The Office of Technology Research and Investigation (OTech) is located at the intersection of consumer protection and new technologies. As a trusted source for research and information on technology’s impact on consumers, the Office conducts independent studies, evaluates new marketing practices, and provides guidance to consumers, businesses and policy makers. It also assists the FTC’s consumer protection investigators and attorneys by providing technical expertise, investigative assistance, and training. The Office is housed in the Bureau of Consumer Protection and its work supports all facets of the FTC’s consumer protection mission, including issues related to privacy, data security, connected cars, smart homes, algorithmic transparency, emerging payment methods, fraud, big data, and the Internet of Things.
For additional technology-related content, please visit the Tech@FTC blog.
Help protect consumers through research. The FTC welcomes researchers to inform us of their latest findings by emailing papers to firstname.lastname@example.org. Please note that the FTC does not offer compensation of any kind to research submitters and that submitted research may be made public by the FTC. If your research reveals a security vulnerability or otherwise contains information that could pose a risk of harm to the public, before submitting the research to the FTC, please contact Dan Salsburg, Chief Counsel of OTech, at email@example.com or 202-326-3402.
Bad Job: Abusive Work on Alternative Microtask Platforms
Do you want to pay someone to write a fake review for your app, click on your site, or “like” your social media page? If you try to recruit people to do these sorts of tasks, the FTC is on to you. On May 27, 2021, OTech’s Tina Yeung presented a research paper at the peer-reviewed ConPro ‘ 21 that examines these and other types of sketchy jobs available on alternative microtask platforms – sites where employers ask workers to complete small tasks for modest pay. In the paper Bad Job: Abusive Work on Alternative Microtask Platforms, we collected details from three alternative platforms over approximately a month, categorizing the available work. We found that potentially abusive work persists in well-known categories like search engine optimization, but we also uncovered new and emerging categories of work, such as tasks that may manipulate spam ﬁlters. In the paper, we comprehensively explore these categories and discuss potential mitigation approaches.
Nixing the Fix: An FTC Report to Congress on Repair Restrictions
In a new report to Congress, the FTC identifies numerous types of repair restrictions, such as using adhesives that make parts difficult to replace, limiting the availability of spare parts, and making diagnostic software unavailable. The report’s findings, including that “there is scant evidence to support manufacturers’ justifications for repair restrictions,” are primarily based on responses to the Commission’s requests for public comments and empirical research issued in connection with a July 2019 workshop conducted by OTech and the FTC’s Division of Marketing Practices. The report explores means of expanding consumers’ repair options and how the Commission could assist in that expansion, consistent with its statutory authority. In addition, the Commission notes that it stands ready to work with lawmakers, either at the state or federal level, to ensure that consumers have choices when they need to repair products that they purchase and own.
Checkout Checkup: Misuse of Payment Data from Web Skimming
What happens to consumers’ payment credentials when they are used to purchase items from online storefronts infected with web skimming code? The answer to this question can be found in a research paper OTech’s Phoebe Rouge presented on November 18, 2020 at the peer-reviewed eCrime 2020 Symposium on Electronic Crime Research. The paper, “Checkout Checkup: Misuse of Payment Data from Web Skimming”, describes a study in which Phoebe identified 50 web sites whose shopping carts appeared to be compromised by web skimming code that would send purchasers’ payment credential information to malicious actors. Over an 11 month period, thieves used 15 of the payment cards. But, they didn’t use the cards immediately. The initial fraudulent use of the 15 payment cards ranged from 16 to 240 days after the cards were entered into the compromised web site’s shopping cart. The moderately long delay between exposure of credit card data and misuse of that data suggests that the impact of web skimming may not be apparent for an extended period following an incident.
Misuse of two-factor authentication phone numbers
On August 7, OTech’s Min Hee Kim presented “Secondary Education: Measuring Secondary Uses of 2FA Phone Numbers” at the peer-reviewed WAY 2020 conference. The paper examines whether top online merchants that offer SMS-based two-factor authentication send marketing messages to the 2FA phone numbers provided by consumers. Min Hee and her colleagues in OTech examined web traffic for evidence that sites share numbers with third parties when the user enrolls in 2FA and monitored the phone numbers for a two-month period after enrollment. They did not observe either the transfer of phone numbers in the web traffic or any marketing calls or messages, suggesting a consistent norm against sending marketing messages to phone numbers that consumers only provide for 2FA purposes.
Joe Calandrino wins Best Reviewer Award at IEEE Symposium on Security and Privacy
OTech’s Research Director, Joe Calandrino, was awarded the Best Reviewer Award at the 41st IEEE Symposium on Security and Privacy. This award is given to the top reviewer of papers submitted to this preeminent conference on security and privacy research. Joe will also be chairing the symposium’s session on Web Privacy and is the co-chair of ConPro, the consumer protection research workshop that is co-located with the IEEE Symposium.
You Don’t Say: An FTC Workshop on Voice Cloning Technology
Advances in artificial intelligence and text-to-speech (TTS) synthesis have allowed researchers to create a near-perfect voice clone with less than a five second recording of a person’s voice. These technologies could help people with tracheotomies and other conditions use TTS systems using voices derived from their previously-recorded audio samples. These technologies, however, could also cause substantial harm when used to impersonate a trusted person. On January 28, 2020, OTech and the Division of Marketing Practices hosted a workshop that examines the promise of voice cloning technologies, the serious risks these technologies pose, and whether there are ways to ensure that these technologies are not abused.
Guiding to Safety: How Technical Documentation Writers Can Encourage Software Security
This piece aims to assist writers of formal developer documentation, such as a detailed programming language reference or tutorials on programming for a platform. The Federal Trade Commission has more than twenty years of experience in protecting consumer privacy and security. For this piece, we consulted with experts on documentation for developers. Based on those discussions, we suggest ways that documentation writers can guide software developers toward more secure practices.
Last updated: 6/2/2021