Harnessing the Internet of Things
Yesterday, the Federal Trade Commission (“FTC” or “the Commission”) released its long-awaited staff report on the Internet of Things (“IoT”), which was announced by Chairwoman Ramirez in her keynote at the 2015 State of the Net conference. Building on a workshop held in 2013, the Commission’s report is a comprehensive look at the promise of Internet-connected everyday objects, the risks that they might pose to consumers, and the Commission’s recommended regulatory and legislative paths forward. Fortunately for consumers, the Commission’s suggestions, born of a collaborative workshop with privacy groups and industry, do not approach the onerous attempts by the EU to regulate the IoT well before it gained a market foothold, which DisCo covered way back in 2012.
First, a short primer. The Internet of Things constitutes the growing wave of innovative technologies set to revolutionize the interactivity of the mundane products that we use every day. Smartwatches and other wearable devices get the most press, but introducing connectivity to other traditionally “dumb” devices in our environments will make them all more personal, adaptive, and efficient. Learning thermostats, networked refrigerators, Internet-enabled dog collars that track your pet’s location, and wearable fitness trackers are already on sale, with driverless cars, wireless pacemakers, and home automation systems making their way to the main floor of this year’s Consumer Electronics Show (“CES”).
The FTC highlighted the array of benefits of connected devices early in its report. Connected health devices can provide richer sources of data and improve preventative care for physicians and patients. An adaptive thermostat coupled with automated lighting and security can reduce energy costs for homeowners and allow for remote monitoring of homes. Connected cars can offer on-demand vehicle diagnostics to drivers and service facilities, deliver real-time traffic information, and provide automatic alerts to first responders when airbags are deployed. Self-driving cars may one day be widely available. Each additional type of connected device can provide another convenience or efficiency in the everyday lives of users.
Naturally, since the Commission is a consumer protection agency, its report focused primarily on the risks that the Internet of Things could present to consumers and provided recommendations for best practices to mitigate those risks. Connected devices send and receive personalized data by design, which leads to concerns about the security of private health and financial information that they might transmit. When the connected device is a car, home security system, or even an insulin pump, users’ well-being may be at risk if the device is improperly configured or hacked.
The report paid special attention to the privacy risks associated with a proliferation of billions of connected devices tracking granular personal details of users. Inferences from such personalized “big data” collection could be used to make credit, insurance, and employment decisions, or even allow for profiles of the personalities, personal lives, and travel habits of users.
The FTC recommended that manufacturers of connected devices take a number of steps to ensure their users’ privacy and security. It suggested that they incorporate multi-layered privacy and security into the design of such devices; establish a privacy and security program, with organizational accountability and training (particularly for those manufacturers without traditionally digital products); conduct risk assessments; and apply the Fair Information Practice Principles (“FIPPs”) – including data minimization, notice and choice.
However, not all of the Commissioners agreed. Commissioner Wright dissented from the publication of the staff report because the inclusion of these recommendations was, in his view, premature. He felt that “the Commission must exercise far greater restraint when examining an issue as far ranging as the ‘Internet of Things’ – a nascent concept about which the only apparent consensus is that predicting its technological evolution and ultimate impact upon consumers is difficult.” Furthermore, he noted:
I remain unconvinced that the proposed framework described in the Workshop Report – a combination of Fair Information Practice Principles as well as other concepts such as “security by design” – is the proper framework to apply to the still-nascent Internet of Things. In contrast, I support the well-established Commission view that companies must maintain reasonable and appropriate security measures; that inquiry necessitates a cost-benefit analysis.
Commissioner Wright’s concerns are well-grounded and a welcome addition to the record. As this nascent industry evolves, regulatory humility is necessary, because the 40+ year old Fair Information Practice Principles will at the very least have to be significantly adapted to do more good than harm. A balance must be struck between the protective measures suggested by the FTC and the usefulness of the connected devices for consumers, informed by the cost-benefit analysis of which Commissioner Wright speaks. The sole reason for the development of the IoT universe of products is the degree of personalization, automation, and convenience that they provide, and those benefits are a direct result of granular data collection and connectivity. Minimizing front-end data collection and instituting burdensome notifications each time new information is transmitted necessarily reduces the convenience and ultimate utility of connected devices. Consumers demand connected devices precisely because they do not have to think about them.
Coincidentally, the Commission’s consumer-protective report was released a day after news that the DEA maintains a massive national license plate reader program, which tracks the real-time whereabouts of millions of cars across the nation. The FTC’s recommendation for data minimization with respect to consumers’ connected devices stands in stark contrast to the extreme scale of the government’s own nonconsensual data collection.
The same privacy and security risks presented by connected cars are associated with the DEA’s dragnet database of the public movements of citizens’ vehicles, but with far graver consequences. Categorizing a consumer as a credit risk does not lead to the same Constitutional concerns as tagging a citizen as a criminal based on his travel habits. Ultimately, consumers are able to choose not to have a relationship with an at-risk manufacturer, but the same can’t be said for citizens and their governments.
While the FTC tries to have consumers’ best interests in mind, its efforts to safeguard the public’s privacy are severely undermined by other parts of the U.S. government, which have shown little regard for it. Perhaps the public would be better served by intelligence and law enforcement entities taking a few of the Commission’s recommendations to heart.