Can Washington protect us from our own devices?
Data cop Ashkan Soltani explains what scares him most about the Internet of Things.
By Danny Vinik
On Christmas morning, Americans will unwrap thousands of different new Internet-connected products: thermostats, toasters, even drones.
As data security becomes a bigger and bigger issue, and more and more devices actually share our data, who’s looking out for consumers? That job largely falls to the Federal Trade Commission, which has used its legal powers to take on the role of privacy and security cop in the burgeoning world of the “Internet of Things.”
Is the government up to the job? The Agenda’s Danny Vinik sat down with Ashkan Soltani, who just finished a stint as the agency’s chief technologist. He also was an investigative reporter for the Washington Post in 2013 and 2014 where he provided reporting and technical analysis of NSA documents leaked by Edward Snowden. After this interview, the White House announced that Soltani was taking on a role in the administration as a senior advisor to the U.S. Chief Technology Officer.
Soltani laid out the challenges the government faces in keeping up with a quickly changing market, described the fingerpointing he has seen among enforcers, and talked about how different agencies are now coming together to deal with a “holy crap” tough problem.
Danny Vinik: Many people think technology changes too fast for the government to regulate it. Do you buy that argument?
Ashkan Soltani: If you try to draft regulation or policy specific to a kind of technology or a protocol, oftentimes it is true that the technology will outpace regulation. But what you can do instead is try to look at attributes of the technology and try to create policy that speaks to what's unique about a particular technology or development or innovation, such that it works more broadly and gets to the spirit of what you're trying to achieve.
DV: A lot of new products transmit data without consumers even thinking about it. Does the FTC have the necessary tools to protect the buyers if something goes wrong?
AS: For a lot of things, information harms for which there are not ways to notify consumers become difficult for us, because our framework is based on notice and choice. And we often use deception [cases] to criticize companies that make promises to consumers that they don't live up to.
So, if a company promises that they have good security practices or if the company promises that they allow consumers to make choices with regard to their information collection and they do not uphold that promise, we have an easy tool. But a lot of the things I think we're seeing now evolve are passive collection of information by sensors, by devices, by drones, by whatever, that collect consumers' information. And we often may not see a direct notice, so [there is] no way for consumers to know. So it's hard to bring a deception case, and we often don't see harm in the strict sense of the word "harm."
DV: The industry points out that there's an inherent balance there—that data has value to companies, but you also must make sure consumers are protected.
AS: Absolutely. We do recognize the value of data and the benefits that consumers have. For us, the key is that it's a fair marketplace that works under these principles that we've put forth. So we're the [Federal] Trade Commission, right? It’s important to us that there is kind of competition and there is actually not just consumer protection, but that there's trust in the marketplace such that consumers continue to adopt these technologies.
So, if people start freaking out about how their cars are collecting information or how, as they walk through the streets, stores might be collecting information about them, they're going to have less trust in the marketplace and engage with the marketplace less, and I think that's a harm overall.
DV: Where are we along that balance right now?
AS: I think one thing to ask is [about] data security. If you look at the polling around: Do consumers trust companies to store their data or secure their data? We're seeing that go down. And so the question is, what do we want to do about that? Consumers are still engaging in the marketplace, but will we see a chilling effect for people to log into new sites or services or share that information more broadly? And that's what we want to make sure we avoid.
DV: Many people on the right see the rise of Internet-connected devices and rating systems as a way to replace regulation. For instance, Uber allows you to rate drivers on a five-star scale, so that the top ones naturally rise to the top and lower-rated ones fall off. At least, that’s how it’s supposed to work. Do you think this can work across different Internet of Things devices?
AS: I've heard that argument of let the market solve the problem. The issue with a lot of the things that we just discussed is that there is not a consumer awareness or actual consumer knowledge. So a data broker that I've never had a relationship with that collects my data has poor security and then leaks that information to unauthorized parties that it would never learn about. I'm not going to be able to make a market choice.
DV: Could it work with consumer-facing companies?
AS: It could work, I think, if there were some level of competition.
DV: There’s also an argument over national security about whether companies should offer a back door to law enforcement to protect against terrorism attacks. Do you think they should be required to do so?
AS: I think it's an important conversation to have. The piece that I'm kind of trying to highlight is that there are some technical solutions that solve some of the data security issues, but then they introduce some additional issues around national security and security more generally. So I think there are just considerations on both sides.
DV: What worries you most about Internet-connected devices?
AS: The thing that worries me is the life cycle of these things. So, when you buy a fridge, the typical life cycle of a fridge is like 10 to 20 years. When you buy a phone or a laptop, usually you keep that for one or two years. Then you get patches the entire time.
Something that I'm concerned about is how long will companies provide updates and security patches for things that consumers are going to keep around, like cars and fridges and toasters, such that even if your toaster still works, your Internet-connected toaster will toast your bread. If it has a network connection that is insecure, attackers can hack into that device, use it to jump into your network or use it to launch a DDoS attack or use it to do some harm using the Internet-connected portion of the device.
So some scholars, like Dan Geer, have called for an expiration date or kind of a self-destruct mechanism for the Internet-connected portion of these new devices. I've called for potential transparency or disclosure by companies to say how long they will support these devices for.
DV: Should the government require firms to provide software updates for a longer time?
AS: You have to consider what it costs to do these things. So you build a $50 toaster. Do you want, as a company, to be responsible for updating it for 10 years? Probably not. But, we have to find a nice balance where companies can at least tell consumers how long it will be. Maybe it's the duration of the warranty. Maybe under warranty, critical remote security vulnerabilities should be patched. I'm not sure exactly what that is, but I do think it's something we should be talking about.
DV: Between working with The Post and the Snowden files and your time at the FTC, you’ve seen all sides of the debate over the Internet of Things. How have your views evolved about what the government's role should be?
AS: The biggest eye-opener for me is oftentimes—and this is true, this is an evolution of my predecessor Ed Felten's theorem—where if you have a room of policymakers and technologists, the technologists say, "The lawyers should fix it," and the lawyers say, "The technologists should fix it." From the outside, people would call for the government to fix an issue or for them to bring an enforcement action or to regulate, and it's not that easy. I think the end solution will be a combination of civil society calling out the issues, [the] press highlighting issues, policymakers making policy for the critical ones, but then companies trying to lead by example and do the right thing on certain avenues, because sometimes the people in the best position to fix these things are the actual companies themselves or the practitioners. So the biggest eye-opener is that it takes a village.
DV: Do you think there's an understanding of that among the different players?
AS: Cybersecurity, data security, privacy, it's all hard stuff, and so I think there's generally an understanding that, especially around data security, you've seen it in the last couple of years where it's no longer like you're worried about the FTC as a cop. You're like, holy shit, this is—sorry, holy crap—this is a tough problem. What can we all together do to help improve the state of security? And you see not just the regulators on the consumer protection side, but you also see DHS and others on the cybersecurity side start to weigh in as well.
DV: Does Congress get this? We did a big report that suggested they’re pretty behind.
AS: I do think they're trying. I’m biased. I'm a technologist, but if you remember the OTA, the Office of Technology Assessment. So it used to be that Congress would have a bunch of geeks they could go to that were not biased. They were not on anyone's payroll. They were not lobbyists with an agenda, but you could just task them and say, "This is a hard issue. Write us a memo as to what are the facets, what are the considerations, how should we think about this issue."
It saddens me that that's no longer available to Congress, and you see some congressional members engage with industry and engage with experts. But you see others that don't have the resources or the time to really dig into these complex issues, and that does worry me because they are part of this process as well.