When it comes to marketing tactics, security products are no different than any other consumer products – advertisers sometimes fall victim to their own hype. A walk across the floor at a security expo presents a bewildering range of product claims, ranging from the mundane to the questionable to the implausible. Marketers sometimes exploit potential customers' fear, uncertainty, and doubt (FUD), banking that emotional appeals will overtake reason.
But marketers of security products are subject to the same truth-in-advertising laws as all other advertisers. In this talk, we will discuss the Federal Trade Commission's (FTC) longstanding authority to protect consumers from unfair and deceptive practices. We will focus on how deceptive claims and advertising are violations of the FTC Act, and offer guidance on what security companies should do to avoid making deceptive claims. We also offer questions researchers and security professionals can ask to challenge claims companies make.
Aaron Alva (@aalvatar) is a lawyer (not yours) and hacker who works as a technologist at the Federal Trade Commission's Office of Technology Research and Investigation (OTech). He was a recipient of the NSF CyberCorps scholarship for his MS/JD work at the University of Washington. At the FTC, he explains technical issues to attorneys working on behalf of consumers, and conducts research on areas that impact us all. He fights to protect the future in which his daughter will grow, lead, and amaze.
Terrell McSweeny serves as a Commissioner of the Federal Trade Commission. When it comes to tech issues, Commissioner McSweeny has focused on the valuable role researchers and hackers can play protecting consumer data security and privacy. She opposes bad policy and legislative proposals like mandatory backdoors and the criminalization of hacking and believes that enforcers like the FTC should work with the researcher community to protect consumers. She wants companies to implement security by design, privacy by design and data ethics by design – but recognizes that, in the absence of regulation, enforcement and research are the only means of holding companies accountable for the choices they make in the ways that they hold and use consumer data.