More things are connected to the Internet these days than people. When even innocuous daily objects like your living room light bulbs and the tire pressure gage on your Toyota are connected to the data stream, how can consumers understand what is actually going on with their data? What kind of unique challenges does that pose for the legal and ethical conduct of marketing research?
A Federal Trade Commission (FTC) workshop on the “Internet of Things” in Washington, DC, on November 19 endeavored to find out. The workshop aimed to explore consumer privacy and security issues posed by the growing connectivity of devices, to inform the FTC before they consider regulations in this complex area.
Dr. Keith Marzullo of the National Science Foundation informed the FTC workshop audience that the Internet of Things has actually been around for about 25 years, but that technological advances like radio frequency identification (RFID), “smart dust” (miniscule data collecting devices) and cellular communications, have only recently made it affordable and scalable. At the same time, advances in control, verification and Big Data analysis are driving its commercial utilization. “Given all this, security and privacy are real issues,” he said.
FTC Chairwoman Edith Ramirez opened the workshop, observing that we are nearing “the next technological leap when most everyday physical objects will be able to communicate with other objects, as well as with us. Almost anything to which a sensor can be attached can become a node in a ubiquitous network, continuously transmitting data in real time. It is estimated that there are already 3.5 billion such sensors, and some experts expect that number to increase to trillions within the next decade.”
After marveling at the growth of the Internet of Things, and the potential benefits, Ramirez turned to her worries that the “ubiquitous” collection of data is fueling “really, really Big Data” and may be an inherent risk to consumers. “The very technology that allows you to stream your favorite movie or send for help when your car breaks down can also collect, transmit, and compile information about your actions.”
Ramirez laid out three big risks in the Internet of Things:
- Facilitating “the collection of vastly greater amounts of consumer data;”
- Opening such data “to uses that may be unexpected by consumers;” and
- Putting that data’s security at risk.
According to Ramirez, with Big Data comes “big responsibility.” In case you are too optimistic about Big Data to be able to imagine all the potential horrors, she helpfully sketched out some of them:
“Connected cars may direct emergency responders to an accident, but will the data transmitted be shared with your insurer who may raise your rate or cancel your policy? Your smart TV may track whether you watch Masterpiece Theatre or the Kardashians, but will your TV viewing habits be shared with prospective employers or schools? Or to data brokers, who will put that nugget together with information collected by your parking lot security gate, your heart monitor, and your smart phone, and paint a picture of you that you won’t see but that others will – people who might make decisions about whether you are shown ads for organic food or junk food, what sale offers you receive, and where your call to customer service is routed.”
Worried that the data “flowing in from our smart cars, smart devices, and smart cities” will “swell the ocean” of Big Data, she called on companies to be good “stewards,” starting with principles outlined in the FTC’s 2012 privacy report: privacy by design, simplified consumer choice, and transparency.
Ramirez summarized her concerns about the Internet of Things as “a cyber-environment that breathes our personal data like oxygen.”
The FTC’s role in regulating the Internet of Things
FTC Commissioner Maureen Ohlhausen also spoke at the workshop, saying that regulators like the FTC need to approach technology and innovation “with a dose of humility” and “identify benefits as well as harms.” Ohlhausen noted that the FTC has a role to play in the Internet of Things, utilizing its existing toolbox to:
- Use “policy R&D” to better understand the technology, emerging business models, risks and benefits for consumers, and “any existing regulatory structures, including any self-regulation;”
- Educate consumers and businesses “on how to avoid or minimize any risks that we may identify;”
- Use the FTC’s “traditional deception and unfairness authority to stop consumer harms that may arise from particular Internet-connected devices;” and
- Investigate and challenge “competitive harms occurring in the Internet sphere” under the FTC’s antitrust authority.
Ohlhausen referenced an FTC enforcement case from September that exemplified the agency’s role in policing the Internet of Things and the resulting data security risks. The FTC settled a case against TRENDnet, a company that sold video cameras designed to allow consumers to remotely monitor their homes. “Although the company claimed that the cameras were secure, they actually had faulty software that allowed unfettered online viewing by anyone with a camera’s Internet address. As a result, hackers posted live feeds of nearly 700 consumer cameras on the Internet, showing activities such as babies asleep in their cribs and children playing in their homes.”
With a case like TRENDnet’s feeding “concerns about the Internet of Things overall,” Ohlhausen warned companies against impugning an infant technology through privacy or security malfeasance, whether intentional or not.
For the whole MRA series about the workshop on the Internet of Things, see part 1, “The Internet of Things: Connected devices are changing the world for consumers and data users” part 2, “Trust and context in a connected world: what can marketing research tell us?”, part 3, “Vint Cerf and the Internet of Things: "Privacy may be an anomaly", part 4, “Smart Home, Smart Health, Smart Cars: What will inter-connected devices mean for users and data users?” and part 5, "Ubiquitous Data: Privacy and Security in a Connected World."