Web cameras, burglar alarms, fitness monitors, smartphones, and a host of other internet connected devices all have the potential to invade privacy by collecting and sharing personal information. Yet in many cases, the manufacturers and distributors of these devices either have taken no steps to include data security features to protect personal data or have affirmatively misrepresented the uses being made of the personal information they collect.
The Federal Trade Commission (FTC), fairly described as the de facto privacy and data protection agency of the federal government, showed in 2013 that it has discovered the privacy issues surrounding the explosive expansion of internet connected devices.
The FTC has indicated in several recent policy announcements that it will expand its attention to the privacy risks of internet connected devices in 2014. The agency also has told Congress that it will be seeking additional legislative authority specifically directed to the enforcement of standards to reduce the risk of breaches of data security, which includes data collected by internet connected hardware.
FTC Orders on Devices in 2013
In two signature cases resulting in consent orders in 2013, the FTC demonstrated that it is prepared to use its authority under § 5 of the FTC Act (15 U.S.C. § 45) to impose significant restraints on companies that violate fair information practices.
First, as we reported earlier in the year, in a settlement with TRENDnet, Inc., the FTC alleged that the retailer of an internet connected camera purchased by thousands of consumers for monitoring their homes and businesses represented that were secure from unauthorized tampering when they were in fact so insecure that a hacker who simply typed the word “netcam” into an internet search engine could obtain the IP addresses of hundreds of the cameras. In the course of the investigation, the FTC learned that the company had failed to implement even the most basic precautions to protect users login credentials, had failed to perform any vulnerability testing, and regularly ignored the requests of users to increase their privacy settings. Under the terms of the consent order between TRENDnet and the FTC, the company was required for a period of 20 years to report to the FTC on specific steps it takes to improve the security of the devices it sells, to provide free support to all customers who bought the camera to remove the security flaws, to make all of its advertising available to the FTC for inspection for 5 years, and take other steps to meet its privacy obligations.
Then, on December 5, 2013, the FTC entered in to a consent order with Goldenshores Technologies, LLC, the distributor of an app for Android phones widely distributed as the “Brightest Flashlight Free” app. According to the FTC’s complaint in that case, the app has been downloaded by tens of millions of users, but the company’s privacy notice “deceptively failed to disclose that the app transmitted users’ precise location and unique device identifier to third parties, including advertising networks.” Worse, the company deceived consumers by presenting them with an option to not share their information, even though it was shared automatically, thus rendering the option meaningless. The resulting consent order in Goldenshores includes requirements that Goldenshores must give the FTC prior notice before entering into any sale or merger, that the owner of Goldenshores may not, for 10 years, change his employment or start a new business without giving notice to the FTC, and that it must delete from company databases all of the geolocation and other personal information gathered from its customers.
Looking Forward to 2014
the expansion of the Internet of Things presents three main challenges to consumer privacy: first, it facilitates the collection of vastly greater amounts of consumer data; second, it opens that data to uses that may be unexpected by consumers; and third, it puts the security of that data at greater risk.
Chairwoman Ramirez went on to say that the FTC will be watching to see that companies undertake three critical steps in their design and marketing of internet connected hardware:
· building in consumer privacy protections from the outset, so-called “privacy by design;
· using data only for the purposes for which the consumer agrees to provide it; and
· providing proper security features on internet connected hardware to protect consumer privacy.
Failure to do so will invite FTC action, Chairwoman Ramirez said: “Companies that don’t pay attention to their security practices may find that the FTC will, as a company called TRENDnet recently learned.”
The FTC staff is preparing a staff report on internet connected devices, expected to be issued in mid-2014, which will provide a set of best practices for managing privacy and security. Manufacturers and retailers in the space may expect the agency will look to companies that fail to adhere to best practices as targets for enforcement action.
On December 6, 2013, the Director of the FTC’s Bureau of Consumer Protection, Jessica Rich, promised in a speech to the IAPP “We have no intention of slowing down. Our privacy work will continue at a rapid pace in the coming year.”
In February 2014, the FTC will be hosting another conference data privacy conference, this time focused on mobile device tracking. The agency wants to learn more about how companies track smartphones and other Wi-Fi connected devices to track the location of and reveal information about consumers. The FTC notes that “In most cases, this tracking is invisible to consumers and occurs with no consumer interaction. As a result, the use of these technologies raises a number of potential privacy concerns and questions.” The conference will lead to another staff report later in 2014, likely with another set of best practices recommendations that can become de facto standards upon which the agency bases enforcement decisions.
The FTC also has made no secret of the fact that it understands that its role as the sole federal agency with a mission to protect consumer privacy is flirting at the edges of its statutory authorization. In testimony before the House Subcommittee on Commerce, Manufacturing and Trade on December 3, 2013, Chairwoman Ramirez said that the FTC is seeking specific legislative authority to enforce a uniform set of rules on data breach notification and to permit the FTC to impose civil penalties on companies that fail to maintain proper data security.
Manufacturers and retailers of internet connected devices need to watch carefully as the FTC moves forward on its agenda in 2014. Expect enforcement actions against more companies that fail to provide reasonable security for data collected from such devices, and more aggressive steps to be taken against those that misrepresent their collection, use and sharing of such data.
With or without specific legislative authorization, and in the absence of any effective legislative action on broader national privacy standards, the FTC’s role as the de facto regulator of data privacy in the commercial marketplace will continue to expand in the year ahead.