The FTC's Controversial Battle To Force Companies To Protect Your Data

This article is more than 9 years old.

Hacker conference Defcon has a long tradition of playing “spot the fed,” a game that involves outing government types who attend under the radar to learn about the latest hacking tricks and those who are expert at developing them. There was little challenge in the game this August when it came to one group of infiltrators from Washington, D.C. The Federal Trade Commission sent a host of employees and a newly-minted commissioner to Las Vegas to run a ‘robocall honeytrap’ contest, inviting hackers to come up with a tech tool to catch companies illegally auto-ringing consumers. There is sometimes antagonism in the relationship between hackers and the government but the FTC was welcomed warmly, perhaps because it has something in common with the group: the art of the hack. While the security researchers who attend Defcon are expert in hacking technological devices, the FTC has been steadily hacking the law, to make itself into a privacy and security officer responsible for protecting Americans’ data.

This is not uncontroversial. The FTC is responsible for ensuring fair trade practices. One of the mandates in the law that created the agency is ensuring companies don’t do “unfair and deceptive” things to consumers. In 2012, the FTC filed a complaint against Wyndham Hotels after it was hacked repeatedly, saying that the hotel chain was being “unfair” to customers by not employing commercially reasonable data security practices to protect their information. Wyndham fought back. It argued that the case should be dismissed because the FTC doesn't have the regulatory authority to oversee data security. A district judge disagreed. Now Wyndham’s appeal is heading to the Third Circuit. The Wall Street Journal says Wyndham is being “victimized” twice, first by the hackers that broke into its systems and now by the FTC. (Though technically, that would mean it was victimized four times, because hackers managed to break into that place 3 times in 2 years.) But that’s not an argument most Defcon attendees would support. The constant refrain of the conference – where hackers demonstrate the insecurity of everything from IP cams to cars – is that companies aren't doing enough to ensure that their products are secure, and that they owe it to their customers to make products that don’t leak sensitive information, whether it’s credit card numbers, home security footage, location information, or how many steps they took that day.

“We’re one of the only cops on the beat when it comes to data security,” said FTC Commissioner Terrell McSweeny, who was appointed to the FTC in April. “Consumers should have an expectation of security in their data.” McSweeny was at Defcon for the first time, and made the mistake of going for a run in the morning. It is August, and Las Vegas is in the desert. And she got lost. But there’s no hint of the ordeal as she stands in a conference room at the Rio chatting by the FTC’s contest stall, “Zap Rachel” – named for the infamous robocaller associated with Cardholder Services. McSweeny’s black slacks and sweater do not help her blend in with the hacker crowd.

She can’t speak about the Wyndham case while it’s in litigation. “All I can say is that I believe it’s important for the FTC to bring data security cases and I support enforcement in that area,” she says. At the conference, McSweeny talked to security researchers and attended presentations on insecurities in the Internet of Things, including cars that are hackable and medical devices that show up in scans of the Internet. If the agency is looking for companies to punish for improperly securing digital data, Defcon is a treasure trove.

“Enforcement is just one part of the response to security vulnerabilities. We react to complaints that come in and prioritize with limited resources,” said McSweeny. Rather than finding cases the FTC might want to pursue, she said her Defcon takeaway is that the FTC needs more power to pressure companies to safeguard our data.

“This reinforces my support – and it’s a unanimous position held by the FTC – that we need comprehensive data security legislation,” said McSweeny. “It would be very helpful for sectors that aren’t covered by security standards to have standards, to give FTC civil penalty authority, and to have breach notification requirements that are strong. It reinforces to me that Congressional action around data security is important.”

Medical and financial privacy laws have been passed with explicit guidelines about the expectation for how companies in those areas should treat data, but it’s far less clear for companies not dealing in those “sensitive” data areas. That’s Wyndham’s argument. It doesn’t know what the FTC expects when it comes to “reasonable data security practices.” As more and more companies start collecting and storing information about us thanks to connected devices – thermostats, cameras, cars – these questions will get even more urgent.

The FTC recently brought in Andrea Matwyshyn, an Internet security lawyer and law professor, who has been attending Defcon for a decade, as a senior policy advisor. It was her idea to run the robocall contest at Defcon this year. “The Internet of Things is bringing code into very personal aspects of our lives – into our homes and into our bodies,” she said. “When our medical devices, our cars, our homes, the gadgets we interact with are non-transparent agents of our trust, it’s increasingly important to consumers that there is transparent security and trust expectations for governance of their data.”

Consumers assume that a product they buy at Best Buy or in Home Depot has been vetted, that they can trust it not to leak their data. But anyone who hangs out with hackers or has attended a security conference knows how flawed that assumption might be. The FTC recently inked a settlement with TRENDnet forcing it to up its security practices because its IP cams – which were in thousands of homes and businesses – were easily accessible to tech-savvy strangers, as demonstrated by journalists who went through and looked at hundreds of exposed cameras.

“Security is not a feature. It’s a core functionality of a product,” said Matwyshyn, speaking as an academic and not on behalf of the FTC. “Products that lack security at a reasonable level are broken.”