Attention whitehats, The FTC wants you to lead new privacy, security push
- 28 August, 2015 19:16
The Federal Trade Commission will in January hold a wide-ranging conference on security and privacy issues led by all manner of whitehat security researchers and academics, industry representatives and consumer advocates.
The FTC’s PrivacyCon will include brief privacy and security research presentations, along with expert panel discussions on the latest privacy and security challenges facing consumers. Whitehat researchers and academics will discuss the latest security vulnerabilities, explain how they can be exploited to harm consumers, and highlight research affecting consumer privacy and data security. During panel discussions, participants will discuss the research presentations and the latest policy initiatives to address consumer privacy and security, develop suggestions for further collaboration between researchers and policymakers, and highlight steps that companies and consumers can and should take to protect themselves and their data, the FTC stated.
“Due to the unique role that whitehat researchers, academics, and information security specialists have played in raising awareness about privacy and data security issues, the FTC is particularly interested in enlisting their participation in this effort. For the past several years, their work to strengthen privacy and security protections in this country has greatly benefitted the FTC and the public. For example, the FTC’s reports on the privacy implications of facial recognition technology and the Internet of Things have referred to important academic research,” the FTC stated.
The FTC is seeking presentations on consumer privacy and security issues from a number of different arenas including:
- Connected health and fitness devices or applications
- Devices or services that incorporate voice-activation technology
- Connected vehicles
- Big data and algorithms
- Consumers’ attitudes toward, and valuation of, privacy
- Costs and benefits of privacy-protective technology or behavior
- Economics of privacy and security
- Security by design techniques
Such conferences have led to a number of successful campaigns for the FTC in the past. Earlier this year the FTC issued a report on privacy and the Internet of Things. The report is partly based on input from leading technologists and academics, industry representatives, consumer advocates and others who participated in the FTC’s Internet of Things workshop held in Washington D.C.
From that report: The sheer volume of data that even a small number of devices can generate is stunning: one participant in the workshop indicated that fewer than 10,000 households using the company’s IoT home-automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household, the report states.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” the FTC stated. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
- Build security into devices at the outset, rather than as an afterthought in the design process
- Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization.
- Ensure that when outside service providers are hired, those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers.
- When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk. For example, companies should consider implementing reasonable
- Install access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. In the IoT ecosystem, strong authentication could be used to permit or restrict IoT devices from interacting with other devices or systems.
- Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network.
- Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
- Consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.