The Good, the Bad, & the Regulatory: A Summary of a Recent FTC Report on the Internet of Things

Internet-enabled devices bring near total connectivity. While this world of connection benefits us, it inevitably poses certain security and privacy risks. The FTC recommends best practices for companies venturing into the world of IoT.

The Internet of Things (“IoT”) refers to everyday internet-enabled objects that can network and communicate with each other and with other web-enabled devices to send and receive data. Unlike passive objects, devices in the IoT world actively communicate with each other and with their environment, and respond to changing conditions, often autonomously. From a camera that automatically crops photos, removes blemishes, and posts the result online with a single click, to a diabetic’s glucose monitor that automatically titrates insulin doses to suit the patient’s changing condition, and beyond even our ubiquitous smartphones, the IoT is dramatically affecting our social and working environments.

This growing connectedness offers revolutionary benefits, but it also increases our exposure to the many risks that accompany a fluid and ubiquitous exchange of personally identifiable information. These technological breakthroughs have the potential to impact nearly every facet of daily life, and regulators are taking notice. The FTC held a workshop titled “The Internet of Things: Privacy & Security in a Connected World” and issued a related report on January 27, 2015, highlighting the benefits of this inevitable connected reality, as well as recommendations to help guard against the security and privacy concerns posed by the IoT.

The Good

Internet of Things devices are becoming well known as tools to make our lives more productive, more manageable, and frankly more fun. These devices can broadcast a user’s 8-mile morning run splits in real time. They can direct a home entertainment system so that a Game of Thrones addict can record that impromptu George R. R. Martin interview and never miss a related event. Beyond these indulgences, the IoT is responsible for life-changing advances in a myriad of applications, such as:

  • Medicine
    • Connecting patients with their physicians to co-manage treatment
  • Transportation
    • Warning drivers of dangerous road conditions through sensors in cars
  • Conservation and Resource Use
    • Raising consumer awareness of energy consumption through monitoring
    • Optimizing provider infrastructure through automatic feedback metering and environmental controls

Cumulatively, these types of incremental advances can lead to breakthroughs in even the most difficult problems.

The Bad

According to the FTC, these “potential security risks” could be “exploited to harm consumers”:

  • Enabling unauthorized access and misuse of personal information
  • Facilitating attacks on other systems
  • Creating risks to personal safety

Specifically, the FTC warns of privacy risks stemming from using IoT devices to collect personal information such as consumer location and preferences. Perhaps more significantly, companies could use this data to inform decisions affecting consumers’ ability to obtain credit, insurance, and even employment. The FTC posits that even if many of these risks never occur, consumer perception could stunt adoption of IoT devices — and potentially prevent these technologies from reaching their full potential.

The Regulatory

The Commission supports the industry’s voluntary development of programs that encourage effective privacy and security practices, but stops short of backing IoT-specific legislation, citing the relatively nascent state of the IoT. The FTC also reiterated its call to Congress to “enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.”

The FTC also notes four long-standing Fair Information Practice Principles (FIPPs):

  • Security
  • Data Minimization
  • Notice
  • Choice

The FTC makes various recommendations for companies to meet these FIPPs. Some example measures include training employees on “good security” practices, retaining capable security service providers, and conducting reasonable oversight of those providers. Additionally, the FTC instructs companies to impose “reasonable limits on the collection and retention of consumer data” using one of several suggested methods, which range from collecting only the fields of data necessary to the product or service being offered, to de-identifying the data collected, to obtaining the consumer’s informed consent. The FTC advises that “(companies)…should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer”. Companies should, however, provide notice and an “opt out” choice to consumers if a data use goes beyond reasonable consumer expectations.
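The data minimization and retention limits described above are policy statements in the FTC report, not code. As an added illustration (this is not from the FTC report or any product it discusses), the following Python sketch shows how a device vendor might enforce those limits in a telemetry pipeline: an allowlist keeps only the fields a hypothetical activity-tracking feature needs, identifiers are replaced with keyed pseudonyms, location is coarsened, and records older than a retention window are purged. The field names, the allowlist, the sample record, the HMAC key, and the 30-day window are all assumptions constructed for the example.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed allowlist: the only fields a hypothetical step/heart-rate feature needs.
# Everything else (e-mail, Wi-Fi SSID, contacts, ...) is dropped before storage.
ALLOWED_FIELDS = {"device_id", "timestamp", "steps", "heart_rate", "lat", "lon"}

# Constructed secret for the example. In practice this lives in a key store,
# is rotated, and never leaves the server side; without it a pseudonym cannot
# be mapped back to a device.
PSEUDONYM_KEY = b"example-key-rotate-me"

RETENTION_DAYS = 30  # assumed retention window


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic, keyed pseudonym: same input -> same output, not reversible without the key."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def coarsen_location(lat: float, lon: float, decimals: int = 2) -> tuple:
    """Round coordinates to ~1 km so a record no longer pinpoints a home or workplace."""
    return round(lat, decimals), round(lon, decimals)


def minimize(record: dict) -> tuple:
    """Keep only allowlisted fields; also return the names that were dropped (for audit logging)."""
    kept = {k: v for k, v in record.items() if k in ALLOWED_FIELDS}
    dropped = sorted(set(record) - ALLOWED_FIELDS)
    return kept, dropped


def deidentify(record: dict) -> dict:
    """Replace the raw device id with a pseudonym and coarsen location."""
    out = dict(record)
    if "device_id" in out:
        out["device_pseudonym"] = pseudonymize(out.pop("device_id"))
    if "lat" in out and "lon" in out:
        out["lat"], out["lon"] = coarsen_location(out["lat"], out["lon"])
    return out


def process(raw_record: dict) -> tuple:
    """Full pipeline for one incoming record: minimize, then de-identify."""
    kept, dropped = minimize(raw_record)
    return deidentify(kept), dropped


def purge_expired(records: list, now: datetime, days: int = RETENTION_DAYS) -> list:
    """Enforce the retention limit: keep only records newer than the cutoff."""
    cutoff = now - timedelta(days=days)
    return [r for r in records if datetime.fromisoformat(r["timestamp"]) >= cutoff]


# Constructed sample telemetry from a hypothetical fitness tracker.
SAMPLE = {
    "device_id": "TRK-0001",
    "timestamp": "2015-02-01T07:15:00+00:00",
    "steps": 9800,
    "heart_rate": 142,
    "lat": 37.774929,
    "lon": -122.419416,
    "user_email": "runner@example.com",  # not needed for the feature; dropped
    "wifi_ssid": "HomeNet",              # not needed for the feature; dropped
}

if __name__ == "__main__":
    stored, dropped = process(SAMPLE)
    print("stored:", stored)
    print("dropped fields:", dropped)
    now = datetime(2015, 3, 15, tzinfo=timezone.utc)
    print("after retention purge:", purge_expired([stored], now))
```

The point of returning the dropped field names is that minimization should be observable: a reviewer can check what the pipeline refuses to store without reading the raw payloads. Note that the HMAC pseudonym still lets records from one device be linked to each other, which is what a step counter needs; if linkability itself is the privacy concern, the key should be rotated per period or the identifier dropped entirely.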

Final Thoughts

As the FTC acknowledges, there is no one-size-fits-all solution to safeguarding against IoT security and privacy concerns. Accordingly, a company venturing into the IoT should not skip the work of assessing its regulatory exposure, its private liability risks, and the legal adequacy of its current data practices. “An ounce of prevention is worth a pound of cure” is an apt and profitable approach to minimizing legal risk and maximizing business success, both within and outside the ever-evolving world of the IoT.