FTC to Internet of Stuff: Security, motherf****r, do you speak it?
No new laws yet – emphasis on the word yet
US regulator the FTC says now is not the time for new laws on the "Internet of Things" – but security needs to be improved as we enter the era of always-on, always-connected gadgets, sensors and machines embedded in homes, streets and pockets.
In a report [PDF] published today, the commission's staff make a number of policy recommendations for the wave of new devices that collect and transmit data on our everyday lives.
From the camera that posts pictures online with a click, to automated home lighting and heating, to FitBits and Apple Watches, the Internet of Things (IoT) was the focus of this year's Consumer Electronic Show, as well as a speech by FTC chairwoman Edith Ramirez.
There will be 25 billion devices connected to the internet by the end of the year, doubling to 50 billion by 2020, according to Cisco's estimates. The problem is that many of the companies churning out these gizmos are not properly considering the risks associated with gathering masses of personal sensitive data, we're told.
Security, and ultimately the safeguarding of privacy, is the biggest problem, says the FTC. And it needs to be built "into devices at the outset rather than as an afterthought." Employees also need to be trained up on the importance of security so there is a company-wide understanding and approach to protecting data, both internally and with any third parties that companies work with.
Additional measures such as good network defenses to prevent unauthorized users from getting access to data, and keeping an eye on security holes and providing security patches on time, should also be key considerations.
Given that, for example, home router makers are so slow to patch security vulnerabilities in firmware, what luck does anyone have fixing critical flaws in their IoT light switches, boilers and shoes?
As well as security, companies jumping on the IoT bandwagon should also think about "data minimization", meaning limit the amount of information that is gathered and only retain it for a certain period of time.
The FTC's logic of that approach is that the fewer sensitive bytes companies hold, the less of a target their database will be (in theory) and the less opportunity exists for it to be used in ways that customers would be unhappy about.
Alternatively, companies could go out of their way to "de-indentify" data so it cannot be linked to specific individuals.
What you got?
In a related point, the FTC recommends that businesses adopt a "notice and choice" approach to data, ie: customers are informed what records the company gathers and are given the choice to opt out of its collection.
In order to prevent people from being overwhelmed with approval requests, the commission recommends that this "notice and choice" approach is adopted for any uses that would be "unexpected", ie: not immediately obvious to the consumer.
Obviously, this is something for lawyers to have fun with: sadly, is a photo-sharing app monitoring your movements really "unexpected" in this day and age?
If companies immediately de-identify data – erase any way to pick out a particular person from the information – the need to offer choices is greatly reduced, apparently.
As for legislation, the FTC report acknowledges that new laws may be needed at some point, but that it is too early to do so "given the rapidly evolving nature of the technology." As such, it sees self-regulation as the best way forward.
It does note however that the commission called for broad privacy legislation back in 2012, including breach notification laws, and that remains its position.
It is worth noting that the report was published only after four of the five commissioners voted in favor of doing so. The fifth commissioner, Joshua D Wright, published a dissenting opinion [PDF] and argued that the document is a weird hybrid between a writeup of discussions and a formal policy statement.
He would prefer one or the other, not a seemingly rushed mix of the two.
The report itself was based on a workshop held back in November 2013, and referred to subsequent public comments on the session. But the report as presented includes a range of policy recommendations.
Wright argues that if the FTC's staff wishes to produce policy recommendations, it needs to back them up with data, rather than "merely rely upon its own assertions." A workshop report should be a report of what people said; a formal report should "possess and present evidence that its policy recommendations are more likely to foster competition and innovation than to stifle it," he argues. ®
Sponsored: 2016 Cyberthreat defense report