Consumers should have the right to inspect the source code for connected devices they own, to ensure it doesn’t contain bugs or backdoors, one U.S. Federal Trade Commissioner believes.
As we connect our homes, our vehicles and our clothing to the Internet of Things, “We need to be very mindful of consumer data security and be very careful of anything that undermines that data security,” said Commissioner Terrell McSweeny.
McSweeny was speaking in a personal capacity at the State of the Net conference in Washington, D.C., on Monday, but her position as one of four Commissioners at the U.S. Federal Trade Commission could allow her to influence policy.
She doesn’t plan on reverse-engineering her connected devices herself.
“That’s certainly not what I’m going to be doing with my free time,” she said. “I don’t have the technical ability to do that.”
However, she would like to see consumer devices made more open to their owners.
“I think transparency and having the ability to take a look at some of these things is going to be incredibly important… for the people that have the capacity to do that.”
White-hat security researchers are playing a vital role, she said, developing tools to examine devices and gain control of them — but those tools need to come out of the lab and into stores.
“I really hope innovations will come into the market that will help me as an individual consumer.”
The kind of help she’s looking for is with ensuring that her privacy preferences are respected by the different devices she’s connecting to, and warning her when they are not.
Representatives of other U.S. federal agencies have recently called for backdoors to be introduced into all sorts of electronic devices and software in order to allow law enforcement and intelligence services to listen in on encrypted communications. Such backdoors are often called for in the name of preventing terrorism, although a recent proposition in California says such moves should be taken to stop “human trafficking.”
While acknowledging that law enforcers need to have the tools to perform their work, McSweeny said that, as someone responsible for consumer protection, “I deeply worry about things like mandatory back doors and exceptional access systems in consumer-facing products because I think it has the consequence of potentially making consumer data less secure.”
Indeed, many have argued that where backdoors are built in for law enforcers, criminals will sooner or later obtain the keys.
“We’ve been having this debate for a long time in this country. We’ve had it in the crypto wars, for example,” McSweeny said, referring to the U.S. government’s attempts to impose a key escrow system for encryption in the 1990s.
“I’m personally opposed to government mandating this kind of thing,” said McSweeny, adding that what makes things different this time around is the number of devices we’re connecting to in our personal lives, and the amount of data we’re putting on those devices.
Concern about who might have access to that data is slowing adoption of such technologies, she said.
And it’s not just concern about demands from law enforcers: it’s also worries about lax security and sloppy coding.
“I’ve spent a lot of time at hacker conferences looking at IoT security. I’m also a parent thinking in terms of baby monitors and toys, and I’m deeply worried about some of the security practices,” McSweeny said.
Through the Office of Technology Research and Investigation (OTRI), the FTC is developing its in-house capabilities to research security vulnerabilities in products, she said.
That expertise will be useful far beyond individual investigations and enforcement actions, she concluded.
“Having more people who understand technology working on those issues in government and in public policy discussions is going to be incredibly important.”