What the FTC Report on the Internet of Things Means for Security and Privacy
On January 27th, 2015, the Federal Trade Commission (FTC) staff released a much-anticipated report on the Internet of Things. The 55-page report begins with a rundown of a public workshop held in Washington, D.C. by the FTC in November 2013 entitled The Internet of Things: Privacy and Security in a Connected World. The workshop consisted of a series of panels, each of which included a mix of consumer advocates, legal representatives, and experts in the field of technology and IOT discussing privacy and security issues as they relate to the growing number of connected devices.
The Connected Health and Fitness panel highlighted the advantages of using connected medical devices such as insulin pumps and blood pressure cuffs to manage healthcare data. Connected medical devices can contribute to medical research by providing data to scientists and can also help patients, doctors, and relatives closely monitor a patient’s health. The ability to report and monitor increases the efficiency of diagnosing, treating, and preventing disease, lowering the costs of healthcare. This reporting and monitoring comes with high privacy stakes, however, with privacy discussions centering, for example, on insurance companies increasing healthcare costs for patients that don’t meet certain data thresholds.
Connected cars drove the discussion on another panel, with topics like safety measures that notify drivers of dangerous road conditions, the convenience of real-time diagnostics and wireless software upgrades that save time at the dealership, and the future of self-driving cars that can navigate themselves through traffic. However, there are concerns about insurance companies using data from connected cars to charge consumers higher insurance costs, as well as concerns about hackers gaining access to driver data such as location and manipulating the functionality of connected cars.
A third panel focused on the effects of IOT in the home. Home automation systems offer consumers security, convenience, and ubiquitous control of their homes, while smart meters are teaching homeowners how to be more energy-conscious. Of course, there are obvious security concerns when it comes to smart homes—the ability to monitor the comings and goings of occupants and the ability to hack into home devices, such as automatic door locks, allowing hackers access into homes.
The security and privacy discussions focused on the concerns we have been hearing for some time now: more connected devices means more vulnerabilities for hackers to access sensitive consumer information and facilitate an attack on a consumer’s home network or on a whole series of networks, such as a denial-of-service attack. Such hacks pose significant risks to consumers’ health and safety if, for example, someone hacked into an insulin pump, accessed wireless camera feeds to spy on a home, or seized control of a smart car.
Further, there is potential that companies will use private consumer information to make inferences about a person that influence things like employment decisions and insurance rates. Such privacy and security risks are the driving force behind the FTC’s best practices for companies to follow in order to promote privacy and security in the Internet of Things. The FTC’s hope is that adoption of these practices will give consumers increased confidence in the IOT in the face of the risks.
The FTC staff made its suggestions based on four of the Fair Information Practice Principles (FIPPs)—data security, data minimization, notice, and choice—which were first introduced in a 1973 report, Records, Computers and the Rights of Citizens by the U.S. Department of Health, Education, and Welfare.
- Security by Design: The FTC encourages companies to build security into their devices from the outset and to assess these measures at every level of development rather than consider security as an afterthought.
- Employee Training: The FTC recommends that companies provide security training to employees and screen and monitor third-party service providers to ensure that consumer privacy and security is maintained throughout the product lifecycle.
- Data Minimization: To minimize the amount of data collected and stored on IOT devices, the FTC staff suggests that companies make their best efforts to collect only reasonable and necessary data, to dispose of user data once its use has expired, and to de-identify user data so that any accumulated information may not be reasonably traced back to a specific individual.
- Notice and Choice: The FTC recommends that companies make every reasonable effort to notify consumers of any security risks and updates associated with a product or service. The FTC offers a list of methods for companies to use to provide consumers with adequate choices and educate them as to what data is collected and how that data may be used, including opt-in selections during set-up, security tutorials, and portals where users can change their privacy settings.
The FTC recognizes that it may be too early to enact federal IOT-specific legislation, as doing so could hinder innovation in the IOT industry. Therefore, the FTC staff recommends that Congress enact flexible, technology-neutral legislation to establish baseline privacy standards in addition to those established in previous initiatives such as the FTC Act and the Fair Credit Reporting Act (FCRA). The FTC staff also recommends that IOT companies enact their own self-regulatory policies and practices to ensure the protection of consumer data and limit the inappropriate use of that data.
This long-awaited report by the FTC is important for the IOT industry because it opens the floor for companies to further discuss new ways to handle privacy issues and ensure the security of consumer data, instilling confidence in the Internet of Things. Though the future of the IOT is difficult to predict, the growing number of benefits to consumers gives the IOT the capacity to succeed on a global scale. As more and more connected devices enter the market, it is critical that IOT companies minimize the risk of unauthorized access to and misuse of consumer information in order to secure the public’s acceptance of the IOT.
On Wednesday, February 11, 2015, Congress took its first step toward discussing federal regulation of the Internet of Things when the Senate Commerce, Science and Transportation Committee held its first congressional hearing on the topic. The Committee heard statements from Senators, consumer advocates, and industry affiliates about data security, data breaches, connected cars, spectrum allocation, and the role the FTC might play in the regulation of the IOT. While there was some general agreement on issues such as freeing up more wireless spectrum, for now it is unclear what the next move will be for Congress and whether the FTC will need to step in.
What do you think - should the FTC regulate IOT? Or could federal regulation hinder innovation in the IOT?