The FTC Warns Internet Of Things Businesses To Bake In Privacy And Security

The FTC has raised concerns about the complexity and privacy risks posed by the rise of an Internet of Things, with some 25 billion connected objects predicted to be online in 2015, and so-called smart home devices predicted to number around 25 million this year.

Concerns about privacy could encourage consumer mistrust of IoT devices, the FTC has warned, having a knock-on impact on consumer adoption. To avoid that scenario it has detailed some of the measures it thinks IoT companies should take to mitigate privacy risks.

FTC Chairwoman Edith Ramirez was speaking at the Consumer Electronics Show in Las Vegas, after touring the show floor where exhibitors are showing off a swathe of connected objects they hope consumers will be installing in their homes in future.

“[The Internet of Things] has the potential to provide enormous benefits for consumers, but it also has significant privacy and security implications,” warned Ramirez.

“Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks.”

Key privacy and security challenges

She went on to detail three particular privacy challenges that companies in the IoT space will need to grapple with — namely:

(1) ubiquitous data collection; (2) the potential for unexpected uses of consumer data that could have adverse consequences; and (3) heightened security risks

Ubiquitous data collection refers to the cumulative impact of multiple sensing and tracking technologies, which — working in symphony — could sketch a “deeply personal and startlingly complete picture of each of us”, said Ramirez, with the massive volume of collected data allowing analysis that generates additional sensitive inferences.

Connected devices are also increasing the sensitivity of the data collected, as sensors and devices find their way into the most intimate spaces in our lives: our homes, our cars, and even onto our bodies. “Connected devices are effectively allowing companies to digitally monitor our otherwise private activities,” she noted.

Then there is the worry about unexpected uses of collected personal data. So, rather than being used to enhance the experience of the particular product a consumer bought, the data a connected device harvests might be funneled off elsewhere — and be used by prospective employers to judge the merits of a job application, for instance, or by insurance companies to ascertain the risk of accepting a new customer, and so on.

“As businesses use the vast troves of data generated by connected devices to segment consumers to determine what products are marketed to them, the prices they are charged, and the level of customer service they receive, will it exacerbate existing socio-economic disparities?” said Ramirez.

“We cannot continue down the path toward pervasive data collection without thinking hard about all of these questions,” she added.

On the security point, she discussed the risk of connected objects becoming targets for hackers, with the proliferation of connected devices increasing both the number of entry points intruders can attack and the seriousness of any hacking incident, given how much sensitive data is now being connected.

She noted:

Data security is already challenging, as evidenced by the growing number of high profile breaches with which we are all familiar. But security in an IoT world is likely to present unique challenges. As an initial matter, some of the developers entering the IoT market, unlike hardware and software companies, have not spent decades thinking about how to secure their products and services from hackers. And, the small size and limited processing power of many connected devices could inhibit encryption and other robust security measures. Moreover, some connected devices are low-cost and essentially disposable. If a vulnerability is discovered on that type of device, it may be difficult to update the software or apply a patch – or even to get news of a fix to consumers.

Baking security and privacy into connected devices

To counter these challenges, the FTC is hoping IoT companies will adopt specific practices — and bake them into their business models — aimed at enhancing privacy and security, and bolstering consumer trust in their own products, and the IoT market as a whole.

The three measures set out by Ramirez are:

(1) adopting “security by design”; (2) engaging in data minimization; and (3) increasing transparency and providing consumers with notice and choice for unexpected data uses

On the security by design point, as well as prioritizing security and building it into devices from the outset, she said companies should conduct a privacy or security risk assessment as part of the design process; test security measures before a product is launched; use smart defaults (such as requiring consumers to change default passwords on set-up); consider encryption; and monitor products throughout their life cycle and patch any known vulnerabilities. There should also be designated people within companies who are responsible for security in the organization.

In other words, all pretty standard and sensible security procedures which larger companies may already be practicing. However, startup businesses, with their limited resources and impetus to speed new products to market while they are still disruptive, may well cut corners here. And therein lies another risk for the IoT as startups crowd in to rush their smart home devices into a nascent market. Those security ‘standards’ are going to slip.

Ramirez also discussed the importance of practicing data minimization. Which again potentially conflicts with the typical startup playbook. Grabbing as much data as you can to mine for future intel to monetize your free service is a common startup modus operandi, but not one that meshes naturally with the idea of collecting the minimum data possible, only for the specific product purpose and then discarding it as soon as possible afterwards. That’s what the FTC wants for the IoT, and that’s not how scores of startups operate. So another conflict lurks.

“Collecting and retaining large amounts of data greatly increases the potential harm that could result from a data breach. We often hear the argument that to realize the benefits of big data, businesses should not face limits on the collection and retention of data because the value lies in its unanticipated uses,” she said. “But I question the notion that we must put sensitive consumer data at risk on the off-chance a company might someday discover a valuable use for the information.”

“I agree that we need more dialogue on acceptable and unacceptable uses of consumer data. But I continue to believe that reasonable limits on data collection and retention are a necessary first line of protection for consumers,” she added.

She did discuss de-identifying consumer data as one possible compromise, although she also noted there is a risk of re-identification, adding that “sound technical strategies for making data anonymous should be coupled with administrative safeguards”. She also reiterated the FTC’s view that companies should publicly commit not to seek to re-identify data and, through contract, should also require the same commitment from those with whom they share data.

Finally she stressed the importance of clarity, transparency and choice when it comes to the ‘unexpected uses’ scenario — which looks likely to be an emergent property of the data mountain generated by the IoT. So that means “clear notice” provided to consumers, accompanied by “simplified choices” for any unexpected collection of their data.

Specifically, that means giving consumers the ability to consent (or not) when an IoT company is proposing sharing their data with a third party, and notification that is absolutely not embedded within a lengthy privacy policy or T&C agreement which does not get read. Rather, the FTC wants such notifications to be specifically flagged up, however challenging that might be for connected device designers.

In other words if your connected kettle business wants to sell intel to the local supermarket on how many cups of tea a particular user of its shop drinks per day, well the kettle itself is going to need to find a way to ask its owner nicely.

“I recognize that providing notice and choice in an IoT world is easier said than done. Connected devices may have little or no interfaces that readily permit choices. And we risk inundating consumers with too many choices as connected devices and services proliferate. But in my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice,” Ramirez added.