Felten Advocates for Enhanced Data Security Before the U.S. Senate
By Riis L. Williams, Princeton School of Public and International Affairs
On Oct. 6, the U.S. Senate Committee on Commerce, Science, and Transportation held a hearing to discuss consumer privacy and data security.
Edward Felten provided three recommendations for the Federal Trade Commission to strengthen consumer protection: greater civil penalties, a strong rule-making framework, and empowerment of the technology workforce.
“More and more data about our lives is captured, stored, and analyzed, with little transparency about what is collected, who has it, what they are doing with it, and how well companies are protecting it,” said Felten, the Robert E. Kahn Professor of Computer Science and Public Affairs, Emeritus, at the Princeton School of Public and International Affairs, in his opening statement. “Too often companies fail to take common, reasonable steps to ensure data security, and too often these failures lead to security breaches that ultimately harm consumers.”
From 2011 to 2012, Felten served as the Federal Trade Commission’s (FTC) first chief technologist, where he oversaw data security activities and technology accessibility. This position, as well as his academic background in the policymaking and technology of internet security, largely informed his advocacy for stronger privacy protections.
Nationally, the FTC plays an essential role in data protection across many sectors of the economy by enforcing Section 5 of the Federal Trade Commission Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” Felten explained, however, that the FTC often struggles to cope with the wide scope and complexity of data security, which, he said, will only become more challenging as reliance on digital technology increases.
In the past decade, Internet of Things (IoT) devices — everyday objects that wirelessly connect to the internet without human intervention — have become increasingly popular in American households. Many at-home security webcams, for example, allow consumers to monitor household activity from their phones while they are away from home. Though advertised to enhance safety, many of these webcams have had hidden administrative functions that allow hackers to easily log into camera systems with weak passwords or passwords set up in advance by the manufacturer. In 2016, this catastrophic flaw was exploited by what was dubbed the Mirai botnet, when hackers installed malware and took control of hundreds of thousands of IoT devices.
“There was little, if anything, that consumers could have done to protect themselves,” Felten said. “Nothing on the webcams or their packaging suggested the existence of a minimally protected administrative interface.”
Felten referenced another disastrous data breach involving the consumer credit reporting company Equifax. In 2017, the company found a series of intrusions in its system that resulted in the extraction of private data for 150 million people, including 145 million unencrypted Social Security numbers. (Unencrypted data is stored in directly readable form, so anyone who gains unauthorized access to the system can read it without further effort.) Equifax knew of the security flaw, Felten said, but failed to apply a fix until the problem was exploited.
Felten ended his testimony with three recommendations for the FTC to improve consumer data protection. First, he argued, there should be civil penalties for first violations of Section 5 of the Federal Trade Commission Act. Currently, companies that commit serious violations face no financial penalty if it is their first infringement. “[The Act] is a weak deterrent, tempting a company to gamble that it won’t face enforcement…that it can gain advantage through unfair practices, then clean up its act after the first enforcement,” Felten said.
He also suggested that the FTC create a statutory or rule-making framework that regulates data security practices. The framework might require:
- That companies store and transmit sensitive consumer data in encrypted form.
- Strong multifactor authentication for administrative accounts.
- Deletion of consumer data once it is no longer needed for the purpose for which it was collected.
- Strong efforts to track and install available security updates on systems that hold consumer data.
Lastly, Felten advocated for the growth and empowerment of the FTC’s technology workforce. “[Technologists] need to be treated as full partners in the agency’s internal processes and staff-level decision making, and not merely as consultants to a legal team,” he said.
With data security only growing in importance as technology continues to reshape daily life, Felten and other Princeton researchers are focusing on issues related to science, technology, and innovation.
In addition to Felten, witnesses at the hearing included James E. Lee of the Identity Theft Resource Center; Jessica Rich, former director of the Federal Trade Commission’s Bureau of Consumer Protection; and Kate Tummarello of Engine.