Show us the code! You should be able to peek inside the gadgets you buy – FTC commish
Worried about privacy, security? McSweeny has an answer
FTC Commissioner Terrell McSweeny supports the idea of giving people access to the source code to stuff to ensure better security and privacy in the era of the internet of things.
The idea is that obvious bad bugs and poor security mechanisms can be quickly spotted and either fixed or the item stays on the store shelf.
Speaking at the State of the Net conference in Washington DC on Monday, McSweeny noted that US consumer watchdog the FTC was looking closely at the proliferation of connected devices that gather and store highly personal information.
"It's not just federal trade commissioners that are concerned about this, consumers are as well," she noted, adding that she and the FTC are "deeply worried" about the security practices of many in the industry.
McSweeny was asked whether citizens should be able to look at the source code of products that they purchase. She thought it might be a good idea. "The ability to take a look at some of these things is really important," she noted. And she highlighted the "vital role" that white hat security researchers play in highlighting security problems – something that is "very valuable" to people.
While noting she was talking in her individual capacity, as opposed to an official position of the FTC, she highlighted the fact that the regulator was building its own in-house capacity to dig into products to assess their security and privacy. She said she could see a new market of "consumer facing tools" that would let people know whether their wishes for privacy were being observed as they move around a physical world packed with connected devices.
McSweeny also stepped into the ongoing debate over encryption and backdoors.
Speaking just moments after Assistant Attorney General Leslie Caldwell had given a keynote arguing that it was vital that law enforcement be able to access electronic information, McSweeny took the opposite tack and said she was opposed to backdoors being introduced or mandated because of the risk to consumer privacy.
Caldwell told the conference "there really aren’t any more [physical] paper trails for us to follow, there are only virtual ones" and said that she hadn't seen a single case in the past eight years, except for the most basic cases, in which electronic data wasn't a component.
The ability to access electronic material in a timely manner was "essential", she argued, but it was becoming "more and more difficult to obtain data even when we have court orders to do so".
She also noted that there are "very real physical threats" and that without access to emails, instant messages and so on, it creates obstacles "that can and do stop our investigations in their tracks". The ability to access encrypted information was a "public need", she argued.
However, McSweeny noted that while she was "not burdened by looking at intelligence information", from a consumer protection point of view "we have to be very, very careful in undermining that security".
Both Caldwell and McSweeny agree that electronic devices are being used more and more to store ever more personal information and in-depth material about ourselves. Except, from Caldwell's perspective, encryption means that information becomes inaccessible, and from McSweeny's point of view it means the damage of that information being accessed is significantly greater.
"We need to make sure law enforcement has the right tools to protect us from the bad guys," McSweeny noted. "But I am deeply worried about mandatory backdoors which could potentially make consumer data less secure."
Both agreed there needed to be more dialogue to find a solution that worked for everyone. ®