FTC Report Recommended Best Practices For Companies Offering Products For The Internet of Things
Wednesday, July 29, 2015
Earlier this year, the U.S. Federal Trade Commission (FTC) released a report about the Internet of Things (IoT): the set of technologies and devices outfitted with sensors collect data, communicate directly with each other, transmit data to the development company, and publish data to the Internet with human interactions. The FTC recommended:
"... a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security... The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances... Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use... However, the FTC report also notes that connected devices raise numerous privacy and security concerns that could undermine consumer confidence."
Experts have estimated 25 billion connected devices this year, and 50 billion by 2020. FTC Chairwoman Edith Ramirez said:
"The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers... We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The FTC held a workshop during November 2013 with interested industry participants. The report listed best practices identified and discussed during that workshop. Some important limitations of the report:
"... our discussion is limited to IoT devices that are sold to or used by consumers. Accordingly, the report does not discuss devices sold in a business-to-business context, nor does it address broader machine-to-machine communications that enable businesses to track inventory, functionality, or efficiency..."
The report listed some of the benefits from IoT devices:
"... connected medical devices can allow consumers with serious medical conditions to work with their physicians to manage their diseases. In the home, smart meters can enable energy providers to analyze consumer energy use, identify issues with home appliances, and enable consumers to be more energy-conscious. On the road, sensors on a car can notify drivers of dangerous road conditions, and software updates can occur wirelessly, obviating the need for consumers to visit the dealership..."
The disadvantages from the Internet of Things:
"... a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions..."
The report listed recommended a "security by design" approach with best practices for security, personnel, data minimization, and legislation. For security best practices, companies should:
- Conduct privacy or security risk assessments,
- Minimizing the data collected and archived,
- Test their security measures before launching products and services, and
- Monitor products (and services) throughout the life-cycle and patch known vulnerabilities.
For personnel best practices, the report recommended that companies:
- Train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization,
- Retain vendor and sub-contractors that are capable of maintaining reasonable security and provide reasonable oversight
- Identify significant risks within their systems, and implement corresponding defenses
- Consider implementing reasonable access control measures to limit the ability of unauthorized persons to access a consumer’s device, data, or even the consumer’s network
To minimize the amount of consumers' sensitive information collected, companies should:
"... examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data... data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data they collect...
Companies that collect consumers' information should obtain consumers' consent before collection. The report seemed to focus more on balancing consumers' needs for notice and consent with companies' needs for streamlined systems (link added):
"This does not mean that every data collection requires choice. The Commission has recognized that providing choices for every instance of data collection is not necessary to protect privacy. In its 2012 Privacy Report, which set forth recommended best practices, the Commission stated that companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer. Indeed, because these data uses are generally consistent with consumers’ reasonable expectations, the cost to consumers and businesses of providing notice and choice likely outweighs the benefits. This principle applies equally to the Internet of Things."
Many devices connected to the Internet of Things will not have traditional interfaces (e.g., keyboard, screen) like you see today with computers, laptops, tablets, and smart phones. Hence:
"Staff acknowledges the practical difficulty of providing choice when there is no consumer interface and recognizes that there is no one-size-fits-all approach. Some options include developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard. Whatever approach a company decides to take, the privacy choices it offers should be clear and prominent, and not buried within lengthy documents."
The example that comes to mind are Internet-connect refrigerators. For consumers to make informed choices, manufacturers must provide privacy and terms of use policies to consumers before and after purchase. This suggests alternative delivery methods of privacy and terms of use policies. I am sure that other privacy bloggers and privacy advocates will watch closely how these IoT devices are marketed.
Last, the report discussed the current state of legislation. the consensus seemed to be that more is needed at both the state and federal levels.
Download the FTC report: "Internet of Things: Privacy & Security In a Connected World" (Adobe PDF) from the FTC site. A copy is also available here.
What are your opinions of the Internet of Things? Of the recommended best practices? How would you like IoT manufacturers to delivery policies before purchase?
I suppose that these FTC guidelines for the Internet of Things, IoT, is the best that we can expect at the moment, given the power of the companies that oppose any restrictions on their ability to collect and use our personal information and the vast amounts of potential profits to be made from the IoT. Take, for example, Bill Gates' new company, which is focused on the hardware and software for the IoT and Google's acquisition of Nest, which is a pioneer in making the IoT devices. But, in pursuit of profit, firm and individuals will ignore these guidelines and will go to the limit of applicable law and beyond in exploiting the IoT to collect, trade, and otherwise use our personal information for their profits. And nothing short of well designed and strongly enforced laws will stop them.
Among those laws should be provisions that give every person rights and standing to sue at law and equity for relief and remedy for un-consented to collection and use of his personal information. Of course, a person's rights regarding his personal information should not stand solely on government granting him status to sue under statute or having a special status in the law but on the firmer and true foundation of being the owner of his personal information with all of the legal rights, constitutional, statutory, and at common law, which would arise from being the owner of his personal information. Until each of us is regarded as the owner of his personal information, the law's protection of our personal information and our rights in it and to it will remain unjustly incomplete and deficient.
Posted by: Chanson de Roland | Wednesday, July 29, 2015 at 10:28 AM
George, I thought you would find this of interest - LifeLock Is Facing An Existential Survival Threat (And The Prognosis Is Not Good) https://www.evernote.com/l/AAasGiyQk1ZHGqT3Ytj4QtHQoMsTSChuJ60
Bill Garner www.IDTShield.info
Posted by: Bill Garner | Thursday, July 30, 2015 at 08:48 AM