So you want to market your security product… Terrell McSweeny Aaron Alva Federal Trade Commission Black Hat 2017 O VERVIEW W FTC ? HO IS THE AND WHY ARE WE HERE D ECEPTION M 101 ARKETING W ? HAT SHOULD A SECURITY COMPANY DO W ? HAT SHOULD A SECURITY RESEARCHER DO R : ECENT DEVELOPMENTS RE PRODUCT REVIEWS AND GAG CLAUSES 2 whois ftc.gov Commissioner Terrell McSweeny : • Commissioner (@TMcSweenyFTC) Aaron Alva : • Technologist, Office of Technology Research & Investigation (OTech) These views are our own, and do not necessarily represent the views of the Commission. 3 whois ftc.gov 4 whois ftc.gov Mission: Ensure a fair & competitive Consumer Protection marketplace for businesses Tools: Civil law enforcement Policy activities actions (workshops, reports) Consumer & business Research education (OTech) ID Theft Drones Smart TVs Cross-device Ransomware tracking 5 Marketing Security Products FUD in the security market 6 Deceptive FUD E.g. Hayes Microcomputer Products, Inc. (1994) • Modem company claimed that modems without • the “Improved Escape Sequence with Guard Time” would destroy data. Not true, and ad showed that a time bomb may • be lurking inside your computer. TAKE AWAY: Even if you’re using hyperbole, you can’t misrepresent what your product does 7 Truth-in-advertising 101 Marketers of security products are subject to the same truth-in-advertising laws as all other advertisers 8 Truth-in-advertising 101 Tell the truth The whole truth 9 W FTC ? HO IS THE AND WHY ARE WE HERE D ECEPTION M 101 ARKETING W ? HAT SHOULD A SECURITY COMPANY DO W ? HAT SHOULD A SECURITY RESEARCHER DO R : ECENT DEVELOPMENTS RE PRODUCT REVIEWS AND GAG CLAUSES 10