Just how close is ‘too close for comfort’ in the unprecedented connectivity of people, products and electronic communication that lies ahead with the Internet of Things? Should the providers of electronic devices be allowed to know when you set your house thermometer, or how often and how long you go for a jog using a ‘wearable’ electronic exercise sensor?
The U.S. Senate Commerce Committee will explore the impact of the IoT on personal privacy and security at a hearing set for Feb. 11.
In October 2014, several Senators requested a hearing on the issue of Internet connectivity, but it appears that a recently released report on the IoT by the Federal Trade Commission has triggered the committee’s interest.
The FTC report, issued in late January, also has spurred a robust debate on how the government should approach the development and potential regulation of the IoT. The FTC essentially touched on two key approaches: the appropriateness of enacting IoT legislation, and the use of voluntary business “best practices” related to privacy, security and data breach disclosure.
Go Slow on New Legislation
The FTC report noted that despite the potential risks associated with expanding connectivity, new legislation dealing specifically with the IoT would be inappropriate. “Regarding legislation, staff concurs with many stakeholders that any IoT-specific legislation would be premature at this point given the rapidly evolving nature of the technology,” the FTC said in a statement.
Key lawmakers were quick to support that view, including Sen. John Thune, (R-S.D.), chair of the Senate Commerce Committee. “Standing on the cusp of technological innovations that will improve both the safety and convenience of everyday items, we shouldn’t let government needlessly slow the pace of new development. By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach,” Thune said in a statement on the IoT hearing.
However, the FTC report re-stated the Commission’s support for enactment of strong data security and breach notification legislation, as well as for “broad-based privacy legislation that is both flexible and technology-neutral.”
While the FTC contended that specific IoT legislation would be inappropriate at this point, the agency recognized that as a result of the risks inherent in expanding Internet connectivity, IT providers and businesses involved in the IoT will need to implement enhanced protection mechanisms. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez.
“We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized,” Ramirez said.
FTC Outlines IoT Best Practices
The FTC’s recommendations for businesses included:
- Security and Privacy by Design: Providers should build security and privacy elements into IoT systems at the outset, rather than as an afterthought.
- Human Capabilities: Ensure that both employees and outside service providers are aware of increased risks and are capable of appropriately addressing such risks.
- Risk Management: When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular threat. Monitor connected devices throughout their life cycle, and where feasible, provide security patches to cover known risks.
- Insulate Data: Utilize measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network.
The FTC report also suggested that risks can be reduced if the amount of IoT collected information is reduced to the minimum necessary for a given purpose, and retained only for a set period of time, not indefinitely.
The FTC said that such ‘data minimization’ addresses two major risks. The first danger is that a company holding a large base of consumer data will “become a more enticing target for data thieves or hackers.” The second is the risk that “consumer data will be used in ways contrary to consumers’ expectations.”
The FTC suggested a flexible approach to data control, in which companies could opt to collect no data; obtain data limited only to the purpose of the IoT service or device, and gather less sensitive data. FTC also said that providers could remove references to individuals by using techniques to ‘de-identify’ collected data.
Dissent From Industry and Within FTC
Reaction to the FTC report varied. “Establishing a sense of trust and fairness is critical for data-driven innovation that maximizes social innovation and economic growth, so SIIA supports best practices for companies that help to achieve this objective. Security by design, along with privacy by design, is a fundamental step for companies to be responsible data stewards,” David LeDuc, senior director of public policy at the Software and Information Industry Association, told the E-Commerce Times.
“We get the FTC’s message about security-by-design,” said Gary Shapiro, president and CEO of the Consumer Electronics Association, where, he said, two working groups are already drafting security best practices for the industry.
But he disagreed with other FTC guidelines. “The incredible personal and societal benefits of IoT will not be possible without supporting data analytics, and in many — if not most — cases we will not know in advance what data will yield these important benefits. The FTC’s blanket recommendation to delete data to avoid hypothetical future harm is overly prescriptive,” Shapiro told the E-Commerce Times.
“The bigger danger concerning me is killing nascent benefits before the market can decide if they want them. For example when Amazon introduced book suggestions based on your prior orders it was new, but they were keeping your private information. Now that service works with movies,” he added.
“It is unlikely these great services were dreamed of by early product designers. They were invented, appreciated and evolved. Requiring features be kept out of devices would be unprecedented and a prior restraint on unknown valuable, useful and potentially lifesaving innovation,” Shapiro noted. Devices monitoring physical conditions could be used to alert emergency responders, he noted.
Even within the FTC there are differing views. Although Commissioner Maureen Ohlhausen voted to release the report, she noted in a dissent that she could not support the data minimization recommendation. “The report, without examining costs or benefits, encourages companies to delete valuable data — primarily to avoid hypothetical future harms,” she said. Ohlhausen contended that while the report “recognizes the need for flexibility for companies weighing whether and what data to retain,” the recommendation is inappropriate.
Ohlhausen also opposed the report’s support for “baseline privacy legislation,” contending that current FTC authorities are adequate.
Dealing with IoT impacts will remain a formidable challenge, whatever role government or industry play in the process, according to Seth Schoen, senior staff technologist at the Electronic Frontier Foundation.
“We’re seeing plans to make large numbers of cheap devices, whose presence and specific functionality is hard to observe, developed at extremely low cost on a fast product lifecycle, placed into incredibly sensitive environments, constantly communicating with the outside world, and often with no plan to find or fix security problems in the field,” Schoen told the E-Commerce Times.
Schoen participated in an FTC panel on mobile privacy last year. While the EFF has not taken a position on whether the FTC should initiate some action now, he noted that currently “embedded systems have a poor security record and many aren’t designed to be updated — or don’t have anyone responsible for providing the updates.”