IoT Home Inspector Challenge

Federal Register, Volume 82 Issue 2 (Wednesday, January 4, 2017)

Federal Register Volume 82, Number 2 (Wednesday, January 4, 2017)

Notices

Pages 840-847

From the Federal Register Online via the Government Publishing Office www.gpo.gov

FR Doc No: 2016-31731

=======================================================================

-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

IoT Home Inspector Challenge

AGENCY: Federal Trade Commission.

ACTION: Notice; public challenge.

-----------------------------------------------------------------------

SUMMARY: The Federal Trade Commission (``FTC'') announces a prize competition that challenges the public to create a technical solution (``tool'') that consumers can deploy to guard against security vulnerabilities in software on the Internet of Things (``IoT'') devices in their homes. The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. Contestants have the option of adding features, such as those that would address hard-coded, factory default or easy-to-guess passwords. The prize for the competition is up to $25,000, with $3,000 available for each honorable mention winner(s). Winners will be announced on or about July 27, 2017.

DATES: The deadline for registering and submitting entries is May 22, 2017 at 12:00 p.m. EDT. Further instructions and requirements regarding the registration and submission process will be provided on the Contest Web site (ftc.gov/iothomeinspector).

FOR FURTHER INFORMATION CONTACT: Ruth Yodaiken, 202-326-2127, Division of Privacy and Identity Protection, Bureau of Consumer Protection, FTC; 600 Pennsylvania Ave. NW., Mailstop CC-8232, Washington, DC 20580.

SUPPLEMENTARY INFORMATION: The FTC IoT Home Inspector Challenge (the ``Contest'') encourages the public to create a tool that consumers can deploy to guard against security vulnerabilities in software on the IoT devices in their homes. The tool would, at a minimum, help protect consumers from security vulnerabilities caused by out-of-date software. The competition's purpose is to stimulate innovation and progress in protecting and empowering consumers against security risks associated with IoT devices in the home.

  1. Background

    Every day, American consumers use Internet-connected devices \1\ to make their homes ``smarter.'' Consumers can remotely program their smart home devices to turn on their lights, start the oven, and turn on soft music so they return to a comfortable environment when they get home from work. Smart video monitors enable consumers to remotely view their homes, pets, or children. Smart fire and burglar alarms address safety issues through sensors and alerts. And smart thermostats can automatically adjust temperature settings depending on the time of day and presence of people in the house. To tie all these devices together, smart home platforms are also beginning to proliferate across the marketplace.

    ---------------------------------------------------------------------------

    \1\ As used herein, ``Internet-connected,'' ``IoT,'' or ``smart'' devices are devices other than desktop or laptop computers or smartphones.

    ---------------------------------------------------------------------------

    While these smart devices enable enormous convenience and safety benefits, they can also create security risks. For example, press reports from October 2016 demonstrated how smart devices could be used in ``botnets'' to disrupt the Internet.\2\ This incident demonstrated that lax IoT device security can threaten not just device owners, but the entire Internet. In another incident, a group of hackers allegedly gained unauthorized access to routers manufactured by the tech company ASUS and left a text file warning stating, ``Your Asus router (and your documents) can be accessed by anyone in the world with an internet connection.'' \3\ The FTC announced a

    Page 841

    settlement with ASUS last year, alleging that the company did not maintain reasonable security, resulting in threats to personal information. Further, there have been numerous reported incidents where the live feeds from consumers' smart cameras have been available on the Internet. One company whose cameras were allegedly vulnerable in this manner, TRENDnet, was the subject of an earlier Commission law enforcement action.\4\

    ---------------------------------------------------------------------------

    \2\ See, e.g., ``Americans uneasy with IoT devices like those used in Dyn DDoS attack, survey finds,'' Tech Crunch, Darrell Etherington (October 24, 2016) (stating that a ``coordinated botnet attack effectively choked internet access to a large number of popular sites'' and was attributed ``in large part due to the spread of connected Internet of Things (IoT) devices''), available at http://techcrunch.com/2016/10/24/americans-uneasy-with-iot-devices-like-those-used-in-dyn-ddos-attack-survey-finds/.

    \3\ ``ASUS Settles FTC Charges That Insecure Home Routers and ``Cloud'' Services Put Consumers' Privacy At Risk,'' FTC press release (February 23, 2016), available at http://www.ftc.gov/news-events/press-releases/2016/02/asus-settles-ftc-charges-insecure-home-routers-cloud-services-put.

    \4\ ``FTC Approves Final Order Settling Charges Against TRENDnet, Inc.,'' FTC press release (February 7, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/02/ftc-approves-final-order-settling-charges-against-trendnet-inc.

    ---------------------------------------------------------------------------

    Consumers themselves are uneasy about the security risks of IoT devices. One recent survey found that more than 40% of respondents are ``not confident at all'' that IoT devices are safe, secure, and able to protect personal information.'' Fifty percent of consumers surveyed said that ``concerns about the cybersecurity of an IoT device have discouraged them from purchasing one.'' \5\

    ---------------------------------------------------------------------------

    \5\ See, e.g., ``New ESET/NCSA Survey Explores the Internet of (Stranger) Things,'' ESET/National Cyber Security Alliance study, available at http://www.eset.com/us/resources/detail/survey-internet-of-stranger-things/ and http://cdn3.esetstatic.com/eset/US/resources/press/ESET_ConnectedLives-DataSummary.pdf.

    ---------------------------------------------------------------------------

    The Commission staff has previously recommended that IoT device manufacturers take appropriate steps to address the security of their devices. It has recommended that, among other things, companies in the IoT space: (1) Build security into their devices at the outset; (2) train employees on good security practices; (3) ensure downstream privacy and data protections through vendor contracts and oversight; (4) apply defense-in-depth strategies that offer protections at multiple levels and interfaces; and (5) put in place reasonable access controls.\6\ The FTC's Careful Connections and Start with Security publications offer more detailed guidance.\7\

    ---------------------------------------------------------------------------

    \6\ ``Internet of Things: Privacy and Security in a Connected World,'' FTC Staff Report (January 2015), available at http://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf.

    \7\ Start with Security: A Guide for Businesses,'' (``Start with Security''), available at http://www.ftc.gov/tips-advice/business-center/guidance/start-security-guide-business; ``Careful Connections: Building Security in the Internet of Things,'' available at http://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-building-security-internet-things.

    ---------------------------------------------------------------------------

    One important component of IoT security is updating and providing security patches. If products do not have the latest security updates, they can be vulnerable to outside threats. Today, although some devices are updated automatically, many devices require consumers to take steps in order to install the update or make necessary adjustments.\8\ To be able to take these steps, consumers must have a certain level of technical expertise. In particular, consumers must know how to check for security updates and install them. The problem of how to simplify this task is compounded by the thriving market in this area: There are many different types of software (even within a single device), ways to configure devices, and approaches to updating.\9\ As devices within the home multiply, the task of updating devices could become increasingly daunting.

    ---------------------------------------------------------------------------

    \8\ ``They Keep Coming Back Like Zombies': Improving Software Updating Interfaces,'' Arunesh Mathur, Josefine Engel, Sonam Sobti, Victoria Chang, and Marshini Chetty, Univ. of Maryland, College Park, available at http://www.usenix.org/system/files/conference/soups2016/soups2016-paper-mathur.pdf.

    \9\ More details about these technical issues can be found in material related to the National Telecommunications & Information Administration's Multistakeholder Process for IoT Security and Upgradeability and Patching, available at http://www.ntia.doc.gov/other-publication/2016/multistakeholder-process-iot-security.

    ---------------------------------------------------------------------------

  2. The Competition

    With this Contest, the FTC seeks to encourage the development of a technical tool to assist consumers with ensuring that IoT devices in the home are running up-to-date software. Such a tool might be a physical device that the consumer adds to his or her home network that checks and installs updates for other IoT devices on that home network. It might be an app or cloud-based service that allows consumers to submit IoT device model numbers, and, based on that input, provides information on how the consumer can install updates. A dashboard or other user interface might inform the consumer about which devices were up-to-date already, those that had unpatched software vulnerabilities, and even those that the manufacturer no longer supported.

    The Contest is subject to all applicable laws and regulations. Registering to enter the Contest constitutes Contestant's full agreement to these official rules and to decisions of the Sponsor (as defined below), which are final and binding in all matters related to the Contest. Winning a Prize is contingent upon fulfilling all requirements set forth in the official rules.

    1. Sponsor Organization

  3. Sponsor: Federal Trade Commission, 600 Pennsylvania Avenue NW., Washington, DC 20580.

    1. Eligibility

  4. To participate in the Contest:

    (i) Contestants may compete as individuals or as teams of individuals, if they meet all eligibility requirements set forth in Sections 2.A-D. To be eligible to win a Prize, Contestants must meet the additional prize eligibility requirements set forth in Section 9.

    (ii) Contestants must comply with all terms and conditions of the official rules.

    (iii) Contestants must own or have access at their own expense to a computer, an Internet connection, and any other electronic devices, documentation, software, or other items that Contestants may deem necessary to create and enter a Submission (as defined in Section 4 below).

    (iv) Each team must appoint one individual (the ``Representative'') to represent and act on behalf of said team, including by entering a Submission (as outlined below). The Representative must be duly authorized to submit on behalf of the team, and must represent and warrant that he or she is duly authorized to act on behalf of the team.

    (v) An individual may enter the Contest only once, either on an individual basis or as a member of one team.

    (vi) No individual or team may enter the Contest on behalf of a corporation or other non-individual legal entity.

  5. Those ineligible to participate:

    The following individuals (including any individuals participating as part of a team) are not eligible regardless of whether they meet the criteria set forth above:

    (i) any individual under the age of 18 at the time of submission;

    (ii) any individual who employs any of the Contest Judges as an employee or agent;

    (iii) any individual who owns or controls an entity for whom a Contest Judge is an employee, officer, director, or agent;

    (iv) any individual who has a material business or financial relationship with any Contest Judge;

    (v) any individual who is a member of any Contest Judge's immediate family or household;

    (vi) any employee, representative or agent of the Sponsor and all members of the immediate family or household of any such employee, representative, or agent;

    (vii) any Federal employee acting within the scope of his or her

    Page 842

    employment, or as may otherwise be prohibited by Federal law (employees should consult their agency ethics officials);

    (viii) any individual or team that used Federal facilities or consulted with Federal employees to develop a Submission, unless the facilities and employees were made available to all Contestants participating in the Contest on an equitable basis; and

    (ix) any individual or team that used Federal funds to develop a Submission, unless such use is consistent with the grant award, or other applicable Federal funds awarding document. If a grantee using Federal funds enters and wins this Contest, the prize monies shall be treated as program income for purposes of the original grant in accordance with applicable Office of Management and Budget Circulars. Federal contractors may not use Federal funds from a contract to develop a Submission for this Challenge.

    The Sponsor will, in its sole discretion, disqualify any individual or team that meets any of the criteria set forth in Section 2.B.

  6. For purposes hereof:

    (i) the members of an individual's immediate family include such individual's spouse, children and step-children, parents and step-

    parents, and siblings and step-siblings; and

    (ii) the members of an individual's household include any other person who shares the same residence as such individual for at least three (3) months out of the year.

  7. Pursuant to the America Creating Opportunities to Meaningfully Promote Excellence in Technology, Education, and Science Reauthorization Act of 2010, 15 U.S.C. 3719, Contest Prizes (as defined in Section 8 below) may be awarded only to individuals and teams of individuals who are citizens or permanent residents of the United States, subject to verification by the Sponsor before Prizes are awarded (see Section 9 below).

    1. Registration Requirement for All Contestants

  8. Contestants must register no later than 12:00 p.m. EDT May 22, 2017 (``Contest Deadline''), to participate in the Contest.

  9. To enter, every Contestant, including each member of a team, must register by submitting a form, available on the Contest Web site (``Registration Form''), to verify that he or she has read and agreed to abide by the official rules and meets the eligibility requirements. Additional information and requirements about the registration process will be provided on the Contest Web site.

  10. After a Contestant registers, the Sponsor will send a confirmation message to the email address provided by the Contestant. The Contestant should use the confirmation message to verify the email address that he or she provided in order to receive important Contest updates.

  11. In the event of a dispute pertaining to this Contest, the authorized account holder of the email address listed at registration will be deemed to be the Contestant. The ``authorized account holder'' is the natural person assigned an email address by an Internet access provider, online service provider, or other organization responsible for assigning email addresses for the domain associated with the submitted address. Contestants may be required to provide more information as evidence that they are the authorized account holder.

    1. Submission

  12. Parts of the Submission:

    The Submission must contain three components that should describe the technical tool the Contestant has developed to assist consumers with security.

    (i) A title and a brief text description (``abstract'') of how the tool functions, which will be made public and should be easy for the public to understand. It must not be more than one page, with font size of no less than 11 points and margins of no less than one inch.

    (ii) A link to the Contestant's video that is publicly available on Youtube.com or Vimeo.com demonstrating how the tool works. It must not be more than five (5) minutes long.

    (iii) A detailed written description of the tool that enables Judges to evaluate how well it works, how user-friendly it is, and how scalable it is (``Detailed Explanation''), including how the tool will avoid or mitigate any additional security risks that it itself might introduce into the consumer's home. It must not be more than 15 pages, with font size of not less than 11 points and margins of no less than one inch.

    See Section 7 (Submission Requirements) for further details.

    The Submission itself shall not contain information revealing the Contestant's identity, such as a name, address, employment information, or other identifying details, except that Contestants may include their own voice or image in the video. Additional information and requirements about the Submission process will be provided on the Contest Web site.

  13. Submission Deadlines:

    Contestants must enter their Submissions by the Contest Deadline, 12:00 p.m. EDT May 22, 2017. Any Submissions entered following the Contest Deadline, as determined solely by the Sponsor, shall be disqualified. The judging period will commence after the Contest Deadline.

  14. Terms for Submissions:

    (i) All parts of the Submission must be submitted together in a single email by the Contest Deadline.

    (ii) Contestants must use the email address provided on their Registration Form (or in the case of a team, the email address on the team Representative's Registration Form).

    (iii) No part of a Submission, including any records, platforms, technologies, or licenses required to evaluate the Submission, may require the Sponsor or Contest Judges to spend money or otherwise obtain anything of value; or to execute or enter into any binding agreement not otherwise provided for under these Rules.

    (iv) Submissions from a team must be indicated as such when entering a Submission.

    (v) Submissions must be in English, except that textual or video material in a language other than English will be accepted if accompanied by an English translation of the text or video--within the existing page limits for the Submission.

    (vi) Any solution that was publicly available prior to January 4, 2017, is not eligible for entry in the Contest, unless the tool submitted incorporates significant new functionality, features, or changes. Contestants must identify any portion of the tool that was publicly available and--within the existing page limits for the Submission--include a narrative description of the new functionality, features, or changes with any such Submission.

    (vii) Submissions must not:

    1. violate applicable law;

    2. depict hatred;

    3. be in bad taste;

    4. denigrate (or be derogatory toward) any person or group of persons or any race, ethnic group, or culture;

    5. threaten a specific community in society, including any specific race, ethnic group, or culture;

    6. incite violence or be likely to incite violence;

    7. contain vulgar or obscene language or excessive violence;

    8. contain pornography, obscenity, or sexual activity; or

    9. disparage the Sponsor.

      (viii) Submissions must be free of malware and other security threats. Contestant agrees that the Sponsor may

      Page 843

      conduct testing on each Submission to determine whether malware or other security threats may be present.

      (ix) Any Submission that fails to comply with these requirements, as determined by the Sponsor in its sole discretion, may be disqualified.

      (x) Once a Submission has been submitted, Contestant may not access or make any changes or alterations to the Submission.

      (xi) A Contestant may submit only one Submission, as either an individual or a member of a team.

      (xii) By entering a Submission, Contestant represents, warrants, and agrees that the Submission is the original work of the Contestant and complies with the official rules. Contestant further represents, warrants, and agrees that any use of the Submission by the Sponsor and Contest Judges (or any of their respective partners, subsidiaries, and affiliates) as authorized by these official rules, does not:

    10. infringe upon, misappropriate or otherwise violate any intellectual property right or proprietary right including, without limitation, any statutory or common law trademark, copyright or patent, nor any privacy rights, nor any other rights of any person or entity;

    11. constitute or result in any misappropriation or other violation of any person's publicity rights or right of privacy.

      1. Submission Rights

  15. Subject to the licenses described below, any applicable intellectual property rights to a Submission will remain with the Contestant.

  16. By entering a Submission to this Contest, Contestant grants to the Sponsor a non-exclusive, irrevocable, royalty-free and worldwide license to use the Submission, any information and content submitted by the Contestant, and any portion thereof, and to display the tool title, text description and the video through the Contest Web site, during the Contest and after its conclusion. The Contestant agrees that the foregoing constitutes solely a condition of the Contestant's participation in the Contest, and that the Contest is not a request for or acquisition of any property or services or any other matter subject to federal procurement requirements.

    1. Winner Selection and Judging

  17. All Submissions will be judged by an expert panel of judges (the ``Contest Judges'' or ``Judges'') selected by the Sponsor at the Sponsor's sole discretion. The Sponsor reserves the right to substitute or modify the judging panel, or extend or modify the Judging Period, at any time for any reason.

  18. All Contest Judges shall be required to remain fair and impartial. Any Contest Judge may recuse him or herself from judging a Submission if the Contest Judge or the Sponsor considers it inappropriate, for any reason, for the Contest Judge to evaluate a specific Submission or group of Submissions.

  19. A Contestant's likelihood of winning will depend on the number and quality of all of the Submissions, as determined by the Contest Judges using the criteria in these official rules.

  20. The Submissions will be judged in two phases: the ``Initial Phase'' and the ``Final Phase.'' For the Initial Phase, Judges will only assess the Contestants' videos and abstracts, without the Detailed Explanation. Only those Contestants judged to be within the top 20 scores for the Initial Phase are eligible to compete in the Final Phase (``Finalists''), where the Detailed Explanations will be judged.

  21. Judges will use the criteria outlined in Section 7, below.

  22. The Sponsor reserves the right to review the Contest Judges' decision and to withhold any Prize if the Sponsor determines, in its sole discretion, that no Submission appropriately or adequately fulfills the stated goals and purposes of the Contest or there is any other procedural, legal, or other reason that the Prize should not be awarded.

  23. The Sponsor reserves the right to change the announcement dates with or without prior notice for any reason. Prizes, however, will not be awarded, and winners will not be named, until the Sponsor verifies eligibility for receipt of each Prize in accordance with Section 9 below. The Sponsor will announce verified winners on or about July 27, 2017, and the results will be made available at the Contest Web site.

    1. Submission Content Requirements

    The Submission must meet other requirements as described in this document, including Sections 4 and 6, stating that Submissions must not include any unauthorized proprietary or copyrighted material (including copyrighted music without permission).

  24. Threshold Solution Criteria.

    Contestants will develop a tool that would, at a minimum, help protect consumers from security vulnerabilities caused by out of date software on IoT devices in their homes. Submissions must provide a technical solution, rather than a policy or legal solution. The tool must work on home IoT devices that currently exist on the market. The tool must protect information it collects both in transit and at rest. The Submission must address how the tool will avoid or mitigate any additional security risks that the tool itself might introduce into the consumer's home by, for example, probing the home network or facilitating software upgrades. Submissions that do not address the tool's security and the other items described in this paragraph as Threshold Solution Criteria will not be considered for the Prize.

  25. Phase-Specific Requirements

    (i) Initial Phase: Abstract and Video

    1. The Abstract. The abstract should include a title for the Submission and a brief explanation of how the tool functions.

    2. The Video. Although the solution requires a tool that should work with multiple IoT devices, the video need only demonstrate how the tool would be used with one (1) IoT device that is likely to be found in consumers' homes. The video must address the Judging Criteria below and: (i) State what the tool is specifically designed to do; (ii) describe the set-up for the demonstration and any assumptions the Contestant has made about the capabilities and limitations of the device(s) for the demonstration; and (iii) explain what impact the tool would have on software of IoT devices beyond what is demonstrated in the video.

    (ii) Final Phase: Detailed Explanation, Abstract and Video

    In the Final Phase, in addition to looking at the abstract and video, the Judges will review the Detailed Explanation. The Detailed Explanation must provide sufficient material so that the Judges can evaluate the tool properly for how well it works, how user-friendly it is, and how scalable it is. The Detailed Explanation may include a detailed description; pseudocode; a description of algorithms and/or formulas; or material (such as diagrams) to show how the tool would function. It should include a description of testing methodology and results of any tests of the tool's effectiveness. It should also discuss a strategy for development and deployment.

  26. The Submission will be assessed using the following Judging Criteria:

    (i) How well does it work? (60 points out of 100 total score)

    1. How well does your Submission address each of these four (4) components?

      (1) Recognizing what IoT devices are operating in the consumer's home. A tool may automatically recognize devices or provide instructions for consumer input.

      (2) Determining what software version is already on those IoT devices. A tool

      Page 844

      may automatically recognize the software version or provide instructions for consumer input.

      (3) Determining the latest versions of the software that should be on those devices. The Submission must lay out a feasible plan for finding sources of information about what version should be on the device and explain the technical means by which that information would be procured. If the Submission relies upon databases that do not currently exist, the plan for developing those sources must be realistic and feasible.

      (4) Assisting in facilitating updates, to the extent possible. Contestants might rely upon the consumer to take steps or contact the device manufacturer to facilitate the update. If the tool conveys information to a third party, such as a device manufacturer, the tool must also allow for consumer control of the flow of that information.

    2. WILDCARD: If your Submission does not address the four components above, but offers a technical solution to address vulnerabilities caused by unpatched or out-of-date software of IoT devices in the home, the Contestant may demonstrate how that tool would work and argue for the superiority of the tool based on its level of innovation and impact on IoT security in the home. Any such WILDCARD option would also need to meet the criteria set forth in sections 7(ii)-(iii) (user friendliness and scalability requirements).

    3. Whether the Submission includes the four components identified above or is a WILDCARD option, Judges will award more points to Submissions based on the extent to which they identify potential challenges with implementing the tool and describe how the Contestant plans to address those challenges. Judges will also award more points for tools that address both situations where a manufacturer has failed to provide support for the software on a device as well as where the manufacturer does provide support.

      (ii) How user-friendly is your tool? (20 points out of 100 total score)

    4. How easy is your tool for the average consumer, without technical expertise, to set up and use? In assessing how easy the tool would be to use, the Judges will take into consideration whether functions are performed automatically, without action by the consumer.

    5. In analyzing the user-friendliness of the tool, the Judges will also take into consideration how well the tool does the following:

      (1) Displays or conveys \10\ information about which devices it has assessed.

      ---------------------------------------------------------------------------

      \10\ The consumer must have a way of knowing what is being assessed, so they do not have a false sense of assurance about a device that was not even evaluated by the tool. This process might also expose unauthorized devices.

      ---------------------------------------------------------------------------

      (2) Accurately communicates the risk mitigation provided by the tool (e.g., it should not give the impression that it solves all security problems).

      (3) Allows consumers to control any information being sent to a third party, to the extent that any such information is being sent. This includes making short, but accurate, disclosures about the information flow.

    6. Judges will award more points to Submissions that show the content of any consumer interface and decision points, as well as the methodology and results of user tests (e.g. surveys, focus groups, online user studies) demonstrating that the average consumer would be likely to understand such interface and information it conveys.\11\

      ---------------------------------------------------------------------------

      \11\ For more information on communicating with consumers, see, e.g., Putting Disclosures to the Test (Sept. 15, 2016), available at http://www.ftc.gov/testingdisclosures.

      ---------------------------------------------------------------------------

      (iii) How scalable is your tool? (20 points out of 100 total score)

    7. The Submission must explain how the tool could be used for products other than those addressed specifically in the Submission.

    8. Judges will award more points to Submissions that also explain how the tool would stay up-to-date. Judges will award more points to Submissions demonstrating tools that work on multiple types of devices (e.g., cameras, thermostats, refrigerators), devices from different manufacturers, devices using different protocols (e.g., WiFi, Bluetooth), and both newly released devices and legacy versions.

      (iv) Optional items (up to 10 bonus points)

    9. The Submission may also address other ways to help consumers guard against broader security vulnerabilities in IoT device software in their homes. For example, a tool might:

      (1) Find and facilitate changes to mitigate vulnerabilities in the existing configurations of devices in the home (e.g., determine whether particular IoT devices in the home have hard-coded, factory default or easy-to-guess passwords, and provide specific instructions for consumers to address the issue).

      (2) Provide purchasers of IoT devices an easy way to know whether their new devices include elements already known to be easily compromised before they make a purchase.

      (3) Address the problem of software or firmware updates that have been offered by a developer but not yet incorporated by a device manufacturer.

      (4) Differentiate between security updates and other updates.

      (5) Convey information about levels of urgency of installing patches based on the criticality of a vulnerability;

      (6) Tailor information to specific user groups (e.g., by providing technically sophisticated consumers access to additional information about the nature of the security issues addressed in the update);

      (7) Convey information about product recalls made for other reasons;

      (8) Convey other available information about the security of devices, such as benchmark security scores; \12\ or

      ---------------------------------------------------------------------------

      \12\ For example, a tool could use security scoring mechanisms developed by such entities as the Cyber Independent Testing Lab (CITL) (http://cyber-itl.org/blog/).

      ---------------------------------------------------------------------------

      (9) Convey information about the type of data collected by the device, how it is used and shared, and any associated privacy policies.

  27. In order to be considered for a Prize, Submissions must receive a score greater than zero in each required category (how well it works, how user-friendly it is, and how scalable it is). If the Contest Judges determine that no Submission satisfies each required category, no one will be deemed eligible for any Prize. In addition, Judges have the discretion to award up to 10 bonus points for optional features.

  28. The Contestant whose Submission earns the highest overall score in the Final Phase will be named the Top Prize Winner identified below in Section 8, if the Contestant satisfies the verification requirements described in Section 9. If the Contestant does not satisfy the verification requirements, the Top Prize may be awarded to the next highest scorer who satisfies the verification requirements, at the Sponsor's discretion.

  29. Up to three (3) Contestants in the Final Phase who meet the Section 9 verification requirements may be awarded the Honorable Mention Prizes--described below in Section 8--at the Sponsor's discretion. The Sponsor has discretion to award Honorable Mention Prizes to Contestants who (1) have the next highest scores in the Final Phase, or (2) have the highest score in any one category because of a significant innovation. If the Contestant does not satisfy the verification requirements, the Honorable Mention Prize may be awarded to the next highest scorer who satisfies the verification requirements, at the Sponsor's discretion.

    Page 845

  30. In the event of a tie between or among two or more Submissions where the Contestants meet the verification requirements, the relevant Prize identified below in Section 8 will be divided equally between the tied Contestants.

    1. Prizes

    ------------------------------------------------------------------------

    Winner Prize amount Quantity

    ------------------------------------------------------------------------

    Top Prize...................... Up to US $25,000.. Up to 1.

    Honorable Mention(s)........... US $3,000......... Up to 3.

    ------------------------------------------------------------------------

  31. If no eligible Submissions are entered in the Contest, no Prizes will be awarded. (See also Section 6.F. above.) The Sponsor retains the right to make a Prize substitution (including a non-monetary award) in the event that funding for the Prize or any portion thereof becomes unavailable. No transfer or substitution of a Prize is permitted except at the Sponsor's sole discretion. In the case of a team Prize, it will be the responsibility of the winning team's Representative to inform the Sponsor how to allocate the Prize amongst the team, as the Representative deems it appropriate.

  32. Each Contestant hereby acknowledges and agrees that the relationship between the Contestant and the Sponsor is not a confidential, fiduciary, or other special relationship, and that the Contestant's decision to provide the Contestant's Submission to Sponsor for the purposes of this Contest does not place the Sponsor and its respective agents in a position that is any different from the position held by the members of the general public, except as specifically provided in these official rules.

  33. Winners (including any winning team members) are responsible for reporting and paying all applicable federal, state, and local taxes. It is the sole responsibility of winners of $600 or more to provide information to the Sponsor in order to facilitate receipt of the award, including completing and submitting any tax forms when necessary. It is also the sole responsibility of winners to satisfy any applicable reporting requirements. The Sponsor reserves the right to withhold a portion of the Prize amount to comply with tax laws.

  34. All payments shall be made by electronic funds transfer or other means determined by the Sponsor.

    1. Verification of Eligibility for Receipt of a Prize

  35. All prize awards are subject to Sponsor verification of the winner's identity, eligibility, and participation in the creation of the tool. The Sponsor's decisions are final and binding in all matters related to the Contest. In order to receive a Prize, a Contestant will be required to complete, sign and return to the Sponsor affidavit(s) of eligibility and liability release, or a similar verification document (``Verification Form''). (In the case of a team, the Representative and all participating members must complete, sign and return to the Sponsor the Verification Form.) In addition, social security numbers must be collected from the winner (including any winning team members) pursuant to 31 U.S.C. 7701 in order to issue a payment.

  36. Contestants potentially qualifying for a Prize will be notified and sent the Verification Form using the email address submitted at registration, starting on or about July 20, 2017. The Sponsor reserves the right to change the time period to send the Verification Form without providing any prior notice. In the case of a team, the notification will only be sent to the Representative. If a notification is returned as undeliverable, the Contestant or team may be disqualified at the Sponsor's sole discretion.

  37. At the sole discretion of the Sponsor, a Contestant or team forfeits any Prize if:

    (i) The Contestant fails to provide the Verification Form within ten (10) business days of receipt of the email notification discussed above (or in the case of a team, any team member) fails to provide the Verification Form within ten business days of receipt of the email notification;

    (ii) the Contestant (or in the case of a team, any team member) does not timely communicate with the Sponsor to provide payment information and all other necessary information within ten business days of receiving a request for such information;

    (iii) such individual or team Representative is contacted and refuses the Prize;

    (iv) the Prize is returned as undeliverable; or

    (v) the Submission of the winner, the winner, or any member of a winner's team is disqualified for any reason.

  38. In the event of a disqualification, Sponsor, at its sole discretion, may award the applicable Prize to an alternate Contestant. The disqualification of one (or more) team members at any time for any reason may result in the disqualification of the entire team and of each participating member at the sole discretion of the Sponsor.

    1. Entry Conditions and Release

  39. By registering, each Contestant (including, in the case of a team, all participating members) agree(s):

    (i) To comply with and be bound by these official rules; and

    (ii) that the application of the judging criteria, evaluation of the Submissions, and final selection of the winners is a matter of discretion of the Contest Judges and Sponsor, and that their respective decisions are binding and final in all matters relating to this Contest.

  40. By registering, each Contestant (including, in the case of a team, all participating members) agree(s) to release, indemnify, and hold harmless the Sponsor, and any other individuals or organizations responsible for sponsoring, fulfilling, administering, advertising, or promoting the Contest, including their respective parents, subsidiaries, and affiliated companies, if any, and all of their respective past and present officers, directors, employees, agents and representatives (hereafter the ``Released Parties'') from and against any and all claims, expenses, and liabilities (including reasonable attorneys' fees and costs of Submission preparation) arising out of or relating to a Contestant's entry, creation of Submission or entry of a Submission, participation in the Contest, acceptance or use or misuse of the Prize, and the disclosure, broadcast, transmission, performance, exploitation, or use of Submission as authorized or licensed by these official rules. Released claims include all claims whatsoever including, but not limited to (except in cases of willful misconduct): Injury, death, damage, or loss of property, revenue or profits, whether direct, indirect, or consequential, arising from the Contestant's participation in a competition, whether the claim of injury, death, damage, or loss arises through negligence, mistake, or otherwise. This release does not apply to claims against the Sponsor arising out

    Page 846

    of the unauthorized use or disclosure by the Sponsor of intellectual property, trade secrets, or confidential business information of the Contestant.

  41. Without limiting the foregoing, each Contestant (including, in the case of a team, all participating members) agrees to release all Released Parties of all liability in connection with:

    (i) any incorrect or inaccurate information, whether caused by the Sponsor's or a Contestant's electronic or printing error or by any of the equipment or programming associated with or utilized in the Contest;

    (ii) technical failures of any kind, including, but not limited to, malfunctions, interruptions, or disconnections in phone lines, Internet connectivity, or electronic transmission errors, or network hardware or software or failure of the Contest Web site, or any other platform or tool that Contestants or Contest Judges choose to use;

    (iii) unauthorized human intervention in any part of the entry process or the Contest;

    (iv) technical or human error that may occur in the administration of the Contest or the processing of Submissions; or

    (v) any injury or damage to persons or property that may be caused, directly or indirectly, in whole or in part, from the Contestant's participation in the Contest or receipt or use or misuse of any Prize. If for any reason any Contestant's Submission is confirmed to have been erroneously deleted, lost, or otherwise destroyed or corrupted, the Contestant's sole remedy is to request the opportunity to resubmit its Submission. The request will be addressed at the sole discretion of the Sponsor if the contest submission period is still open.

  42. Based on the subject matter of the Contest, the type of work that it possibly will require, and the low probability that any claims for death, bodily injury, or property damage, or loss could result from Contest participation, the Sponsor determines that Contestants are not required to obtain liability insurance or demonstrate fiscal responsibility in order to participate in this Contest.

    1. Publicity

      Participation in the Contest constitutes consent to the use by the Sponsor, their agents' and any other third parties acting on their behalf, of the Contestant's name (and, as applicable, those of all other members of the team that participated in the Submission), Submission video, and Submission abstract for promotional purposes in any media, worldwide, without further payment or consideration. Furthermore, a Contestant's likeness, photograph, voice, opinions, comments, and hometown and state of residence (and, as applicable, those of all other members of the team that participated in the Submission) may be used for the Sponsor's promotional purposes if the Contestant provides consent. In addition, the Sponsor reserves the right to make any disclosure required by law.

    2. General Conditions

  43. Each Contestant agrees that the Sponsor is vested with the sole authority to interpret and apply these rules.

  44. Sponsor reserves the right, in its sole discretion, to cancel, suspend, or modify the Contest, or any part of it, with or without notice to the Contestants, if any fraud, technical failure, or any other unanticipated factor or factors beyond Sponsor's control impairs the integrity or proper functioning of the Contest, or for any other reason. The Sponsor reserves the right at its sole discretion to disqualify any individual or Contestant that the Sponsor finds to be tampering with the entry process or the operation of the Contest, or to be acting in violation of these official rules or in a manner that is inappropriate, not in the best interests of this Contest, or in violation of any applicable law or regulation.

  45. Any attempt by any person to undermine the proper functioning of the Contest may be a violation of criminal and civil law, and, should such an attempt be made, the Sponsor reserves the right to take proper legal action, including, without limiting, referral to law enforcement, for any illegal or unlawful activities.

  46. The Sponsor's failure to enforce any term of these official rules shall not constitute a waiver of that term. The Sponsor is not responsible for incomplete, late, misdirected, damaged, lost, illegible, or incomprehensible Submissions or for address or email address changes of the Contestants. Proof of sending or submitting is not proof of receipt by Sponsor.

  47. In the event of any discrepancy or inconsistency between the terms and conditions of the official rules and disclosures or other statements contained in any Contest materials, including but not limited to the Contest Web site or point of sale, television, print or online advertising, the terms and conditions of the official rules shall prevail.

  48. The Sponsor reserves the right to amend the terms and conditions of the official rules at any time, including the rights or obligations of the Contestants and the Sponsor. The Sponsor will post the terms and conditions of the amended official rules on the Contest Web site (``Corrective Notice''). As permitted by law, any amendment will become effective at the time the Sponsor posts the amended official rules.

  49. Excluding Submissions, all intellectual property related to this Contest, including but not limited to trademarks, trade-names, logos, designs, promotional materials, Web pages, source codes, drawings, illustrations, slogans, and representations are owned or used under license by the Sponsor. All rights are reserved. Unauthorized copying or use of any copyrighted material or intellectual property without the express written consent of the relevant owner(s) is strictly prohibited.

  50. Should any provision of these official rules be or become illegal or unenforceable under applicable Federal law, such illegality or unenforceability shall leave the remainder of these official rules unaffected and valid. The illegal or unenforceable provision may be replaced by the Sponsor with a valid and enforceable provision that, in the Sponsor's sole judgment, comes closest to and best reflects the Sponsor's intention in a legal and enforceable manner with respect to the invalid or unenforceable provision.

    1. Disputes

    Subject to the release provisions in these official rules, Contestant agrees that:

  51. any and all disputes, claims, and causes of action arising out of or connected with this Contest, any Prizes awarded, the administration of the Contest, the determination of winners, or the construction, validity, interpretation, and enforceability of the official rules shall be resolved individually;

  52. any and all disputes, claims, and causes of action arising out of or connected with this Contest, any Prizes awarded, the administration of the Contest, the determination of winners, or the construction, validity, interpretation, and enforceability of the official rules shall be resolved pursuant to Federal law;

  53. under no circumstances will Contestants be entitled to, and Contestants hereby waive, all rights to claim, any punitive, incidental, and consequential damages and any and all rights to have damages multiplied or otherwise increased.

    1. Privacy

      The Sponsor may collect personal information from the Contestant when he or she enters the Contest. Such personal information is subject to the

      Page 847

      privacy policy located here: http://www.ftc.gov/site-information/privacy-policy.

    2. Contact Us

      Please visit the Contest Web site for further Contest information and updates.

      Jessica Rich,

      Director, Bureau of Consumer Protection.

      FR Doc. 2016-31731 Filed 1-3-17; 8:45 am

      BILLING CODE 6750-01-P

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT