FTC Commissioner Terrell McSweeny details how the government agency is working to improve privacy and limit deceptive practices online—and makes a plea to hackers
Terrell McSweeny, commissioner of the Federal Trade Commission, got a somewhat unique introduction at the DefCon security conference in Las Vegas on Aug. 5. When McSweeny was introduced to a large audience, the FTC was described as a federal agency that many in the hacker community actually really like.
“I’m really interested in protecting consumer privacy and data security,” she said.
The increasing rise of connected devices, commonly referred to as the internet of things (IoT), is top of mind for McSweeny, though she’s not a fan of the term “IoT” itself.
“I think the term ‘internet of things’ is overused; it’s the internet of a lot of stuff,” McSweeny quipped. “Really what’s going on is we are connecting ourselves and the stuff in our lives in new and exciting ways.”
The IoT is bringing innovation to consumers, but it is also coming with privacy and security issues. The FTC is very focused on helping to protect consumers from potential risks associated with the IoT, McSweeny said. While the FTC has “trade” in its name, she was quick to point out that her efforts have almost nothing to do with trade.
“The FTC has almost nothing to do with federal trade policy and everything to do with consumer protection and competition,” McSweeny said.
Primarily what the FTC does is bring civil cases against companies that may be engaged in deceptive practices or are not properly protecting consumer privacy and data, she said. One recent case the FTC was engaged in was a settlement with Oracle over Java updates and security.
One of the many challenges that faces the FTC—as well as consumers—is the fact that while there are different compliance specifications and various privacy laws, there is no single comprehensive data security law in the U.S., according to McSweeny. As such, she noted that the FTC doesn’t just work on enforcement, but also on education to try to address data security and privacy issues.
Interested in security research
Among the biggest issues that McSweeny said the FTC sees today are vendors ignoring vulnerability reports, slow response times by vendors to vulnerability reports, lack of data protection, failure to store passwords securely and lack of proper security configuration.
The FTC is also working to improve its own technology capabilities, which is where Lorrie Cranor, the FTC’s chief technologist, plays a key role. That said, the FTC didn’t come to DefCon just to tell people what the agency does; it came to recruit information and security experts.
Cranor said the FTC is interested many topics and areas of security research. Among the topics of interest are IoT security and best practices and research into online bots and how consumers interact with them.
“When consumers interact with bots, we wonder if they even know that they are interacting with a machine, so we want research on how consumers can become aware of bots,” she said.
Virtual reality is another area where the FTC is looking for research into privacy and security, as the technology is just now starting to enter the mainstream. Cranor noted that the FTC is also interested in tools that can help consumers to protect their own information across different technologies.
Additionally, the FTC is interested in research that can help consumers assess the risks posed by breach vulnerabilities. Cranor commented that the FTC is also looking for research into what can be done to protect consumers from malvertising and ransomware.
“We can’t solve all the challenges that are going to be confronting consumers in a hyperconnected environment without a lot of partnerships, particularly with the security researcher community,” McSweeny said. “If there is one takeaway here, we really want to forge a partnership and hear from you.”
Originally published on eWeek