FTC published on 27 January a Report on the Internet of Things, based on the conclusions of a workshop organised in November with representatives of industry, consumers and academia.
It is apparent from the Report that the most important issue to be tackled by the industry is data security – it represents also the most important risk to consumers.
While data security enjoys the most attention in the Report and the bigger part of the recommendations for best practices, data minimisation and notice and choice are considered to remain relevant and important in the IoT environment. FTC even provides a list of practical options for the industry to provide notice and choice, admitting that there is no one-size-fits-all solution.
The most welcomed recommendation in the report (at least, by this particular reader) was the one referring to the need of general data security and data privacy legislation – and not such legislation especially tailored for IoT. FTC called the Congress to act on these two topics.
Here is a brief summary of the Report:
The IoT definition from FTC’s point of view
Everyone in the field knows there is no generally accepted definition of what IoT is. It is therefore helpful to know what FTC considers IoT to be for its own activity:
“things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.
In addition, FTC clarified that, consistent with their mission to protect consumers in the commercial sphere, their discussion of IoT is limited to such devices that are sold to or used by consumers.
Stunning facts and numbers
- as of this year, there will be 25 billion connected devices worldwide;
- fewer than 10,000 households using one company’s IoT home automation product can “generate 150 million discrete data points a day” or approximately one data point every six seconds for each household.
Data security, the elephant in the house
Most of the recommendations for best practices that FTC made are about ensuring data security. According to the Report, companies:
- should implement “security by design” by building security into their devices at the outset, rather than as an afterthought;
- must ensure that their personnel practices promote good security; as part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization;
- must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so;
- should implement a defense-in-depth approach, where security measures are considered at several levels; (…) FTC staff encourages companies to take additional steps to secure information passed over consumers’ home networks;
- should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network;
- should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
Attention to de-identification!
In the IoT ecosystem, data minimization is challenging, but it remains important.
- Companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data.
- To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in deidentified form.
When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should
- take reasonable steps to de-identify the data, including by keeping up with technological developments;
- publicly commit not to re-identify the data; and
- have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data.
Notice and choice – difficult in practice, but still relevant
While the traditional methods of providing consumers with disclosures and choices may need to be modified as new business models continue to emerge, (FTC) staff believes that providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT. Notice and choice is particularly important when sensitive data is collected.
- Staff believes that providing consumers with the ability to make informed choices remains practicable in the IoT;
- Staff acknowledges the practical difficulty of providing choice when there is no consumer interface, and recognizes that there is no one-size-fits-all approach. Some options are enumerated in the report – several of which were discussed by workshop participants: choices at point of sale, tutorials, codes on the device, choices during set-up.
No need for IoT specific legislation, but general data security and data privacy legislation much needed
- Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time;
- However, while IoT specific-legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation;
- General technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself;
- General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace; In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it.