Agency’s Workshop Connects Privacy and Data Security Issues to Emerging Market of Connected Devices, Also Known As the “Internet of Things”

On Nov. 19, 2013, the Federal Trade Commission (FTC) held its workshop on privacy and security issues arising from the emerging market of connected devices, also known as the “Internet of Things.” Chairwoman Edith Ramirez opened the workshop with a clear message to entities operating in this space: apply privacy by design principles and build security into your devices because the FTC will be paying close attention to companies that don’t. 

FTC Commissioner Ohlhausen articulated a more comprehensive approach for the agency to move forward in this space. First, she urged the agency to use its “policy R&D function” to better understand the various technologies facilitating the Internet of Things. Second, the FTC should use that information to educate consumers and businesses on how to avoid or minimize any risks that the agency identifies. Third, she argued that the agency should continue to use its consumer protection authority to stop consumer harms that may arise from particular Internet-connected devices.

The agency’s workshop follows its recent enforcement action against a company operating Internet-connected video cameras that failed to employ suitable security practices. That case, which involved the distribution of private video feeds to the public, illustrates the potential scope of privacy and data security issues arising from the use of connected devices.

Many of those privacy and security issues were raised during the workshop, which included remarks from several FTC Commissioners and Bureau staff, as well as Google’s “Internet Evangelist,” Vint Cerf. The workshop focused on discrete sectors of this emerging industry, such as so-called smart homes; connected health and fitness devices; and connected cars.

The Internet of Things

At issue is the application of privacy and data security issues and concerns in the emerging market sector of connected devices. Some examples of devices connected through the Internet include Google glass, the wearable computing device which collects and transmits audio and video feeds of the surrounding environment; smart cars which use telemetry and other automated processes to navigate and power cars without human assistance; smart watches equipped with GPS and heart-rate monitors; and, appliances and devices which monitor energy, light and other components of a consumers’ home environment.

Application of Existing Privacy/Security Norms Questioned

Although FTC Chairwoman Ramirez signaled the agency’s intent to monitor these issues closely, there was little consensus on what privacy and data security principles should apply to connected devices. 

For example, several panelists noted that traditional concepts of notice and choice may not be feasible for many connected devices which have no, or limited, user interfaces. Further, many kinds of connected devices will not be accessible to, or even seen by, the end user. Without accessible user interfaces or “screens”, which would otherwise permit the user to receive notice and provide choice, many of these connected devices may not be able to facilitate notice and choice protocols like those used in other sectors.

Also, many connected devices operating in the Internet of Things generate significant amounts of data on a regular basis. Indeed, many of these devices rely upon frequent, and sometimes continuous, data inputs and transmissions from a broad array of connected devices. Consider the prototype of connected cars, which rely upon multiple data transmissions from multiple sources on a real-time basis. Application of data minimization principles in those circumstances may be difficult, if not impossible, to apply in a meaningful way. 

For these reasons, some argue that new privacy and security principles must be developed for the Internet of Things. For example, the Future of Privacy Forum released a white paper concurrent with the workshop arguing that traditional privacy and security principles, like those articulated in the Fair Information Practice Principles (FIPPs) cannot practically be applied to connected devices. 

Conceiving New (or Modified) Privacy/Security Norms for the Internet of Things

If existing FIPPs-based privacy and security norms should not (or cannot) apply to the Internet of Things, what principles should apply? Some ideas emerged during the workshop.

Many participants noted that defining sensible privacy and security norms in the Internet of Things may require greater reliance on the concept of contextual privacy. At its core, this principle is often understood to mean that information should be used only within the context that the information was collected. But in an environment of connected devices, some believe that context should be viewed in much broader terms. For example, Microsoft Technology Policy Group Director Carolyn Nguyen explained that context could be based on the nature of the data itself, how it was gathered, or the purpose for which it is used. Further, others argue that traditional principles of context should not limit the potential benefit from a myriad of possible uses of information, even those that the end user may not foresee. 

Second, the expanded use of anonymized or de-identified data was cited as another potential principle that may work well to protect privacy in the Internet of Things. Precisely how, when, and where such data is de-identified remains open to discussion, but incorporating these practices at the onset of a product’s life cycle—privacy by design—is one possibility.

The Road Ahead

Beyond these questions, there appears to be a consensus that any attempted regulation of entities operating in this space would be premature. As one workshop panelist explained, the community still needs to ask further questions about the problems that need to be solved, before attempting to define solutions to any perceived problems. Google’s Cerf agreed that regulation is premature and any action at this time would be “tricky.”

The agency’s Director of the Bureau of Consumer Protection, Jessica Rich, confirmed that the agency had no plans to try and apply prescriptive rules governing actors in this space. Instead, the FTC will issue recommendations and identify best practices in a report to be published next year. The agency will continue to accept comments on these issues until Jan. 10, 2014.

Until then, we expect the FTC will continue to watch this sector closely and police those entities that fail to employ reasonable security practices necessary to protect against inadvertent disclosure of consumers’ personally identifiable information.