Securing Dr. Robot

By Brooks Lindsay

Medical device robots present a number of cybersecurity, privacy, and safety challenges that regulation and industry standards must address in order to safely and rapidly advance innovation in the field.

The University of Washington’s Computer Science Department recently highlighted the problem. Computer science researchers hacked a teleoperated surgical robot called the Raven II during a mock surgery. The hack involved moving pegs on a pegboard, launching a denial-of-service attack that stopped the robot, and making it impossible for a surgeon to remotely operate. The researchers maliciously controlled a wide range of the Raven II’s functions and overrode command inputs from the surgeon. The researchers designed the test to show how a malicious attack could easily hijack the operations of a medical device robot. The researchers concluded that established and readily available security mechanisms, like encryption and authentication, could have prevented some of these attacks.

Telecoms’ Latest Attempt to Kill Net Neutrality

By Brennen Johnson

Last month, the Federal Communications Commission published its new net neutrality rules in the Federal Register. In response to the new rules, there has been an onslaught of legal challenges brought by telecom companies to defeat the rules before they go into effect mid-June. Within several days of publication, seven companies filed suit against the FCC over the rules. Rather than attacking the substance of the rules outright, the companies are instead seeking to block procedural aspects of the rules. The companies challenge both the FCC’s reclassification of the internet as a “public utility” as well as the legal standards and mechanisms that would allow the FCC to enforce the new rules.

By classifying broadband internet as a public utility, the FCC gains broader regulatory powers over internet providers under Title II of the Communications Act of 1934. The reclassification addresses the FCC’s January 2014 failed attempt to enforce net neutrality. The FCC’s rules at that time were struck down in large part because broadband internet was not classified as a public utility, implying that the FCC could not regulate internet providers in the same broad manner as other utility providers. Speaking for the Court in that case, D.C. Circuit U.S. Court of Appeals Judge David Tatel wrote: “[g]iven that the Commission has chosen to classify broadband providers in a manner that exempts them from treatment as common carriers, the Communications Act expressly prohibits the commission from nonetheless regulating them as such.” These broader powers significantly fortify the FCC’s position to protect its net neutrality rules from legal attack. However, if telecoms can successfully challenge the FCC’s reclassification of the internet as a public utility, then it seems a near certainty that the FCC’s current attempt at ensuring net neutrality will fail for the same reason it did in 2014.

Faking it by Omission? The FTC Targets Undisclosed Compensation for Online Reviews

By Julie Liu

When we sift through reviews for products and services, one of our top considerations is whether the words genuinely come from the customer’s experience and not a company’s imagination. There is no way, however, to determine a reviewer’s honesty beyond relying upon whatever disclaimers he or she provides. We have previously discussed the state of the law on fake business reviews. But what about “real” reviews incentivized by the reward of a good deal? If there was any question on the matter, the Federal Trade Commission (FTC) has now provided a real-life example of how to abide by the rules.

In a recent chapter in the battle against unfair competition online, the FTC zeroed in on automobile shipment broker AmeriFreight for its persuasive approach to seeking customer feedback. The FTC alleged in its complaint that AmeriFreight offered $50 discounts to customers in exchange for writing reviews on an independent review website and advertised its services to consumers as being “top rated” based on those reviews. In addition to the discount, reviewers automatically became eligible for a $100 “Best Monthly Review Award,” further incentivizing customers to write reviews. The complaint indicated that the issue was not the encouragement of reviews; the complaint alleged that AmeriFreight portrayed the reviews as unbiased and failed to disclose that the reviewers were compensated—a violation of Section 5 of the FTC Act. The case concluded late last month with the FTC’s approval of a final consent order which requires AmeriFreight to clearly disclose any “material connection” it has with an endorser and to not misrepresent customer reviews or product ratings.

The FTC Reports on the Internet of Things: Things That May Invade Our Privacy

By Eric Siebert

The Internet of Things arguably makes our lives easier, but in doing so, does it compromise other values we hold dearly? The Internet of Things is a system whereby objects that are commonplace in a normal lifestyle can connect to the Internet, enabling them to send and receive data to optimize or otherwise increase their abilities and functionality. With such increases in functionality, however, comes the ever-present risk that frequently accompanies changes in technology: Will this have a negative impact on our privacy? This is the very question the FTC sought to address in its report on the Internet of Things distributed last week. (We previously reported on the FTC’s preliminary examination of the Internet of Things here.) The new report discusses general ideas regarding the Internet of Things and sets forth best practices for businesses to follow in order to retain adequate consumer confidence in the products and the distributing companies themselves.

The Internet of Things presents many potential benefits to consumers. Among other things, it can be used to encourage and optimize energy efficiency throughout a household through integration with various appliances. It can also protect drivers on the roadway by warning drivers of various dangers, aiding in the development of autonomous vehicles (a topic previously discussed on this blog here and here). Further, the Internet of Things can help patients with medical conditions better communicate with their physicians to better manage their conditions. However, with such benefits, the FTC has also identified several security risks created by integration of the Internet of Things, namely: (1) enabling potential unauthorized access to personal information, (2) facilitating attacks on other systems, and (3) creating risks to personal safety.

“Disappearing Forever” Too Good to be True? Snapchat Reaches Settlement with FTC

By Chris Ferrell

On May 8th, the Federal Trade Commission (“FTC”) announced that Snapchat, a mobile application company, had agreed to settle with the FTC over several charges, including deceptive advertising, failure to maintain security features, and collecting data from application users. The FTC alleged that Snapchat deceived users by claiming that their “snaps” (which are pictures users take with their cell phones and send to other users) would “disappear forever” after being viewed. According to Snapchat, users send 400 million photos and videos per day. However, recipients of a snap can save the snap in different ways, including: taking a “screen shot” of the picture, downloading the picture as original content, or, at the extreme, hacking into different Snapchat users’ accounts and stealing their photos. We’ve previously covered the legal ramifications of taking a screenshot of snaps in the context of revenge porn.

The FTC further alleged that Snapchat’s failure to secure its “Find Friends” feature resulted in a security breach that enabled attackers to compile a database of 4.6 million Snapchat usernames and phone numbers. Snapchat also allegedly took contacts from Apple iOS users’ address books, as well as geolocation information from people using Android-based phones. Snapchat does not have to pay a fine, but, under the settlement, it is prohibited from misrepresenting the extent to which it maintains the privacy and security of users’ information. Snapchat must also implement a comprehensive privacy program that will be monitored by a third-party privacy group for the next 20 years. Although Snapchat claims to have already addressed the FTC’s concerns by “improving the wording of their privacy policy” and implementing security countermeasures, is that enough to allow applications like Snapchat to continue to exist?