There are immense potential benefits from the Internet of Things, but also potential data security and privacy risks, said the Chair of the FTC this week.

Speaking to the Consumer Electronics Show on January 6 in Las Vegas, FTC Chair Edith Ramirez (D) commented that, “Whether it is a remote valet parking assistant, which allows drivers to get out of their cars and remotely guide their empty car to a parking spot; a new fashionable bracelet that allows consumers to check their texts and see reviews of nearby restaurants; or smart glucose meters, which make glucose readings accessible both to those afflicted with diabetes and their doctors, the IoT has the potential to transform our daily lives.”

However, this could be “the year we start hearing about smart-home hacking.” The same “connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal.” Ultimately, the Internet of Things poses three key challenges to consumer privacy and security, according to Ramirez: “(1) ubiquitous data collection; (2) the potential for unexpected uses of consumer data that could have adverse consequences; and (3) heightened security risks.” All of these, feeding the dangers of data brokers and Big Data analysis could “undermine consumer trust,” which she believes “is as important to the widespread consumer adoption of new IoT products and services as a network connection is to the functionality of an IoT device.”

Ramirez went on to express concern that smart televisions and tablet computers are tracking consumers digital trail, and that the data might be shared with “prospective employers or universities,” or even worse, with “data brokers, who will put those nuggets together with information collected by your parking lot security gate, your heart monitor, and your smart phone” to “picture of you that you will not see but that others will.” She suggested that introducing “sensors and devices into currently intimate spaces – like our homes, cars, and even our bodies – poses particular challenges.” The FTC Chair then touched upon familiar notes about the purported dangers of Big Data analysis and data brokers: “as businesses use the vast troves of data generated by connected devices to segment consumers to determine what products are marketed to them, the prices they are charged, and the level of customer service they receive, will it exacerbate existing socio-economic disparities?”

The security risks in a connected world are still getting sorted out, and most devices are at risk of hijacking, just like computers. The Internet of Things will “increase the number of entry points an intruder could exploit to launch attacks on or from,” and as we connect “more devices linked to our physical safety, such as our cars, medical care, and homes,” vulnerability will only increase.

Ramirez believes that the keys to successful Internet of Things business models include:

  • Data security: The FTC Chair recommended that “companies should prioritize security and build security into their devices from the outset. Specifically, companies should: (1) conduct a privacy or security risk assessment as part of the design process; (2) test security measures before products launch; (3) use smart defaults – such as requiring consumers to change default passwords in the set-up process; (4) consider encryption, particularly for the storage and transmission of sensitive information, such as health data; and (5) monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities. In addition, companies should implement technical and administrative measures to ensure reasonable security, including designating people responsible for security in the organization, conducting security training for employees, and taking steps to ensure service providers protect consumer data.”
  • Data minimization: She also recommended that “companies should collect only the data needed for a specific purpose and then safely dispose of it afterwards. …Data that has not been collected or that has already been destroyed cannot fall into the wrong hands. Collecting and retaining large amounts of data greatly increases the potential harm that could result from a data breach.”
  • Deidentification: “To the extent that companies collect information, they should de-identify consumer data where possible,” she said. While it may not be perfect, “sound technical strategies for making data anonymous should be coupled with administrative safeguards. As the Federal Trade Commission has said, companies should publicly commit not to seek to re-identify data and they should, through contract, require the same of those with whom they share data.”
  • Notice and choice: A smart thermostat “gathering information about their heating habits” or “a fitness band” tracking their exercise is easily understood by consumers. However, Ramirez asked, “would they expect this information to be shared with data brokers or marketing firms?” In such cases of unexpected data use, “consumers should be given clear and simple notice of the proposed uses of their data and a way to consent. This means notice and choice outside of lengthy privacy policies and terms of use.” Admittedly, many devices in the Internet of Things will not have interfaces that could easily allow notice and choice, and Ramirez even gave a nod to the problem of notice fatigue. Still, she insisted, “the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice.”

The FTC Chair concluded with ebullience “that the same ingenuity, design acumen, and technical know-how that is bringing us the IoT can also provide innovative ways to give consumers easy-to-understand choices. I believe steps like the ones I have described are critical to fostering consumer trust. And they are also good business.”