#DataInsecurity Digest Interview with FTC Commissioner Terrell McSweeny
National Consumers League: What is the state of data security in America? Should consumers be concerned about what companies, the government and other organizations are doing (or not doing) to safeguard the data that companies hold about them?
Commissioner McSweeny: The good news is many firms have taken the idea of security by design to heart and have integrated security into the product design process from the start. Many companies do have robust defense in depth security architectures to protect consumer data. On the other hand, there is a wide spectrum of data security practices in the marketplace, and it can be difficult for consumers to know what is going on behind the scenes at the companies that hold their data. I’m particularly concerned about the security of so-called “Internet of Things” products – connected appliances, wearables, cars, televisions etc. The FTC’s enforcement and business education efforts are raising awareness among businesses that they must put data security front and center. But the fact remains that in our increasingly interconnected world vulnerabilities remain and, I fear, will continue to plague consumers.
Consumers should think about what types of data companies are asking for and whether it makes sense to provide the requested data in connection with whatever products or services consumers want to use.
NCL: Congratulations on another successful Start with Security event in Chicago! What other steps or events is the FTC planning to help companies, governments and consumers protect and secure their data online?
Commissioner McSweeny: In addition to law enforcement – which is the cornerstone of our data security efforts – outreach to businesses and consumers is a critical part of the FTC’s consumer protection mission, including when it comes to privacy and data security. We strive to keep our educational materials recent and relevant, and I hope that we will produce updated versions of our Start with Security Guide. We are always refreshing our educational materials, and we communicate the relevance of current law enforcement actions on our consumer blog and business blog.
In addition, we use our convening power to bring together industry members, researchers, and consumer advocates to discuss consumer protection aspects of developing technology. For instance, this fall we’re having a series of seminars on technology issues including ransomware, drones, and Smart TVs. And in January 2017, we’re having our second annual PrivacyCon to discuss the latest research in privacy and data security. Through events such as these, the FTC can stay on top of technological trends, identify where potential data security problems may arise for consumers, and start to look at possible solutions.
NCL: Recently, we’ve learned about some pretty huge breaches involving hundreds of millions of account credentials at places like MySpace, LinkedIn and Tumblr. We’re seeing those credentials being re-used in other attacks. What role does the FTC have in preventing password re-use?
Commissioner McSweeny: Besides educating consumers about using unique strong passwords and how to identify and avoid phishing attacks, we also advise consumers to turn on two-factor authentication at sites where it’s offered. And on the business side, we tell companies that they should require strong passwords, guard against brute force attacks, and not store passwords in clear text.
NCL: You’ve become something of a regular at some of the more popular hacker conferences like Black Hat and DEFCON in recent years. What are you hearing at these conferences that has influenced how you’re doing your job at the FTC?
Commissioner McSweeny: I think it is important to understand as much as possible about how technology works. I always learn a lot from security researchers I meet at these kinds of conferences and from the presentations of research at them. Some of our cases even come to our attention thanks to the work of hackers. I think it is important for the FTC to continue to build relationships with researchers who can be important partners in our work to protect consumer data security and privacy.
NCL: In March, the Federal Trade Commission’s Consumer Sentinel Network Data Book reported a 47 percent year-on-year increase in identity theft complaints. We also learned recently that the FTC’s Chief Technologist, Lorrie Cranor, was herself a victim of identity fraud. What is the FTC working on to help fight the ID theft problem and what can consumers do to help protect themselves? Should consumers be concerned about the security of two-factor authentication?
Commissioner McSweeny: Lorrie Cranor blogged about her experience and explained that someone used a fake ID with Lorrie’s name and the thief’s photo, and went to a retail store to acquire new iPhones that were charged to Lorrie’s account. This type of mobile phone theft – where someone goes through the time and trouble to create a fake ID with someone else’s name on it in order to steal a mobile account – appears to be on the rise, but is still relatively rare.
The reason Lorrie wrote about the experience was to educate consumers about the problem and let them know that they can take proactive steps – such as establishing a PIN or password that must be provided before making changes to a mobile account – to reduce the risk of having it happen to them. In addition, she highlighted that mobile carriers are in a better position to help prevent identity theft and should implement a multi-level approach to authenticating both new and existing customers.
We continue to educate consumers about ID theft and emerging data security risks, such as mobile phone account hijacking, to help them protect themselves as they navigate through the connected world. And for consumers who unfortunately do become victims, our website idtheft.gov offers a one-stop shop where consumers can get a personalized plan to report and help recover from ID theft.
NCL: There has been a lot of discussion recently around the issue of encryption, backdoors, and iPhone passcodes. Earlier this year, you wrote about concerns that businesses may be implementing encryption in insecure ways. Has your view about encryption technology evolved given all of the debate around the issue? How does the FTC help consumers take advantage of the security protections that encryption provides?
Commissioner McSweeny: I personally have highlighted encryption as a vital practice that can allow firms to store and transmit personal information securely. I’m concerned that mandating back doors to break encryption would weaken security protections for consumers and make them worse off. As we connect more things in our daily lives – such as our TVs, watches, appliances, cars – we will increasingly need tools like encryption to make sure that they remain secure. The FTC advises consumers that encryption is key to keeping their information secure, whether it’s transmitted to a website, to a mobile app, or through a wi-fi hotspot.
NCL: Back in 2005, the FTC released a staff report on the threat of spyware, adware and other unwanted software. In 2008, the Commission testified about the threat of spyware and the principles it relies on in enforcement actions against spyware operators. We recently sent an alert about the related issue of unwanted software (UwS). What are your thoughts on the growing phenomenon of UwS and the threats it may pose to consumers’ online security? Can the FTC do more to protect consumers from UwS?
Commissioner McSweeny: Unwanted software remains a problem, and we have put out some consumer education on how to avoid it and remove it, including telling consumers to obtain well-known software only directly from manufacturers’ websites, and to be alert when installing new software. This is the type of problem that really needs a broad technological solution, and I know that industry members – such as browser manufacturers – are working diligently to fight the problem, including issuing alerts that will warn consumers about potentially harmful websites. In the same vein, app stores are working hard to police the app marketplaces to reduce the number of malicious apps. Depending upon the specific facts of the case, we could also potentially bring an FTC enforcement action relating to the installation of unwanted software.
NCL: In the news recently there has been a rise in coverage of so-called “ransomware” attacks, especially in the healthcare space. What is the FTC doing on the issue? Do you believe this is a distinct issue or is it a symptom of the larger data security problems facing the country? What can consumers do to protect themselves from ransomware?
Commissioner McSweeny: One of our fall tech seminars in September will be devoted to the topic of ransomware, precisely because it is such an important issue that is affecting more and more consumers. This seminar should help us learn more about the scope of the problem and help consumers understand how they can reduce their risk of a ransomware attack and how they should respond to one if they do become a victim. While ransomware is a distinct problem from the type of security breach that leads to a more widespread compromise of personal information held by a third party, it’s a problem that hits affected consumers closer to home, since consumers whose files are held for ransom see the immediate, concrete and negative effects of an attack. I’m concerned ransomware could become an even greater problem as more of the things in our daily lives are connected to the Internet. We continue to provide consumers with information about how to protect themselves, including not clicking on unknown links in emails, checking the security settings on their browsers, and backing up their files.
Published by National Consumers League’s #DataInsecurity Digest
August 3, 2016