IoT Home Inspector Challenge, 840-847 [2016-31731]

Download as PDF 840 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than January 27, 2017. A. Federal Reserve Bank of St. Louis (David L. Hubbard, Senior Manager) P.O. Box 442, St. Louis, Missouri 63166–2034. Comments can also be sent electronically to Comments.applications@stls.frb.org: 1. American Pacific Bancorp, Inc., Harrisburg, Illinois; to become a bank holding company by acquiring 67 percent of Main Street Bancshares, Inc., Harrisburg, Illinois, and thereby indirectly acquiring Grand Rivers Community Bank, Grand Chain, Illinois. Board of Governors of the Federal Reserve System, December 29, 2016. Yao-Chin Chao, Assistant Secretary of the Board. [FR Doc. 2016–31913 Filed 1–3–17; 8:45 am] Chad Wisdom McManus 2016 Irrevocable Trust, and Chad Wisdom McManus, acting in his capacity as trustee of both trusts, all of Enid, Oklahoma; and the Kelsey Grace Gingrich 2012 Irrevocable Trust, the Kelsey Grace Hunter 2016 Irrevocable ´ Trust, and Kelsey Grace Hunter (nee Gingrich), acting in her capacity as trustee of both trusts, all of Edmond, Oklahoma; to acquire voting shares of Grace Investment Company, Inc., Alva, Oklahoma, and thereby join the existing Peggy J. Wisdom Family Control Group previously approved to control 25 percent or more of the voting shares of Grace Investment Company, Inc. Grace Investment Company, Inc. is the parent holding company of Alva State Bank and Trust Company, Alva, Oklahoma; First National Bank in Okeene, Okeene, Oklahoma; and The First State Bank, Kiowa, Kansas. Board of Governors of the Federal Reserve System, December 29, 2016. Yao-Chin Chao, Assistant Secretary of the Board. [FR Doc. 2016–31914 Filed 1–3–17; 8:45 am] BILLING CODE 6210–01–P BILLING CODE 6210–01–P FEDERAL TRADE COMMISSION Change in Bank Control Notices; Acquisitions of Shares of a Bank or Bank Holding Company mstockstill on DSK3G9T082PROD with NOTICES FEDERAL RESERVE SYSTEM IoT Home Inspector Challenge ACTION: The notificants listed below have applied under the Change in Bank Control Act (12 U.S.C. 1817(j)) and § 225.41 of the Board’s Regulation Y (12 CFR 225.41) to acquire shares of a bank or bank holding company. The factors that are considered in acting on the notices are set forth in paragraph 7 of the Act (12 U.S.C. 1817(j)(7)). The notices are available for immediate inspection at the Federal Reserve Bank indicated. The notices also will be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing to the Reserve Bank indicated for that notice or to the offices of the Board of Governors. Comments must be received not later than January 18, 2017. A. Federal Reserve Bank of Kansas City (Dennis Denney, Assistant Vice President) 1 Memorial Drive, Kansas City, Missouri 64198–0001: 1. The Bryant James Gingrich 2012 Irrevocable Trust, the Bryant James Gingrich 2016 Irrevocable Trust, and Bryant James Gingrich, acting in his capacity as trustee of both trusts, all of Alva, Oklahoma; the Chad Wisdom McManus 2012 Irrevocable Trust, the VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 Federal Trade Commission. Notice; public challenge. AGENCY: The Federal Trade Commission (‘‘FTC’’) announces a prize competition that challenges the public to create a technical solution (‘‘tool’’) that consumers can deploy to guard against security vulnerabilities in software on the Internet of Things (‘‘IoT’’) devices in their homes. The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords. The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s). Winners will be announced on or about July 27, 2017. DATES: The deadline for registering and submitting entries is May 22, 2017 at 12:00 p.m. EDT. Further instructions and requirements regarding the registration and submission process will be provided on the Contest Web site (ftc.gov/iothomeinspector). FOR FURTHER INFORMATION CONTACT: Ruth Yodaiken, 202–326–2127, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC; SUMMARY: PO 00000 Frm 00026 Fmt 4703 Sfmt 4703 600 Pennsylvania Ave. NW., Mailstop CC–8232, Washington, DC 20580. SUPPLEMENTARY INFORMATION: The FTC IoT Home Inspector Challenge (the ‘‘Contest’’) encourages the public to create a tool that consumers can deploy to guard against security vulnerabilities in software on the IoT devices in their homes. The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out–of-date software. The competition’s purpose is to stimulate innovation and progress in protecting and empowering consumers against security risks associated with IoT devices in the home. A. Background Every day, American consumers use Internet-connected devices 1 to make their homes ‘‘smarter.’’ Consumers can remotely program their smart home devices to turn on their lights, start the oven, and turn on soft music so they return to a comfortable environment when they get home from work. Smart video monitors enable consumers to remotely view their homes, pets, or children. Smart fire and burglar alarms address safety issues through sensors and alerts. And smart thermostats can automatically adjust temperature settings depending on the time of day and presence of people in the house. To tie all these devices together, smart home platforms are also beginning to proliferate across the marketplace. While these smart devices enable enormous convenience and safety benefits, they can also create security risks. For example, press reports from October 2016 demonstrated how smart devices could be used in ‘‘botnets’’ to disrupt the Internet.2 This incident demonstrated that lax IoT device security can threaten not just device owners, but the entire Internet. In another incident, a group of hackers allegedly gained unauthorized access to routers manufactured by the tech company ASUS and left a text file warning stating, ‘‘Your Asus router (and your documents) can be accessed by anyone in the world with an internet connection.’’ 3 The FTC announced a 1 As used herein, ‘‘Internet-connected,’’ ‘‘IoT,’’ or ‘‘smart’’ devices are devices other than desktop or laptop computers or smartphones. 2 See, e.g., ‘‘Americans uneasy with IoT devices like those used in Dyn DDoS attack, survey finds,’’ Tech Crunch, Darrell Etherington (October 24, 2016) (stating that a ‘‘coordinated botnet attack effectively choked internet access to a large number of popular sites’’ and was attributed ‘‘in large part due to the spread of connected Internet of Things (IoT) devices’’), available at https:// techcrunch.com/2016/10/24/americans-uneasywith-iot-devices-like-those-used-in-dyn-ddos-attacksurvey-finds/. 3 ‘‘ASUS Settles FTC Charges That Insecure Home Routers and ‘‘Cloud’’ Services Put Consumers’ E:\FR\FM\04JAN1.SGM 04JAN1 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices mstockstill on DSK3G9T082PROD with NOTICES settlement with ASUS last year, alleging that the company did not maintain reasonable security, resulting in threats to personal information. Further, there have been numerous reported incidents where the live feeds from consumers’ smart cameras have been available on the Internet. One company whose cameras were allegedly vulnerable in this manner, TRENDnet, was the subject of an earlier Commission law enforcement action.4 Consumers themselves are uneasy about the security risks of IoT devices. One recent survey found that more than 40% of respondents are ‘‘not confident at all’’ that IoT devices are safe, secure, and able to protect personal information.’’ Fifty percent of consumers surveyed said that ‘‘concerns about the cybersecurity of an IoT device have discouraged them from purchasing one.’’ 5 The Commission staff has previously recommended that IoT device manufacturers take appropriate steps to address the security of their devices. It has recommended that, among other things, companies in the IoT space: (1) Build security into their devices at the outset; (2) train employees on good security practices; (3) ensure downstream privacy and data protections through vendor contracts and oversight; (4) apply defense-indepth strategies that offer protections at multiple levels and interfaces; and (5) put in place reasonable access controls.6 The FTC’s Careful Connections and Start with Security publications offer more detailed guidance.7 One important component of IoT security is updating and providing Privacy At Risk,’’ FTC press release (February 23, 2016), available at https://www.ftc.gov/newsevents/press-releases/2016/02/asus-settles-ftccharges-insecure-home-routers-cloud-services-put. 4 ‘‘FTC Approves Final Order Settling Charges Against TRENDnet, Inc.,’’ FTC press release (February 7, 2014), available at https://www.ftc.gov/ news-events/press-releases/2014/02/ftc-approvesfinal-order-settling-charges-against-trendnet-inc. 5 See, e.g., ‘‘New ESET/NCSA Survey Explores the Internet of (Stranger) Things,’’ ESET/National Cyber Security Alliance study, available at https:// www.eset.com/us/resources/detail/survey-internetof-stranger-things/ and https://cdn3.esetstatic.com/ eset/US/resources/press/ESET_ConnectedLivesDataSummary.pdf. 6 ‘‘Internet of Things: Privacy and Security in a Connected World,’’ FTC Staff Report (January 2015), available at https://www.ftc.gov/system/files/ documents/reports/federal-trade-commission-staffreport-november-2013-workshop-entitled-internetthings-privacy/150127iotrpt.pdf. 7 Start with Security: A Guide for Businesses,’’ (‘‘Start with Security’’), available at https:// www.ftc.gov/tips-advice/business-center/guidance/ start-security-guide-business; ‘‘Careful Connections: Building Security in the Internet of Things,’’ available at https://www.ftc.gov/tips-advice/ business-center/guidance/careful-connectionsbuilding-security-internet-things. VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 security patches. If products do not have the latest security updates, they can be vulnerable to outside threats. Today, although some devices are updated automatically, many devices require consumers to take steps in order to install the update or make necessary adjustments.8 To be able to take these steps, consumers must have a certain level of technical expertise. In particular, consumers must know how to check for security updates and install them. The problem of how to simplify this task is compounded by the thriving market in this area: There are many different types of software (even within a single device), ways to configure devices, and approaches to updating.9 As devices within the home multiply, the task of updating devices could become increasingly daunting. B. The Competition With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software. Such a tool might be a physical device that the consumer adds to his or her home network that checks and installs updates for other IoT devices on that home network. It might be an app or cloud-based service that allows consumers to submit IoT device model numbers, and, based on that input, provides information on how the consumer can install updates. A dashboard or other user interface might inform the consumer about which devices were up-to-date already, those that had unpatched software vulnerabilities, and even those that the manufacturer no longer supported. The Contest is subject to all applicable laws and regulations. Registering to enter the Contest constitutes Contestant’s full agreement to these official rules and to decisions of the Sponsor (as defined below), which are final and binding in all matters related to the Contest. Winning a Prize is contingent upon fulfilling all requirements set forth in the official rules. 8 ‘‘They Keep Coming Back Like Zombies’: Improving Software Updating Interfaces,’’ Arunesh Mathur, Josefine Engel, Sonam Sobti, Victoria Chang, and Marshini Chetty, Univ. of Maryland, College Park, available at https://www.usenix.org/ system/files/conference/soups2016/soups2016paper-mathur.pdf. 9 More details about these technical issues can be found in material related to the National Telecommunications & Information Administration’s Multistakeholder Process for IoT Security and Upgradeability and Patching, available at https://www.ntia.doc.gov/other-publication/ 2016/multistakeholder-process-iot-security. PO 00000 Frm 00027 Fmt 4703 Sfmt 4703 841 1. Sponsor Organization A. Sponsor: Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580. 2. Eligibility A. To participate in the Contest: (i) Contestants may compete as individuals or as teams of individuals, if they meet all eligibility requirements set forth in Sections 2.A–D. To be eligible to win a Prize, Contestants must meet the additional prize eligibility requirements set forth in Section 9. (ii) Contestants must comply with all terms and conditions of the official rules. (iii) Contestants must own or have access at their own expense to a computer, an Internet connection, and any other electronic devices, documentation, software, or other items that Contestants may deem necessary to create and enter a Submission (as defined in Section 4 below). (iv) Each team must appoint one individual (the ‘‘Representative’’) to represent and act on behalf of said team, including by entering a Submission (as outlined below). The Representative must be duly authorized to submit on behalf of the team, and must represent and warrant that he or she is duly authorized to act on behalf of the team. (v) An individual may enter the Contest only once, either on an individual basis or as a member of one team. (vi) No individual or team may enter the Contest on behalf of a corporation or other non-individual legal entity. B. Those ineligible to participate: The following individuals (including any individuals participating as part of a team) are not eligible regardless of whether they meet the criteria set forth above: (i) any individual under the age of 18 at the time of submission; (ii) any individual who employs any of the Contest Judges as an employee or agent; (iii) any individual who owns or controls an entity for whom a Contest Judge is an employee, officer, director, or agent; (iv) any individual who has a material business or financial relationship with any Contest Judge; (v) any individual who is a member of any Contest Judge’s immediate family or household; (vi) any employee, representative or agent of the Sponsor and all members of the immediate family or household of any such employee, representative, or agent; (vii) any Federal employee acting within the scope of his or her E:\FR\FM\04JAN1.SGM 04JAN1 842 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices employment, or as may otherwise be prohibited by Federal law (employees should consult their agency ethics officials); (viii) any individual or team that used Federal facilities or consulted with Federal employees to develop a Submission, unless the facilities and employees were made available to all Contestants participating in the Contest on an equitable basis; and (ix) any individual or team that used Federal funds to develop a Submission, unless such use is consistent with the grant award, or other applicable Federal funds awarding document. If a grantee using Federal funds enters and wins this Contest, the prize monies shall be treated as program income for purposes of the original grant in accordance with applicable Office of Management and Budget Circulars. Federal contractors may not use Federal funds from a contract to develop a Submission for this Challenge. The Sponsor will, in its sole discretion, disqualify any individual or team that meets any of the criteria set forth in Section 2.B. C. For purposes hereof: (i) the members of an individual’s immediate family include such individual’s spouse, children and stepchildren, parents and step-parents, and siblings and step-siblings; and (ii) the members of an individual’s household include any other person who shares the same residence as such individual for at least three (3) months out of the year. D. Pursuant to the America Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Reauthorization Act of 2010, 15 U.S.C. 3719, Contest Prizes (as defined in Section 8 below) may be awarded only to individuals and teams of individuals who are citizens or permanent residents of the United States, subject to verification by the Sponsor before Prizes are awarded (see Section 9 below). mstockstill on DSK3G9T082PROD with NOTICES 3. Registration Requirement for All Contestants A. Contestants must register no later than 12:00 p.m. EDT May 22, 2017 (‘‘Contest Deadline’’), to participate in the Contest. B. To enter, every Contestant, including each member of a team, must register by submitting a form, available on the Contest Web site (‘‘Registration Form’’), to verify that he or she has read and agreed to abide by the official rules and meets the eligibility requirements. Additional information and requirements about the registration VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 process will be provided on the Contest Web site. C. After a Contestant registers, the Sponsor will send a confirmation message to the email address provided by the Contestant. The Contestant should use the confirmation message to verify the email address that he or she provided in order to receive important Contest updates. D. In the event of a dispute pertaining to this Contest, the authorized account holder of the email address listed at registration will be deemed to be the Contestant. The ‘‘authorized account holder’’ is the natural person assigned an email address by an Internet access provider, online service provider, or other organization responsible for assigning email addresses for the domain associated with the submitted address. Contestants may be required to provide more information as evidence that they are the authorized account holder. 4. Submission A. Parts of the Submission: The Submission must contain three components that should describe the technical tool the Contestant has developed to assist consumers with security. (i) A title and a brief text description (‘‘abstract’’) of how the tool functions, which will be made public and should be easy for the public to understand. It must not be more than one page, with font size of no less than 11 points and margins of no less than one inch. (ii) A link to the Contestant’s video that is publicly available on Youtube.com or Vimeo.com demonstrating how the tool works. It must not be more than five (5) minutes long. (iii) A detailed written description of the tool that enables Judges to evaluate how well it works, how user-friendly it is, and how scalable it is (‘‘Detailed Explanation’’), including how the tool will avoid or mitigate any additional security risks that it itself might introduce into the consumer’s home. It must not be more than 15 pages, with font size of not less than 11 points and margins of no less than one inch. See Section 7 (Submission Requirements) for further details. The Submission itself shall not contain information revealing the Contestant’s identity, such as a name, address, employment information, or other identifying details, except that Contestants may include their own voice or image in the video. Additional information and requirements about the Submission process will be provided on the Contest Web site. PO 00000 Frm 00028 Fmt 4703 Sfmt 4703 B. Submission Deadlines: Contestants must enter their Submissions by the Contest Deadline, 12:00 p.m. EDT May 22, 2017. Any Submissions entered following the Contest Deadline, as determined solely by the Sponsor, shall be disqualified. The judging period will commence after the Contest Deadline. C. Terms for Submissions: (i) All parts of the Submission must be submitted together in a single email by the Contest Deadline. (ii) Contestants must use the email address provided on their Registration Form (or in the case of a team, the email address on the team Representative’s Registration Form). (iii) No part of a Submission, including any records, platforms, technologies, or licenses required to evaluate the Submission, may require the Sponsor or Contest Judges to spend money or otherwise obtain anything of value; or to execute or enter into any binding agreement not otherwise provided for under these Rules. (iv) Submissions from a team must be indicated as such when entering a Submission. (v) Submissions must be in English, except that textual or video material in a language other than English will be accepted if accompanied by an English translation of the text or video—within the existing page limits for the Submission. (vi) Any solution that was publicly available prior to January 4, 2017, is not eligible for entry in the Contest, unless the tool submitted incorporates significant new functionality, features, or changes. Contestants must identify any portion of the tool that was publicly available and—within the existing page limits for the Submission—include a narrative description of the new functionality, features, or changes with any such Submission. (vii) Submissions must not: a. violate applicable law; b. depict hatred; c. be in bad taste; d. denigrate (or be derogatory toward) any person or group of persons or any race, ethnic group, or culture; e. threaten a specific community in society, including any specific race, ethnic group, or culture; f. incite violence or be likely to incite violence; g. contain vulgar or obscene language or excessive violence; h. contain pornography, obscenity, or sexual activity; or i. disparage the Sponsor. (viii) Submissions must be free of malware and other security threats. Contestant agrees that the Sponsor may E:\FR\FM\04JAN1.SGM 04JAN1 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices mstockstill on DSK3G9T082PROD with NOTICES conduct testing on each Submission to determine whether malware or other security threats may be present. (ix) Any Submission that fails to comply with these requirements, as determined by the Sponsor in its sole discretion, may be disqualified. (x) Once a Submission has been submitted, Contestant may not access or make any changes or alterations to the Submission. (xi) A Contestant may submit only one Submission, as either an individual or a member of a team. (xii) By entering a Submission, Contestant represents, warrants, and agrees that the Submission is the original work of the Contestant and complies with the official rules. Contestant further represents, warrants, and agrees that any use of the Submission by the Sponsor and Contest Judges (or any of their respective partners, subsidiaries, and affiliates) as authorized by these official rules, does not: a. infringe upon, misappropriate or otherwise violate any intellectual property right or proprietary right including, without limitation, any statutory or common law trademark, copyright or patent, nor any privacy rights, nor any other rights of any person or entity; b. constitute or result in any misappropriation or other violation of any person’s publicity rights or right of privacy. 5. Submission Rights A. Subject to the licenses described below, any applicable intellectual property rights to a Submission will remain with the Contestant. B. By entering a Submission to this Contest, Contestant grants to the Sponsor a non-exclusive, irrevocable, royalty-free and worldwide license to use the Submission, any information and content submitted by the Contestant, and any portion thereof, and to display the tool title, text description and the video through the Contest Web site, during the Contest and after its conclusion. The Contestant agrees that the foregoing constitutes solely a condition of the Contestant’s participation in the Contest, and that the Contest is not a request for or acquisition of any property or services or any other matter subject to federal procurement requirements. 6. Winner Selection and Judging A. All Submissions will be judged by an expert panel of judges (the ‘‘Contest Judges’’ or ‘‘Judges’’) selected by the Sponsor at the Sponsor’s sole discretion. The Sponsor reserves the right to VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 substitute or modify the judging panel, or extend or modify the Judging Period, at any time for any reason. B. All Contest Judges shall be required to remain fair and impartial. Any Contest Judge may recuse him or herself from judging a Submission if the Contest Judge or the Sponsor considers it inappropriate, for any reason, for the Contest Judge to evaluate a specific Submission or group of Submissions. C. A Contestant’s likelihood of winning will depend on the number and quality of all of the Submissions, as determined by the Contest Judges using the criteria in these official rules. D. The Submissions will be judged in two phases: the ‘‘Initial Phase’’ and the ‘‘Final Phase.’’ For the Initial Phase, Judges will only assess the Contestants’ videos and abstracts, without the Detailed Explanation. Only those Contestants judged to be within the top 20 scores for the Initial Phase are eligible to compete in the Final Phase (‘‘Finalists’’), where the Detailed Explanations will be judged. E. Judges will use the criteria outlined in Section 7, below. F. The Sponsor reserves the right to review the Contest Judges’ decision and to withhold any Prize if the Sponsor determines, in its sole discretion, that no Submission appropriately or adequately fulfills the stated goals and purposes of the Contest or there is any other procedural, legal, or other reason that the Prize should not be awarded. G. The Sponsor reserves the right to change the announcement dates with or without prior notice for any reason. Prizes, however, will not be awarded, and winners will not be named, until the Sponsor verifies eligibility for receipt of each Prize in accordance with Section 9 below. The Sponsor will announce verified winners on or about July 27, 2017, and the results will be made available at the Contest Web site. 7. Submission Content Requirements The Submission must meet other requirements as described in this document, including Sections 4 and 6, stating that Submissions must not include any unauthorized proprietary or copyrighted material (including copyrighted music without permission). A. Threshold Solution Criteria. Contestants will develop a tool that would, at a minimum, help protect consumers from security vulnerabilities caused by out of date software on IoT devices in their homes. Submissions must provide a technical solution, rather than a policy or legal solution. The tool must work on home IoT devices that currently exist on the market. The tool must protect PO 00000 Frm 00029 Fmt 4703 Sfmt 4703 843 information it collects both in transit and at rest. The Submission must address how the tool will avoid or mitigate any additional security risks that the tool itself might introduce into the consumer’s home by, for example, probing the home network or facilitating software upgrades. Submissions that do not address the tool’s security and the other items described in this paragraph as Threshold Solution Criteria will not be considered for the Prize. B. Phase-Specific Requirements (i) Initial Phase: Abstract and Video a. The Abstract. The abstract should include a title for the Submission and a brief explanation of how the tool functions. b. The Video. Although the solution requires a tool that should work with multiple IoT devices, the video need only demonstrate how the tool would be used with one (1) IoT device that is likely to be found in consumers’ homes. The video must address the Judging Criteria below and: (i) State what the tool is specifically designed to do; (ii) describe the set-up for the demonstration and any assumptions the Contestant has made about the capabilities and limitations of the device(s) for the demonstration; and (iii) explain what impact the tool would have on software of IoT devices beyond what is demonstrated in the video. (ii) Final Phase: Detailed Explanation, Abstract and Video In the Final Phase, in addition to looking at the abstract and video, the Judges will review the Detailed Explanation. The Detailed Explanation must provide sufficient material so that the Judges can evaluate the tool properly for how well it works, how user-friendly it is, and how scalable it is. The Detailed Explanation may include a detailed description; pseudocode; a description of algorithms and/or formulas; or material (such as diagrams) to show how the tool would function. It should include a description of testing methodology and results of any tests of the tool’s effectiveness. It should also discuss a strategy for development and deployment. C. The Submission will be assessed using the following Judging Criteria: (i) How well does it work? (60 points out of 100 total score) a. How well does your Submission address each of these four (4) components? (1) Recognizing what IoT devices are operating in the consumer’s home. A tool may automatically recognize devices or provide instructions for consumer input. (2) Determining what software version is already on those IoT devices. A tool E:\FR\FM\04JAN1.SGM 04JAN1 mstockstill on DSK3G9T082PROD with NOTICES 844 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices may automatically recognize the software version or provide instructions for consumer input. (3) Determining the latest versions of the software that should be on those devices. The Submission must lay out a feasible plan for finding sources of information about what version should be on the device and explain the technical means by which that information would be procured. If the Submission relies upon databases that do not currently exist, the plan for developing those sources must be realistic and feasible. (4) Assisting in facilitating updates, to the extent possible. Contestants might rely upon the consumer to take steps or contact the device manufacturer to facilitate the update. If the tool conveys information to a third party, such as a device manufacturer, the tool must also allow for consumer control of the flow of that information. b. WILDCARD: If your Submission does not address the four components above, but offers a technical solution to address vulnerabilities caused by unpatched or out-of-date software of IoT devices in the home, the Contestant may demonstrate how that tool would work and argue for the superiority of the tool based on its level of innovation and impact on IoT security in the home. Any such WILDCARD option would also need to meet the criteria set forth in sections 7(ii)–(iii) (user friendliness and scalability requirements). c. Whether the Submission includes the four components identified above or is a WILDCARD option, Judges will award more points to Submissions based on the extent to which they identify potential challenges with implementing the tool and describe how the Contestant plans to address those challenges. Judges will also award more points for tools that address both situations where a manufacturer has failed to provide support for the software on a device as well as where the manufacturer does provide support. (ii) How user-friendly is your tool? (20 points out of 100 total score) a. How easy is your tool for the average consumer, without technical expertise, to set up and use? In assessing how easy the tool would be to use, the Judges will take into consideration whether functions are performed automatically, without action by the consumer. b. In analyzing the user-friendliness of the tool, the Judges will also take into consideration how well the tool does the following: VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 (1) Displays or conveys 10 information about which devices it has assessed. (2) Accurately communicates the risk mitigation provided by the tool (e.g., it should not give the impression that it solves all security problems). (3) Allows consumers to control any information being sent to a third party, to the extent that any such information is being sent. This includes making short, but accurate, disclosures about the information flow. c. Judges will award more points to Submissions that show the content of any consumer interface and decision points, as well as the methodology and results of user tests (e.g. surveys, focus groups, online user studies) demonstrating that the average consumer would be likely to understand such interface and information it conveys.11 (iii) How scalable is your tool? (20 points out of 100 total score) a. The Submission must explain how the tool could be used for products other than those addressed specifically in the Submission. b. Judges will award more points to Submissions that also explain how the tool would stay up-to-date. Judges will award more points to Submissions demonstrating tools that work on multiple types of devices (e.g., cameras, thermostats, refrigerators), devices from different manufacturers, devices using different protocols (e.g., WiFi, Bluetooth), and both newly released devices and legacy versions. (iv) Optional items (up to 10 bonus points) a. The Submission may also address other ways to help consumers guard against broader security vulnerabilities in IoT device software in their homes. For example, a tool might: (1) Find and facilitate changes to mitigate vulnerabilities in the existing configurations of devices in the home (e.g., determine whether particular IoT devices in the home have hard-coded, factory default or easy-to-guess passwords, and provide specific instructions for consumers to address the issue). (2) Provide purchasers of IoT devices an easy way to know whether their new devices include elements already known to be easily compromised before they make a purchase. 10 The consumer must have a way of knowing what is being assessed, so they do not have a false sense of assurance about a device that was not even evaluated by the tool. This process might also expose unauthorized devices. 11 For more information on communicating with consumers, see, e.g., Putting Disclosures to the Test (Sept. 15, 2016), available at https://www.ftc.gov/ testingdisclosures. PO 00000 Frm 00030 Fmt 4703 Sfmt 4703 (3) Address the problem of software or firmware updates that have been offered by a developer but not yet incorporated by a device manufacturer. (4) Differentiate between security updates and other updates. (5) Convey information about levels of urgency of installing patches based on the criticality of a vulnerability; (6) Tailor information to specific user groups (e.g., by providing technically sophisticated consumers access to additional information about the nature of the security issues addressed in the update); (7) Convey information about product recalls made for other reasons; (8) Convey other available information about the security of devices, such as benchmark security scores; 12 or (9) Convey information about the type of data collected by the device, how it is used and shared, and any associated privacy policies. D. In order to be considered for a Prize, Submissions must receive a score greater than zero in each required category (how well it works, how userfriendly it is, and how scalable it is). If the Contest Judges determine that no Submission satisfies each required category, no one will be deemed eligible for any Prize. In addition, Judges have the discretion to award up to 10 bonus points for optional features. E. The Contestant whose Submission earns the highest overall score in the Final Phase will be named the Top Prize Winner identified below in Section 8, if the Contestant satisfies the verification requirements described in Section 9. If the Contestant does not satisfy the verification requirements, the Top Prize may be awarded to the next highest scorer who satisfies the verification requirements, at the Sponsor’s discretion. F. Up to three (3) Contestants in the Final Phase who meet the Section 9 verification requirements may be awarded the Honorable Mention Prizes—described below in Section 8— at the Sponsor’s discretion. The Sponsor has discretion to award Honorable Mention Prizes to Contestants who (1) have the next highest scores in the Final Phase, or (2) have the highest score in any one category because of a significant innovation. If the Contestant does not satisfy the verification requirements, the Honorable Mention Prize may be awarded to the next highest scorer who satisfies the verification requirements, at the Sponsor’s discretion. 12 For example, a tool could use security scoring mechanisms developed by such entities as the Cyber Independent Testing Lab (CITL) (http://cyberitl.org/blog/). E:\FR\FM\04JAN1.SGM 04JAN1 845 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices G. In the event of a tie between or among two or more Submissions where the Contestants meet the verification requirements, the relevant Prize identified below in Section 8 will be divided equally between the tied Contestants. 8. Prizes Winner Prize amount Top Prize ..................................................................................... Honorable Mention(s) .................................................................. Up to US $25,000 ....................................................................... US $3,000 ................................................................................... mstockstill on DSK3G9T082PROD with NOTICES A. If no eligible Submissions are entered in the Contest, no Prizes will be awarded. (See also Section 6.F. above.) The Sponsor retains the right to make a Prize substitution (including a nonmonetary award) in the event that funding for the Prize or any portion thereof becomes unavailable. No transfer or substitution of a Prize is permitted except at the Sponsor’s sole discretion. In the case of a team Prize, it will be the responsibility of the winning team’s Representative to inform the Sponsor how to allocate the Prize amongst the team, as the Representative deems it appropriate. B. Each Contestant hereby acknowledges and agrees that the relationship between the Contestant and the Sponsor is not a confidential, fiduciary, or other special relationship, and that the Contestant’s decision to provide the Contestant’s Submission to Sponsor for the purposes of this Contest does not place the Sponsor and its respective agents in a position that is any different from the position held by the members of the general public, except as specifically provided in these official rules. C. Winners (including any winning team members) are responsible for reporting and paying all applicable federal, state, and local taxes. It is the sole responsibility of winners of $600 or more to provide information to the Sponsor in order to facilitate receipt of the award, including completing and submitting any tax forms when necessary. It is also the sole responsibility of winners to satisfy any applicable reporting requirements. The Sponsor reserves the right to withhold a portion of the Prize amount to comply with tax laws. D. All payments shall be made by electronic funds transfer or other means determined by the Sponsor. 9. Verification of Eligibility for Receipt of a Prize A. All prize awards are subject to Sponsor verification of the winner’s identity, eligibility, and participation in the creation of the tool. The Sponsor’s decisions are final and binding in all matters related to the Contest. In order to receive a Prize, a Contestant will be VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 required to complete, sign and return to the Sponsor affidavit(s) of eligibility and liability release, or a similar verification document (‘‘Verification Form’’). (In the case of a team, the Representative and all participating members must complete, sign and return to the Sponsor the Verification Form.) In addition, social security numbers must be collected from the winner (including any winning team members) pursuant to 31 U.S.C. 7701 in order to issue a payment. B. Contestants potentially qualifying for a Prize will be notified and sent the Verification Form using the email address submitted at registration, starting on or about July 20, 2017. The Sponsor reserves the right to change the time period to send the Verification Form without providing any prior notice. In the case of a team, the notification will only be sent to the Representative. If a notification is returned as undeliverable, the Contestant or team may be disqualified at the Sponsor’s sole discretion. C. At the sole discretion of the Sponsor, a Contestant or team forfeits any Prize if: (i) The Contestant fails to provide the Verification Form within ten (10) business days of receipt of the email notification discussed above (or in the case of a team, any team member) fails to provide the Verification Form within ten business days of receipt of the email notification; (ii) the Contestant (or in the case of a team, any team member) does not timely communicate with the Sponsor to provide payment information and all other necessary information within ten business days of receiving a request for such information; (iii) such individual or team Representative is contacted and refuses the Prize; (iv) the Prize is returned as undeliverable; or (v) the Submission of the winner, the winner, or any member of a winner’s team is disqualified for any reason. D. In the event of a disqualification, Sponsor, at its sole discretion, may award the applicable Prize to an alternate Contestant. The disqualification of one (or more) team PO 00000 Frm 00031 Fmt 4703 Sfmt 4703 Quantity Up to 1. Up to 3. members at any time for any reason may result in the disqualification of the entire team and of each participating member at the sole discretion of the Sponsor. 10. Entry Conditions and Release A. By registering, each Contestant (including, in the case of a team, all participating members) agree(s): (i) To comply with and be bound by these official rules; and (ii) that the application of the judging criteria, evaluation of the Submissions, and final selection of the winners is a matter of discretion of the Contest Judges and Sponsor, and that their respective decisions are binding and final in all matters relating to this Contest. B. By registering, each Contestant (including, in the case of a team, all participating members) agree(s) to release, indemnify, and hold harmless the Sponsor, and any other individuals or organizations responsible for sponsoring, fulfilling, administering, advertising, or promoting the Contest, including their respective parents, subsidiaries, and affiliated companies, if any, and all of their respective past and present officers, directors, employees, agents and representatives (hereafter the ‘‘Released Parties’’) from and against any and all claims, expenses, and liabilities (including reasonable attorneys’ fees and costs of Submission preparation) arising out of or relating to a Contestant’s entry, creation of Submission or entry of a Submission, participation in the Contest, acceptance or use or misuse of the Prize, and the disclosure, broadcast, transmission, performance, exploitation, or use of Submission as authorized or licensed by these official rules. Released claims include all claims whatsoever including, but not limited to (except in cases of willful misconduct): Injury, death, damage, or loss of property, revenue or profits, whether direct, indirect, or consequential, arising from the Contestant’s participation in a competition, whether the claim of injury, death, damage, or loss arises through negligence, mistake, or otherwise. This release does not apply to claims against the Sponsor arising out E:\FR\FM\04JAN1.SGM 04JAN1 846 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices mstockstill on DSK3G9T082PROD with NOTICES of the unauthorized use or disclosure by the Sponsor of intellectual property, trade secrets, or confidential business information of the Contestant. C. Without limiting the foregoing, each Contestant (including, in the case of a team, all participating members) agrees to release all Released Parties of all liability in connection with: (i) any incorrect or inaccurate information, whether caused by the Sponsor’s or a Contestant’s electronic or printing error or by any of the equipment or programming associated with or utilized in the Contest; (ii) technical failures of any kind, including, but not limited to, malfunctions, interruptions, or disconnections in phone lines, Internet connectivity, or electronic transmission errors, or network hardware or software or failure of the Contest Web site, or any other platform or tool that Contestants or Contest Judges choose to use; (iii) unauthorized human intervention in any part of the entry process or the Contest; (iv) technical or human error that may occur in the administration of the Contest or the processing of Submissions; or (v) any injury or damage to persons or property that may be caused, directly or indirectly, in whole or in part, from the Contestant’s participation in the Contest or receipt or use or misuse of any Prize. If for any reason any Contestant’s Submission is confirmed to have been erroneously deleted, lost, or otherwise destroyed or corrupted, the Contestant’s sole remedy is to request the opportunity to resubmit its Submission. The request will be addressed at the sole discretion of the Sponsor if the contest submission period is still open. D. Based on the subject matter of the Contest, the type of work that it possibly will require, and the low probability that any claims for death, bodily injury, or property damage, or loss could result from Contest participation, the Sponsor determines that Contestants are not required to obtain liability insurance or demonstrate fiscal responsibility in order to participate in this Contest. 11. Publicity Participation in the Contest constitutes consent to the use by the Sponsor, their agents’ and any other third parties acting on their behalf, of the Contestant’s name (and, as applicable, those of all other members of the team that participated in the Submission), Submission video, and Submission abstract for promotional purposes in any media, worldwide, without further payment or consideration. Furthermore, a VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 Contestant’s likeness, photograph, voice, opinions, comments, and hometown and state of residence (and, as applicable, those of all other members of the team that participated in the Submission) may be used for the Sponsor’s promotional purposes if the Contestant provides consent. In addition, the Sponsor reserves the right to make any disclosure required by law. 12. General Conditions A. Each Contestant agrees that the Sponsor is vested with the sole authority to interpret and apply these rules. B. Sponsor reserves the right, in its sole discretion, to cancel, suspend, or modify the Contest, or any part of it, with or without notice to the Contestants, if any fraud, technical failure, or any other unanticipated factor or factors beyond Sponsor’s control impairs the integrity or proper functioning of the Contest, or for any other reason. The Sponsor reserves the right at its sole discretion to disqualify any individual or Contestant that the Sponsor finds to be tampering with the entry process or the operation of the Contest, or to be acting in violation of these official rules or in a manner that is inappropriate, not in the best interests of this Contest, or in violation of any applicable law or regulation. C. Any attempt by any person to undermine the proper functioning of the Contest may be a violation of criminal and civil law, and, should such an attempt be made, the Sponsor reserves the right to take proper legal action, including, without limiting, referral to law enforcement, for any illegal or unlawful activities. D. The Sponsor’s failure to enforce any term of these official rules shall not constitute a waiver of that term. The Sponsor is not responsible for incomplete, late, misdirected, damaged, lost, illegible, or incomprehensible Submissions or for address or email address changes of the Contestants. Proof of sending or submitting is not proof of receipt by Sponsor. E. In the event of any discrepancy or inconsistency between the terms and conditions of the official rules and disclosures or other statements contained in any Contest materials, including but not limited to the Contest Web site or point of sale, television, print or online advertising, the terms and conditions of the official rules shall prevail. F. The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor. The Sponsor will post PO 00000 Frm 00032 Fmt 4703 Sfmt 4703 the terms and conditions of the amended official rules on the Contest Web site (‘‘Corrective Notice’’). As permitted by law, any amendment will become effective at the time the Sponsor posts the amended official rules. G. Excluding Submissions, all intellectual property related to this Contest, including but not limited to trademarks, trade-names, logos, designs, promotional materials, Web pages, source codes, drawings, illustrations, slogans, and representations are owned or used under license by the Sponsor. All rights are reserved. Unauthorized copying or use of any copyrighted material or intellectual property without the express written consent of the relevant owner(s) is strictly prohibited. H. Should any provision of these official rules be or become illegal or unenforceable under applicable Federal law, such illegality or unenforceability shall leave the remainder of these official rules unaffected and valid. The illegal or unenforceable provision may be replaced by the Sponsor with a valid and enforceable provision that, in the Sponsor’s sole judgment, comes closest to and best reflects the Sponsor’s intention in a legal and enforceable manner with respect to the invalid or unenforceable provision. 13. Disputes Subject to the release provisions in these official rules, Contestant agrees that: A. any and all disputes, claims, and causes of action arising out of or connected with this Contest, any Prizes awarded, the administration of the Contest, the determination of winners, or the construction, validity, interpretation, and enforceability of the official rules shall be resolved individually; B. any and all disputes, claims, and causes of action arising out of or connected with this Contest, any Prizes awarded, the administration of the Contest, the determination of winners, or the construction, validity, interpretation, and enforceability of the official rules shall be resolved pursuant to Federal law; C. under no circumstances will Contestants be entitled to, and Contestants hereby waive, all rights to claim, any punitive, incidental, and consequential damages and any and all rights to have damages multiplied or otherwise increased. 14. Privacy The Sponsor may collect personal information from the Contestant when he or she enters the Contest. Such personal information is subject to the E:\FR\FM\04JAN1.SGM 04JAN1 Federal Register / Vol. 82, No. 2 / Wednesday, January 4, 2017 / Notices privacy policy located here: http:// www.ftc.gov/site-information/privacypolicy. 15. Contact Us Please visit the Contest Web site for further Contest information and updates. Jessica Rich, Director, Bureau of Consumer Protection. [FR Doc. 2016–31731 Filed 1–3–17; 8:45 am] BILLING CODE 6750–01–P FEDERAL TRADE COMMISSION [File No. 161 0077] C.H. Boehringer Sohn AG & Co. KG; Analysis To Aid Public Comment Federal Trade Commission. Proposed Consent Agreement. AGENCY: ACTION: The consent agreement in this matter settles alleged violations of federal law prohibiting unfair methods of competition. The attached Analysis to Aid Public Comment describes both the allegations in the complaint and the terms of the consent orders—embodied in the consent agreement—that would settle these allegations. DATES: Comments must be received on or before January 27, 2017. ADDRESSES: Interested parties may file a comment at https:// ftcpublic.commentworks.com/FTC/ chboehringersohnagcokgconsent online or on paper, by following the instructions in the Request for Comment part of the SUPPLEMENTARY INFORMATION section below. Write ‘‘C.H. Boehringer Sohn AG & Co. KG File No. 1610077— Consent Agreement’’ on your comment and file your comment online at https:// ftcpublic.commentworks.com/FTC/ chboehringersohnagcokgconsent by following the instructions on the webbased form. If you prefer to file your comment on paper, write ‘‘C.H. Boehringer Sohn AG & Co. KG File No. 1610077—Consent Agreement’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC 20024. FOR FURTHER INFORMATION CONTACT: Michael Barnett (202–326–2362), Bureau of Competition, 600 Pennsylvania Avenue NW., Washington, DC 20580. mstockstill on DSK3G9T082PROD with NOTICES SUMMARY: VerDate Sep<11>2014 16:46 Jan 03, 2017 Jkt 241001 Pursuant to Section 6(f) of the Federal Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule 2.34, 16 CFR 2.34, notice is hereby given that the above-captioned consent agreement containing consent orders to cease and desist, having been filed with and accepted, subject to final approval, by the Commission, has been placed on the public record for a period of thirty (30) days. The following Analysis to Aid Public Comment describes the terms of the consent agreement, and the allegations in the complaint. An electronic copy of the full text of the consent agreement package can be obtained from the FTC Home Page (for December 28, 2016), on the World Wide Web, at http:// www.ftc.gov/os/actions.shtm. You can file a comment online or on paper. For the Commission to consider your comment, we must receive it on or before January 27, 2017. Write ‘‘C.H. Boehringer Sohn AG & Co. KG File No. 1610077—Consent Agreement’’ on your comment. Your comment—including your name and your state—will be placed on the public record of this proceeding, including, to the extent practicable, on the public Commission Web site, at http://www.ftc.gov/os/ publiccomments.shtm. As a matter of discretion, the Commission tries to remove individuals’ home contact information from comments before placing them on the Commission Web site. Because your comment will be made public, you are solely responsible for making sure that your comment does not include any sensitive personal information, like anyone’s Social Security number, date of birth, driver’s license number or other state identification number or foreign country equivalent, passport number, financial account number, or credit or debit card number. You are also solely responsible for making sure that your comment does not include any sensitive health information, like medical records or other individually identifiable health information. In addition, do not include any ‘‘[t]rade secret or any commercial or financial information which . . . is privileged or confidential,’’ as discussed in Section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule 4.10(a)(2), 16 CFR 4.10(a)(2). In particular, do not include competitively sensitive information such as costs, sales statistics, inventories, formulas, patterns, devices, manufacturing processes, or customer names. If you want the Commission to give your comment confidential treatment, you must file it in paper form, with a request for confidential treatment, and SUPPLEMENTARY INFORMATION: PO 00000 Frm 00033 Fmt 4703 Sfmt 4703 847 you have to follow the procedure explained in FTC Rule 4.9(c), 16 CFR 4.9(c).1 Your comment will be kept confidential only if the FTC General Counsel, in his or her sole discretion, grants your request in accordance with the law and the public interest. Postal mail addressed to the Commission is subject to delay due to heightened security screening. As a result, we encourage you to submit your comments online. To make sure that the Commission considers your online comment, you must file it at https:// ftcpublic.commentworks.com/FTC/ chboehringersohnagcokgconsent by following the instructions on the webbased form. If this Notice appears at http://www.regulations.gov/#!home, you also may file a comment through that Web site. If you file your comment on paper, write ‘‘C.H. Boehringer Sohn AG & Co. KG File No. 1610077—Consent Agreement’’ on your comment and on the envelope, and mail your comment to the following address: Federal Trade Commission, Office of the Secretary, 600 Pennsylvania Avenue NW., Suite CC–5610 (Annex D), Washington, DC 20580, or deliver your comment to the following address: Federal Trade Commission, Office of the Secretary, Constitution Center, 400 7th Street SW., 5th Floor, Suite 5610 (Annex D), Washington, DC. If possible, submit your paper comment to the Commission by courier or overnight service. Visit the Commission Web site at http://www.ftc.gov to read this Notice and the news release describing it. The FTC Act and other laws that the Commission administers permit the collection of public comments to consider and use in this proceeding as appropriate. The Commission will consider all timely and responsive public comments that it receives on or before January 27, 2017. You can find more information, including routine uses permitted by the Privacy Act, in the Commission’s privacy policy, at http://www.ftc.gov/ftc/privacy.htm. Analysis of Agreement Containing Consent Orders To Aid Public Comment Introduction The Federal Trade Commission (‘‘Commission’’) has accepted, subject to final approval, an Agreement Containing Consent Orders (‘‘Consent Agreement’’) from C.H. Boehringer Sohn 1 In particular, the written request for confidential treatment that accompanies the comment must include the factual and legal basis for the request, and must identify the specific portions of the comment to be withheld from the public record. See FTC Rule 4.9(c), 16 CFR 4.9(c). E:\FR\FM\04JAN1.SGM 04JAN1

Agencies

[Federal Register Volume 82, Number 2 (Wednesday, January 4, 2017)]
[Notices]
[Pages 840-847]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-31731]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


IoT Home Inspector Challenge

AGENCY: Federal Trade Commission.

ACTION: Notice; public challenge.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'') announces a prize 
competition that challenges the public to create a technical solution 
(``tool'') that consumers can deploy to guard against security 
vulnerabilities in software on the Internet of Things (``IoT'') devices 
in their homes. The tool would, at a minimum, help protect consumers 
from security vulnerabilities caused by out-of-date software. 
Contestants have the option of adding features, such as those that 
would address hard-coded, factory default or easy-to-guess passwords. 
The prize for the competition is up to $25,000, with $3,000 available 
for each honorable mention winner(s). Winners will be announced on or 
about July 27, 2017.

DATES: The deadline for registering and submitting entries is May 22, 
2017 at 12:00 p.m. EDT. Further instructions and requirements regarding 
the registration and submission process will be provided on the Contest 
Web site (ftc.gov/iothomeinspector).

FOR FURTHER INFORMATION CONTACT: Ruth Yodaiken, 202-326-2127, Division 
of Privacy and Identity Protection, Bureau of Consumer Protection, FTC; 
600 Pennsylvania Ave. NW., Mailstop CC-8232, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: The FTC IoT Home Inspector Challenge (the 
``Contest'') encourages the public to create a tool that consumers can 
deploy to guard against security vulnerabilities in software on the IoT 
devices in their homes. The tool would, at a minimum, help protect 
consumers from security vulnerabilities caused by out-of-date software. 
The competition's purpose is to stimulate innovation and progress in 
protecting and empowering consumers against security risks associated 
with IoT devices in the home.

A. Background

    Every day, American consumers use Internet-connected devices \1\ to 
make their homes ``smarter.'' Consumers can remotely program their 
smart home devices to turn on their lights, start the oven, and turn on 
soft music so they return to a comfortable environment when they get 
home from work. Smart video monitors enable consumers to remotely view 
their homes, pets, or children. Smart fire and burglar alarms address 
safety issues through sensors and alerts. And smart thermostats can 
automatically adjust temperature settings depending on the time of day 
and presence of people in the house. To tie all these devices together, 
smart home platforms are also beginning to proliferate across the 
marketplace.
---------------------------------------------------------------------------

    \1\ As used herein, ``Internet-connected,'' ``IoT,'' or 
``smart'' devices are devices other than desktop or laptop computers 
or smartphones.
---------------------------------------------------------------------------

    While these smart devices enable enormous convenience and safety 
benefits, they can also create security risks. For example, press 
reports from October 2016 demonstrated how smart devices could be used 
in ``botnets'' to disrupt the Internet.\2\ This incident demonstrated 
that lax IoT device security can threaten not just device owners, but 
the entire Internet. In another incident, a group of hackers allegedly 
gained unauthorized access to routers manufactured by the tech company 
ASUS and left a text file warning stating, ``Your Asus router (and your 
documents) can be accessed by anyone in the world with an internet 
connection.'' \3\ The FTC announced a

[[Page 841]]

settlement with ASUS last year, alleging that the company did not 
maintain reasonable security, resulting in threats to personal 
information. Further, there have been numerous reported incidents where 
the live feeds from consumers' smart cameras have been available on the 
Internet. One company whose cameras were allegedly vulnerable in this 
manner, TRENDnet, was the subject of an earlier Commission law 
enforcement action.\4\
---------------------------------------------------------------------------

    \2\ See, e.g., ``Americans uneasy with IoT devices like those 
used in Dyn DDoS attack, survey finds,'' Tech Crunch, Darrell 
Etherington (October 24, 2016) (stating that a ``coordinated botnet 
attack effectively choked internet access to a large number of 
popular sites'' and was attributed ``in large part due to the spread 
of connected Internet of Things (IoT) devices''), available at 
https://techcrunch.com/2016/10/24/americans-uneasy-with-iot-devices-like-those-used-in-dyn-ddos-attack-survey-finds/.
    \3\ ``ASUS Settles FTC Charges That Insecure Home Routers and 
``Cloud'' Services Put Consumers' Privacy At Risk,'' FTC press 
release (February 23, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put.
    \4\ ``FTC Approves Final Order Settling Charges Against 
TRENDnet, Inc.,'' FTC press release (February 7, 2014), available at 
https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc.
---------------------------------------------------------------------------

    Consumers themselves are uneasy about the security risks of IoT 
devices. One recent survey found that more than 40% of respondents are 
``not confident at all'' that IoT devices are safe, secure, and able to 
protect personal information.'' Fifty percent of consumers surveyed 
said that ``concerns about the cybersecurity of an IoT device have 
discouraged them from purchasing one.'' \5\
---------------------------------------------------------------------------

    \5\ See, e.g., ``New ESET/NCSA Survey Explores the Internet of 
(Stranger) Things,'' ESET/National Cyber Security Alliance study, 
available at https://www.eset.com/us/resources/detail/survey-internet-of-stranger-things/ and https://cdn3.esetstatic.com/eset/US/resources/press/ESET_ConnectedLives-DataSummary.pdf.
---------------------------------------------------------------------------

    The Commission staff has previously recommended that IoT device 
manufacturers take appropriate steps to address the security of their 
devices. It has recommended that, among other things, companies in the 
IoT space: (1) Build security into their devices at the outset; (2) 
train employees on good security practices; (3) ensure downstream 
privacy and data protections through vendor contracts and oversight; 
(4) apply defense-in-depth strategies that offer protections at 
multiple levels and interfaces; and (5) put in place reasonable access 
controls.\6\ The FTC's Careful Connections and Start with Security 
publications offer more detailed guidance.\7\
---------------------------------------------------------------------------

    \6\ ``Internet of Things: Privacy and Security in a Connected 
World,'' FTC Staff Report (January 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
    \7\ Start with Security: A Guide for Businesses,'' (``Start with 
Security''), available at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business; ``Careful 
Connections: Building Security in the Internet of Things,'' 
available at https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things.
---------------------------------------------------------------------------

    One important component of IoT security is updating and providing 
security patches. If products do not have the latest security updates, 
they can be vulnerable to outside threats. Today, although some devices 
are updated automatically, many devices require consumers to take steps 
in order to install the update or make necessary adjustments.\8\ To be 
able to take these steps, consumers must have a certain level of 
technical expertise. In particular, consumers must know how to check 
for security updates and install them. The problem of how to simplify 
this task is compounded by the thriving market in this area: There are 
many different types of software (even within a single device), ways to 
configure devices, and approaches to updating.\9\ As devices within the 
home multiply, the task of updating devices could become increasingly 
daunting.
---------------------------------------------------------------------------

    \8\ ``They Keep Coming Back Like Zombies': Improving Software 
Updating Interfaces,'' Arunesh Mathur, Josefine Engel, Sonam Sobti, 
Victoria Chang, and Marshini Chetty, Univ. of Maryland, College 
Park, available at https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-mathur.pdf.
    \9\ More details about these technical issues can be found in 
material related to the National Telecommunications & Information 
Administration's Multistakeholder Process for IoT Security and 
Upgradeability and Patching, available at https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.
---------------------------------------------------------------------------

B. The Competition

    With this Contest, the FTC seeks to encourage the development of a 
technical tool to assist consumers with ensuring that IoT devices in 
the home are running up-to-date software. Such a tool might be a 
physical device that the consumer adds to his or her home network that 
checks and installs updates for other IoT devices on that home network. 
It might be an app or cloud-based service that allows consumers to 
submit IoT device model numbers, and, based on that input, provides 
information on how the consumer can install updates. A dashboard or 
other user interface might inform the consumer about which devices were 
up-to-date already, those that had unpatched software vulnerabilities, 
and even those that the manufacturer no longer supported.
    The Contest is subject to all applicable laws and regulations. 
Registering to enter the Contest constitutes Contestant's full 
agreement to these official rules and to decisions of the Sponsor (as 
defined below), which are final and binding in all matters related to 
the Contest. Winning a Prize is contingent upon fulfilling all 
requirements set forth in the official rules.

1. Sponsor Organization

    A. Sponsor: Federal Trade Commission, 600 Pennsylvania Avenue NW., 
Washington, DC 20580.

2. Eligibility

    A. To participate in the Contest:
    (i) Contestants may compete as individuals or as teams of 
individuals, if they meet all eligibility requirements set forth in 
Sections 2.A-D. To be eligible to win a Prize, Contestants must meet 
the additional prize eligibility requirements set forth in Section 9.
    (ii) Contestants must comply with all terms and conditions of the 
official rules.
    (iii) Contestants must own or have access at their own expense to a 
computer, an Internet connection, and any other electronic devices, 
documentation, software, or other items that Contestants may deem 
necessary to create and enter a Submission (as defined in Section 4 
below).
    (iv) Each team must appoint one individual (the ``Representative'') 
to represent and act on behalf of said team, including by entering a 
Submission (as outlined below). The Representative must be duly 
authorized to submit on behalf of the team, and must represent and 
warrant that he or she is duly authorized to act on behalf of the team.
    (v) An individual may enter the Contest only once, either on an 
individual basis or as a member of one team.
    (vi) No individual or team may enter the Contest on behalf of a 
corporation or other non-individual legal entity.
    B. Those ineligible to participate:
    The following individuals (including any individuals participating 
as part of a team) are not eligible regardless of whether they meet the 
criteria set forth above:
    (i) any individual under the age of 18 at the time of submission;
    (ii) any individual who employs any of the Contest Judges as an 
employee or agent;
    (iii) any individual who owns or controls an entity for whom a 
Contest Judge is an employee, officer, director, or agent;
    (iv) any individual who has a material business or financial 
relationship with any Contest Judge;
    (v) any individual who is a member of any Contest Judge's immediate 
family or household;
    (vi) any employee, representative or agent of the Sponsor and all 
members of the immediate family or household of any such employee, 
representative, or agent;
    (vii) any Federal employee acting within the scope of his or her

[[Page 842]]

employment, or as may otherwise be prohibited by Federal law (employees 
should consult their agency ethics officials);
    (viii) any individual or team that used Federal facilities or 
consulted with Federal employees to develop a Submission, unless the 
facilities and employees were made available to all Contestants 
participating in the Contest on an equitable basis; and
    (ix) any individual or team that used Federal funds to develop a 
Submission, unless such use is consistent with the grant award, or 
other applicable Federal funds awarding document. If a grantee using 
Federal funds enters and wins this Contest, the prize monies shall be 
treated as program income for purposes of the original grant in 
accordance with applicable Office of Management and Budget Circulars. 
Federal contractors may not use Federal funds from a contract to 
develop a Submission for this Challenge.
    The Sponsor will, in its sole discretion, disqualify any individual 
or team that meets any of the criteria set forth in Section 2.B.
    C. For purposes hereof:
    (i) the members of an individual's immediate family include such 
individual's spouse, children and step-children, parents and step-
parents, and siblings and step-siblings; and
    (ii) the members of an individual's household include any other 
person who shares the same residence as such individual for at least 
three (3) months out of the year.
    D. Pursuant to the America Creating Opportunities to Meaningfully 
Promote Excellence in Technology, Education, and Science 
Reauthorization Act of 2010, 15 U.S.C. 3719, Contest Prizes (as defined 
in Section 8 below) may be awarded only to individuals and teams of 
individuals who are citizens or permanent residents of the United 
States, subject to verification by the Sponsor before Prizes are 
awarded (see Section 9 below).

3. Registration Requirement for All Contestants

    A. Contestants must register no later than 12:00 p.m. EDT May 22, 
2017 (``Contest Deadline''), to participate in the Contest.
    B. To enter, every Contestant, including each member of a team, 
must register by submitting a form, available on the Contest Web site 
(``Registration Form''), to verify that he or she has read and agreed 
to abide by the official rules and meets the eligibility requirements. 
Additional information and requirements about the registration process 
will be provided on the Contest Web site.
    C. After a Contestant registers, the Sponsor will send a 
confirmation message to the email address provided by the Contestant. 
The Contestant should use the confirmation message to verify the email 
address that he or she provided in order to receive important Contest 
updates.
    D. In the event of a dispute pertaining to this Contest, the 
authorized account holder of the email address listed at registration 
will be deemed to be the Contestant. The ``authorized account holder'' 
is the natural person assigned an email address by an Internet access 
provider, online service provider, or other organization responsible 
for assigning email addresses for the domain associated with the 
submitted address. Contestants may be required to provide more 
information as evidence that they are the authorized account holder.

4. Submission

    A. Parts of the Submission:
    The Submission must contain three components that should describe 
the technical tool the Contestant has developed to assist consumers 
with security.
    (i) A title and a brief text description (``abstract'') of how the 
tool functions, which will be made public and should be easy for the 
public to understand. It must not be more than one page, with font size 
of no less than 11 points and margins of no less than one inch.
    (ii) A link to the Contestant's video that is publicly available on 
Youtube.com or Vimeo.com demonstrating how the tool works. It must not 
be more than five (5) minutes long.
    (iii) A detailed written description of the tool that enables 
Judges to evaluate how well it works, how user-friendly it is, and how 
scalable it is (``Detailed Explanation''), including how the tool will 
avoid or mitigate any additional security risks that it itself might 
introduce into the consumer's home. It must not be more than 15 pages, 
with font size of not less than 11 points and margins of no less than 
one inch.
    See Section 7 (Submission Requirements) for further details.
    The Submission itself shall not contain information revealing the 
Contestant's identity, such as a name, address, employment information, 
or other identifying details, except that Contestants may include their 
own voice or image in the video. Additional information and 
requirements about the Submission process will be provided on the 
Contest Web site.
    B. Submission Deadlines:
    Contestants must enter their Submissions by the Contest Deadline, 
12:00 p.m. EDT May 22, 2017. Any Submissions entered following the 
Contest Deadline, as determined solely by the Sponsor, shall be 
disqualified. The judging period will commence after the Contest 
Deadline.
    C. Terms for Submissions:
    (i) All parts of the Submission must be submitted together in a 
single email by the Contest Deadline.
    (ii) Contestants must use the email address provided on their 
Registration Form (or in the case of a team, the email address on the 
team Representative's Registration Form).
    (iii) No part of a Submission, including any records, platforms, 
technologies, or licenses required to evaluate the Submission, may 
require the Sponsor or Contest Judges to spend money or otherwise 
obtain anything of value; or to execute or enter into any binding 
agreement not otherwise provided for under these Rules.
    (iv) Submissions from a team must be indicated as such when 
entering a Submission.
    (v) Submissions must be in English, except that textual or video 
material in a language other than English will be accepted if 
accompanied by an English translation of the text or video--within the 
existing page limits for the Submission.
    (vi) Any solution that was publicly available prior to January 4, 
2017, is not eligible for entry in the Contest, unless the tool 
submitted incorporates significant new functionality, features, or 
changes. Contestants must identify any portion of the tool that was 
publicly available and--within the existing page limits for the 
Submission--include a narrative description of the new functionality, 
features, or changes with any such Submission.
    (vii) Submissions must not:
    a. violate applicable law;
    b. depict hatred;
    c. be in bad taste;
    d. denigrate (or be derogatory toward) any person or group of 
persons or any race, ethnic group, or culture;
    e. threaten a specific community in society, including any specific 
race, ethnic group, or culture;
    f. incite violence or be likely to incite violence;
    g. contain vulgar or obscene language or excessive violence;
    h. contain pornography, obscenity, or sexual activity; or
    i. disparage the Sponsor.
    (viii) Submissions must be free of malware and other security 
threats. Contestant agrees that the Sponsor may

[[Page 843]]

conduct testing on each Submission to determine whether malware or 
other security threats may be present.
    (ix) Any Submission that fails to comply with these requirements, 
as determined by the Sponsor in its sole discretion, may be 
disqualified.
    (x) Once a Submission has been submitted, Contestant may not access 
or make any changes or alterations to the Submission.
    (xi) A Contestant may submit only one Submission, as either an 
individual or a member of a team.
    (xii) By entering a Submission, Contestant represents, warrants, 
and agrees that the Submission is the original work of the Contestant 
and complies with the official rules. Contestant further represents, 
warrants, and agrees that any use of the Submission by the Sponsor and 
Contest Judges (or any of their respective partners, subsidiaries, and 
affiliates) as authorized by these official rules, does not:
    a. infringe upon, misappropriate or otherwise violate any 
intellectual property right or proprietary right including, without 
limitation, any statutory or common law trademark, copyright or patent, 
nor any privacy rights, nor any other rights of any person or entity;
    b. constitute or result in any misappropriation or other violation 
of any person's publicity rights or right of privacy.

5. Submission Rights

    A. Subject to the licenses described below, any applicable 
intellectual property rights to a Submission will remain with the 
Contestant.
    B. By entering a Submission to this Contest, Contestant grants to 
the Sponsor a non-exclusive, irrevocable, royalty-free and worldwide 
license to use the Submission, any information and content submitted by 
the Contestant, and any portion thereof, and to display the tool title, 
text description and the video through the Contest Web site, during the 
Contest and after its conclusion. The Contestant agrees that the 
foregoing constitutes solely a condition of the Contestant's 
participation in the Contest, and that the Contest is not a request for 
or acquisition of any property or services or any other matter subject 
to federal procurement requirements.

6. Winner Selection and Judging

    A. All Submissions will be judged by an expert panel of judges (the 
``Contest Judges'' or ``Judges'') selected by the Sponsor at the 
Sponsor's sole discretion. The Sponsor reserves the right to substitute 
or modify the judging panel, or extend or modify the Judging Period, at 
any time for any reason.
    B. All Contest Judges shall be required to remain fair and 
impartial. Any Contest Judge may recuse him or herself from judging a 
Submission if the Contest Judge or the Sponsor considers it 
inappropriate, for any reason, for the Contest Judge to evaluate a 
specific Submission or group of Submissions.
    C. A Contestant's likelihood of winning will depend on the number 
and quality of all of the Submissions, as determined by the Contest 
Judges using the criteria in these official rules.
    D. The Submissions will be judged in two phases: the ``Initial 
Phase'' and the ``Final Phase.'' For the Initial Phase, Judges will 
only assess the Contestants' videos and abstracts, without the Detailed 
Explanation. Only those Contestants judged to be within the top 20 
scores for the Initial Phase are eligible to compete in the Final Phase 
(``Finalists''), where the Detailed Explanations will be judged.
    E. Judges will use the criteria outlined in Section 7, below.
    F. The Sponsor reserves the right to review the Contest Judges' 
decision and to withhold any Prize if the Sponsor determines, in its 
sole discretion, that no Submission appropriately or adequately 
fulfills the stated goals and purposes of the Contest or there is any 
other procedural, legal, or other reason that the Prize should not be 
awarded.
    G. The Sponsor reserves the right to change the announcement dates 
with or without prior notice for any reason. Prizes, however, will not 
be awarded, and winners will not be named, until the Sponsor verifies 
eligibility for receipt of each Prize in accordance with Section 9 
below. The Sponsor will announce verified winners on or about July 27, 
2017, and the results will be made available at the Contest Web site.

7. Submission Content Requirements

    The Submission must meet other requirements as described in this 
document, including Sections 4 and 6, stating that Submissions must not 
include any unauthorized proprietary or copyrighted material (including 
copyrighted music without permission).
    A. Threshold Solution Criteria.
    Contestants will develop a tool that would, at a minimum, help 
protect consumers from security vulnerabilities caused by out of date 
software on IoT devices in their homes. Submissions must provide a 
technical solution, rather than a policy or legal solution. The tool 
must work on home IoT devices that currently exist on the market. The 
tool must protect information it collects both in transit and at rest. 
The Submission must address how the tool will avoid or mitigate any 
additional security risks that the tool itself might introduce into the 
consumer's home by, for example, probing the home network or 
facilitating software upgrades. Submissions that do not address the 
tool's security and the other items described in this paragraph as 
Threshold Solution Criteria will not be considered for the Prize.
    B. Phase-Specific Requirements
    (i) Initial Phase: Abstract and Video
    a. The Abstract. The abstract should include a title for the 
Submission and a brief explanation of how the tool functions.
    b. The Video. Although the solution requires a tool that should 
work with multiple IoT devices, the video need only demonstrate how the 
tool would be used with one (1) IoT device that is likely to be found 
in consumers' homes. The video must address the Judging Criteria below 
and: (i) State what the tool is specifically designed to do; (ii) 
describe the set-up for the demonstration and any assumptions the 
Contestant has made about the capabilities and limitations of the 
device(s) for the demonstration; and (iii) explain what impact the tool 
would have on software of IoT devices beyond what is demonstrated in 
the video.
    (ii) Final Phase: Detailed Explanation, Abstract and Video
    In the Final Phase, in addition to looking at the abstract and 
video, the Judges will review the Detailed Explanation. The Detailed 
Explanation must provide sufficient material so that the Judges can 
evaluate the tool properly for how well it works, how user-friendly it 
is, and how scalable it is. The Detailed Explanation may include a 
detailed description; pseudocode; a description of algorithms and/or 
formulas; or material (such as diagrams) to show how the tool would 
function. It should include a description of testing methodology and 
results of any tests of the tool's effectiveness. It should also 
discuss a strategy for development and deployment.
    C. The Submission will be assessed using the following Judging 
Criteria:
    (i) How well does it work? (60 points out of 100 total score)
    a. How well does your Submission address each of these four (4) 
components?
    (1) Recognizing what IoT devices are operating in the consumer's 
home. A tool may automatically recognize devices or provide 
instructions for consumer input.
    (2) Determining what software version is already on those IoT 
devices. A tool

[[Page 844]]

may automatically recognize the software version or provide 
instructions for consumer input.
    (3) Determining the latest versions of the software that should be 
on those devices. The Submission must lay out a feasible plan for 
finding sources of information about what version should be on the 
device and explain the technical means by which that information would 
be procured. If the Submission relies upon databases that do not 
currently exist, the plan for developing those sources must be 
realistic and feasible.
    (4) Assisting in facilitating updates, to the extent possible. 
Contestants might rely upon the consumer to take steps or contact the 
device manufacturer to facilitate the update. If the tool conveys 
information to a third party, such as a device manufacturer, the tool 
must also allow for consumer control of the flow of that information.
    b. WILDCARD: If your Submission does not address the four 
components above, but offers a technical solution to address 
vulnerabilities caused by unpatched or out-of-date software of IoT 
devices in the home, the Contestant may demonstrate how that tool would 
work and argue for the superiority of the tool based on its level of 
innovation and impact on IoT security in the home. Any such WILDCARD 
option would also need to meet the criteria set forth in sections 
7(ii)-(iii) (user friendliness and scalability requirements).
    c. Whether the Submission includes the four components identified 
above or is a WILDCARD option, Judges will award more points to 
Submissions based on the extent to which they identify potential 
challenges with implementing the tool and describe how the Contestant 
plans to address those challenges. Judges will also award more points 
for tools that address both situations where a manufacturer has failed 
to provide support for the software on a device as well as where the 
manufacturer does provide support.
    (ii) How user-friendly is your tool? (20 points out of 100 total 
score)
    a. How easy is your tool for the average consumer, without 
technical expertise, to set up and use? In assessing how easy the tool 
would be to use, the Judges will take into consideration whether 
functions are performed automatically, without action by the consumer.
    b. In analyzing the user-friendliness of the tool, the Judges will 
also take into consideration how well the tool does the following:
    (1) Displays or conveys \10\ information about which devices it has 
assessed.
---------------------------------------------------------------------------

    \10\ The consumer must have a way of knowing what is being 
assessed, so they do not have a false sense of assurance about a 
device that was not even evaluated by the tool. This process might 
also expose unauthorized devices.
---------------------------------------------------------------------------

    (2) Accurately communicates the risk mitigation provided by the 
tool (e.g., it should not give the impression that it solves all 
security problems).
    (3) Allows consumers to control any information being sent to a 
third party, to the extent that any such information is being sent. 
This includes making short, but accurate, disclosures about the 
information flow.
    c. Judges will award more points to Submissions that show the 
content of any consumer interface and decision points, as well as the 
methodology and results of user tests (e.g. surveys, focus groups, 
online user studies) demonstrating that the average consumer would be 
likely to understand such interface and information it conveys.\11\
---------------------------------------------------------------------------

    \11\ For more information on communicating with consumers, see, 
e.g., Putting Disclosures to the Test (Sept. 15, 2016), available at 
https://www.ftc.gov/testingdisclosures.
---------------------------------------------------------------------------

    (iii) How scalable is your tool? (20 points out of 100 total score)
    a. The Submission must explain how the tool could be used for 
products other than those addressed specifically in the Submission.
    b. Judges will award more points to Submissions that also explain 
how the tool would stay up-to-date. Judges will award more points to 
Submissions demonstrating tools that work on multiple types of devices 
(e.g., cameras, thermostats, refrigerators), devices from different 
manufacturers, devices using different protocols (e.g., WiFi, 
Bluetooth), and both newly released devices and legacy versions.
    (iv) Optional items (up to 10 bonus points)
    a. The Submission may also address other ways to help consumers 
guard against broader security vulnerabilities in IoT device software 
in their homes. For example, a tool might:
    (1) Find and facilitate changes to mitigate vulnerabilities in the 
existing configurations of devices in the home (e.g., determine whether 
particular IoT devices in the home have hard-coded, factory default or 
easy-to-guess passwords, and provide specific instructions for 
consumers to address the issue).
    (2) Provide purchasers of IoT devices an easy way to know whether 
their new devices include elements already known to be easily 
compromised before they make a purchase.
    (3) Address the problem of software or firmware updates that have 
been offered by a developer but not yet incorporated by a device 
manufacturer.
    (4) Differentiate between security updates and other updates.
    (5) Convey information about levels of urgency of installing 
patches based on the criticality of a vulnerability;
    (6) Tailor information to specific user groups (e.g., by providing 
technically sophisticated consumers access to additional information 
about the nature of the security issues addressed in the update);
    (7) Convey information about product recalls made for other 
reasons;
    (8) Convey other available information about the security of 
devices, such as benchmark security scores; \12\ or
---------------------------------------------------------------------------

    \12\ For example, a tool could use security scoring mechanisms 
developed by such entities as the Cyber Independent Testing Lab 
(CITL) (http://cyber-itl.org/blog/).
---------------------------------------------------------------------------

    (9) Convey information about the type of data collected by the 
device, how it is used and shared, and any associated privacy policies.
    D. In order to be considered for a Prize, Submissions must receive 
a score greater than zero in each required category (how well it works, 
how user-friendly it is, and how scalable it is). If the Contest Judges 
determine that no Submission satisfies each required category, no one 
will be deemed eligible for any Prize. In addition, Judges have the 
discretion to award up to 10 bonus points for optional features.
    E. The Contestant whose Submission earns the highest overall score 
in the Final Phase will be named the Top Prize Winner identified below 
in Section 8, if the Contestant satisfies the verification requirements 
described in Section 9. If the Contestant does not satisfy the 
verification requirements, the Top Prize may be awarded to the next 
highest scorer who satisfies the verification requirements, at the 
Sponsor's discretion.
    F. Up to three (3) Contestants in the Final Phase who meet the 
Section 9 verification requirements may be awarded the Honorable 
Mention Prizes--described below in Section 8--at the Sponsor's 
discretion. The Sponsor has discretion to award Honorable Mention 
Prizes to Contestants who (1) have the next highest scores in the Final 
Phase, or (2) have the highest score in any one category because of a 
significant innovation. If the Contestant does not satisfy the 
verification requirements, the Honorable Mention Prize may be awarded 
to the next highest scorer who satisfies the verification requirements, 
at the Sponsor's discretion.

[[Page 845]]

    G. In the event of a tie between or among two or more Submissions 
where the Contestants meet the verification requirements, the relevant 
Prize identified below in Section 8 will be divided equally between the 
tied Contestants.

8. Prizes

------------------------------------------------------------------------
             Winner                 Prize amount           Quantity
------------------------------------------------------------------------
Top Prize......................  Up to US $25,000..  Up to 1.
Honorable Mention(s)...........  US $3,000.........  Up to 3.
------------------------------------------------------------------------

    A. If no eligible Submissions are entered in the Contest, no Prizes 
will be awarded. (See also Section 6.F. above.) The Sponsor retains the 
right to make a Prize substitution (including a non-monetary award) in 
the event that funding for the Prize or any portion thereof becomes 
unavailable. No transfer or substitution of a Prize is permitted except 
at the Sponsor's sole discretion. In the case of a team Prize, it will 
be the responsibility of the winning team's Representative to inform 
the Sponsor how to allocate the Prize amongst the team, as the 
Representative deems it appropriate.
    B. Each Contestant hereby acknowledges and agrees that the 
relationship between the Contestant and the Sponsor is not a 
confidential, fiduciary, or other special relationship, and that the 
Contestant's decision to provide the Contestant's Submission to Sponsor 
for the purposes of this Contest does not place the Sponsor and its 
respective agents in a position that is any different from the position 
held by the members of the general public, except as specifically 
provided in these official rules.
    C. Winners (including any winning team members) are responsible for 
reporting and paying all applicable federal, state, and local taxes. It 
is the sole responsibility of winners of $600 or more to provide 
information to the Sponsor in order to facilitate receipt of the award, 
including completing and submitting any tax forms when necessary. It is 
also the sole responsibility of winners to satisfy any applicable 
reporting requirements. The Sponsor reserves the right to withhold a 
portion of the Prize amount to comply with tax laws.
    D. All payments shall be made by electronic funds transfer or other 
means determined by the Sponsor.

9. Verification of Eligibility for Receipt of a Prize

    A. All prize awards are subject to Sponsor verification of the 
winner's identity, eligibility, and participation in the creation of 
the tool. The Sponsor's decisions are final and binding in all matters 
related to the Contest. In order to receive a Prize, a Contestant will 
be required to complete, sign and return to the Sponsor affidavit(s) of 
eligibility and liability release, or a similar verification document 
(``Verification Form''). (In the case of a team, the Representative and 
all participating members must complete, sign and return to the Sponsor 
the Verification Form.) In addition, social security numbers must be 
collected from the winner (including any winning team members) pursuant 
to 31 U.S.C. 7701 in order to issue a payment.
    B. Contestants potentially qualifying for a Prize will be notified 
and sent the Verification Form using the email address submitted at 
registration, starting on or about July 20, 2017. The Sponsor reserves 
the right to change the time period to send the Verification Form 
without providing any prior notice. In the case of a team, the 
notification will only be sent to the Representative. If a notification 
is returned as undeliverable, the Contestant or team may be 
disqualified at the Sponsor's sole discretion.
    C. At the sole discretion of the Sponsor, a Contestant or team 
forfeits any Prize if:
    (i) The Contestant fails to provide the Verification Form within 
ten (10) business days of receipt of the email notification discussed 
above (or in the case of a team, any team member) fails to provide the 
Verification Form within ten business days of receipt of the email 
notification;
    (ii) the Contestant (or in the case of a team, any team member) 
does not timely communicate with the Sponsor to provide payment 
information and all other necessary information within ten business 
days of receiving a request for such information;
    (iii) such individual or team Representative is contacted and 
refuses the Prize;
    (iv) the Prize is returned as undeliverable; or
    (v) the Submission of the winner, the winner, or any member of a 
winner's team is disqualified for any reason.
    D. In the event of a disqualification, Sponsor, at its sole 
discretion, may award the applicable Prize to an alternate Contestant. 
The disqualification of one (or more) team members at any time for any 
reason may result in the disqualification of the entire team and of 
each participating member at the sole discretion of the Sponsor.

10. Entry Conditions and Release

    A. By registering, each Contestant (including, in the case of a 
team, all participating members) agree(s):
    (i) To comply with and be bound by these official rules; and
    (ii) that the application of the judging criteria, evaluation of 
the Submissions, and final selection of the winners is a matter of 
discretion of the Contest Judges and Sponsor, and that their respective 
decisions are binding and final in all matters relating to this 
Contest.
    B. By registering, each Contestant (including, in the case of a 
team, all participating members) agree(s) to release, indemnify, and 
hold harmless the Sponsor, and any other individuals or organizations 
responsible for sponsoring, fulfilling, administering, advertising, or 
promoting the Contest, including their respective parents, 
subsidiaries, and affiliated companies, if any, and all of their 
respective past and present officers, directors, employees, agents and 
representatives (hereafter the ``Released Parties'') from and against 
any and all claims, expenses, and liabilities (including reasonable 
attorneys' fees and costs of Submission preparation) arising out of or 
relating to a Contestant's entry, creation of Submission or entry of a 
Submission, participation in the Contest, acceptance or use or misuse 
of the Prize, and the disclosure, broadcast, transmission, performance, 
exploitation, or use of Submission as authorized or licensed by these 
official rules. Released claims include all claims whatsoever 
including, but not limited to (except in cases of willful misconduct): 
Injury, death, damage, or loss of property, revenue or profits, whether 
direct, indirect, or consequential, arising from the Contestant's 
participation in a competition, whether the claim of injury, death, 
damage, or loss arises through negligence, mistake, or otherwise. This 
release does not apply to claims against the Sponsor arising out

[[Page 846]]

of the unauthorized use or disclosure by the Sponsor of intellectual 
property, trade secrets, or confidential business information of the 
Contestant.
    C. Without limiting the foregoing, each Contestant (including, in 
the case of a team, all participating members) agrees to release all 
Released Parties of all liability in connection with:
    (i) any incorrect or inaccurate information, whether caused by the 
Sponsor's or a Contestant's electronic or printing error or by any of 
the equipment or programming associated with or utilized in the 
Contest;
    (ii) technical failures of any kind, including, but not limited to, 
malfunctions, interruptions, or disconnections in phone lines, Internet 
connectivity, or electronic transmission errors, or network hardware or 
software or failure of the Contest Web site, or any other platform or 
tool that Contestants or Contest Judges choose to use;
    (iii) unauthorized human intervention in any part of the entry 
process or the Contest;
    (iv) technical or human error that may occur in the administration 
of the Contest or the processing of Submissions; or
    (v) any injury or damage to persons or property that may be caused, 
directly or indirectly, in whole or in part, from the Contestant's 
participation in the Contest or receipt or use or misuse of any Prize. 
If for any reason any Contestant's Submission is confirmed to have been 
erroneously deleted, lost, or otherwise destroyed or corrupted, the 
Contestant's sole remedy is to request the opportunity to resubmit its 
Submission. The request will be addressed at the sole discretion of the 
Sponsor if the contest submission period is still open.
    D. Based on the subject matter of the Contest, the type of work 
that it possibly will require, and the low probability that any claims 
for death, bodily injury, or property damage, or loss could result from 
Contest participation, the Sponsor determines that Contestants are not 
required to obtain liability insurance or demonstrate fiscal 
responsibility in order to participate in this Contest.

11. Publicity

    Participation in the Contest constitutes consent to the use by the 
Sponsor, their agents' and any other third parties acting on their 
behalf, of the Contestant's name (and, as applicable, those of all 
other members of the team that participated in the Submission), 
Submission video, and Submission abstract for promotional purposes in 
any media, worldwide, without further payment or consideration. 
Furthermore, a Contestant's likeness, photograph, voice, opinions, 
comments, and hometown and state of residence (and, as applicable, 
those of all other members of the team that participated in the 
Submission) may be used for the Sponsor's promotional purposes if the 
Contestant provides consent. In addition, the Sponsor reserves the 
right to make any disclosure required by law.

12. General Conditions

    A. Each Contestant agrees that the Sponsor is vested with the sole 
authority to interpret and apply these rules.
    B. Sponsor reserves the right, in its sole discretion, to cancel, 
suspend, or modify the Contest, or any part of it, with or without 
notice to the Contestants, if any fraud, technical failure, or any 
other unanticipated factor or factors beyond Sponsor's control impairs 
the integrity or proper functioning of the Contest, or for any other 
reason. The Sponsor reserves the right at its sole discretion to 
disqualify any individual or Contestant that the Sponsor finds to be 
tampering with the entry process or the operation of the Contest, or to 
be acting in violation of these official rules or in a manner that is 
inappropriate, not in the best interests of this Contest, or in 
violation of any applicable law or regulation.
    C. Any attempt by any person to undermine the proper functioning of 
the Contest may be a violation of criminal and civil law, and, should 
such an attempt be made, the Sponsor reserves the right to take proper 
legal action, including, without limiting, referral to law enforcement, 
for any illegal or unlawful activities.
    D. The Sponsor's failure to enforce any term of these official 
rules shall not constitute a waiver of that term. The Sponsor is not 
responsible for incomplete, late, misdirected, damaged, lost, 
illegible, or incomprehensible Submissions or for address or email 
address changes of the Contestants. Proof of sending or submitting is 
not proof of receipt by Sponsor.
    E. In the event of any discrepancy or inconsistency between the 
terms and conditions of the official rules and disclosures or other 
statements contained in any Contest materials, including but not 
limited to the Contest Web site or point of sale, television, print or 
online advertising, the terms and conditions of the official rules 
shall prevail.
    F. The Sponsor reserves the right to amend the terms and conditions 
of the official rules at any time, including the rights or obligations 
of the Contestants and the Sponsor. The Sponsor will post the terms and 
conditions of the amended official rules on the Contest Web site 
(``Corrective Notice''). As permitted by law, any amendment will become 
effective at the time the Sponsor posts the amended official rules.
    G. Excluding Submissions, all intellectual property related to this 
Contest, including but not limited to trademarks, trade-names, logos, 
designs, promotional materials, Web pages, source codes, drawings, 
illustrations, slogans, and representations are owned or used under 
license by the Sponsor. All rights are reserved. Unauthorized copying 
or use of any copyrighted material or intellectual property without the 
express written consent of the relevant owner(s) is strictly 
prohibited.
    H. Should any provision of these official rules be or become 
illegal or unenforceable under applicable Federal law, such illegality 
or unenforceability shall leave the remainder of these official rules 
unaffected and valid. The illegal or unenforceable provision may be 
replaced by the Sponsor with a valid and enforceable provision that, in 
the Sponsor's sole judgment, comes closest to and best reflects the 
Sponsor's intention in a legal and enforceable manner with respect to 
the invalid or unenforceable provision.

13. Disputes

    Subject to the release provisions in these official rules, 
Contestant agrees that:
    A. any and all disputes, claims, and causes of action arising out 
of or connected with this Contest, any Prizes awarded, the 
administration of the Contest, the determination of winners, or the 
construction, validity, interpretation, and enforceability of the 
official rules shall be resolved individually;
    B. any and all disputes, claims, and causes of action arising out 
of or connected with this Contest, any Prizes awarded, the 
administration of the Contest, the determination of winners, or the 
construction, validity, interpretation, and enforceability of the 
official rules shall be resolved pursuant to Federal law;
    C. under no circumstances will Contestants be entitled to, and 
Contestants hereby waive, all rights to claim, any punitive, 
incidental, and consequential damages and any and all rights to have 
damages multiplied or otherwise increased.

14. Privacy

    The Sponsor may collect personal information from the Contestant 
when he or she enters the Contest. Such personal information is subject 
to the

[[Page 847]]

privacy policy located here: http://www.ftc.gov/site-information/privacy-policy.

15. Contact Us

    Please visit the Contest Web site for further Contest information 
and updates.

Jessica Rich,
Director, Bureau of Consumer Protection.
[FR Doc. 2016-31731 Filed 1-3-17; 8:45 am]
BILLING CODE 6750-01-P