The Federal Trade Commission is hoping to take a lead role in shaping best practices for privacy and security in the growing Internet of Things. Near the end of January, the FTC issued a staff report entitled Internet of Things: Privacy & Security in a Connected World. In it, the agency spells out a need for companies designing IoT products to establish appropriate data privacy and cybersecurity practices and tools to protect consumers.
As the report points out, and as we’ve seen for ourselves, the Internet of Things is an economic sector that has been experiencing exponential growth in recent years. The report cites data forecasting that the world will have 25 billion Internet-connected devices this year, rising to 50 billion connected devices by 2020. The ability for Internet-connected devices and sensors to connect on an ad-hoc basis creates an environment where a consumer could potentially reveal much more private data than he or she intended. Here on IPWatchdog, we’ve covered a major focus on IoT technologies at the 2014 and 2015 Consumer Electronics Shows. With many major corporations making billion-dollar investments into Internet of Things development, it should be clear that IoT tech will continue to be an important industry for consumers and businesses alike.
This recent advocacy is not the first foray that the FTC has made into the sphere of the Internet of Things. As far back as November 2013, the commission held a public workshop on privacy issues related to the IoT. In the opening remarks to that workshop made by FTC Chairwoman Edith Ramirez, potential problems regarding ubiquitous data collection, unexpected data uses and cybersecurity were discussed. “It is up to the companies that take part in this ecosystem to embrace their role as stewards of the consumer data they collect and use,” Ramirez said.
The FTC recognizes the great consumer benefits that could come as a result of the further maturation of Internet of Things products. Highly precise medical trackers and devices can connect patients living at home to medical advice from physicians. Smart home networks utilizing IoT tech could be designed to minimize electricity usage while operating home appliances. Vehicle telematics and autonomous driving systems are a couple of automotive applications for the Internet of Things that we’ve also discussed in recent posts.
However, there are palpable risks that may be encountered by those using Internet of Things products: unauthorized access of personal information, the use of devices to facilitate attacks on other systems and the creation of safety risks. The FTC report muses on a couple of instances of risk in IoT systems, including the capability for a hacker to remotely access an insulin pump to change the level of a patient’s medication. One recent segment from CBS’ 60 Minutes showed how one man was able to access a car using the emergency communication system to gain control of the windshield fluid pump and the vehicle’s braking system.
Best Practices for Securing the Internet of Things for Consumers
Many of the activities being advocated by this recent report rely on self-regulation by businesses, as regulatory legislation within the sector is fairly lacking at the current moment. The best practices for privacy within the Internet of Things, as determined thus far by the Federal Trade Commission, focus on the areas of data security, data minimization as well as notice and choice. These are not binding regulations but the agency has found these aspects important for building consumer trust in the growing Internet of Things market.
Data security is a concern associated with Internet-connected devices that exists at just about every level of functioning among IoT devices. The report espouses a proactive approach to cybersecurity among companies, advising them to be “building security into their devices at the outset, rather than as an afterthought.” Personnel practices should also reflect the importance of security; as one workshop participant noted, just because a person is capable of writing software code does not mean that person understands the security required of an embedded device. Strong controls against unauthorized network access and continual monitoring of products throughout their life cycles to upgrade security features if necessary are also discussed by the report.
The principle of data minimization is another idea that challenges some of the activities in the Internet of Things ecosystem. The larger the data store collected by a company, the report suggests, the more attractive that database is to data thieves who might try to steal financial data or other personal information. In addition, with excessive data collection there comes the risk that data may be used in a way unintended by an IoT device consumer, and not just by unauthorized parties. As an example, the report discusses a hypothetical skin patch for assessing a skin condition. The company making that patch might find it desirable to track geographic location data for potential additional features to the patch but it shouldn’t track that data without consumer consent. Companies may also want to explore the potential for the de-identification of data, which involves the removal of sensitive data from data collected for some services.
The data minimization practices have been the target of much of the criticism that has been levied against the recent FTC report. One of the Commissioners of the FTC, Joshua D. Wright, issued a dissenting statement on the report lambasting the commission’s decision to publish the staff report, which he felt relied too heavily on anecdotal information from public comments and did not include nearly enough analytical support of the proposed best practices. The data minimization subject afforded him his best target for derision. “In considering the costs of data minimization,” Wright wrote, “staff merely acknowledges it would potentially curtail innovative uses of data.” Wright called the commission’s analysis of data minimization “abbreviated” and argued that it doesn’t provide any sense of the magnitude of costs to consumers.
The notice and choice practices discussed by the report, however, largely escaped the dissenting attack. Following notice and choice practices, a company could determine a potentially new feature of an Internet-connected device that would require the collection of additional data which is inconsistent with a consumer’s relationship with a device manufacturer. Notice and choice options identified by workshop participants included point-of-sale opt-in choices, initial setup wizard choices, data privacy tutorials and icons for displaying important device settings related to privacy, such as the current status of the device’s Internet connection.
FTC Actions and Further Congressional Recommendations
Despite the issues regarding Internet of Things technologies highlighted by this report, the FTC isn’t calling for Congress to enact legislation that addresses these very specific risks. “Staff agrees with those commenters who stated that there is great potential for innovation in this area, and that legislation aimed specifically at the IoT at this stage would be premature,” the report reads.
The FTC does lay out a number of specific actions which it can undertake in order to promote data privacy and security among consumer IoT technologies. The report notes a number of laws granting the agency regulatory authority relevant to the IoT, including the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act and the Federal Trade Commission Act. The commission has already used these powers to bring action against at least one company for lax cybersecurity practices which led, in that case, to unauthorized access of home baby monitoring systems.
The report also pledges the FTC’s efforts towards the development of IoT security education materials for both businesses and consumers. Keeping IoT devices secure would be of particular benefit to small businesses, which have limited resources and must avoid cyberattacks that would prevent them from gaining consumer trust. Participation in multi-stakeholder programs, such as the Department of Energy initiative for developing privacy practices for smart grid owners, and advocacy opportunities with other government agencies are also mentioned.
Other Efforts Towards Greater Digital Privacy in the Internet of Things
The protection of digital networks utilized by various sectors of the American economy has been growing in importance in recent months. In November of last year, we covered a cybersecurity partnership meeting featuring officials from the U.S. Patent and Trademark Office as well as the National Institute of Standards and Technology, during which they announced a voluntary data security framework developed by NIST for determining best practices in cybersecurity.
The discussion on digital security in America has even reached the White House. Recently, President Obama has called for stronger rules requiring companies to notify consumers about hacking events which have accessed customer financial data as well as a revised Consumer Privacy Bill of Rights that includes limits on how student data may be used by education companies.
Non-governmental agencies involved in consumer advocacy initiatives are also clamoring for federal action on various areas related to the Internet of Things. The Electronic Privacy Information Center, for example, submitted comments not only to the FTC workshop but also to the National Highway Traffic Safety Administration regarding driver privacy in vehicle-to-vehicle technologies. As EPIC points out, an amazing myriad of technologies are involved in the Internet of Things, from smartphones to vehicles to home technologies to fitness trackers. “Protecting consumer privacy becomes increasingly difficult as the IoT becomes more prevalent,” EPIC states on its official website.
June should prove to be another interesting month in the growing dialogue about privacy in the Internet of Things. That’s when the 2nd annual IoT Privacy Summit will take place in Mountain View, CA, bringing together a long list of policy makers, academics, IoT developers and privacy professionals to discuss the challenges of responsible data use posed by the IoT.