The Federal Trade Commission wants to make sure that, as the Internet of Things becomes more prevalent in consumers’ lives, its security and privacy risks don’t outweigh the benefits.
FTC released a massive report Tuesday based on input from an IoT workshop it held in November 2013 along with other public comments submitted to the commission. The report sets forth a series of recommendations to the IoT industry to ensure the privacy and security of consumers who use the sensor-enabled devices.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Edith Ramirez said in a release accompanying the report. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
Security is the foremost principle laid out in the report, and it cites several steps developers should take from design inception all the way through the sale of a device. Even after the devices reach the market, “companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities,” the report said.
To promote privacy, the report encouraged companies to minimize the personal data they gather and to notify device users of their privacy policies, something many argue isn’t feasible within the ubiquitous realm of IoT.
A call to Congress
Meanwhile, FTC says in the report that it stands firm in its recommendations for baseline privacy standards made in its 2012 privacy report.
“Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections – such as privacy disclosures or consumer choice – absent a specific showing of deception or unfairness,” the report says. “Commission staff thus again recommends that Congress enact broadbased (as opposed to IoT-specific) privacy legislation.”
It said Congress should “enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.”
Meanwhile, FTC said it’d be too premature to propose specific legislation around IoT.
Some advocacy groups are objecting to FTC’s broad privacy legislation recommendation. The Information Technology and Innovation Foundation is worried how the increased privacy measures might limit innovation around Internet of Things data collection.
“While the FTC’s report correctly recognizes that the Internet of Things offers potentially revolutionary benefits for consumers and that the industry is still at an early stage, it unfortunately attempts to shoehorn old ideas on new technology by calling for broad-based privacy legislation,” Daniel Castro, the director of ITIF’s Center for Data Innovation, said in a statement. “It is disheartening that the FTC staff has failed to propose a forward-looking regulatory approach to technology that narrowly targets actual harms while leaving companies free to innovate. In particular, in calling for companies to reduce their use of data, the FTC misses the point that data is the driving force behind innovation in today’s information economy.”
FTC Commissioner Joshua D. Wright, the sole dissenter of the report, also cautioned against pushing for the broad privacy legislation.
Elsewhere, technology advocacy groups were pleased with FTC’s report. The Consumer Electronic Association called it timely and said it “advances the conversation.” It also agreed with FTC’s hesitance to recommend IoT-specific legislation that “may choke off innovation,” Gary Shapiro, president and CEO of CEA, said in a statement.
Mark MacCarthy, vice president of public policy for the Software and Information Industry Association, said the report creates a thoughtful balance between risks and benefits, without recommending innovation-killing legislation.
“We strongly agree that legislation or a broad regulatory framework to govern the IoT is premature, and could threaten its tremendous societal and economic potential,” McCarthy said. “We encourage them, and all policymakers, to maintain this wise regulatory approach. We continue to believe that current law provides an enforceable framework for IoT security and privacy that is working well and will continue to effectively adapt as technology evolves.”
Despite whether industry or the FTC wants legislation, it appears Congress has the Internet of Things in its sights. In early January, Sens. Darrell Issa, R-Calif., and Suzan DelBene, D-Wash., introduced the Congressional Caucus on the Internet of Things to educate members of Congress on the developing uses and potential worries associated with IoT.
And late Monday, the Senate Committee on Commerce, Science, and Transportation announced a Feb. 11 hearing on the Internet of Things.
“Standing on the cusp of technological innovations that will improve both the safety and convenience of everyday items, we shouldn’t let government needlessly slow the pace of new development,” Sen. John Thune, R-S.D., said in a statement. “By engaging early in this debate, Congress can ensure that any government efforts to protect consumers are tailored for actual problems and avoid regulatory overreach.”