by csoghoian 3503 days ago
This seems very similar to (or perhaps even worse than) the fact pattern in the HTC/Carrier IQ case. https://www.ftc.gov/news-events/blogs/business-blog/2013/02/...

Did you provide the Federal Trade Commission with an advance copy of your report, or just DHS? If not, why not?

We did work with DHS and notify all the parties ahead of the press release. We also remember Carrier IQ! We have a comparison table here: http://www.kryptowire.com/adups_security_analysis.html

So you didn't tell the Federal Trade Commission, even though they previously investigated (and punished) HTC for doing something similar?

Curious, do security researchers typically liaise with the FTC when vulnerabilities are discovered? This and your parent comment seem to imply a 'yes', but this doesn't seem like an obvious connection (to me at least). I would expect the first point of contact at DHS to flag this for other agencies' attention if they felt it was necessary. Should DHS feel territorial about this and be reluctant to contact outside agencies, that's on them, not the researcher.

I wonder if many security researchers know to routinely shop their findings to multiple agencies independently. It doesn't seem like this is common knowledge.

DHS is a law enforcement agency, which regularly uses surveillance techniques, some of which exploit security flaws in devices and software. When you share information about security flaws with DHS, you're sharing them with ICE and the Secret Service.

The FTC, in contrast, is a consumer protection agency. They don't kick down doors and they don't arrest people.

And yes, many security researchers have shared their prepublication research with the FTC.