On November 19, 2013, the Federal Trade Commission (the FTC) hosted a workshop titled the Internet of Things—Privacy & Security in a Connected World. Per the FTC:

The ability of everyday devices to communicate with each other and with people is becoming more prevalent and often is referred to as “The Internet of Things.” Connected devices can communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors. … The workshop [was focused] on privacy and security issues related to increased connectivity for consumers, both in the home (including home automation, smart home appliances and connected devices), and when consumers are on the move (including health and fitness devices, personal devices, and cars).

In a sense, the privacy and security issues associated with sharing information among numerous devices are next in a logical progression from the recent focus on ever-increasing service provider handling of personal information. In addition to the FTC, other state and federal agencies and standard-setting bodies (including NIST) are recognizing that control systems, sensors, and the like must be taken into account along with traditional information systems in any sophisticated information/cyber security program. This focus also fits well with the FTC’s recently-announced top agenda items of (non-HIPAA) consumer health data security, predictive behavior/contextual data technology, and mobile device tracking.

Most fundamentally, the “Internet of Things” captures the concept of a highly-connected world in which devices connected to the Internet include phones, cars, home automation and security systems, utility meters, and even commodity-measuring tools for items such as milk and light bulbs.

Several recurring themes emerged as takeaways from the workshop:

  • The importance of the context in which information is collected: For example, data generated by a home automation system to control a coffee pot may be inappropriate for marketing purposes.
  • Consumer awareness and “privacy by design” considerations: Consumers underestimate how information collected about them might be used in a harmful manner. For example, consumers may not appreciate that information collected by their utility could indicate what types of devices they use, when they use those devices, and even when they are home or on vacation. On the flip side, developers may not place significant emphasis on, or make adequate investment in, information security in the midst of rapid innovation, market pressures, and the difficulty of predicting the myriad potential uses of the information generated or obtained.
  • The viability of Fair Information Practice Principles (FIPPs) notice and choice: The FTC continues to evaluate the current, traditional FIPPs approach to privacy notice and choice. Several panelists noted the limitations of such an approach in a world where information is collected about consumers ubiquitously, often without any user interfaces. Ultimately, solutions may involve standardized disclosures and notices in connection with use (as opposed to collection) of information. (Query whether the situation calls for a more EU-style approach, where information can’t be used except for a lawful purpose, as defined by the law.)

In her closing remarks, Jessica Rich, the director of the FTC’s Bureau of Consumer Protection, stated that, although the workshop was not a prelude to regulation, the FTC would issue a report on the topic in the near future.