 Mae hi fel yw'r pryd ynghyd yn ei fod yn gyfodol ar gyfwyrdd. ac mae'r ffordd o'r bwysig twdd ar gyfodol yn gyfodol ar gyfer Ysgrifennu Nofonol a Ysgrifennu Ffarfyn Ffyrdd ydraig mae'r cael ei gilydd yn ei edrych yn ddodol Ysgrifennu Ffyrdd y Llyfr o'r Gweithihyd Ac ydw'r Gweith Genedlau Mae'r Gweith Ysgrifennu Torol Maxwini Mae'n rhaid i'n meddwl, mae'n gwneud o'r rôl. Mae'n gwoes i Arland, yn yr oedd, rydyn ni'n gweithio'r llyfr yn eu gwirionedd ar y gade, ac mae'n deall, mae'n deall, yna'r ysgrifenni. Mae'n meddwl i'n meddwl. Mae'n meddwl i'n meddwl i'r rôl i'n meddwl i'r gweithio. Mae'n meddwl i'n meddwl i'r rôl i'r gweithio. Mae'r ddechrau erbyn ymddangos, Tyrrl has served in a number of positions. Deputy Assistant to President Obama and the Antitrust Division, Domestic Policy Adviser to Vice President Joe Biden on a whole variety of areas like innovation, IP, energy, education, women's rights and in fact other areas as well. She's also been the Chief Council for Competition Policy and Intergovernmental Relations and in 2014 she was appointed Commissioner of the Federal Trade Commission. So you can see with her background she's brought together an amazing amount of experience and expertise to take this position. It's a very warm welcome to you to the Institute at Tyrrl and we look forward to your presentation which is entitled in a very nice title, a US Enforcer's Perspective on Innovation and Technology Policy. We look forward to your presentation, thank you. Thank you so much for having me and that incredibly kind introduction and very warm welcome. I can't tell you how absolutely thrilled my dad was when I said I am going to stop in Dublin and I have an invitation to speak at the Institute for International European Affairs and he said, oh that sounds amazing. I said no so am I. So I really appreciate both the invitation and the exchange of ideas but also the really rich work that you're doing here on these provocative issues and leading the conversation and policy dialogue so thank you for your commitment to that work as well. I think these are issues that we all need to be in a conversation about because they are very complex and they're profoundly important to how we're going to organize ourselves in the digital economy. So I'm going to talk a little bit about what I know which is how the US Federal Trade Commission works in this space. Some of the things that I think are good about it, some of the things that might be not as good and a little bit about where some of the frontiers are that I think we all need to be collectively thinking about and working on together and along with some of the tools that I'm familiar with in the US toolbox that I think might be helpful as well and I think we have time for questions. So I'll try to move through things quickly. I have to start with a usual disclaimer which is that I am a US Federal Trade Commissioner but I am here today giving you my own opinion, not necessarily the official views of the FTC or views that are even possibly shared by my colleague acting chairman Oelhausen. But since we're down to two members of a five member commission I can safely tell you that these are the views of 50% of the FTC. And I would note because we're in Dublin that my colleague Maureen Oelhausen is actually also Irish-American so it's also an all Irish-American FTC which is pretty awesome. So I'm going to start a little bit with the evolution of the Federal Trade Commission. I'm going to review again some of the strengths and weaknesses of the approach the FTC has used and conclude with the frontiers. But first I want to talk a little bit about time. Everybody's probably like, why are you talking about time? Because I want to start there for a second because I feel like these conversations use a lot of words. Some of them very technical. We start making generalizations about technology. We throw around things like neural network and algorithm and data and a lot of other terminology to describe the transformation in the global economy that is underway in this fourth industrial revolution that we're now in. And it's very easy to get confused by those words or to use them, I mean platform, what's that even mean anymore, right? Use them in sort of generalized way. I'll be doing it a lot today. But I think the thing to focus on is actually a very simple thing which is a thing we all have a lot of experience in. One of the key differences in what's happening now versus what was happening before is actually the velocity at which it's happening. And that's a time type of issue. And I think we are all familiar with that because we sense it in our daily lives. We sense the pace of the technology that we're using and the impact that it's having on our own lives. And I think that speeding up, if you will, made possible by all this amazing transformational technology is also one of the reasons we are sensing in a very personal and human way our loss of control of it around us. And I think that's the sort of underpinning of a lot of the policy conversation that we're all having in this space. So FTC, I'll get back to time later, but think of it as the change underway is really one of time, almost literally feeling like it's speeding up and us as humans having very hard time managing that change. The FTC is about 103 years old, which in America is very old, and it's especially old for an independent regulator. We've actually survived longer than any other commissions like us. The rest of them have been eliminated over time. And I think the only older one is probably the Fed. So I think that's cool because the FTC was actually founded at a time in our country where we were very worried about the economic power of these large vertically integrated companies that were owned by a very small number of very powerful individuals and controlled by them too. It's a thing that sounds very familiar in 2017 as a set of concerns. It was given at the time a very broad mandate to protect consumers from unfair competition. And ultimately we were added an additional authority to protect consumers from unfair deceptive acts and practices that didn't actually happen until about 1930. But it came along as an idea of having a generalized consumer protection enforcer who is going to step in and try to fix some of the inequities and imbalances and problems associated with the trusts and oligopolies that were running the economy. And so how did it happen that a commission established for that 103 years ago is now a commission that sometimes is referred to as a federal technology commission that serves as a data protection commission that has an office of technology researchers and holds workshops on ransomware and does all of this technology policy work? Well it's actually pretty simple which is that the FTC I think quite wisely over time focused on protecting consumers from harms in the marketplace and it kept moving with them as they moved from a brick and mortar world into the digital world that we're now in. So that's how the FTC landed where it landed with just a very broad mandate that it sort of used and adapted and evolved. And that is the most fundamental and important part of what the FTC does and why I think it is a very successful regulator or enforcer in the technology space because it also uses the other feature of its design to a very important purpose. Its other feature is that it's meant to study trends and changes in the marketplace in order to inform its enforcement practice. So basically the FTC does this thing over and over again and I think in modern time has done it relatively well just it studies the trends and changes in the marketplace and then it writes reports on things and or it sends warning letters and then ultimately it enforces and that cycle sort of repeats right. So again the challenge of the policy conversation that we're in now and the digital economy is that we have to speed up that cycle a lot right. The study report enforce it has to happen more rapidly and so again here we are with that time thing that I think is really the underpinning of the changes that are underway. I actually think we have a lot to show for our efforts though. So in the last three or plus years that I've been on the FTC we've done a report on data brokers on big data whether it's a tool for inclusion or discrimination on the internet of things. We've initiated our start with security initiative which is about building with security in mind all of these new great devices. We have a cross-device tracking report. We've done workshops on ransomware, drones, smart television, financial technology including crowdfunding, blockchain and digital currency and that's just in the last two and a half years. So that's a lot of activity looking at a lot of these changes and helping to inform our enforcement but also helping to inform the broader policy conversation. So I think it's impressively agile actually for a government agency to be able to do that kind of work and I think that's a really useful quality and attribute to agencies that are trying to keep pace in this environment and I think it's also really important that in learning about how the technology works and one of the things we've also done at the FTC is include technologists and computer scientists in our work now and on our staff so that we have people who are actually experts in the technology we're talking about. We also try to make sure that we're appreciating all the innovation and benefits that are flowing from it rather than focusing always on the cost and the harm. So we want to make sure that we're continuing to balance our understanding of all the great new things that consumers are benefiting from while at the same time we are identifying some of the harms and risks that we want to avoid. So harms is a big part of our work and as an enforcement agency harms is where quite rightly our focus is usually placed. The FTC continues to be very busy in the brick and mortar world. There's plenty of sprods and scams and bad practices going on between people all the time so we spend some of our resources there but in the online world we've also become known as a privacy enforcer and data security enforcer and I think ultimately and I'll get to this towards the end of my remarks I think we need to help move everybody towards information governance which is a slightly broader broader concept. The FTC's first privacy case was in 1998 and it involved geo cities which was unfairly selling users data without their consent and since then we've brought about 500 data security in privacy cases. We've also been given regulatory authority and limited way over children's data so under the US Children Online Privacy Protection Act we actually write rules governing the consent that parents need to give for the collection and use of children's information who are under 13. So our focus is on holding companies accountable for the promises that they make about the information they use and collect and consistently emphasizing the real role of choice and over time the FTC has taken the view that consent which is a really important element of how we approach these issues can be inferred for collection and sharing and use of information within consumer expectations but it has to be consistent with the context of the transaction and consumers reasonable expectations and I think in this in this way we have supported the evolution of frameworks that require often consent for the collection and sharing of information that we regard as sensitive and right now sensitive information which is a concept that I think can evolve with the marketplace over time but right now the FTC regards it as content of communications social security number is very important in the US as identifying information health information financial information financial information children's information geolocation information and recently in a smart television's case that we had we added television viewing information as well so that is a framework that's requiring an opt-in choice around the collection and use of that information now there are certainly pros and cons to the the US's heavy reliance on an enforcement and sector based approach to technology policy making in the interest of time there it is again time I'm going to skip over like literally the hundreds of thousands of pages of scholarly thoughts that have been written about the relative merits of regulation and enforcement and a free market approach to these policies issues I suspect everybody in this room is kind of an expert on them already and suffices today there is like a really good and important debate about what frameworks are best I like to I'd like to argue I guess that a fact-based enforcement oriented approach is very pro innovation and it might be even more pro innovation than a heavy handed regulatory approach to dynamic digital markets because it lowers the cost and burdens on new entrants and maximizes the incentives to innovate so the FTC's focus is economically and technologically informed and is primarily harm based but it's also technology neutral which is a really important component of either regulatory or an enforcement approach and sufficiently flexible as I've just been discussing to keep pace with the rapidly changing marketplace you know I do think there are also these issues that that people study quite carefully of industry capture of regulators and those don't tend to arise quite as much in a broad based enforcement agency but of course there are drawbacks I mean actually our most common complaint is that the FTC doesn't provide clear enough guidance over how and when it is using its generalized authority so the marketplace doesn't know well enough when we are going to bring cases and other critics argue that the agency doesn't confine itself to purely economic harms or that it can't keep pace with innovative and dynamic markets and those who support more aggressive regulation argue that the FTC's modern mandate is confined to stopping practices inflicting concrete harms to consumers in competition so the agency can't really address these broader public interest concerns that are also very important components of the of the technology policy debate so I'm going to pause here for a second and note that of course relying on an enforcement only approach does not solve all of the problems that we're concerned about and I don't want anybody to understand that I am advocating that instead I'm I'm I'm sort of trying to point out some of the strengths of the FTC's approach and of course the reality in the United States that I think has been relatively successful when it comes to optimizing for innovation is that we have a hybrid approach so the FTC is an enforcement agency but we work with expert regulators those those issues of when an expert regulator writes clear x anti rules for something versus when we rely on an x post enforcement framework are really front and center in the open internet debate that we are having once again in the United States and there I would say we're about to make a really big mistake because if you rely on an enforcement only approach to protect the neutrality and access and non-discrimination on the internet then you really are going to end up with a lot of problems because of the market structure of the way broadband works in the United States we don't have a lot of competition in that market so we have these very powerful companies that are vertically integrated with a lot of incentives to prioritize our own content or to engage in this is a technical term hijinks never use that term and and relying on an enforcement only approach is going to tee up some of the real weaknesses of an enforcement only approach which is that it takes us time to detect conduct if we can even detect it at all we may not have necessarily sector specific expertise in in what we're looking at we we would have to do a full investigation and that also takes additional time so you might end up several years after the fact trying to remedy a harm to say an entrepreneur is trying to build a new app with almost no remedy that's very satisfying at that point so i think it's a nice issue to tee up some of the complexities here there are certainly situations in which clear ex ante rules are justified it's particularly true when you're dealing with situations of market failure or you're trying to guard some of these public interest concerns like speech and access and non-discrimination on the internet that are really outside of the harms based framework of consumer protection or antitrust law so um i think move into the frontiers portion and hopefully we still have enough time i don't okay great um i don't have my watch on um and and and just sort of think a little bit about some of the really interesting challenges that we're all thinking about and working on as the array of technology we use in our lives is growing um first i think uh it's important that we remember that all of it's it's difficult to make generalizations all of these kinds of technologies are not necessarily the same and so for both regulators and enforcement agencies like the ftc the starting point should be to make sure that we're understanding the technology that we're talking about before making sort of big generalizations about it and now i'm going to make some big generalizations about it so i'll just assert that i understand the technology i'm talking about which is probably definitely not true um uh not true in that i think it's very hard for everybody to understand all these different things maybe some people are geniuses um so i think the questions we're wrestling with now is it you know how do we make sure that consumers um who want to benefit from all this innovation and who are benefiting from it have choices and transparency within it um are there additional protections that consumers need uh can the notice and choice framework continue to be the paradigm for privacy policy especially when the choices increasingly this take it or leave it proposition where you have to accept terms of use um in order to use a service uh and as the technology gets smarter i think one of the really important questions we're going to be wrestling with is how and when do we protect human agency and decision making um fortunately not all of these issues reside within the ftc thank god they're very hard um but a lot of them do and i think uh the ftc has some very valuable learning that it can use to inform the discussion in this area that it has evolved as it has evolved along with the marketplace so um first i would argue that we need to continue to protect consumers notice and choice and ensuring uh also that the technology is honoring those choices so in our recent enforcement cases the ftc has been particularly focused on technology that is essentially thwarting a consumer choice through some sort of clever work around this might be a critique of a kind of regulatory approach to some of these issues that you write a reg that says this and the technology just moves around it over here right so as an enforcement agency with a broad tool we've been looking at these challenges and in our recent case in mobi involving a company that was providing advertisements in apps we looked at the fact that although you might have shut off the geolocation tracking for the app the technology in mobi was still tracking your geolocation and it was doing that by triangulating off of your wi-fi connection so it was a clever technical work around that allowed them to continue to serve ads that pins your geolocation uh but we said look you can't deceive consumers if a consumer asserts a privacy choice that says don't track me you have to honor that choice and i think this area is an area the ftc has to be very vigilant in um and that we need to continue to work in our case in turn also was very related to that this was a case involving the Verizon super cookie program which was a bunch of tracking uh that was happening that was very hard to get rid of or actually impossible to get rid of and it and there we said look you can't deceive consumers and say that you can eliminate tracking that's occurring when that's not actually the case um and in our recent case involving smart televisions and visio uh we said look you can't present a notice that you're uh monetizing every single second of someone's television viewing um in the uh uh what was it called it was like the it was called the notice was like um we it was like performance and we might be using your information to serve you uh recommendations like that does not capture what is actually going on there especially when american consumers at least were pretty surprised to learn that they were being tracked like that and didn't really expect it so there we have those elements of consumer expectation and context being very important as well so um I think we have to continue to be vigilant and sometimes the vigilance um takes the form of actually sending out warning letters ahead of time so we were actually talking about this silver push you and I were talking about this nail this silver push warning letter that we we put out so this is software that is actually designed to gather your television use by turning on the microphone on your phone and listening for audio beacons that are being sent out right and it would be in like whatever app that's running that scene like I appreciate the laugh thank you it's quite clever um but again we said look you there's not a way that you can properly explain to people that that's happening to them that we think will work here so please app developers in the US don't do this um and again I mean I think in the US system it is flexible enough that if people actually designed a way in which that could be made clear to people we would allow the the conduct and the choice but we need to make sure that consumers really want to consent to that um secondly we've been looking at cross device tracking and one of the areas that I think we need to do a much better job on is making sure that a privacy choice that is made on one device is actually honored across your entire device graph because what is now happening is um it's most of your profiles are including every device that you access and what you access on it you can imagine the scenarios where people are doing things on their home computers that they didn't expect to show up on their work computers um and that can cause some very uncomfortable situations so we want to we want to make sure that that we're developing the technology it doesn't exist yet but I would like it to that would allow a consumer choice to be made across their device graph and I think that we really are in this situation where we're going to need to continue to have the innovation and technology that provides consumers with better controls and choices um and that provides the privacy innovations in this always on always connected atmosphere because that's going to be very very important I'm going to skip over a little bit here just in the in the interest of time um and uh and say that there are a bunch of other laws in the United States that I think are also really applicable to continuing to protect consumers in our digital economy um and they involve civil rights protections for equal opportunity protections against discrimination and we actually have some pretty robust authorities at the FSTC in the form of our fair credit reporting act which are requirements that are imposed on companies that are using consumer information um in ways that um affect uh lending decisions that are being made about consumers that can be a very nice model for what frameworks we want to put in place around consumers um so that they have ample information to know how their data is being used in ways that might affect their actual economic opportunity their ability to buy a house their ability to be employed um their ability um to be free of of discrimination in the marketplace see look at that I skipped a whole page it's good all right um I think I'm going to finish up with some of some of what I think we can actually evolve to without new authority and then some of the areas where I think it would actually be very helpful for the FTC to have some additional tools as well um first uh I want to start with where I think we can all go so um the issues of information and control and economic power and competition associated with the digital economy are far broader than privacy policy I think everybody in the room knows that um we have had an amazing experience in the last year of elections both here in Europe and in the United States that really underscores some of the uh non economic arguably non consumer protection risks associated with technology that's increasingly pushing us into like-minded groups and curating our lives in ways that are hard to to anticipate and and I think those are those are real problems um I also think there's a whole host of frontiers here around the the level of intelligence of the technology that is running algorithms and the impact that that has on the functioning of the marketplace um and the accountability that needs to be associated with the companies that are using that technology so um we've evolved this concept at the FTC and privacy over time called privacy by design we didn't come up with it I'm actually a wonderful scholar did and it's been part of the privacy conversation globally now for some time um the notion being that you can't tack on privacy values at the end of the product development lifecycle you have to build with those values in mind all along because if you push it in at the end the technology won't work like that anyway and in fact um we came to it because we a lot of our early privacy cases were deception cases where someone would say it doesn't do that and we'd say yes it does you can't say that um right and so building with these values in mind helps you avoid FTC liability well we adapted that framework into our data security program so we've brought hundreds of data security cases in which consumer data wasn't properly secured because a company failed to have proper security practice in place and we said look it you you should also have security by design security by design like privacy by design means building all along the the product lifecycle with security values in mind because it's a coders will tell you that all coders don't know security you need to have people who understand cyber security as part of that process right and it also means organizationally you need to have a data security program you need to have the ability to receive and respond to vulnerabilities you need to be testing your products you need to be patching your products right you need to have a whole framework in place around how you're securing a connected product or a connected offering so I think if we can evolve this into governance by design and then ultimately as the technology gets smarter ethics by design we can create governance structures within organizations using technology that are more responsive to some of the public interest values that we all care about and you know we're having a very vibrant conversation all over the world around these and I think there's a lot of consensus about what some of the elements of this kind of framework would look like and it includes transparency and choice and explainability I also think it includes testing data quality and remediation and mitigation strategies when that's necessary and ultimately as we get into increasingly autonomous technology it's going to require human minders that can explain what the autonomous technology is doing because I certainly can imagine problems in the future where some regulator or enforcer like the FTC says well why did it do that and the humans say I don't know right I don't think that's going to be a satisfying answer for anybody in that conversation so we want to be setting up the systems so that there is an explanation for that and and that we can govern the technology I am going to wrap it up there and simply say that it would be I think helpful if in the US we had the ability to write a privacy regulation I've supported that in the past that would be a generalized privacy law that we don't currently have and I think the FTC would be capable of writing that kind of rule I think it would be helpful if data brokers who are creating all these very detailed profiles about us were required to provide consumer access to that information and then we had more notice and choice and consent over how that profile is used and that would require in the US legislation as well I think it would be helpful if the Federal Trade Commission had civil penalty authority we don't have penalty authority we can get redress back for consumers but we can't really find anybody so I think that would give us a bigger stick and I would like to wield it and and I think we have to continue to have a very engaged global conversation around these issues which is why I'm so grateful to be here today because we're in a global digital economy so how we resolve these issues how we think about what the right policies are has an effect on all of us and everybody has a contribution to make