The Federal Trade Commission (FTC) yesterday released its staff report on the Internet of Things (IoT). The report summarizes the FTC’s November 2013 workshop, “The Internet of Things: Privacy and Security in a Connected World,” and provides FTC staff recommendations in this area. Notably, the report also describes best practices for data security and data minimization, and reaffirms the FTC’s commitment to notice and choice principles. We provide below an overview of the staff’s recommendations and the concurring and dissenting views of Commissioners Ohlhausen and Wright.
To address the security concerns raised by IoT, the report recommends that consumer-facing companies adopt heightened security practices. Many of the safeguards below will be well-known to companies that follow the FTC’s data security activities. FTC staff recommends that a company:
- implement “security by design” by building security into its devices at the outset, rather than as an afterthought;
- ensure that personnel practices promote good security;
- retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so;
- implement a defense-in-depth approach for systems with significant risk, where security measures are considered at several levels;
- consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device; and
- continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
The report suggests that companies consider limiting their collection and retention of consumer data. However, the report also recognizes the challenges of implementing this recommendation and the need to balance future beneficial uses of data with privacy protections. Given these considerations, FTC staff clarify that the data minimization recommendation is a flexible one that provides companies many options. The report states that companies could, for example, collect only the fields of data necessary to the product or service; collect data that is less sensitive; or de-identify the data they collect. In doing so, the FTC staff asks companies to make predictions regarding the value of data and its potential benefits, many of which may be unknown at the time of collection.
Notice and Choice
FTC staff reiterated their support for notice and choice, despite the fact that many participants in the FTC’s 2013 IoT workshop described the difficulties of implementing notice and choice with IoT devices. Noting that there is no one-size-fits-all approach to notice and choice, the report offers suggested practices such as developing video tutorials, affixing QR codes on devices, or providing choices at point of sale, within set-up wizards, or in a privacy dashboard. The report also recognizes that not every data collection requires choice. Some forms of data collection and use may be consistent with users’ reasonable expectations and not require choice. For situations concerning data that is inconsistent with users’ reasonable expectations, however, FTC staff recommends that companies should offer clear and conspicuous choices. While the report states that the Commission has protected privacy through a use-based approach, the report also clearly expresses concerns about adopting a pure use-based model for IoT.
Finally, the report stated that IoT-specific legislation would be premature at this time. Staff suggested that the development of self-regulatory programs designed for particular industries would be helpful as a means to encourage the adoption of privacy- and security-sensitive practices. The report also renews the Commission’s previous recommendation that Congress enact legislation to strengthen the Commission’s existing general data security and privacy tools.
The report was adopted by the FTC with a 4-1 vote, with Commissioner Maureen Ohlhausen issuing a concurring opinion and Commissioner Joshua Wright voting “no.” Importantly, while Commissioner Ohlhausen supports many of the FTC’s recommendations, she expressed concern about the report’s support for baseline privacy legislation and proposals for data minimization without exploring costs and benefits. Commissioner Ohlhausen also highlighted the missed opportunity to explore in depth the emerging tension between the IoT and the Fair Information Practice Principles (FIPPs), which has formed a core tenet of the IoT debate on privacy and security. Commissioner Wright, in his dissenting opinion, expressed similar concerns regarding the lack of a cost-benefit analysis, and added that the FIPPs and concepts such as “security by design” were not well suited to address the “still-nascent” IoT.