Tag Archives: federal trade commission

Main points from FTC’s Internet of Things Report

FTC published on 27 January a Report on the Internet of Things, based on the conclusions of a workshop organised in November with representatives of industry, consumers and academia.

It is apparent from the Report that the most important issue to be tackled by  the industry is data security – it represents also the most important risk to consumers.

While data security enjoys the most attention in the Report and the bigger part of the recommendations for best practices, data minimisation and notice and choice are considered to remain relevant and important in the IoT environment. FTC even provides a list of practical options for the industry to provide notice and choice, admitting that there is no one-size-fits-all solution.

The most welcomed recommendation in the report (at least, by this particular reader) was the one referring to the need of general data security and data privacy legislation – and not such legislation especially tailored for IoT. FTC called the Congress to act on these two topics.

Here is a brief summary of the Report:

The IoT definition from FTC’s point of view

Everyone in the field knows there is no generally accepted definition of what IoT is. It is therefore helpful to know what FTC considers IoT to be for its own activity:

“things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.

In addition, FTC clarified that, consistent with their mission to protect consumers in the commercial sphere, their discussion of IoT is limited to such devices that are sold to or used by consumers.

Stunning facts and numbers

  • as of this year, there will be 25 billion connected devices worldwide;
  • fewer than 10,000 households using one company’s IoT home automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household.

Data security, the elephant in the house

Most of the recommendations for best practices that FTC made are about ensuring data security. According to the Report, companies:

  • should implement “security by design” by building security into their devices at the outset, rather than as an afterthought;
  • must ensure that their personnel practices promote good security; as part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization;
  • must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so;
  • should implement a defense-in-depth approach, where security measures are considered at several levels; (…) FTC staff encourages companies to take additional steps to secure information passed over consumers’ home networks;
  • should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network;
  • should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

Attention to de-identification! 

In the IoT ecosystem, data minimization is challenging, but it remains important.

  • Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.
  • To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in deidentified form.

When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should

  1. take reasonable steps to de-identify the data, including by keeping up with technological developments;
  2. publicly commit not to re-identify the data; and
  3. have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.

Notice and choice – difficult in practice, but still relevant

While the traditional methods of providing consumers with disclosures and choices may need to be modified as new business models continue to emerge, (FTC) staff believes that providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT. Notice and choice is particularly important when sensitive data is collected.

  • Staff believes that providing consumers with the ability to make informed choices remains practicable in the IoT;
  • Staff acknowledges the practical difficulty of providing choice when there is no consumer interface, and recognizes that there is no one-size-fits-all approach. Some options are enumerated in the report – several of which were discussed by workshop participants: choices at point of sale, tutorials, codes on the device, choices during set-up.

No need for IoT specific legislation, but general data security and data privacy legislation much needed

  • Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time;
  • However, while IoT specific-legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation;
  • General technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself;
  • General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace; In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it.

Open Book: The Failed Promise of Information Privacy in America (by James P. Nehf)


With financial and other personal information about us in countless databases, and with companies such as Facebook and Google collecting data about their users to drive profits and satisfy expectations of shareholders, there is a pervasive concern that we have little control over access to potentially harmful uses of that information.

Moreover, many consumers believe that little can be done to address the problem except to give out as little information as possible and try our best to monitor our credit reports and financial accounts in an effort to detect unexpected activity if it occurs. By not enacting strong information privacy laws in the non-governmental sector, the U.S. Congress and the fifty states have effectively defaulted to a market-based model of privacy protection that relies heavily on individual self-policing and market incentives as the primary means of information control.

A self-policing privacy protection model could be effective if a market for information privacy were possible — if well informed individuals could shop their privacy preferences effectively. This book-length paper examines the reasons why this is highly unlikely and why privacy laws in the United States (or the lack thereof) will not protect legitimate consumer interests in the years to come.

Part 1 shows why information privacy is a social or societal value and not just an individual concern. Part 2 examines in more detail why individualist, market approaches to privacy protection are destined to fail. Part 3 continues this theme and examines research in behavioral sciences about how consumers make decisions in market transactions. Part 4 concludes by critiquing the “new” privacy framework released by the Federal Trade Commission. While the framework contains hopeful rhetoric calling for greater emphasis on societal solutions to privacy concerns, most of the framework continues to rely heavily on individual notice and choice in transactions that involve exchanges of personal information.

Number of Pages in PDF File: 260

You can download the book following this link: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2192471

Now that's some piece of news! Facial recognition technology, used by bars and stores in Central Florida

Reading news like this one make me realize that law and Science-Fiction are more related than one could ever imagine: “A decade ago, in the Dreamworks movie “Minority Report,” billboards spoke directly to the characters in the movie and even knew their names. In just weeks, that science fiction plot will become reality as some businesses in Central Florida will know who you are when you walk through their door. It’s thanks to enhanced facial recognition technology”.

This is what clickorlando.com reports.

Apparently, “If a woman was to walk up to a mall directory, a camera inside would take a photo.  It will recognize her gender, age and race and instantly provide an ad for the appropriate products. So, if the shopper is a 30-year-old woman, she might see adds for makeup, shoes and clothing”.

The news website also reports that “researchers with Carnegie Mellon University used facial recognition technology to identify college students who volunteered to be photographed for their study. By taking those photos and comparing them to photos found on social networking sites, such as Facebook, they were able to identify almost a third of them. That means they had profiles, ‘likes,’ interests and possibly family information”.

And it’s more to the story. “It’s not out of the question that 10 years from now we’ll walk down the street and people will be wearing camouflage so they’re not picked up by facial recognition trackers all over the place,” said Mark Eichorn of the Federal Trade Commission.

You can find the rest of the story HERE.