“Don’t be a tool!” posts the exuberant blogger, admonishing the company that makes itself the unwitting victim of a “list bomb” attack by failing to include a CAPTCHA challenge to prevent automated email signups. Only 3% of retailers currently use CAPTCHA and only 6% use a confirmed opt-in process to validate subscriptions.
The charismatic blogger in question is a cyber-warrior. He is Jeff Wilbur, the chairman of the Bellevue-based Online Trust Alliance and the committee chair of the annual OTA Online Trust Audit initiative. Wilbur was involved at the founding stages of Ethernet, routing, switching, VOIP, unified messaging, and email authentication and services for a plethora of startups and Fortune 500 companies.
The sentiment is understandable — “List bomb” Email attacks. IoT vulnerabilities. Massive data breaches of consumer privacy. State-sponsored espionage. In today’s Internet environment there lurks an existential threat. Vigilance and education are essential to lock-in prevention and unlock solutions.
Formed as an informal industry working group in 2005, today OTA is a 501(c)(3) charitable organization with a mission to enhance online trust and empower users, while promoting innovation and the vitality of the Internet. From its headquarters in Bellevue, and offices in the “other” Washington, the OTA stands tall as a global entity supported by over 100 organizations.
With today’s headlines ranging from the FCC’s consumer-affirmative rulings to political misconduct in electioneering, and the ultimate “cost” of Yahoo’s data breach, we sought out the most trustworthy answers from OTA Executive Director & CEO Craig Spiezle. Forewarned is forearmed!
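The opening paragraph names confirmed opt-in (a confirmation link the subscriber must click before any marketing mail is sent) as the control most retailers lack against list bombing. The following Python is an added example written for this article, not code from the article or from the Online Trust Alliance; the `SubscriptionList` class, the `now` clock hook and the example addresses and IPs are all constructed for illustration. It ties the confirmation token to the address with an HMAC, expires it after 24 hours, refuses a repeat confirmation mail for an address already pending, and rate-limits signups per source IP, so a bombed victim receives at most one confirmation message per site and nothing further.

```python
import hashlib
import hmac
import secrets
import time

# Constructed for the example: in production, load the key from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 24 * 3600      # confirmation links expire after one day
RESEND_COOLDOWN_SECONDS = 10 * 60  # no second confirmation mail within 10 minutes


class SubscriptionList:
    """Confirmed (double) opt-in: an address is mailed only after it proves
    it wants to be, by presenting the signed token from the confirmation link."""

    def __init__(self, key: bytes = SECRET_KEY, now=time.time):
        self._key = key
        self._now = now            # injectable clock so expiry can be tested
        self.pending = {}          # email -> issue time of its outstanding token
        self.confirmed = set()     # addresses allowed to receive list mail
        self._attempts = {}        # client_ip -> recent signup timestamps

    def _sign(self, email: str, issued_at: int) -> str:
        # Bind the token to the address and issue time so it cannot be
        # moved to another address or reused after a new one is issued.
        msg = f"{email}|{issued_at}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, client_ip: str,
                             max_per_hour: int = 5):
        """Handle a signup form post. Returns the token to embed in the
        confirmation link, or None when the request is refused (no mail sent)."""
        email = email.strip().lower()
        now = self._now()

        # One outstanding confirmation per address: repeated posts of the same
        # victim address do not generate repeated mail.
        if email in self.pending and now - self.pending[email] < RESEND_COOLDOWN_SECONDS:
            return None

        # Per-source rate limit: an automated signup script submits many
        # addresses from few sources; a human fills in a form a few times.
        recent = [t for t in self._attempts.get(client_ip, []) if now - t < 3600]
        if len(recent) >= max_per_hour:
            self._attempts[client_ip] = recent
            return None
        recent.append(now)
        self._attempts[client_ip] = recent

        issued_at = int(now)
        self.pending[email] = issued_at
        return f"{issued_at}.{self._sign(email, issued_at)}"

    def confirm(self, email: str, token: str) -> bool:
        """Handle the click on the confirmation link."""
        email = email.strip().lower()
        try:
            issued_str, sig = token.split(".", 1)
            issued_at = int(issued_str)
        except ValueError:
            return False
        if self._now() - issued_at > TOKEN_TTL_SECONDS:
            return False                       # link expired
        expected = self._sign(email, issued_at)
        if not hmac.compare_digest(expected, sig):
            return False                       # forged or tampered token
        if self.pending.get(email) != issued_at:
            return False                       # already used, or superseded
        del self.pending[email]                # token is single-use
        self.confirmed.add(email)
        return True

    def may_send_to(self, email: str) -> bool:
        return email.strip().lower() in self.confirmed


if __name__ == "__main__":
    subs = SubscriptionList()
    tok = subs.request_subscription("reader@example.com", "203.0.113.5")
    print("mail allowed before confirmation:", subs.may_send_to("reader@example.com"))
    print("confirmed:", subs.confirm("reader@example.com", tok))
    print("mail allowed after confirmation:", subs.may_send_to("reader@example.com"))
```

The CAPTCHA the article mentions sits in front of `request_subscription`; the token scheme above is what limits the damage when that challenge is absent or defeated.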
Seattle24x7: The FCC has just voted to approve privacy and security rules for broadband Internet service providers. Which of the new rules does OTA consider to be the most significant for protecting consumer privacy?
Spiezle: The new rules do not go into effect for 12 months, and we should expect attempts to overturn them, meaning we may need to double-down on our support. Still, the rule making marks a significant advance. ISPs are required to obtain affirmative “opt-in” consent from consumers to use and share sensitive information. This includes precise geolocation data, financial information, health information, children’s information, Social Security numbers, web browsing history, app usage history and the content of communications. ISPs may not use or share customer information unless a customer “opts-out.”
Let’s say an ISP determines that unauthorized disclosure of a customer’s personal information has occurred. Unless the ISP determines that no harm is reasonably likely to occur, the ISP must notify affected customers no later than 30 days after the determination has been made. If the breach affected 5,000 or more customers, the ISPs must notify the FCC, FBI and U.S. Secret Service no later than seven business days after the determination has been made.
The tide is turning and now is the time to work together to enhance online trust, respect consumer choice and promote innovation.
Seattle24x7: The FCC Commissioner has called for a 21st century interagency privacy council among federal regulators to better align privacy policies across the board. Does OTA agree with such an intra-governmental structure? Would OTA have a role in that scenario?
Spiezle: Absolutely. Clearly the FCC has the power to move forward with rule making, yet the FTC’s hands are tied by Congress. Bringing together universal privacy policies is important, as they need to apply not only to ISPs and carriers, but to edge providers such as Google and Facebook.
Seattle24x7: What are the notable differences between the FCC rules and the FTC’s “less prescriptive” approach that have been the biggest points of contention?
Spiezle: The fundamental difference is that the FTC is limited in its enforcement under Section 5 of the FTC Act. They have broad guidance, but cannot force requirements unless the privacy and data collection practices are misleading, deceptive or conflict with their written policy.
Seattle24x7: Yahoo recently made headlines when it announced a massive data breach. Verizon has since reconsidered Yahoo’s acquisition value. Can you put a price on the kind of damage the data breach caused Yahoo? What would that price be?
Spiezle: It is difficult to put a dollar value on it. While there is no perfect security and most any organization can experience a breach or data loss incident, the issue comes down to a few key legal issues. Was the breach disclosed to Verizon? Secondly, and perhaps most importantly, what could have been done to prevent, detect and mitigate it? Does the breach represent a systemic breakdown in process, people or technology? Was there a breakdown in the security culture of Yahoo? Was there a material impact to their stock price?
Spiezle: The rapid influx of products hitting the market and the installed base of devices are all vulnerable. By their nature, these devices will all degrade over time and become threat vectors. As they are typically “always on,” they become an attractive vector for criminals. Thus far, we have only had a warning shot with a DDoS attack.
Our real concern is the impact to critical infrastructure and to the life and safety harms which may result. What is lacking is a “lifecycle approach” (and commitment) to address these issues and risks.
We have created an IoT ecosystem built on trust and innovation, where benefits to society and commerce are realized by prioritizing safety, privacy and security.
Seattle24x7: How does the OTA consider the role and trustworthiness of search engines and the question of trust between paid advertisements vs. organic results? Where does Google stand in terms of consumer trust? It did not appear on OTA’s Top Ten List of “Trustworthy Companies.”
“We are fast approaching the tragedy of the ad commons.” — Craig Spiezle
Spiezle: This is a key issue which OTA is working on. We see the ad industry at an inflection point. Trust in ads is declining. User experience and device performance are being impacted. More users are opting to use ad blockers. Native advertising and the lack of transparency and use of “click bait” is short-sighted. It is bad for the consumer and I would argue bad for a brand publisher’s reputation. We are fast approaching the “tragedy of the ad commons.”
Our position on advertising and content integrity is outlined online.
Seattle24x7: On the subject of email, a recent report revealed that the data systems put in place by America’s national political parties (RNC/DNC) including their data stores of the presidential election donor email lists have been turned over to the parties’ nominees for president. Is this re-use or re-purposing of political donor email addresses for after-marketing lawful? Ethical?
Spiezle: OTA released a report in September on this issue raising concerns on the broad latitude candidates and political parties take on data collection, sharing and selling of data. While they are not necessarily governed by the FTC, we believe they are not consistent with consumer expectations. For more, check out our recent announcement.
Seattle24x7: Where does the OTA stand on Drone initiatives for commerce delivery? Has the FAA provided its consent? What are the most pivotal points in the debate?
Spiezle: OTA participated in the NTIA and White House multi-stakeholder UAS / drone initiative. We see many significant benefits for delivery as well as for other purposes such as surveying property, search and rescue, yet also see this as an extension of IoT. The key question: What are the security and privacy safeguards? [24×7]