Yesterday, the Federal Trade Commission (“FTC”) held a long-awaited workshop on the “Internet of Things” (“IoT”), where nearly 200 data privacy and security professionals, device and appliance manufacturers such as Microsoft and GE, and lawyers and lawmakers engaged in a roundtable discussion about the evolution of connected devices and the data privacy and security perils it presents. The IoT refers to the technological ecosystem of the future, where the devices we use on a daily basis, such as cars, appliances, pacemakers, and smart phones, are interconnected in ways that create many efficiencies and benefits in our daily lives, but that also result in the collection of a tremendous amount of data by these devices that paints a valuable picture of consumers for businesses and advertisers. As Carolyn Nguyen, Director of the Technology Policy Group at Microsoft, described it, IoT consists of sensors (devices) that act as intelligent agents for individuals and are ubiquitously present to collect and transmit data about your every move.
One segment of the IoT workshop focused on “The Smart Home,” which illustrated the increased connectivity of our homes: from refrigerators that collect data about their contents and the hour and length of time you spend perusing them for a midnight snack, to smart meters that collect data about the amount of electricity you use and periods of high and low usage, to heating and cooling systems that collect data on the number of people occupying a room and adjust lighting and temperature automatically.
Other segments included “Connected Health & Fitness,” which described connected devices such as pacemakers that instantaneously transmit health information to your doctor, and “Connected Cars” that collect data on your driving tendencies and locations, while controlling your speed at critical moments. The paramount concern that emerged from these discussions was the concept of providing notice and consent to consumers regarding the collection, storage and use of consumer data in this unprecedented, complex and connected environment. Opinions differed about whether effective notice and privacy are even possible to achieve in the IoT environment.
Despite these concerns, participants were uniformly of the opinion that regulation is not appropriate yet, since the field is still evolving. In his keynote address, Vint Cerf, Internet pioneer and VP at Google, suggested that he might be uncomfortable developing regulations for the IoT because of the uncertainty about the types of problems that could emerge. Cerf stated that “before we write regulations, we need to understand the problems more deeply.” He also identified seven technical challenges facing the IoT:
• Need to standardize interfaces;
• Difficulty in configuring massive numbers of devices;
• Developing strong access control and authentication;
• Privacy and safety;
• Instrumentation and feedback;
• Dealing with software errors, vulnerabilities and software updates; and
• Potential opportunities for third party businesses.
Regulators staked their positions at the workshop regarding the IoT. Edith Ramirez, Chairwoman for the FTC, stated that the IoT will accelerate the disappearance of the boundaries between the virtual and physical worlds, thereby ensuring that our personal data will infiltrate every facet of our life. Nonetheless, Ramirez emphasized the FTC’s expectation that businesses will adhere to the agency’s core principles with respect to the IoT:
• Privacy and security by design;
• Simplified consumer choice; and
Chairwoman Ramirez added that companies will need to build security into their products and that the FTC will enforce this requirement. Notably, she stressed the need to ensure the security of patient health care information in the IoT to safeguard against unauthorized disclosures.
At the midpoint of the workshop, Commissioner of the FTC, Maureen K. Ohlhausen, stated that the FTC will be policing those who collect data, with a focus on data security, mobile privacy and “Big Data.” Ohlhausen cited the FTC’s data security enforcement action against TRENDnet, which settled in September, as well as the FTC’s mobile privacy enforcement action against Path, Inc., which settled in February, as examples of the types of actions it will take to ensure companies comply with their privacy policies and government regulations.
Jessica Rich, Director of the Bureau of Consumer Protection at the FTC, provided closing remarks for the workshop wherein she reiterated the importance of privacy and security and emphasized that the necessary protections must be built into the products and “nailed down before companies can come into your home” or vehicle to collect data. Director Rich noted the challenge of providing effective notice when no interconnection exists between many devices and where in some cases data is collected passively without the knowledge of the consumer. Director Rich concluded by announcing that the IoT workshop is not a prelude to regulation, but rather it is the first conversation between regulators, businesses and the public about the issues presented by the IoT and that the FTC will issue a report of best practices based on the information received at the workshop.
The comments by FTC’s leadership indicate that the agency will refrain from stifling regulations for the moment.
As a result, it will be incumbent on privacy professionals and practitioners to engage in self-regulation in line with the principles set forth by the FTC at the IoT workshop and in its upcoming report, especially since the FTC has made clear that it will enforce company privacy policies and existing regulations to protect consumers and their data in the IoT.