On November 19, 2013, the Federal Trade Commission (FTC) held an information gathering workshop entitled "The Internet of Things: Privacy & Security in a Connected World." The purpose of the workshop was to explore consumer privacy and security issues raised by the growing connectivity of devices, and to inform the Commission about the developments in this area. The FTC will be preparing a report that includes recommended best practices for "smart" devices. Interested parties may submit public comments regarding the topics and issues addressed in this Client Advisory to the FTC on or before January 10, 2014.
What is the "Internet of Things"?
FTC Chairwoman, Edith Ramirez, opened the workshop underscoring that the "Internet of Things" has already entered into the lives of many consumers. With the growth of "smart" devices, an ever increasing number of gadgets can communicate and interact with consumers, transmit data back to companies, and compile data for third parties. While there are benefits to consumers, there are also privacy risks. The Chairwoman emphasized three main challenges in this area: (1) the ubiquitous collection of consumer data will require companies to implement fundamental best practices of privacy by design, simplified choice, and greater transparency; (2) connecting devices to the Internet will give rise to more data collection than the consumer may expect or understand; and (3) companies need to understand and address the security risks associated with connected devices, especially when it comes to sensitive personal information, such as devices that track personal health or fitness data. She reiterated that, while consumers will invite the "Internet of Things" into their homes, cars, or workplaces, they should be confident as to who exercises control over the personal information generated from such smart devices.
Carolyn Nguyen, the Director of the Technology Policy Group at Microsoft, who commented on the topic of "Contextual Privacy," highlighted the benefits that smart devices provide to the individual. The "Internet of Things" is a unique, data-driven ecosystem, which can help assist consumers in optimizing the world around them. She noted that striking the balance with privacy concerns depends on context, taking into account the type of device being used, the data collected, the level of trust that consumers have in the entity with which they are interacting, and how the data impacts decisions made for (not by) a consumer. Ms. Nguyen commented that new approaches are necessary as the "Internet of Things" grows to ensure that it is the individual who has control over his or her data.
The Smart Home
The day's first panel, "The Smart Home," focused on the increased connectivity of products and services for the home – from smart meters to appliances to home security. Panelists included representatives from government, business, industry, and consumer advocacy groups. Industry representatives explored new products and opportunities in the marketplace that can provide value, convenience, and greater choice to consumers, in the form of connected appliances. For example, these may include home appliances, such as wall ovens for which the consumer can remotely set the oven temperature, change the oven cycle, set clocks or times, among other options. The panel discussed that, from a consumer's perspective, companies should integrate consumer-friendly platforms so that separate mobile apps are not necessary to control each appliance in the home. More broadly, the panel collectively addressed how connected devices raise a number of privacy and security issues given the collection of large amounts of data.
Five primary themes emerged from this panel's discussion:
- Disconnect in Consumer Understanding: Consumers do not understand the implications of the data being collected from these devices. These "smart" products can collect and analyze massive amounts of data, much more than the consumer would ever expect.
- Providing Notice and Choice on Data Collection/Use: As this industry develops, consumers should be provided with more notice and choice over how this data is collected and used.
- Appreciation of Privacy and Security Risks: Companies developing these technologies may not fully appreciate and account for the privacy and security of the embedded device, and simple vulnerabilities may allow hackers to break into devices. This was evident in the FTC's recent enforcement action against TRENDnet. The devices should not merely rely on the consumer's WiFi or home network to be secure.
- Product Risk Assessment, Disclosures, and Context: The level of the security risk depends upon the consumer's perception of the risk. For example, connected light bulbs tend not to have a security system in place, whereas connected door locks require more network security. Consumers are not necessarily concerned with a hacker hijacking the lights in their home (which is possible). That said, consumers should be made aware about the security of all connected devices because once a hacker is able to gain access to one device, the hacker may be able to access the whole connected system.
- Privacy/Security By Design: Those who are developing the technology may not understand the security of the embedded device, and the ensuing risks that arise. The panelists generally agreed that developers should build in security by design. Security should be addressed from the inside out and at all levels.
Connected Health and Fitness
The workshop continued with the exploration of the benefits to consumers from connected health and fitness devices and apps, and the privacy and data security concerns associated with the collection of sensitive health data enabled by these devices and apps. Cora Han, Senior Attorney at the FTC's Division of Privacy and Identity Protection, began the session by briefly addressing the current regulatory landscape for such devices. Although there are no formal regulations in place, Ms. Han stated that the FTC has authority to enforce against connected medical and health devices, and against app developers in this space. In addition, the Food & Drug Administration (FDA) released final guidance in September 2013 for mobile app developers that are creating medical apps that perform the same or similar functions as traditional medical devices. For certain kinds of health information, the federal health privacy rule (HIPPA) also contains general privacy protections; however, most consumer-facing health-related apps are not covered by HIPPA, which generally applies to health insurance plans, health clearinghouses, and medical providers.
Panelists generally agreed that notice and choice should be a prerequisite for these types of devices. It may be difficult, however, to provide notice and choice with interconnected devices that do not have screens. Jay Radcliffe, the Senior Security Analyst at InGuardians, Inc., noted that the primary concern with smart devices is that consumers cannot make decisions about what information the device should be allowed to collect because the privacy information they receive from the manufacturer often is incomplete. He noted that, with these types of devices, it is reasonable for consumers to give up some privacy to receive a benefit (medical or otherwise), but consumers need to have the information to make an informed choice.
The panel also discussed other significant privacy and security concerns raised by connected health and fitness devices and apps. Stan Crosley, the Director at the Center for Law, Ethics, and Applied Research in Health Information at Indiana University, explained his concern that more information is going to be known about the consumer's health by others, than by the consumer, and whether there are limits to "acceptable use" of such health data. For example, a home insurer may wish to obtain a consumer's smart appliance data to determine whether the consumer routinely leaves the stove on. Joseph Lorenzo Hall, Chief Technologist at the Center for Democracy and Technology, raised the point that the "Internet of Things" brings commercial surveillance into the home, and that it is already prevalent in physical and retail establishments. He noted further that most of the data on the devices themselves is not encrypted, and may not be encrypted when it is transmitted from the device to third parties.
The third panel of the day focused on "Connected Cars" and the security and privacy issues related to modern automobiles. Kenneth Wayne Powell, General Manager and Senior Executive Engineer of Electrical Systems for Toyota Technical Center, began the conversation by explaining that cars today generally have two pathways for connectivity: data communication modules (or embedded modems) and smartphone-based connections via Bluetooth or USB. Christopher Wolf, Founder and Co-Chair of the Future of Privacy Forum, listed a myriad of benefits currently available to drivers through these connections, including communicating with first responders in emergency situations, helping drivers avoid traffic, identifying malfunctions with the car itself, and monitoring driving habits for other drivers (e.g., novice drivers). John Nielson, Managing Director of Automotive Engineering and Repair for the American Automobile Association, added that he believed that increased technology in cars was a benefit and had no downside. The challenge is to determine how technology is best used by and displayed to drivers to ensure safe driving.
The panel also addressed the security and privacy issues related to connected cars. Dr. Tadayoshi Kohno, Associate Professor of Computer Science and Engineering at the University of Washington, explained that modern cars employ dozens of computers that can be attacked. Through a series of experiments, Dr. Kohno and his colleagues found ways to break into a car's internal network and control car systems, including the engine, brakes, GPS, and microphones. Dr. Kohno noted, however, that these types of attacks were highly sophisticated and have not yet occurred outside of a test setting, and that the automotive industry and government have focused on addressing these and other anticipated security issues.
In terms of privacy, the panel noted that, while there is always the risk that data could be misused, some do not believe the data stored in cars are of interest to third parties. Mr. Nielson added that data stored in vehicles are generally volatile and used more for diagnostic purposes. Mr. Wolf added that connected cars do not record where a driver travels or how fast he or she as driving. Regardless, the panel explained that consumers need to be more aware of potential privacy and security issues related to connected cars. Mr. Powell and Dr. Khono also urged the automotive industry to find better ways to provide notice for, and obtain consent from, drivers regarding privacy issues. Finally, noting that there still may be new and undiscovered ways to use even a minimal amount of data to invade the privacy of drivers, Dr. Khono emphasized the importance of considering privacy and security issues early in the technology's design cycle.
Privacy and Security in a Connected World
The last panel of the day addressed the broader privacy and security issues raised by the Internet of Things. The panel was moderated by Ben Davidson, Staff Attorney in the FTC's Division of Marketing Practices, and Maneesha Mithal, Associate Director in the FTC's Division of Privacy and Identity Protection, who posed four scenarios for panelists to discuss.
Scenario 1: "Sue" wants to design a system of connected devices in her home that she can control with her smartphone. Panelists were asked whether she should be thinking about privacy and security as soon as she conceives of this idea. Panelists generally discussed that, when designing any connected device, Sue should be considering privacy and security from inception. They reiterated that: (1) it is necessary to communicate, collaborate, and consult with the developers designing the system, and understand what platforms the apps will be running on; (2) identify where the app will be marketed – in the U.S. or internationally; (3) consider whether these devices use iOS, Android, or HTML5; and (4) confirm how the data will be collected, used, and stored. Designing secure systems does not have to exhaust a company's financial resources; the panel noted, however, that failing to address these issues may end up costing businesses far more in the event of a data breach, or the loss of consumer confidence in the product or brand.
Scenario 2: "Jane" wants to start training for a marathon and considers buying a new smart device to help her train. The device can connect to her online calendar to schedule times for runs, calibrate optimal training programs, design running courses, and post her progress on her social network accounts. The package insert that comes with the product contains a Terms and Conditions sheet, but the sheet does not address data connection and the sharing of personal information. The panelists were asked how Jane is put on notice of the data collection and use, and whether the initial advertisement of the product or the intended use put Jane on notice that the manufacturer will obtain personal information from her use of the device. The panelists suggested that companies need to innovate with new ways to provide notice to consumers. Panelists were further asked how notice should be provided if the manufacturer starts selling consumer data for advertising purposes. Ryan Calo, an Assistant Professor at the University of Washington School of Law, explained that it is the "bait and switch" (or the insufficiently disclosed secondary use of the data) that bothers the privacy community – where consumers believe their data is being collected to track their fitness, and instead it is being used for marketing or other purposes.
Scenario 3: Sue's system for controlling interconnected devices via the smartphone is extremely successful. One day, however, Sue gets a call from "Tom," who runs a home security system that is compatible with Sue's app. Tom informs Sue that the login credentials for his home security system were compromised via the app and that criminals have posted live video feeds of some of Sue's customers on the Internet. Panelists were asked who should be held responsible for this breach. Marc Rogers, Principal Security Researcher at Lookout, Inc., stated that both the app and the home security systems should have security systems in place. Michelle Chibba,
Director of Policy and Special Projects in the Commissioner of Ontario's Office of Information and Privacy, suggested that Sue cannot outsource accountability; Sue is the first line of contact with the consumer, and her systems should be adequately secured.
Scenario 4: Sue is approached by a marketing company that wants to buy data about her customers. The panelists were asked whether and how the consumer should be given notice, and that such a sale would constitute a material, retroactive change to Sue's privacy promises. Panelists suggested that there are a number of ways to obtain consent. For example, if it is a consumer-facing app, then there could be a "just in time" notice. If there is a registration from the connected device, notice and consent could be obtained through e-mail.
Next Steps By The FTC on Smart Devices; Request for Comments
Panelists were asked what the FTC should do next. Industry representatives explained that one of the challenges with the "Internet of Things" is that the relevant questions continue to evolve. Continuing education on these issues for consumers, industry, and developers is key, and a "one size fits all" approach could stifle innovation. Consumer groups suggested that the FTC continue enforcement in this area and provide guidance or revisions to its privacy report.
Jessica Rich, Director of the FTC's Bureau of Consumer Protection, provided closing remarks at the end of the workshop. She indicated that the FTC's next steps will be to prepare a report that includes recommended best practices for smart devices. Ms. Rich stated that interested parties can submit public comments on the issues and topics addressed in this workshop for consideration by the FTC as it prepares its business guidance on or before January 10, 2014.