promote domestically and globally. Kind of like the framework, the cyber framework kind of has animated people's thinking around enterprise risk management. I need that kind of tool. Not to take away from the existing and a lot of good work that NIST is doing, but I think something that I can pitch and people kind of get, I think is key. The other thing is, maybe from the civil society standpoint, I can use your help in helping us push back on bad actors. We as businesses can't do it alone. And oftentimes when we try to secure networks and so forth, we will necessarily cause friction with some of the thinking that resides in organizations like this, even among our members. But my point is that we could use some help on pushback on bad actors. As we're thinking about how we coach up our businesses to start with security, right? Think about privacy and so forth. Anyway, those are my two big points. Thank you. I think my last one, and I'm not gonna doom and gloom anything, but I think that consumers, the thing that they can do is think twice before they buy something and think twice before they connect something. So again, I don't wanna put the burden on people who buy things, but think are these cool features worth the potential consequences and risks here? And I like fun IoT devices and I wanna play with them too, but since there are a lot of problems with security, just think about the data exposure that using that device offers to you. So. So thank you. And I think you already had a question. So Kendall, in the, yeah. Thank you. Fantastic, fantastic panel. Just a very quick note on some work done by some of the people in this room on patching, right? On patching, we asked for things that people can ask today. Guidance written to both consumers and manufacturers saying, hey, is this device possible for how long, what do I have to do? 
This document has been adopted by CCA there's a full list of their work. And I think there's, we talked about it at CVS. But I think there are other areas where rather than trying to solve all of security at once, we can go and say, what are other areas where we can provide clear both technical and policy guidance that we're trying to get? And I'd love to hear from the panel what are some of the other areas where we can help many manufacturers and policy makers and consumers both understand the key technical details in the back end, but distill it down to simple things. Also, this is Alan who works at NTIA. For the reference. Actually, if you can, if you don't mind if you can just tell us who you're from. Then apparently there's going to be a lot of really smart people asking questions here. No. I guess I'll maybe take a shot at this. So in full disclosure, so we hosted Alan Friedman from NTIA yesterday on our cyber work group call to talk about their latest effort around software transparency, things like the software bill of materials. We're interested in where that goes. From my vantage point, it's not so much for me personally to offer input into that. But I think with the exchange of a lot of good opinion from our members and other stakeholders that should help inform how we craft things like a NIST document, what policy makers on Capitol Hill do because even experts, when they're grappling with these issues, I find have a lot of questions and everybody's still looking for a lot of good answers. But anyway, that's my perspective. Yeah, I mean NTIA does a lot of incredible work. And I think, and I know they both, they do outreach. And I know the FTC has done outreach with start with security and stick with security, stay with security, something. Stick. And I think just more of that, right? I mean, I think a lot of the folks get it and understand but there are, I mean, the long tail of IoT is long indeed. 
And so finding new ways to reach those developers is important. You had a question. Thanks. Rick Weber, Inside Cybersecurity. So a lot of talk about legislation and regulation. So I guess my question is kind of two points, legislation and regulation. So I guess for Matt, the issue of legislation, do we need legislation? Does FTC have enough authority? There's talk about revisions to Section 5 authority. And then for the other panelists, regulation, who would regulate? Do we need to have a ban on products before they can come to market or some sort of a threshold? I mean, who's the regulator and how would that work? Rick, for me. So let me just give you a good example of kind of where we've been, at least on things like S1691, the Warner Gardner IoT Cybersecurity Act. We're currently neutral on that bill. We've had very good discussions with Senators Warner and Gardner's staff about trying to make that bill into something that at the end of the day leans more towards some kind of international approach. I mean, some domestic solutions could work, but guidance, best practices and standards and so forth. I think that's where I hear from my membership they want to go. They're not necessarily averse to legislation per se. This bill in particular focuses on government procurement. I guess the question I would ask is how come government can't procure stronger devices now? But either way, we're neutral on that bill, but I think we want to be, we want to be part of that discussion as it unfolds. Having worked for a State Attorney General and the Federal Trade Commission, I think that State Attorneys General and the FTC are the obvious regulators. I think FTC obviously has been working on this issue for over 20 years now. I think they have good expertise. I guess they need more staff. Having worked for the Office of Technology, I strongly endorse the Bureau of Technology idea. I think it's a great idea. 
Right now it's like seven people, not all of whom are technologists. I think building that out and bringing more technical capacity is really important, but also encapsulating a reasonable security standard in statute enforced by them. I don't think a ban is necessary. I think the beefed up safety in the backfield I think can work. Oh, comment on the legislative part. I think that the bills that we're seeing now don't really have much of an impact. Talking about the Warner Gardner bill, I'm not convinced that the US federal market is large enough to move the global market, especially when you're talking about production further down into the supply chain. If you have the bulk of the manufacturers, let's say operating in China and their profit margins are pennies per unit, adding security could mean the difference between them being in business or not being in business. And quite frankly, their business plan may only be to be around and survive for two to three years to get out a batch of products and then they go on and find a new business. So there may not be enough of that market incentive when you're talking about the lead that China has when it comes to their cybersecurity strategy and other large global markets like in India where they have local production mandates, let's say. So they're gonna be following more of the Indian model. And then we're just talking about the Smart IoT Act. It's great that commerce may wanna study the impacts of IoT, but that's like saying, what's the impact of electricity, right? It's so broad. It's almost like, well, what's the practical outcome? And I don't think that that's a good use of time or resources when you're talking about such a fast-moving marketplace. I would also be in agreement to highly endorse a Bureau of Technology. I think there's a strong need for technologists in the FTC. Probably a strong need for technologists on the Hill in general as well. 
So we just need to get more people who understand certain technical aspects of this, but also certain policy aspects of this who can help speed up that investigation process. You're not talking about investigations that last years. And that's even after there's a demonstrable harm that consumers incur. Rick, am I throwing at the end of that? At least I hear from members in the main, they're not typically supportive of product bans, among other things. It's a very complicated thing. And two, as the old saying is, what goes around comes around. We wouldn't want to see other countries banning our products since most of the buying public is outside of our borders. We wouldn't want that to be a real habit. That shouldn't be habit-inducing. I think that the FTC has the authority on a consumer-facing perspective to address how these things affect regular people who purchase them. And I think that's really valuable. It would be nice if large purchasers like the government had strong standards on IoT buying, but I agree that I don't think they can swing the global market. So right now I would say like enforcement of violations is a good thing to be able to do, but I think you can only regulate chunks at a time and you have to do that very carefully. Germany has banned some IoT products, right? It is illegal to own My Friend Cayla in Germany. You were forced to destroy your child's doll. Which is in the article that came out today, written by OTI staff. But you also can't buy a Kinder egg in America, so we take safety and security very strangely here. I am Canadian and Kinder eggs are delicious, so. Long term. Yeah. Hi, my name is Danielle. I'm a development intern here at New America. I do not have a background. I know Andy, you spoke a lot about changing consumer behavior and how your cousin didn't think to ask the question, is this device encrypted? 
And I was just wondering, I guess in layman's terms, if you can, what kind of question should consumers be asking other than is this device encrypted? How can I know if a product that I'm considering, how do I know what the privacy and security standards are for that producer and what should I be looking into? So honestly, I'm gonna sell the digital standard this moment because it's really hard. I don't think I could make a list of all of the security and privacy concerns people would have when they buy a smart device. I don't know what they are. It's a very long and complex list. Companies don't generally make that public. So one of the values that I see in the digital standard is it rolls so many of those together to create a more comprehensive evaluation which is accessible to consumers because people working in cybersecurity have talked forever about consumer education and how we need to do consumer education so they make good purchase choices. It's really hard. And not, you know, the information put out there isn't friendly to consumers doing their own research. It's also a bit personal. People have different levels of what they're comfortable with. I mean, I generally tend to look at a product and just ask myself, how would I feel if somebody other than myself somehow got to it? If it's my garage door opener, I just replaced my garage door and the salesman was really pushing hard for an IoT garage door opener. I said, uh-uh, somebody else, I don't care how they do it. They get into it, they get in my house. No, I don't want it. So I think it's just, that's a good baseline question. Just, how would I feel if someone else can get their hand on this? You know, how they do it is another question, but like, how would I feel? It's a good question to start with. Yeah. Hi, I'm Kelly from Wilson Sonsini. 
I'm wondering what you guys think the solution is for companies that are trying to balance the issue of making certain representations and facing risks of being investigated by the FTC if they don't foresee certain vulnerabilities occurring and this incentive that you all have been talking about of giving consumers all the information they need about security. Do you think there's a tension between that goal and the legal risk posed by making affirmative representations about security? Yeah, I think it's a really good question. If I were a manufacturer, I can certainly see why I would not want to say anything too concrete in order to evade liability. I personally think there actually need to be more affirmative transparency requirements under the law in order to get around that problem, right? The easiest way to get into trouble is to actually say something concrete. And so I personally would like to see privacy policies become a little more like SEC type filings. They're not for consumers, right? Therefore, like folks like me and therefore folks like regulators, they should have an obligation to say somewhere what's going on. So someone can hold you to account for it. Right now, again, the incentive structures are not sufficiently in place. I mean, I think the hearing chair is scary, but I mean, hey, you can pay the big bucks and you can deal that for like a month of temporary dip in stock price. Right now, companies can weather it and then not be held accountable. So I think the, unfortunately, I think the standard has changed. Look, we're gonna try on the demand side making information available about practices, which I think will help inform individual choices. But I think maybe just as importantly, I think can influence manufacturer behavior because they care actually what we say. Like they get really concerned when we give them a bad mark. 
So I think we can push things in the right direction, absent legislation, but I think legislation ultimately will be needed. I would go a step further and I'd say that we would advocate for baseline privacy legislation. So that way everyone is clear about what the expectations are on both sides. That way, you can still have the companies do that SEC type filing where you have the privacy policy for the wonks, but I think that by having a baseline privacy legislation, all consumers are aware of what the expectations are and manufacturers are aware as well. I mean, there's clear incentives for the appropriate action beforehand and then there's some clear penalties on the other end if those expectations aren't met. You know, I might say that at least from my vantage point, I think that cases that the FTC has brought kind of shows probably purposefully so what kind of their expectations are in different places. We've got members that have different views on that to be sure, but the one thing I would watch to see how this unfolds is that IoT security considerations piece. It's one key piece. It's not the only, but I think you can get it online. There's a June 28 pre-read that they put out before the July 11 event at Gaithersburg. Watch how that kind of unfolds. That and the kinds of actions that unfold from the botnets report. How these kind of questions get answered will likely be informed by those activities which is why groups like ours, yours, folks in this room are following those. I think that from my standpoint is the answer. I think we have time for one more question. Yeah. Emily Schmidlin from Infineon Technologies. So it's great that companies now are starting to really consider how they fit into the IoT landscape and the ecosystem. The problem comes when these companies are really starting to think about it seriously, but they've already been releasing these devices without realizing it. 
Especially for things like refrigerators and these long-term durable goods that you can't just expect people to go buy a new one pretty soon after they bought it. So what should be the approach? Or what should the approach be after the fact? So say, mandatory standards go into place maybe three years from now and someone buys a fridge next year and they spent four grand on this really high-tech fridge only to find out that it really comes nowhere close to meeting standards and they wouldn't normally buy a new one for another 15, 20 years. So what should be the approach after the fact? I'll maybe just say that I think one of the challenges clearly is the legacy device issue. I think there's a rough consensus that legacy devices may be treated differently just because I can think of a number of products that are in the marketplace. They've been, let's say, connected online, but when they were built, it wasn't designed to be connected to the internet. I think really there it's probably more of an issue of if you're gonna do that, then you need to have a game plan for managing those risks. Don't plug in without a game plan is my advocacy. Don't do it unless you know what you're gonna, what kind of challenges you're gonna face. I think that's the responsible answer. Yeah, I think if you have stuff out there that it's not gonna meet consumers' reasonable expectations about how it'll work, like even just a year or two after it, I mean given the FTC precedent and like Revolve and the content DRM cases, I think it's just err on the side of giving them their money back. So that's pretty much it for time. Thank you so much for your attendance today and thank you to our panelists.