LAS VEGAS — The Federal Trade Commission, the de facto federal watchdog for consumers' privacy and data security, knows it needs help.
FTC Commissioner Terrell McSweeny and the agency's chief technologist Ashkan Soltani are in Las Vegas this week to talk with hackers and security researchers attending the Black Hat and DEF CON conferences. The agency wants their input as it navigates the increasingly complicated digital world in which consumers now live, McSweeny says. (Soltani previously worked with The Post on stories based on documents from Edward Snowden.)
McSweeny, a former senior aide to Vice President Biden who worked at the White House and the Justice Department before joining the FTC in 2014, sat down with The Post to talk about the agency's efforts to recruit more technologists and how the Internet of Things could make the FTC's data security mission even more important.
This interview has been lightly edited for length and clarity.
Andrea Peterson: Why are you out here at Black Hat and DEF CON?
Terrell McSweeny: This is actually my second time — I came to DEF CON last year as well, for a couple of reasons. Last year, we ran a contest on robo-calls called "Zapping Rachel" and this year we're completing our contest called "Humanity Strikes Back," which is all about providing consumers with better tools to defeat robo-calls.
We're also here talking to the security researcher community because the FTC is really on the front lines of trying to protect consumers' data security and privacy — and we find it incredibly beneficial to have direct communication with the folks in this community who help us understand how technology is working and how it's impacting people.
Q: How would you describe the FTC's role in the cybersecurity arena?
A: Where the FTC comes in is that we protect consumers from unfair and deceptive practices.
In the modern, wired context where consumers are connected and online, this means we try to make sure that privacy promises that are made to consumers are honored. It means that if apps or other types of technology are marketed in a deceptive way, we can take action. If consumers' data isn't secured properly that is unfair, it can cause an injury that consumers can't really avoid, those are the cases we can bring.
Q: How are the agency's efforts to expand its technical expertise going?
A: One of the things that have really marked the Commission in the last 25 years is its increasing focus on data security and privacy — and we've been trying to incorporate technologists more and more into the enforcement work we do as well as on the policy side.
What's really important in informing both our enforcement that involves technology and our understanding of the marketplace is making sure we have expert advice from technologists about exactly the technology we're dealing with and how it's impacting consumers.
I'm an attorney. I'm not a computer scientist. But I work with them to understand how a company is living up to their responsibilities to protect consumers and their data. Technologists like Ashkan really bring an ability to translate sometimes complex situations in ways that are key to the agency doing its job.
Q: The FTC recently established the Office of Technology Research and Investigation. Are these conferences fertile recruiting grounds for expanding those efforts?
A: This new office is really important. And it's building on a lot of work we've already been doing in using labs to test what's happening to consumers in mobile and other areas. I'm very excited about it — we are continuing to make sure that we reach out beyond maybe the normal ways. We do that to attract people who have the right experience and interest in that work.
Being here is really great for that. Today I met several people who are really interested in the work that we do and are interested in public service. That's the kind of person we want to talk to.
Q: Should we expect the FTC to bring more enforcement cases in the tech space?
A: I don't know that I would characterize it as more enforcement so much I would say we're going to continue to protect consumers wherever they are. And we've made this massive transition to the mobile ecosystem. Even 10 years ago, people really didn't have apps or smartphones and now we have advertising cases involving the marketing of apps and we have mobile payment systems that we're looking at very carefully. We try to adapt to protect consumers. That's part of the evolution of the FTC.
So, yes, you'll see more cases involving tech, but it's not because we're changing our focus, but because that's where consumers are going.
Q: Are there additional powers that would be helpful to the FTC?
A: Essentially, we take an authority that has been around for a really long time that I think Congress quite rightly intended to be flexible to adapt to a changing marketplace. We continue to adapt it to protect consumers in a really important way.
There are things that could strengthen our authority, speaking for myself as an individual commissioner, I would say I support comprehensive data security legislation. I believe my colleagues have supported that as well. It would not only set out requirements for how to notify consumers in the event of a breach, but also establish what security standards ought to be in place for consumer-facing products and give us civil penalty authorities which I think would be very useful.
I'd also support repealing the common carrier exemption [which prohibits the FTC from regulating phone companies and broadband providers among other firms that are overseen by the FCC], for example. I think it's outdated at this point and [repeal] would allow us to better protect consumers in partnership with the FCC.
So there are changed additions I think are helpful, but I think it's also important for us to continue to use the authority that we've already been to protect consumers.
Q: What are you learning about the way the cyber security community's views the FTC?
A: I think it would be a little presumptions for me to think I know what they think based on visiting a couple of times, but I do try to engage with these communities on a regular basis, as does the FTC. Obviously, our technologist, but also the enforcement staff, have a pretty regular dialogue with security researchers.
One thing that has always struck me is that we share a very similar inclination, at least in the White Hat context here, to protect consumers and make sure that as customers are using more and more technology — which is terrific, we love that it can improve consumers lives — that they're getting correct information about how their information is being used and how it's secured.
Those are common values I find with many in the security researcher community. Many care deeply about truthful and accurate information being given to people so they can make choices based on it.
Q: What particular areas are you seeing really pop up here? Where does the FTC fit in?
A: The Internet of Things which is really providing us with tremendous innovation and is a very exciting new growing part of consumers lives and the economy. It represents a lot of opportunities and a lot of consequences for consumers.
I think as we increasingly transform the Internet and become interconnected, securing of consumers information and these products and also providing consumers with complete and truthful information about what that technology does and how it's being used is going to be increasingly important.
I really feel like we're on the cusp of this really big change and in order to maintain trust, we're going to need to have good policies and good practices around the products themselves.
These are really big concepts, but even last year [at the conferences] were talks about different hacks and exploits around medical devices and cars. This year those are featured as well. And there are so many more consumer-facing products that are being presented.
For me it's scary and very interesting to watch the evolution of this space. I think we're in an incredibly dynamic moment — and one in which we need to be cautious not to overreact, but also be mindful of the fact that we need to protect consumers. I think the FTC plays a valuable role in this space.