FTC Internet of Things Report Emphasizes Need for Consumer Privacy Protections

“All of the benefits an Internet of Things or Big Data world can provide can only flourish when you take privacy and security into account,” said FTC Chairwoman Edith Ramirez Tuesday at the State of the Net event as the agency released the report, on which work began in 2013. It outlined steps consumers and businesses can and should take to ensure privacy and security is maintained in an increasingly connected digital world. With data constantly being collected -- with an anticipated 25 billion devices expected to be connected to the Internet worldwide by the end of 2015 -- Ramirez said privacy and security concerns must be addressed since the devices are coming into what used to be private spheres such as homes, cars, workplaces and on human bodies.

The FTC recognizes IoT devices can improve lives, while understanding the information they collect “could be exploited to harm consumers,” the report said. Security concerns include unauthorized access and misuse of personal information, the facilitation of attacks on other systems, and risks that may jeopardize an individual’s personal safety. “Data being generated is increasingly more sensitive,” Ramirez said, and there’s more of it, which is why Ramirez advised companies to build security features into devices from the get-go. Companies should also design a secure system for the device’s use by conducting a risk assessment of the device, minimize the amount of data collected and retained, and test security measures before the product is launched, she said.

As the IoT expands to items that don't have a user interface, such as socks with smart technologies, the report said, notice and choice becomes an increasingly complex issue. That's why the agency recommended businesses develop video tutorials, affix QR codes to devices and provide choices during the set-up process -- not bury that information within lengthy documents -- to ensure consumers are as aware as possible of what kind of information is being collected, retained and shared. The report is a summary of recommendations made by leading technologists, academics, industry representatives, consumer advocates and others who participated in a 2013 workshop on the privacy and security concerns that surface with the use of IoT devices that are sold to or used by consumers. Public comments were also influential in the report, it said.

Commissioner Wright Dissents

Commissioner Joshua Wright disagreed with the findings. He released a dissenting statement that said the report relied heavily on the opinions and assertions of certain FTC staff and isn't necessarily representative of actual consumer preferences. The FTC should “identify the potential costs and benefits of implementing such best practices and recommendations,” Wright said. The agency should also “perform analysis sufficient to establish with reasonable confidence that such benefits are not outweighed by their costs at the margin of policy intervention,” he said.

Commissioner Maureen Ohlhausen ultimately voted in favor of releasing the report, but wrote in her concurring statement that she disagreed with two recommendations, one of which was data minimization. This recommendation “encourages companies to delete valuable data -- primarily to avoid hypothetical future harms,” Ohlhausen said, which is “overly prescriptive.”

The absence of policies based on statistically relevant data, analysis and evidence concerned Steve DelBianco, the executive director of NetChoice in a statement. Daniel Castro, director of the Information Technology and Innovation Foundation's Center for Data Innovation, said in an interview that data minimization isn't the answer to solving the security and privacy concerns, arguing it will likely stifle innovation. The FTC missed the point that data is the driving force behind innovation, Castro said.

“Although some participants expressed concern that requiring data minimization could curtail innovative uses of data,” the report said, smaller data stores aren't as attractive to thieves. A specified data collection decreases the chance the information will be used in a way that consumers didn't expect, Ramirez said. “If you want these new technologies to flourish, you have to make sure consumers understand what is happening, what is being collected and how information is being shared,” Ramirez said. “Consumers should continue to be in the driver’s seat and have a say over how information is being used.” During a Twitter chat, FTC staff reiterated Ramirez’s comments that this is an opportunity for companies to be innovative on privacy and consumer protection.

TechFreedom President Berin Szoka said Ramirez and FTC staffers pushed a Democratic agenda. The Software & Information Industry Association called the report a thoughtful balance between the “essential need for privacy and security with an understanding that innovation and economic growth must be allowed to flourish.”

The FTC staff report is "timely," given that more than 900 exhibitors showcased IoT devices at CES, said CEA President Gary Shapiro in a statement. "The IoT touches many aspects of our lives, and in the near future our interactions with these devices will be so routine and all-encompassing they will go almost unnoticed," Shapiro said. "Companies across the IoT ecosystem must continue to earn consumer trust to bring forth the full benefits of IoT." CEA hails the FTC "for recognizing the enormous personal, economic and societal benefits that IoT enables, and the agency's efforts to engage and educate businesses on how to secure the IoT ecosystem," Shapiro said. "However, it’s too early to rush out laws that may choke off innovation. CEA is at the forefront of discussing these issues, and discovering how best to protect consumer privacy and security while encouraging continued innovation.”

Hill Concerns, Hearing Looms

Some Republican lawmakers were concerned even before its release about what they considered the partisan nature of the report. Senate Commerce Committee Chairman John Thune, R-S.D., said the government shouldn’t “needlessly slow the pace of new development” by enacting policies. Thune set a committee hearing regarding the IoT at 10 a.m. in 253 Russell on Feb. 11, at the request of a bipartisan group of senators.

Sens. Deb Fischer, R-Neb., Cory A. Booker, D-N.J., Kelly Ayotte, R-N.H., and Brian Schatz, D-Hawaii requested the hearing. They released a statement saying they haven't reviewed the FTC report, but they want to explore ways to shape policy for the IoT to allow the U.S. to remain a global leader in innovation. Rep. Suzan DelBene, D-Wash., co-founder of the IoT Caucus with Rep. Darrell Issa, R-Calif., said the FTC’s “guidance [for] companies will help spur an important conversation about the IoT and consumer privacy issues.”

Though the FTC recognizes the need for legislators, regulators, self-regulatory bodies and individual companies to determine what's “permissible” and “impermissible” on consumer data, IoT-specific legislation should be put on hold for now, the report said. “IoT-specific legislation at this stage would be premature,” but the development of self-regulatory programs that encourage privacy- and security-sensitive practices is encouraged, the report said. The FTC recommended Congress “enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach."

The FTC will continue to enforce laws under the FTC Act, the Federal Credit Reporting Act, the health breach notification provisions of the HI-TECH Act, the Children’s Online Privacy Protection Act, and other laws that may apply to the IoT, the report said. The FTC will also develop new consumer and business education materials related to the IoT and continue to participate in the creation of policies related to IoT, including facial recognition and smart meters, said the report.