If the Internet of Things is going to be a viable business, the people who rely on it must have some expectation that its networks will be secure and their privacy assured. The Federal Trade Commission today issued recommendations on steps businesses can take to protect consumers' privacy and security.
The report identifies three major risk categories: 1) enabling unauthorized access to and misuse of personal information; 2) facilitating attacks on other systems; and 3) creating risks to personal safety.
The FTC, along with advisors from industry, academia, and the general public, devised a set of recommended best practices that companies developing Internet of Things devices can adopt to help minimize these risks.
The FTC also considered whether new legislation specific to the IoT was necessary. Input from those advisors was mixed on the subject.
The Commission’s report said it has “continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach.”
It also called for broad-based legislation establishing baseline privacy standards, as well as legislation protecting against failures of critical IoT devices (the report's examples are the commonly cited ones: improperly implanted pacemakers, and the ability of hackers to take over connected vehicles).
The recommendations to manufacturers of IoT devices include:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
Commission staff also recommend that companies consider limiting the consumer data they collect, and retaining that data only for a set period of time rather than indefinitely.
The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.
The FTC defined the Internet of Things as devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet. The scope of the report is limited to IoT devices that are sold to or used by consumers.
By some calculations, there are now over 25 billion such connected devices in use worldwide. The tally includes health and fitness monitors, home security devices, connected cars and household appliances, among other applications.
Verizon last week reported Q4 revenue of $585 million it associated directly with the Internet of things.
But security and privacy remain issues. Many consumers have adopted home video monitoring and surveillance systems, yet many service providers have steadfastly refused to offer any home monitoring or home automation equipment with integrated microphones, so as to avoid any concern that conversations in the home might be monitored.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
Some dissent on the proposed legislation came from inside the FTC itself. Commissioner Maureen K. Ohlhausen issued a separate opinion that affirmed her support for most of the report’s recommendations, but then enumerated her objections: “First, I do not support the recommendation for baseline privacy legislation because I do not see the current need for such legislation. The FTC’s Section 5 deception and unfairness authority already requires notice and opt-in consent for collecting consumers’ sensitive, personally identifiable information.
It also protects against uses of personal information that cause substantial, unavoidable consumer harm not outweighed by benefits to consumers or competition. Furthermore, sector-specific laws, such as FCRA, provide additional protections for consumers. Thus, I question what current harms baseline privacy legislation would reach that the FTC’s existing authority cannot,” she wrote.
“Second, I am concerned that the report’s support for data minimization embodies what scholar Adam Thierer has called the ‘precautionary principle,’ and I cannot embrace such an approach. The report, without examining costs or benefits, encourages companies to delete valuable data – primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive.”
The report is based in part on input from technologists, academics, industry representatives, consumer advocates and others who participated in the FTC’s Internet of Things workshop held in November 2013, as well as from those who submitted public comments to the Commission.