According to the Federal Trade Commission, the Internet of Things (IoT) “refers to the ability of everyday objects to connect to the Internet and to send and receive data.” Consumer-focused IoT devices include wearable electronics like watches and fitness bands, as well as the controls and appliances commonly found in “smart” homes and so-called “connected cars.”
In late 2013, the FTC held a “thought leader” workshop on the Internet of Things, and in January of this year, it released a report on the consumer privacy and security implications of the IoT, together with some associated “recommendations” to protect consumer privacy and ensure the security of these connected devices.
The number of devices connected to the internet long ago surpassed the number of people. By 2020, experts estimate that 50 billion devices will be so connected.
What are the security risks? The report emphasizes three: (1) the potential for unauthorized access to the device or its data store and misuse of the personally identifiable information (PII) collected by the device; (2) facilitation of attacks on other systems; and (3) the creation of risks to the consumer’s physical safety. The FTC speculates that these risks may be exacerbated by the limited data security experience of IoT manufacturers and the low cost of many devices, which together can make it economically and technologically difficult to implement effective patching mechanisms for connected devices and publicize the need to use them.
To address these risks, the FTC unsurprisingly calls for the makers of IoT devices to employ “reasonable security.” What is reasonable security in this context? It’s the usual balancing of multiple factors, most notably the value of the data collected versus the cost of protection. The FTC did, however, identify six specific best practices for purveyors of products participating in the IoT: (1) deploy security by design, including privacy and security risk assessment, data minimization, and security testing; (2) implement effective security training; (3) use third-party processors only if they have adequate data security and oversight; (4) implement defense-in-depth; (5) implement reasonable access control measures; and (6) monitor the security of, and patch, IoT products.
Much of the security discussion was typical stuff, but several interesting points were made. The deployment of smart defaults and consideration of data minimization got specific mention in the discussion of security by design. With respect to training, the FTC emphasized that good coders may not be effective as security hawks. The defense-in-depth discussion strongly suggested that devices placing PII at significant risk needed to employ encryption in transit and at rest. There was a helpful nod toward the importance of usability in the discussion of reasonable access controls like strong authentication, but the discussion of monitoring and patching provided less solace to makers: the FTC emphasized that if companies did not intend to monitor and patch, they needed to make that very clear to their customers.
In addition to security concerns, the FTC also identified privacy risks. These risks stem from the direct collection of PII and from the collection of detailed data that may, through accumulation and retention, provide personally identifiable insights into the user of the device. The FTC recognized that these insights could be used for beneficial purposes, but it noted that they could also be used for more controversial purposes like credit, insurance, or employment decisions.
Data minimization got special attention. To product developers inclined to collect data now in case it might be handy in the future, the message is: don’t. “Although some participants expressed concern that requiring data minimization could curtail innovative uses of data, staff agrees with [the minimizers].”
The FTC staff was similarly dismissive of the idea that notice and choice were outmoded concepts in the IoT context, but the staff did acknowledge that choice wasn’t required for data collection that was consistent with the customer’s reasonable expectations. It also recognized that the absence of a user interface in some devices would present problems implementing these concepts, listing a variety of alternatives to presenting the notice and choices on the device itself. These included choice at the point of sale, user tutorials, QR codes on the device that point to internet portals, choices made during device setup, management portals, lighted icons, communication of notice and choices via channels other than the device, and other options.
Some commentators had urged the FTC to substitute use restrictions for notice and choice, a possibility also addressed at some length in prior reports by the President’s Council of Advisors on Science and Technology and the White House. The FTC pointed out certain use-based restrictions that are already part of the current regulatory regimes, but its primary concession here was an acknowledgment that if the data is promptly and effectively anonymized and can’t be effectively reidentified, notice of collection need not be provided. The FTC emphasized, however, that if a vendor wanted to rely on this exception to notice, it needed to ensure that both it and its third-party processors were committed not to reidentify the data.
The FTC did leave the door open to the possibility that effective use frameworks might be developed in the future. Indeed, the FTC supported industry development of self-regulatory frameworks and agreed with certain workshop participants that legislation specific to the Internet of Things was premature and might dampen innovation. The FTC did, however, reiterate its calls for a more general federal data breach law and for data security enforcement legislation.
Finally, the FTC confirmed that its enforcement actions, consumer education and outreach, stakeholder group participation, and privacy/security advocacy work would fully encompass the IoT arena.
The Commission adopted the report 4-1, with one concurring and one dissenting statement. In her concurrence, Commissioner Ohlhausen indicated her disagreement with the call for federal legislation and with the data minimization principle as delineated in the report. In his dissent, Commissioner Wright argued that the FTC lacked the evidentiary base necessary to make its recommendations, noted the absence of cost-benefit analysis, and questioned whether the FTC’s combination of Fair Information Practice Principles and security by design was the best framework for IoT regulation.
In addition to the report, the FTC simultaneously published some brief but useful guidance to industry on how security by design should work in connection with the Internet of Things.