What the FTC Worries About with Nest, FitBit, and Privacy in the Internet of Things
The FTC has officially released a report on their recommendations for the Internet of Things. And the number-one item on their list of priorities? Privacy.
The Internet of Things is a term that describes the trend of connecting everyday devices to the Internet and to each other. Home appliances, wearables, and jet engines are already ushering in the complete connection of devices, and there’s plenty more where that came from. Google’s snapping up Nest (thermostats controlled by mobile app) for $3.2 billion, while Samsung went after SmartThings (apps for locking doors and flipping switches around the house) to the tune of a reported $200 million, clearly showing that the people making the gadgets are excited about the opportunities the Internet of Things provides.
The report summarized a workshop the FTC had hosted for their staff to discuss recommendations for dealing with the Internet of Things, but for the industry the most important aspect was its concerns about privacy.
According to the report, six years ago the number of devices passed the number of people on the planet. Now we’re up to 25 billion devices connected to the Internet, and the FTC estimates that number will double by 2020. So there’s a lot riding on the security of this system. The staff’s recommendations fell into three main categories: security, data minimization, and notice and choice.
Notice and Choice
The FTC notes that there is no “one-size-fits-all approach” for notice and choice, a term used to describe the process of giving consumers more say in how, when and if their data is collected, but reaffirms their commitment to notice and choice principles, such as consumer protection. As Jared Bomberg writes for Chronicle of Data Protection, it isn’t clear right now what that needs to look like and it certainly won’t be easy–but it’s important:
FTC staff reiterated their support for notice and choice, despite the fact that many participants in the FTC’s 2013 IoT workshop described the difficulties of implementing notice and choice with IoT devices. Noting that there is no one-size-fits-all approach to notice and choice, the report offers suggested practices such as developing video tutorials, affixing QR codes on devices, or providing choices at point of sale, within set-up wizards, or in a privacy dashboard. The report also recognizes that not every data collection requires choice. Some forms of data collection and use may be consistent with users’ reasonable expectations and not require choice. For situations concerning data that is inconsistent with users’ reasonable expectations, however, FTC staff recommends that companies should offer clear and conspicuous choices. While the report states that the Commission has protected privacy through a use-based approach, the report also clearly expresses concerns about adopting a pure use-based model for IoT.
The report also calls for companies to be more mindful of data minimization–reducing kept or collected data in order to minimize the harm in a potential data breach. It’s a particularly tricky area given how much momentum there is behind certain data-driven applications (like FitBits, which exist to mine your health data). Even FTC commissioner Maureen Ohlhausen found the data minimization suggestions “overly prescriptive.” According to Shelton Abramson of Inside Privacy:
…The FTC staff states that companies must strike a balance between consumer privacy and collecting data that affords companies “the flexibility to innovate” around beneficial new uses of data. Thus, while companies should “impose reasonable limits on the collection and retention of consumer data,” the FTC staff emphasizes that its recommendations are intended to be “flexible” and provide companies with “many options.” According to the FTC staff, companies “can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data they collect.” If a company does not take advantage of one of these options, it can obtain consumer consent to that collection. The FTC staff also emphasizes that appropriate collection and retention practices depend on whether the data at issue is “sensitive” (e.g., health data).
Of course all of these policies harken back to the big one: security. The FTC outlined a plan in their supplementary guide for businesses that entailed six best practices for companies to consider, notably including security in their designs from the get-go. As Cheryl Falvey notes in her piece for Retail & Consumer Products Law Observer:
To tackle the challenges of launching products on the Internet of Things, the FTC recommends designing security into interconnected products from the outset as well as monitoring products post sale to quickly identify security risks…Whether designing for safety or security, regulators expect design engineers to play a central role in an overall program that operationalizes safety and security as part of ordinary business processes. Both the CPSC and FTC demand engineering solutions for legal compliance and ask companies to build multiple layers of safety and security into a product by design. Protecting against cybersecurity risks and safeguarding data collected by products on the Internet of Things needs to become business as usual, not some special new legal requirement. Existing corporate process development programs built to ensure a continuous improvement loop in product design need to be updated to ensure that safety, security and privacy are built into every product on the Internet of Things.
So after all that, what does the FTC recommend for legislation? For now, nothing. They’re of the belief that “legislation aimed specifically at the IoT at this stage would be premature,” endorsing self-regulatory programs by businesses and their prior recommendations that Congress enact general privacy and data security legislation. They also cite laws already in place, like the Children’s Online Privacy Protection Act, the Fair Credit Reporting Act, and the FTC Act, to stave off any new legislation until we know more.
Time will tell if they’re correct that this industry can get by on its own for a while–with the increase in awareness and calls for cybersecurity, it wouldn’t be out of the blue. But it’s also important to remember that next to the breakneck speeds of the tech industry, Congress moves with the urgency and awareness of a snail. The eyes of Congress are already turning towards the Internet of Things, but for now there’s not enough information to predict the future of legislation, and it wouldn’t be the first time the law was behind the digital times. It’s a bit of a gamble to hope that legislation will strike while the iron is still hot, when there’s enough information to enact effective legislation while still remaining effective. For now we’ll just have to set our devices to wait and see.