Tech Policy Lab Distinguished Lecture with General Kevin Chilton

The Tech Policy Lab was honored to host General Kevin Chilton for our spring 2016 Distinguished Lecture. General Chilton focused on Deterrence in the 21st century, describing deterrence theory and how it can be applied in the future and to cyberspace.

General Chilton served 34 1/2 years in the US Air Force in various flying and staff positions and retired in 2011 as the Commander of U.S. Strategic Command, responsible for the plans and operations of all U.S. forces conducting strategic deterrence and DoD space and cyberspace operations. Prior to his work in Strategic Command, General Chilton commanded Air Force Space Command. During part of his Air Force career he served with NASA, where he was a Command Astronaut Pilot and flew 3 Space Shuttle missions. General Chilton has a BS in engineering from the USAF Academy, a Master's in Mechanical Engineering from Columbia University and an honorary Doctor of Laws degree from Creighton University.

Computer Security and the Internet of Things – Faculty Co-Director Tadayoshi Kohno presents at USENIX Enigma 2016

Computers are now being integrated into everyday objects, from medical devices to children’s toys. This integration of technology brings many benefits. Without the appropriate checks and balances, however, these emerging technologies also have the potential to compromise our digital and physical security and privacy. Tech Policy Lab Faculty Co-Director Kohno’s talk explored case studies in the design and analysis of computer systems for several types of everyday objects, including wireless medical devices, children’s toys, and automobiles. He discussed the discovery of security risks with leading examples of these technologies, the challenges to securing these technologies and the ecosystem leading to their vulnerabilities, and new directions for security and privacy. This included efforts (in collaboration with UC San Diego) to compromise the computers in an automobile from a thousand miles away, and the implications and consequences of this and other works. He also outlined directions for mitigating computer security and privacy risks, including both technical directions and education.

Federal Trade Commission Start With Security Seattle


The FTC’s third “Start With Security” event took place on February 9, 2016, in Seattle, Washington, and was co-sponsored by the University of Washington Tech Policy Lab, the University of Washington School of Law Technology Law & Public Policy Clinic, and CoMotion at the University of Washington.

The one-day event continued the FTC’s work to provide companies with practical tips and strategies for implementing effective data security. The event brought together experts to provide insights on how startups and other small companies can secure the software and products they develop, and how important it is to do so. FTC Commissioner Julie Brill kicked things off with opening remarks. The day included panels on Building a Security Culture, Integrating Security into the Development Pipeline, the Business Case for Security, and Securing the Internet of Things.

Panel 1: Building a Security Culture

How can startups build a culture of security? This panel will explore how startups can jumpstart security in their organization, and why they should, including how to get organizational buy-in for security, train developers to code securely, use basic threat modeling to identify security threats, and more.

Panel 2: Integrating Security into the Development Pipeline

How can startups effectively integrate security testing and review into their development processes when they may be hiring new engineers at a rapid clip, experiencing exponential user growth, and shipping code frequently? This panel will discuss how security testing can be automated and adapted in startup environments.

Presentation – Avoiding Catastrophe: An Introduction to OWASP Proactive Controls

Ian Gorrie
Principal Consultant
Locked Networks
Chapter Leader
Open Web Application Security Project (OWASP), Seattle Chapter

Panel 3: The Business Case for Security

How can startups determine the importance of security to their bottom line? Building security in up front may help startups avoid significant costs: Venture capital investors may emphasize security in funding decisions; customers may demand contractual security requirements; potential acquirers may evaluate a startup’s security posture; and startups may incur fatal damage to reputation and monetary costs from a security incident. This panel will discuss the importance of security from the investor, customer, and potential acquirer standpoints.

Panel 4: Securing the Internet of Things

Connected devices present new security challenges and expanded attack surfaces. How can startups secure their IoT products and services in a rapidly developing ecosystem? This panel will address how IoT startups can identify and manage critical risks in their businesses and plan for the unique challenges they face.

Tech Policy Primer Videos

Primer Videos for Concepts in Tech & Law


What is a bot?

What is Product Liability?

What is a Robot?


What is Machine Learning?

What is an Algorithm?

What is Administrative Law?


Toys That Listen and the Internet of Things

Hello Barbie, Amazon Echo, and the home robot Jibo are part of a new wave of connected toys and gadgets for the home that listen. Unlike the smartphone, these devices are always on, blending into the background until needed by the adult or child user. We do not yet know all the information our new toys are collecting, storing, or disclosing. With an intended audience of designers and regulators, this project brings an interdisciplinary group of experts together to build a set of consumer protection best practices for design and user control of connected devices in the home. We are grateful to the Rose Foundation Consumer Privacy Rights Fund for funding this work.

Forthcoming in CHI 2017, our study, Toys That Listen: A Study of Parents, Children, and Internet-Connected Toys, explored people’s mental models of and experiences with these emerging technologies, to help inform the future designs of interactive, connected toys and gadgets.

Our goal is to preempt privacy problems before they occur. Consumer privacy protection laws have often been reactionary, drafted or amended after privacy was breached and individuals harmed. The Video Privacy Protection Act, for example, was the result of lessons on the dangers of the distribution of an individual’s video rental history. The recent Netflix settlement under the same Act shows that these issues are alive and well today. The Children’s Online Privacy Protection Act (COPPA) responds to fears adults have about children being online, and new internet-connected toys like Hello Barbie raise these fears. While legislation like California’s Online Privacy Protection Act has been found to extend from the initial web page privacy policy requirement to apps on devices, the delivery of privacy notices on toys such as Hello Barbie is more difficult to design. With household devices having the ability to collect increasingly detailed information about what we watch, listen to, talk about, or purchase from the comfort of home, now is the time to identify and implement best practices.