As one of four Commissioners at the Federal Trade Commission (FTC), Terrell McSweeny plays an important role in protecting consumers. Since being appointed as a Commissioner in April 2014, Commissioner McSweeny has already left her mark as a thoughtful policy leader on issues important to developers like data use and innovation, security, encryption, and the Internet of Things (IoT). Commissioner McSweeny’s deep policy experience, including as an advisor to President Obama and Vice President Biden on areas including innovation and intellectual property, make her uniquely suited for her role as Commissioner.
Last year the FTC celebrated its 100th birthday, and while the Commission was originally created to protect competition, the FTC has also established itself as the nation’s chief privacy agency over the last forty years. Under authority granted to it in Section 5 of the Federal Trade Commission Act, the Commission prohibits deceptive and unfair commercial acts or practices, and enforces other privacy-focused laws like the Children’s Online Privacy Protection Act (COPPA), Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM) Act, and the Do Not Call Registry. On issues like data security, privacy by design, biometrics, in-app purchases, and much more, the Commission plays a critical role in the technology and app ecosystem.
Prior to joining the FTC, Commissioner McSweeny served as Counsel on the Senate Judiciary Committee, Chief Counsel for Competition Policy and Intergovernmental Relations for the U.S. Department of Justice Antitrust Division, and as an attorney at O’Melveny & Myers LLP.
As part of our Beltway Voices series, we caught up with Commissioner McSweeny to discuss a variety of issues important to app developers.
Application Developers Alliance: Many app developers and startups are focused on growing their businesses and may be unfamiliar with the important work being done at the FTC. What is the FTC’s role in the tech community? Is the FTC working with startups to educate them and offer guidance? What is your specific role within the tech community?
Commissioner McSweeny: The FTC was founded 101 years ago as the nation’s lead consumer protection enforcement agency. Since that time, the marketplace has changed but our core mission has not. We protect consumers wherever they are – whether they are online or in the brick-and-mortar world. Today our consumer protection mission includes policing privacy and data security, keeping kids safe online, and stopping online scams. Some have called us the Federal Technology Commission because of our involvement with these issues. Section 5 of the FTC Act gives us the authority to enforce against actions that are “deceptive” or “unfair”. For example, the FTC can act if a privacy policy does not reflect the actual practices a business is engaging in with consumers’ data, or if it finds that a company isn’t reasonably securing that data.
To help companies, especially small innovators, we offer a host of business education materials on our web site. Recently we started a new program called “Start with Security.” We have a Start with Security guide available on ftc.gov/business which is designed to take a business through the basics of setting up a data security program. We’re also hosting a Start with Security roadshow- we’ve had them in San Francisco and Austin with more on the way – to engage with startups about proper data security.
Application Developers Alliance: Data can be a great source of innovation and societal change. It is the lifeblood for developers and enables them to tailor their products and services for a more efficient, secure, and personalized consumer experience. It is also being used to tackle big issues. Among other things, developers are using data to enhance education, combat hunger, curb pollution, fight crime, and improve healthcare. How can the FTC and the federal government encourage the use of data to solve society’s toughest problems and make our lives easier?
Commissioner McSweeny: I think the Obama Administration did a revolutionary thing through the Open Data Initiative. Under President Obama, more than 130,000 data sets have been made available to the public for innovation and entrepreneurship on data.gov. This has provided new tools empowering people in a variety of ways – creating methods for better weather forecasts, providing searchable stats about colleges for students and parents, improving our response to natural disasters, helping consumers lower their utility bills, enabling a new era of medicine by making treatment and prevention plans more personalized and effective, and much more.
Through Challenge.gov, agencies throughout the government are empowered to enlist the help of citizen innovators to solve public policy dilemmas. Data sets and other tools are released to the public, often a prize is created, then innovators and entrepreneurs create solutions. For example, at the FTC we’ve used this platform to get help fighting robocalls, which thwart the Do Not Call list. Robocalls present particular enforcement challenges – defeating them is more or less like playing a game of whack-a-mole. A couple of years ago we held our first “FTC Robocall Challenge.” We made available the data collected on robo-calls such as the offending phone numbers, the times of day calls were most frequent, and the subject of the calls, then challenged developers to create their own solutions. The winner was a programmer named Aaron Foss. The service he founded, Nomorobo, is available to all consumers, and has so far stopped more than 36 million robocalls. This year, our “Robocalls: Humanity Strikes Back” contest challenged entrants to develop technologies that automatically block and forward the unwanted calls to a crowd-sourced honey pot. The winner, RoboKiller, uses audio fingerprint technology to identify calls and enables users to personalize their filtering settings.
These are terrific examples of how we in government can take our data, partner with the private sector, and develop innovative solutions to difficult problems.
FTC Commissioner Terrell McSweeny
One thing that we need to be aware of is that the use of big data can also exacerbate the social inequities we spend a lot of effort trying to correct. The data, and the resulting algorithms, can only be as good as the data inputs. If poorer people, older people, minorities, or recent immigrants aren’t being measured we have data sets and outcomes that won’t be truly reflective of the needs. Also, data scientists and their employers need to maintain vigilance against seemingly unfair outcomes. The Street Bump experiment in Boston is a good example. There, the city offered a way to report potholes and broken sidewalks directly to the city with a use of smartphone. The city noticed that all the potholes being reported were concentrated in wealthy neighborhoods. That was because the people in poorer neighborhoods either didn’t have smart phones, or weren’t using the app or took public transit. They fixed the situation by just providing the app to police and other public workers who frequented all areas of the city.
Application Developers Alliance: Data-fueled innovations are only possible with the collection of a large amount of information, some of which can be personal in nature. Developers know that consumer trust is critical to having a successful business and many use encryption to protect their users’ data. You recently wrote about the importance of encryption. Given that identity theft was the number one consumer complaint at the FTC for the fifteenth year in a row, how important is encryption and what other data security tools can developers use to protect their customers?
Commissioner McSweeny: Strong security and end-user controls are critical to protect personal information. I am a big advocate for consumers using encryption to guard their personal data, but consumers aren’t in control of their data once it they give it to another party. At the FTC we have noted a wide range of security practices among companies handling consumer data – particularly in the IoT sector. We are urging companies to embrace security by design early in product development. As noted in our Start with Security guide, use of encryption to secure confidential information during storage and transmission can help keep sensitive data secure throughout its lifecycle. Encouragingly, many companies are taking meaningful steps to improve their security practices including greater use of encryption technology for data in transit and at rest, whether it be stored in the cloud or on devices. Encryption has helped protect the information of millions of consumers – for example, protecting credit card information when a merchant is breached or protecting passwords when a popular website is hacked. The impact of major breaches may also be reduced the more that users’ data and communications are encrypted end-to-end.
Application Developers Alliance: Recently, law enforcement agencies like the FBI have argued encryption could hinder criminal investigations and suggested companies allow them to access their product through built-in “backdoors.” How do you respond to law enforcement’s proposition for a “backdoor?”
Commissioner McSweeny: I understand that there is incredibly difficult balancing being done by the FBI and the Department of Justice. I am not privy to the information that they have and I understand the very real and dangerous threats that they confront to keep us safe. But most technologists contend that exceptional access systems are likely to introduce vulnerabilities. The risks to consumers are even greater as we use more connected technology in every facet of our daily lives. I think policy makers need to carefully weigh the impact of any proposals mandating backdoors against the serious harms that could arise for ordinary consumers from weakening the security of products.
Application Developers Alliance: More than a year ago the European Court of Justice granted the “right to be forgotten.” The app marketplace is international and nearly every app wants to be global. This unusual “privacy” right poses serious challenges to developers, particularly if the U.S. were to impose a similar right. Do you agree with this concept and do you see this unusual right being adopted in the U.S.?
Commissioner McSweeny: We are at an inflection point in global Internet governance. The Right to be Forgotten, along with the recent ruling by the European Court of Justice on the Safe Harbor, could herald a time of increased data nationalization and a dialing back on the borderless flow of information that the United States has long advocated. I hope that is not the case. Part of our job at the FTC is to help assure our European friends that the U.S. is not the wild west when it comes to privacy- that we have enforcement regimes across different sectors of the economy, across the Federal government, and among the states.
As for the Right to be Forgotten specifically, I think the biggest reason it won’t happen here is because of our First Amendment. As it is practiced in Europe, the Right to be Forgotten runs straight into the freedom and press and speech we all cherish.
Application Developers Alliance: As our devices become increasingly connected and the Internet of Things plays a growing role in our daily lives, how does the FTC keep up with rapidly changing technologies?
Commissioner McSweeny: There are two things that I love about the FTC that help answer your question. First, we deal directly with the consumer. Many other agencies you need an expert or a lawyer to interact with, but at the FTC a consumer can file a complaint directly to us and we use those complaints to focus our investigations. If a consumer or researcher finds something amiss with an IoT product, they can refer straight to us.
Secondly, we are a nimble agency that has been able to adjust to new markets and new products quite successfully. We are expanding our own in-house technology unit and bringing in technologists to our recently formed Office of Technology Research and Investigation which will do research not only into IoT, but also AI, algorithmic transparency, and data security.
Application Developers Alliance: Emerging technologies like IoT and the sharing economy are not only changing the way we work, but are also offering consumers more choices for novel products and services. How can the FTC remain flexible enough to punish bad actors without smothering innovation?
Commissioner McSweeny: We view our role as protecting consumers from unfair or deceptive practices. As an enforcer, we are careful about the cases we bring. It is never our goal to chill innovation, but we do want to make sure companies treat their consumers fairly and without deception.
We also have a role in advocating for new entrants and disruptive technologies. For example, we’ve presented arguments that new platforms can introduce vital competition to state legislatures and local authorities when they attempt to ban services like Uber or Lyft. So, in some instances, we advocate directly on behalf of innovators.
Application Developers Alliance: One challenge developers and small businesses face are patent trolls, which continue to chill innovation and job growth aro
und the country. Trolls frequently single out small businesses that often lack the money, time, and legal expertise to defend themselves against frivolous demand letters sent by trolls. The FTC brought an enforcement action against one notorious patent troll, MPHJ, which sent demand letters to more than 16,000 businesses across the country for scanning technology. The FTC also commissioned a study on patent assertion entities (PAEs). While these actions are a good start, developers and small businesses need additional relief while much-needed patent reform legislation is pending in Congress. Can developers expect additional action by the FTC to combat demand letters sent by patent trolls? When can developers expect the results of the PAE study to be completed?
Commissioner McSweeny: I don’t have any information on the timing of our PAE report, but rest assured our staff is performing a thorough investigation. As for future cases, I obviously cannot divulge investigations that are not public but we pride ourselves on being accessible. If you find yourself targeted by abusive demand letters bring them to our attention.
Michelle Lease
Policy Counsel
