IoT Home Inspector Challenge, 840-847 [2016-31731]

Agencies

• FEDERAL TRADE COMMISSION

[Federal Register Volume 82, Number 2 (Wednesday, January 4, 2017)]
[Notices]
[Pages 840-847]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-31731]


=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION


IoT Home Inspector Challenge

AGENCY: Federal Trade Commission.

ACTION: Notice; public challenge.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'') announces a prize 
competition that challenges the public to create a technical solution 
(``tool'') that consumers can deploy to guard against security 
vulnerabilities in software on the Internet of Things (``IoT'') devices 
in their homes. The tool would, at a minimum, help protect consumers 
from security vulnerabilities caused by out-of-date software. 
Contestants have the option of adding features, such as those that 
would address hard-coded, factory default or easy-to-guess passwords. 
The prize for the competition is up to $25,000, with $3,000 available 
for each honorable mention winner(s). Winners will be announced on or 
about July 27, 2017.

DATES: The deadline for registering and submitting entries is May 22, 
2017 at 12:00 p.m. EDT. Further instructions and requirements regarding 
the registration and submission process will be provided on the Contest 
Web site (ftc.gov/iothomeinspector).

FOR FURTHER INFORMATION CONTACT: Ruth Yodaiken, 202-326-2127, Division 
of Privacy and Identity Protection, Bureau of Consumer Protection, FTC; 
600 Pennsylvania Ave. NW., Mailstop CC-8232, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: The FTC IoT Home Inspector Challenge (the 
``Contest'') encourages the public to create a tool that consumers can 
deploy to guard against security vulnerabilities in software on the IoT 
devices in their homes. The tool would, at a minimum, help protect 
consumers from security vulnerabilities caused by out-of-date software. 
The competition's purpose is to stimulate innovation and progress in 
protecting and empowering consumers against security risks associated 
with IoT devices in the home.

A. Background

    Every day, American consumers use Internet-connected devices \1\ to 
make their homes ``smarter.'' Consumers can remotely program their 
smart home devices to turn on their lights, start the oven, and turn on 
soft music so they return to a comfortable environment when they get 
home from work. Smart video monitors enable consumers to remotely view 
their homes, pets, or children. Smart fire and burglar alarms address 
safety issues through sensors and alerts. And smart thermostats can 
automatically adjust temperature settings depending on the time of day 
and presence of people in the house. To tie all these devices together, 
smart home platforms are also beginning to proliferate across the 
marketplace.
---------------------------------------------------------------------------

    \1\ As used herein, ``Internet-connected,'' ``IoT,'' or 
``smart'' devices are devices other than desktop or laptop computers 
or smartphones.
---------------------------------------------------------------------------

    While these smart devices enable enormous convenience and safety 
benefits, they can also create security risks. For example, press 
reports from October 2016 demonstrated how smart devices could be used 
in ``botnets'' to disrupt the Internet.\2\ This incident demonstrated 
that lax IoT device security can threaten not just device owners, but 
the entire Internet. In another incident, a group of hackers allegedly 
gained unauthorized access to routers manufactured by the tech company 
ASUS and left a text file warning stating, ``Your Asus router (and your 
documents) can be accessed by anyone in the world with an internet 
connection.'' \3\ The FTC announced a

[[Page 841]]

settlement with ASUS last year, alleging that the company did not 
maintain reasonable security, resulting in threats to personal 
information. Further, there have been numerous reported incidents where 
the live feeds from consumers' smart cameras have been available on the 
Internet. One company whose cameras were allegedly vulnerable in this 
manner, TRENDnet, was the subject of an earlier Commission law 
enforcement action.\4\
---------------------------------------------------------------------------

    \2\ See, e.g., ``Americans uneasy with IoT devices like those 
used in Dyn DDoS attack, survey finds,'' Tech Crunch, Darrell 
Etherington (October 24, 2016) (stating that a ``coordinated botnet 
attack effectively choked internet access to a large number of 
popular sites'' and was attributed ``in large part due to the spread 
of connected Internet of Things (IoT) devices''), available at 
https://techcrunch.com/2016/10/24/americans-uneasy-with-iot-devices-like-those-used-in-dyn-ddos-attack-survey-finds/.
    \3\ ``ASUS Settles FTC Charges That Insecure Home Routers and 
``Cloud'' Services Put Consumers' Privacy At Risk,'' FTC press 
release (February 23, 2016), available at https://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put.
    \4\ ``FTC Approves Final Order Settling Charges Against 
TRENDnet, Inc.,'' FTC press release (February 7, 2014), available at 
https://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc.
---------------------------------------------------------------------------

    Consumers themselves are uneasy about the security risks of IoT 
devices. One recent survey found that more than 40% of respondents are 
``not confident at all'' that IoT devices are safe, secure, and able to 
protect personal information.'' Fifty percent of consumers surveyed 
said that ``concerns about the cybersecurity of an IoT device have 
discouraged them from purchasing one.'' \5\
---------------------------------------------------------------------------

    \5\ See, e.g., ``New ESET/NCSA Survey Explores the Internet of 
(Stranger) Things,'' ESET/National Cyber Security Alliance study, 
available at https://www.eset.com/us/resources/detail/survey-internet-of-stranger-things/ and https://cdn3.esetstatic.com/eset/US/resources/press/ESET_ConnectedLives-DataSummary.pdf.
---------------------------------------------------------------------------

    The Commission staff has previously recommended that IoT device 
manufacturers take appropriate steps to address the security of their 
devices. It has recommended that, among other things, companies in the 
IoT space: (1) Build security into their devices at the outset; (2) 
train employees on good security practices; (3) ensure downstream 
privacy and data protections through vendor contracts and oversight; 
(4) apply defense-in-depth strategies that offer protections at 
multiple levels and interfaces; and (5) put in place reasonable access 
controls.\6\ The FTC's Careful Connections and Start with Security 
publications offer more detailed guidance.\7\
---------------------------------------------------------------------------

    \6\ ``Internet of Things: Privacy and Security in a Connected 
World,'' FTC Staff Report (January 2015), available at https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.
    \7\ Start with Security: A Guide for Businesses,'' (``Start with 
Security''), available at https://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business; ``Careful 
Connections: Building Security in the Internet of Things,'' 
available at https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things.
---------------------------------------------------------------------------

    One important component of IoT security is updating and providing 
security patches. If products do not have the latest security updates, 
they can be vulnerable to outside threats. Today, although some devices 
are updated automatically, many devices require consumers to take steps 
in order to install the update or make necessary adjustments.\8\ To be 
able to take these steps, consumers must have a certain level of 
technical expertise. In particular, consumers must know how to check 
for security updates and install them. The problem of how to simplify 
this task is compounded by the thriving market in this area: There are 
many different types of software (even within a single device), ways to 
configure devices, and approaches to updating.\9\ As devices within the 
home multiply, the task of updating devices could become increasingly 
daunting.
---------------------------------------------------------------------------

    \8\ ``They Keep Coming Back Like Zombies': Improving Software 
Updating Interfaces,'' Arunesh Mathur, Josefine Engel, Sonam Sobti, 
Victoria Chang, and Marshini Chetty, Univ. of Maryland, College 
Park, available at https://www.usenix.org/system/files/conference/soups2016/soups2016-paper-mathur.pdf.
    \9\ More details about these technical issues can be found in 
material related to the National Telecommunications & Information 
Administration's Multistakeholder Process for IoT Security and 
Upgradeability and Patching, available at https://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.
---------------------------------------------------------------------------

B. The Competition

    With this Contest, the FTC seeks to encourage the development of a 
technical tool to assist consumers with ensuring that IoT devices in 
the home are running up-to-date software. Such a tool might be a 
physical device that the consumer adds to his or her home network that 
checks and installs updates for other IoT devices on that home network. 
It might be an app or cloud-based service that allows consumers to 
submit IoT device model numbers, and, based on that input, provides 
information on how the consumer can install updates. A dashboard or 
other user interface might inform the consumer about which devices were 
up-to-date already, those that had unpatched software vulnerabilities, 
and even those that the manufacturer no longer supported.
    The Contest is subject to all applicable laws and regulations. 
Registering to enter the Contest constitutes Contestant's full 
agreement to these official rules and to decisions of the Sponsor (as 
defined below), which are final and binding in all matters related to 
the Contest. Winning a Prize is contingent upon fulfilling all 
requirements set forth in the official rules.

1. Sponsor Organization

    A. Sponsor: Federal Trade Commission, 600 Pennsylvania Avenue NW., 
Washington, DC 20580.

2. Eligibility

    A. To participate in the Contest:
    (i) Contestants may compete as individuals or as teams of 
individuals, if they meet all eligibility requirements set forth in 
Sections 2.A-D. To be eligible to win a Prize, Contestants must meet 
the additional prize eligibility requirements set forth in Section 9.
    (ii) Contestants must comply with all terms and conditions of the 
official rules.
    (iii) Contestants must own or have access at their own expense to a 
computer, an Internet connection, and any other electronic devices, 
documentation, software, or other items that Contestants may deem 
necessary to create and enter a Submission (as defined in Section 4 
below).
    (iv) Each team must appoint one individual (the ``Representative'') 
to represent and act on behalf of said team, including by entering a 
Submission (as outlined below). The Representative must be duly 
authorized to submit on behalf of the team, and must represent and 
warrant that he or she is duly authorized to act on behalf of the team.
    (v) An individual may enter the Contest only once, either on an 
individual basis or as a member of one team.
    (vi) No individual or team may enter the Contest on behalf of a 
corporation or other non-individual legal entity.
    B. Those ineligible to participate:
    The following individuals (including any individuals participating 
as part of a team) are not eligible regardless of whether they meet the 
criteria set forth above:
    (i) any individual under the age of 18 at the time of submission;
    (ii) any individual who employs any of the Contest Judges as an 
employee or agent;
    (iii) any individual who owns or controls an entity for whom a 
Contest Judge is an employee, officer, director, or agent;
    (iv) any individual who has a material business or financial 
relationship with any Contest Judge;
    (v) any individual who is a member of any Contest Judge's immediate 
family or household;
    (vi) any employee, representative or agent of the Sponsor and all 
members of the immediate family or household of any such employee, 
representative, or agent;
    (vii) any Federal employee acting within the scope of his or her

[[Page 842]]

employment, or as may otherwise be prohibited by Federal law (employees 
should consult their agency ethics officials);
    (viii) any individual or team that used Federal facilities or 
consulted with Federal employees to develop a Submission, unless the 
facilities and employees were made available to all Contestants 
participating in the Contest on an equitable basis; and
    (ix) any individual or team that used Federal funds to develop a 
Submission, unless such use is consistent with the grant award, or 
other applicable Federal funds awarding document. If a grantee using 
Federal funds enters and wins this Contest, the prize monies shall be 
treated as program income for purposes of the original grant in 
accordance with applicable Office of Management and Budget Circulars. 
Federal contractors may not use Federal funds from a contract to 
develop a Submission for this Challenge.
    The Sponsor will, in its sole discretion, disqualify any individual 
or team that meets any of the criteria set forth in Section 2.B.
    C. For purposes hereof:
    (i) the members of an individual's immediate family include such 
individual's spouse, children and step-children, parents and step-
parents, and siblings and step-siblings; and
    (ii) the members of an individual's household include any other 
person who shares the same residence as such individual for at least 
three (3) months out of the year.
    D. Pursuant to the America Creating Opportunities to Meaningfully 
Promote Excellence in Technology, Education, and Science 
Reauthorization Act of 2010, 15 U.S.C. 3719, Contest Prizes (as defined 
in Section 8 below) may be awarded only to individuals and teams of 
individuals who are citizens or permanent residents of the United 
States, subject to verification by the Sponsor before Prizes are 
awarded (see Section 9 below).

3. Registration Requirement for All Contestants

    A. Contestants must register no later than 12:00 p.m. EDT May 22, 
2017 (``Contest Deadline''), to participate in the Contest.
    B. To enter, every Contestant, including each member of a team, 
must register by submitting a form, available on the Contest Web site 
(``Registration Form''), to verify that he or she has read and agreed 
to abide by the official rules and meets the eligibility requirements. 
Additional information and requirements about the registration process 
will be provided on the Contest Web site.
    C. After a Contestant registers, the Sponsor will send a 
confirmation message to the email address provided by the Contestant. 
The Contestant should use the confirmation message to verify the email 
address that he or she provided in order to receive important Contest 
updates.
    D. In the event of a dispute pertaining to this Contest, the 
authorized account holder of the email address listed at registration 
will be deemed to be the Contestant. The ``authorized account holder'' 
is the natural person assigned an email address by an Internet access 
provider, online service provider, or other organization responsible 
for assigning email addresses for the domain associated with the 
submitted address. Contestants may be required to provide more 
information as evidence that they are the authorized account holder.

4. Submission

    A. Parts of the Submission:
    The Submission must contain three components that should describe 
the technical tool the Contestant has developed to assist consumers 
with security.
    (i) A title and a brief text description (``abstract'') of how the 
tool functions, which will be made public and should be easy for the 
public to understand. It must not be more than one page, with font size 
of no less than 11 points and margins of no less than one inch.
    (ii) A link to the Contestant's video that is publicly available on 
Youtube.com or Vimeo.com demonstrating how the tool works. It must not 
be more than five (5) minutes long.
    (iii) A detailed written description of the tool that enables 
Judges to evaluate how well it works, how user-friendly it is, and how 
scalable it is (``Detailed Explanation''), including how the tool will 
avoid or mitigate any additional security risks that it itself might 
introduce into the consumer's home. It must not be more than 15 pages, 
with font size of not less than 11 points and margins of no less than 
one inch.
    See Section 7 (Submission Requirements) for further details.
    The Submission itself shall not contain information revealing the 
Contestant's identity, such as a name, address, employment information, 
or other identifying details, except that Contestants may include their 
own voice or image in the video. Additional information and 
requirements about the Submission process will be provided on the 
Contest Web site.
    B. Submission Deadlines:
    Contestants must enter their Submissions by the Contest Deadline, 
12:00 p.m. EDT May 22, 2017. Any Submissions entered following the 
Contest Deadline, as determined solely by the Sponsor, shall be 
disqualified. The judging period will commence after the Contest 
Deadline.
    C. Terms for Submissions:
    (i) All parts of the Submission must be submitted together in a 
single email by the Contest Deadline.
    (ii) Contestants must use the email address provided on their 
Registration Form (or in the case of a team, the email address on the 
team Representative's Registration Form).
    (iii) No part of a Submission, including any records, platforms, 
technologies, or licenses required to evaluate the Submission, may 
require the Sponsor or Contest Judges to spend money or otherwise 
obtain anything of value; or to execute or enter into any binding 
agreement not otherwise provided for under these Rules.
    (iv) Submissions from a team must be indicated as such when 
entering a Submission.
    (v) Submissions must be in English, except that textual or video 
material in a language other than English will be accepted if 
accompanied by an English translation of the text or video--within the 
existing page limits for the Submission.
    (vi) Any solution that was publicly available prior to January 4, 
2017, is not eligible for entry in the Contest, unless the tool 
submitted incorporates significant new functionality, features, or 
changes. Contestants must identify any portion of the tool that was 
publicly available and--within the existing page limits for the 
Submission--include a narrative description of the new functionality, 
features, or changes with any such Submission.
    (vii) Submissions must not:
    a. violate applicable law;
    b. depict hatred;
    c. be in bad taste;
    d. denigrate (or be derogatory toward) any person or group of 
persons or any race, ethnic group, or culture;
    e. threaten a specific community in society, including any specific 
race, ethnic group, or culture;
    f. incite violence or be likely to incite violence;
    g. contain vulgar or obscene language or excessive violence;
    h. contain pornography, obscenity, or sexual activity; or
    i. disparage the Sponsor.
    (viii) Submissions must be free of malware and other security 
threats. Contestant agrees that the Sponsor may

[[Page 843]]

conduct testing on each Submission to determine whether malware or 
other security threats may be present.
    (ix) Any Submission that fails to comply with these requirements, 
as determined by the Sponsor in its sole discretion, may be 
disqualified.
    (x) Once a Submission has been submitted, Contestant may not access 
or make any changes or alterations to the Submission.
    (xi) A Contestant may submit only one Submission, as either an 
individual or a member of a team.
    (xii) By entering a Submission, Contestant represents, warrants, 
and agrees that the Submission is the original work of the Contestant 
and complies with the official rules. Contestant further represents, 
warrants, and agrees that any use of the Submission by the Sponsor and 
Contest Judges (or any of their respective partners, subsidiaries, and 
affiliates) as authorized by these official rules, does not:
    a. infringe upon, misappropriate or otherwise violate any 
intellectual property right or proprietary right including, without 
limitation, any statutory or common law trademark, copyright or patent, 
nor any privacy rights, nor any other rights of any person or entity;
    b. constitute or result in any misappropriation or other violation 
of any person's publicity rights or right of privacy.

5. Submission Rights

    A. Subject to the licenses described below, any applicable 
intellectual property rights to a Submission will remain with the 
Contestant.
    B. By entering a Submission to this Contest, Contestant grants to 
the Sponsor a non-exclusive, irrevocable, royalty-free and worldwide 
license to use the Submission, any information and content submitted by 
the Contestant, and any portion thereof, and to display the tool title, 
text description and the video through the Contest Web site, during the 
Contest and after its conclusion. The Contestant agrees that the 
foregoing constitutes solely a condition of the Contestant's 
participation in the Contest, and that the Contest is not a request for 
or acquisition of any property or services or any other matter subject 
to federal procurement requirements.

6. Winner Selection and Judging

    A. All Submissions will be judged by an expert panel of judges (the 
``Contest Judges'' or ``Judges'') selected by the Sponsor at the 
Sponsor's sole discretion. The Sponsor reserves the right to substitute 
or modify the judging panel, or extend or modify the Judging Period, at 
any time for any reason.
    B. All Contest Judges shall be required to remain fair and 
impartial. Any Contest Judge may recuse him or herself from judging a 
Submission if the Contest Judge or the Sponsor considers it 
inappropriate, for any reason, for the Contest Judge to evaluate a 
specific Submission or group of Submissions.
    C. A Contestant's likelihood of winning will depend on the number 
and quality of all of the Submissions, as determined by the Contest 
Judges using the criteria in these official rules.
    D. The Submissions will be judged in two phases: the ``Initial 
Phase'' and the ``Final Phase.'' For the Initial Phase, Judges will 
only assess the Contestants' videos and abstracts, without the Detailed 
Explanation. Only those Contestants judged to be within the top 20 
scores for the Initial Phase are eligible to compete in the Final Phase 
(``Finalists''), where the Detailed Explanations will be judged.
    E. Judges will use the criteria outlined in Section 7, below.
    F. The Sponsor reserves the right to review the Contest Judges' 
decision and to withhold any Prize if the Sponsor determines, in its 
sole discretion, that no Submission appropriately or adequately 
fulfills the stated goals and purposes of the Contest or there is any 
other procedural, legal, or other reason that the Prize should not be 
awarded.
    G. The Sponsor reserves the right to change the announcement dates 
with or without prior notice for any reason. Prizes, however, will not 
be awarded, and winners will not be named, until the Sponsor verifies 
eligibility for receipt of each Prize in accordance with Section 9 
below. The Sponsor will announce verified winners on or about July 27, 
2017, and the results will be made available at the Contest Web site.

7. Submission Content Requirements

    The Submission must meet other requirements as described in this 
document, including Sections 4 and 6, stating that Submissions must not 
include any unauthorized proprietary or copyrighted material (including 
copyrighted music without permission).
    A. Threshold Solution Criteria.
    Contestants will develop a tool that would, at a minimum, help 
protect consumers from security vulnerabilities caused by out of date 
software on IoT devices in their homes. Submissions must provide a 
technical solution, rather than a policy or legal solution. The tool 
must work on home IoT devices that currently exist on the market. The 
tool must protect information it collects both in transit and at rest. 
The Submission must address how the tool will avoid or mitigate any 
additional security risks that the tool itself might introduce into the 
consumer's home by, for example, probing the home network or 
facilitating software upgrades. Submissions that do not address the 
tool's security and the other items described in this paragraph as 
Threshold Solution Criteria will not be considered for the Prize.
    B. Phase-Specific Requirements
    (i) Initial Phase: Abstract and Video
    a. The Abstract. The abstract should include a title for the 
Submission and a brief explanation of how the tool functions.
    b. The Video. Although the solution requires a tool that should 
work with multiple IoT devices, the video need only demonstrate how the 
tool would be used with one (1) IoT device that is likely to be found 
in consumers' homes. The video must address the Judging Criteria below 
and: (i) State what the tool is specifically designed to do; (ii) 
describe the set-up for the demonstration and any assumptions the 
Contestant has made about the capabilities and limitations of the 
device(s) for the demonstration; and (iii) explain what impact the tool 
would have on software of IoT devices beyond what is demonstrated in 
the video.
    (ii) Final Phase: Detailed Explanation, Abstract and Video
    In the Final Phase, in addition to looking at the abstract and 
video, the Judges will review the Detailed Explanation. The Detailed 
Explanation must provide sufficient material so that the Judges can 
evaluate the tool properly for how well it works, how user-friendly it 
is, and how scalable it is. The Detailed Explanation may include a 
detailed description; pseudocode; a description of algorithms and/or 
formulas; or material (such as diagrams) to show how the tool would 
function. It should include a description of testing methodology and 
results of any tests of the tool's effectiveness. It should also 
discuss a strategy for development and deployment.
    C. The Submission will be assessed using the following Judging 
Criteria:
    (i) How well does it work? (60 points out of 100 total score)
    a. How well does your Submission address each of these four (4) 
components?
    (1) Recognizing what IoT devices are operating in the consumer's 
home. A tool may automatically recognize devices or provide 
instructions for consumer input.
    (2) Determining what software version is already on those IoT 
devices. A tool

[[Page 844]]

may automatically recognize the software version or provide 
instructions for consumer input.
    (3) Determining the latest versions of the software that should be 
on those devices. The Submission must lay out a feasible plan for 
finding sources of information about what version should be on the 
device and explain the technical means by which that information would 
be procured. If the Submission relies upon databases that do not 
currently exist, the plan for developing those sources must be 
realistic and feasible.
    (4) Assisting in facilitating updates, to the extent possible. 
Contestants might rely upon the consumer to take steps or contact the 
device manufacturer to facilitate the update. If the tool conveys 
information to a third party, such as a device manufacturer, the tool 
must also allow for consumer control of the flow of that information.
    b. WILDCARD: If your Submission does not address the four 
components above, but offers a technical solution to address 
vulnerabilities caused by unpatched or out-of-date software of IoT 
devices in the home, the Contestant may demonstrate how that tool would 
work and argue for the superiority of the tool based on its level of 
innovation and impact on IoT security in the home. Any such WILDCARD 
option would also need to meet the criteria set forth in sections 
7(ii)-(iii) (user friendliness and scalability requirements).
    c. Whether the Submission includes the four components identified 
above or is a WILDCARD option, Judges will award more points to 
Submissions based on the extent to which they identify potential 
challenges with implementing the tool and describe how the Contestant 
plans to address those challenges. Judges will also award more points 
for tools that address both situations where a manufacturer has failed 
to provide support for the software on a device as well as where the 
manufacturer does provide support.
    (ii) How user-friendly is your tool? (20 points out of 100 total 
score)
    a. How easy is your tool for the average consumer, without 
technical expertise, to set up and use? In assessing how easy the tool 
would be to use, the Judges will take into consideration whether 
functions are performed automatically, without action by the consumer.
    b. In analyzing the user-friendliness of the tool, the Judges will 
also take into consideration how well the tool does the following:
    (1) Displays or conveys \10\ information about which devices it has 
assessed.
---------------------------------------------------------------------------

    \10\ The consumer must have a way of knowing what is being 
assessed, so they do not have a false sense of assurance about a 
device that was not even evaluated by the tool. This process might 
also expose unauthorized devices.
---------------------------------------------------------------------------

    (2) Accurately communicates the risk mitigation provided by the 
tool (e.g., it should not give the impression that it solves all 
security problems).
    (3) Allows consumers to control any information being sent to a 
third party, to the extent that any such information is being sent. 
This includes making short, but accurate, disclosures about the 
information flow.
    c. Judges will award more points to Submissions that show the 
content of any consumer interface and decision points, as well as the 
methodology and results of user tests (e.g. surveys, focus groups, 
online user studies) demonstrating that the average consumer would be 
likely to understand such interface and information it conveys.\11\
---------------------------------------------------------------------------

    \11\ For more information on communicating with consumers, see, 
e.g., Putting Disclosures to the Test (Sept. 15, 2016), available at 
https://www.ftc.gov/testingdisclosures.
---------------------------------------------------------------------------

    (iii) How scalable is your tool? (20 points out of 100 total score)
    a. The Submission must explain how the tool could be used for 
products other than those addressed specifically in the Submission.
    b. Judges will award more points to Submissions that also explain 
how the tool would stay up-to-date. Judges will award more points to 
Submissions demonstrating tools that work on multiple types of devices 
(e.g., cameras, thermostats, refrigerators), devices from different 
manufacturers, devices using different protocols (e.g., WiFi, 
Bluetooth), and both newly released devices and legacy versions.
    (iv) Optional items (up to 10 bonus points)
    a. The Submission may also address other ways to help consumers 
guard against broader security vulnerabilities in IoT device software 
in their homes. For example, a tool might:
    (1) Find and facilitate changes to mitigate vulnerabilities in the 
existing configurations of devices in the home (e.g., determine whether 
particular IoT devices in the home have hard-coded, factory default or 
easy-to-guess passwords, and provide specific instructions for 
consumers to address the issue).
    (2) Provide purchasers of IoT devices an easy way to know whether 
their new devices include elements already known to be easily 
compromised before they make a purchase.
    (3) Address the problem of software or firmware updates that have 
been offered by a developer but not yet incorporated by a device 
manufacturer.
    (4) Differentiate between security updates and other updates.
    (5) Convey information about levels of urgency of installing 
patches based on the criticality of a vulnerability;
    (6) Tailor information to specific user groups (e.g., by providing 
technically sophisticated consumers access to additional information 
about the nature of the security issues addressed in the update);
    (7) Convey information about product recalls made for other 
reasons;
    (8) Convey other available information about the security of 
devices, such as benchmark security scores; \12\ or
---------------------------------------------------------------------------

    \12\ For example, a tool could use security scoring mechanisms 
developed by such entities as the Cyber Independent Testing Lab 
(CITL) (https://cyber-itl.org/blog/).
---------------------------------------------------------------------------

    (9) Convey information about the type of data collected by the 
device, how it is used and shared, and any associated privacy policies.
    D. In order to be considered for a Prize, Submissions must receive 
a score greater than zero in each required category (how well it works, 
how user-friendly it is, and how scalable it is). If the Contest Judges 
determine that no Submission satisfies each required category, no one 
will be deemed eligible for any Prize. In addition, Judges have the 
discretion to award up to 10 bonus points for optional features.
    E. The Contestant whose Submission earns the highest overall score 
in the Final Phase will be named the Top Prize Winner identified below 
in Section 8, if the Contestant satisfies the verification requirements 
described in Section 9. If the Contestant does not satisfy the 
verification requirements, the Top Prize may be awarded to the next 
highest scorer who satisfies the verification requirements, at the 
Sponsor's discretion.
    F. Up to three (3) Contestants in the Final Phase who meet the 
Section 9 verification requirements may be awarded the Honorable 
Mention Prizes--described below in Section 8--at the Sponsor's 
discretion. The Sponsor has discretion to award Honorable Mention 
Prizes to Contestants who (1) have the next highest scores in the Final 
Phase, or (2) have the highest score in any one category because of a 
significant innovation. If the Contestant does not satisfy the 
verification requirements, the Honorable Mention Prize may be awarded 
to the next highest scorer who satisfies the verification requirements, 
at the Sponsor's discretion.

[[Page 845]]

    G. In the event of a tie between or among two or more Submissions 
where the Contestants meet the verification requirements, the relevant 
Prize identified below in Section 8 will be divided equally between the 
tied Contestants.

8. Prizes

------------------------------------------------------------------------
             Winner                 Prize amount           Quantity
------------------------------------------------------------------------
Top Prize......................  Up to US $25,000..  Up to 1.
Honorable Mention(s)...........  US $3,000.........  Up to 3.
------------------------------------------------------------------------

    A. If no eligible Submissions are entered in the Contest, no Prizes 
will be awarded. (See also Section 6.F. above.) The Sponsor retains the 
right to make a Prize substitution (including a non-monetary award) in 
the event that funding for the Prize or any portion thereof becomes 
unavailable. No transfer or substitution of a Prize is permitted except 
at the Sponsor's sole discretion. In the case of a team Prize, it will 
be the responsibility of the winning team's Representative to inform 
the Sponsor how to allocate the Prize amongst the team, as the 
Representative deems it appropriate.
    B. Each Contestant hereby acknowledges and agrees that the 
relationship between the Contestant and the Sponsor is not a 
confidential, fiduciary, or other special relationship, and that the 
Contestant's decision to provide the Contestant's Submission to Sponsor 
for the purposes of this Contest does not place the Sponsor and its 
respective agents in a position that is any different from the position 
held by the members of the general public, except as specifically 
provided in these official rules.
    C. Winners (including any winning team members) are responsible for 
reporting and paying all applicable federal, state, and local taxes. It 
is the sole responsibility of winners of $600 or more to provide 
information to the Sponsor in order to facilitate receipt of the award, 
including completing and submitting any tax forms when necessary. It is 
also the sole responsibility of winners to satisfy any applicable 
reporting requirements. The Sponsor reserves the right to withhold a 
portion of the Prize amount to comply with tax laws.
    D. All payments shall be made by electronic funds transfer or other 
means determined by the Sponsor.

9. Verification of Eligibility for Receipt of a Prize

    A. All prize awards are subject to Sponsor verification of the 
winner's identity, eligibility, and participation in the creation of 
the tool. The Sponsor's decisions are final and binding in all matters 
related to the Contest. In order to receive a Prize, a Contestant will 
be required to complete, sign and return to the Sponsor affidavit(s) of 
eligibility and liability release, or a similar verification document 
(``Verification Form''). (In the case of a team, the Representative and 
all participating members must complete, sign and return to the Sponsor 
the Verification Form.) In addition, social security numbers must be 
collected from the winner (including any winning team members) pursuant 
to 31 U.S.C. 7701 in order to issue a payment.
    B. Contestants potentially qualifying for a Prize will be notified 
and sent the Verification Form using the email address submitted at 
registration, starting on or about July 20, 2017. The Sponsor reserves 
the right to change the time period to send the Verification Form 
without providing any prior notice. In the case of a team, the 
notification will only be sent to the Representative. If a notification 
is returned as undeliverable, the Contestant or team may be 
disqualified at the Sponsor's sole discretion.
    C. At the sole discretion of the Sponsor, a Contestant or team 
forfeits any Prize if:
    (i) The Contestant fails to provide the Verification Form within 
ten (10) business days of receipt of the email notification discussed 
above (or in the case of a team, any team member) fails to provide the 
Verification Form within ten business days of receipt of the email 
notification;
    (ii) the Contestant (or in the case of a team, any team member) 
does not timely communicate with the Sponsor to provide payment 
information and all other necessary information within ten business 
days of receiving a request for such information;
    (iii) such individual or team Representative is contacted and 
refuses the Prize;
    (iv) the Prize is returned as undeliverable; or
    (v) the Submission of the winner, the winner, or any member of a 
winner's team is disqualified for any reason.
    D. In the event of a disqualification, Sponsor, at its sole 
discretion, may award the applicable Prize to an alternate Contestant. 
The disqualification of one (or more) team members at any time for any 
reason may result in the disqualification of the entire team and of 
each participating member at the sole discretion of the Sponsor.

10. Entry Conditions and Release

    A. By registering, each Contestant (including, in the case of a 
team, all participating members) agree(s):
    (i) To comply with and be bound by these official rules; and
    (ii) that the application of the judging criteria, evaluation of 
the Submissions, and final selection of the winners is a matter of 
discretion of the Contest Judges and Sponsor, and that their respective 
decisions are binding and final in all matters relating to this 
Contest.
    B. By registering, each Contestant (including, in the case of a 
team, all participating members) agree(s) to release, indemnify, and 
hold harmless the Sponsor, and any other individuals or organizations 
responsible for sponsoring, fulfilling, administering, advertising, or 
promoting the Contest, including their respective parents, 
subsidiaries, and affiliated companies, if any, and all of their 
respective past and present officers, directors, employees, agents and 
representatives (hereafter the ``Released Parties'') from and against 
any and all claims, expenses, and liabilities (including reasonable 
attorneys' fees and costs of Submission preparation) arising out of or 
relating to a Contestant's entry, creation of Submission or entry of a 
Submission, participation in the Contest, acceptance or use or misuse 
of the Prize, and the disclosure, broadcast, transmission, performance, 
exploitation, or use of Submission as authorized or licensed by these 
official rules. Released claims include all claims whatsoever 
including, but not limited to (except in cases of willful misconduct): 
Injury, death, damage, or loss of property, revenue or profits, whether 
direct, indirect, or consequential, arising from the Contestant's 
participation in a competition, whether the claim of injury, death, 
damage, or loss arises through negligence, mistake, or otherwise. This 
release does not apply to claims against the Sponsor arising out

[[Page 846]]

of the unauthorized use or disclosure by the Sponsor of intellectual 
property, trade secrets, or confidential business information of the 
Contestant.
    C. Without limiting the foregoing, each Contestant (including, in 
the case of a team, all participating members) agrees to release all 
Released Parties of all liability in connection with:
    (i) any incorrect or inaccurate information, whether caused by the 
Sponsor's or a Contestant's electronic or printing error or by any of 
the equipment or programming associated with or utilized in the 
Contest;
    (ii) technical failures of any kind, including, but not limited to, 
malfunctions, interruptions, or disconnections in phone lines, Internet 
connectivity, or electronic transmission errors, or network hardware or 
software or failure of the Contest Web site, or any other platform or 
tool that Contestants or Contest Judges choose to use;
    (iii) unauthorized human intervention in any part of the entry 
process or the Contest;
    (iv) technical or human error that may occur in the administration 
of the Contest or the processing of Submissions; or
    (v) any injury or damage to persons or property that may be caused, 
directly or indirectly, in whole or in part, from the Contestant's 
participation in the Contest or receipt or use or misuse of any Prize. 
If for any reason any Contestant's Submission is confirmed to have been 
erroneously deleted, lost, or otherwise destroyed or corrupted, the 
Contestant's sole remedy is to request the opportunity to resubmit its 
Submission. The request will be addressed at the sole discretion of the 
Sponsor if the contest submission period is still open.
    D. Based on the subject matter of the Contest, the type of work 
that it possibly will require, and the low probability that any claims 
for death, bodily injury, or property damage, or loss could result from 
Contest participation, the Sponsor determines that Contestants are not 
required to obtain liability insurance or demonstrate fiscal 
responsibility in order to participate in this Contest.

11. Publicity

    Participation in the Contest constitutes consent to the use by the 
Sponsor, their agents' and any other third parties acting on their 
behalf, of the Contestant's name (and, as applicable, those of all 
other members of the team that participated in the Submission), 
Submission video, and Submission abstract for promotional purposes in 
any media, worldwide, without further payment or consideration. 
Furthermore, a Contestant's likeness, photograph, voice, opinions, 
comments, and hometown and state of residence (and, as applicable, 
those of all other members of the team that participated in the 
Submission) may be used for the Sponsor's promotional purposes if the 
Contestant provides consent. In addition, the Sponsor reserves the 
right to make any disclosure required by law.

12. General Conditions

    A. Each Contestant agrees that the Sponsor is vested with the sole 
authority to interpret and apply these rules.
    B. Sponsor reserves the right, in its sole discretion, to cancel, 
suspend, or modify the Contest, or any part of it, with or without 
notice to the Contestants, if any fraud, technical failure, or any 
other unanticipated factor or factors beyond Sponsor's control impairs 
the integrity or proper functioning of the Contest, or for any other 
reason. The Sponsor reserves the right at its sole discretion to 
disqualify any individual or Contestant that the Sponsor finds to be 
tampering with the entry process or the operation of the Contest, or to 
be acting in violation of these official rules or in a manner that is 
inappropriate, not in the best interests of this Contest, or in 
violation of any applicable law or regulation.
    C. Any attempt by any person to undermine the proper functioning of 
the Contest may be a violation of criminal and civil law, and, should 
such an attempt be made, the Sponsor reserves the right to take proper 
legal action, including, without limiting, referral to law enforcement, 
for any illegal or unlawful activities.
    D. The Sponsor's failure to enforce any term of these official 
rules shall not constitute a waiver of that term. The Sponsor is not 
responsible for incomplete, late, misdirected, damaged, lost, 
illegible, or incomprehensible Submissions or for address or email 
address changes of the Contestants. Proof of sending or submitting is 
not proof of receipt by Sponsor.
    E. In the event of any discrepancy or inconsistency between the 
terms and conditions of the official rules and disclosures or other 
statements contained in any Contest materials, including but not 
limited to the Contest Web site or point of sale, television, print or 
online advertising, the terms and conditions of the official rules 
shall prevail.
    F. The Sponsor reserves the right to amend the terms and conditions 
of the official rules at any time, including the rights or obligations 
of the Contestants and the Sponsor. The Sponsor will post the terms and 
conditions of the amended official rules on the Contest Web site 
(``Corrective Notice''). As permitted by law, any amendment will become 
effective at the time the Sponsor posts the amended official rules.
    G. Excluding Submissions, all intellectual property related to this 
Contest, including but not limited to trademarks, trade-names, logos, 
designs, promotional materials, Web pages, source codes, drawings, 
illustrations, slogans, and representations are owned or used under 
license by the Sponsor. All rights are reserved. Unauthorized copying 
or use of any copyrighted material or intellectual property without the 
express written consent of the relevant owner(s) is strictly 
prohibited.
    H. Should any provision of these official rules be or become 
illegal or unenforceable under applicable Federal law, such illegality 
or unenforceability shall leave the remainder of these official rules 
unaffected and valid. The illegal or unenforceable provision may be 
replaced by the Sponsor with a valid and enforceable provision that, in 
the Sponsor's sole judgment, comes closest to and best reflects the 
Sponsor's intention in a legal and enforceable manner with respect to 
the invalid or unenforceable provision.

13. Disputes

    Subject to the release provisions in these official rules, 
Contestant agrees that:
    A. any and all disputes, claims, and causes of action arising out 
of or connected with this Contest, any Prizes awarded, the 
administration of the Contest, the determination of winners, or the 
construction, validity, interpretation, and enforceability of the 
official rules shall be resolved individually;
    B. any and all disputes, claims, and causes of action arising out 
of or connected with this Contest, any Prizes awarded, the 
administration of the Contest, the determination of winners, or the 
construction, validity, interpretation, and enforceability of the 
official rules shall be resolved pursuant to Federal law;
    C. under no circumstances will Contestants be entitled to, and 
Contestants hereby waive, all rights to claim, any punitive, 
incidental, and consequential damages and any and all rights to have 
damages multiplied or otherwise increased.

14. Privacy

    The Sponsor may collect personal information from the Contestant 
when he or she enters the Contest. Such personal information is subject 
to the

[[Page 847]]

privacy policy located here: https://www.ftc.gov/site-information/privacy-policy.

15. Contact Us

    Please visit the Contest Web site for further Contest information 
and updates.

Jessica Rich,
Director, Bureau of Consumer Protection.
[FR Doc. 2016-31731 Filed 1-3-17; 8:45 am]
BILLING CODE 6750-01-P