The Internet of Things definitely has data privacy and security issues. With so many devices communicating all the time, it’s more likely that there will be a weak spot somewhere. So on Tuesday, the Federal Trade Commission released a report detailing its best-practice recommendations for the Internet of things. But not everyone agrees with the agency’s approach.
The major message from the FTC is that companies should be self-policing their security measures, their transparency with customers, and—perhaps most controversially—their data-retention decisions. In a press release, FTC Chairwoman Edith Ramirez said, “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The report, which is based on notes from an FTC IoT workshop that took place in 2013, emphasizes designing products and services with security as a primary focus—instead of considering it only midway through the development process. The agency also discusses the importance of training employees and choosing third-party partners with security in mind. It also emphasizes that companies should jettison customer data that they don’t need.
Importantly, the FTC doesn’t call for new IoT legislation from Congress. “There is great potential for innovation in this area,” the report says. “IoT-specific legislation at this stage would be premature.” The agency did reiterate its request that Congress pass stronger security legislation, an issue that President Obama also mentioned in his State of the Union address last week. “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” FTC Chairwoman Ramirez said.
Industry advocates seemed relieved that the FTC wasn’t pushing for legislation that might make service development or device manufacturing more difficult. For example, the Software & Information Industry Association said in a statement, “We strongly agree that legislation or a broad regulatory framework to govern the IoT is premature, and could threaten its tremendous societal and economic potential.”
But not everyone agrees with the FTC’s analysis. Chief among them is FTC Commissioner Joshua Wright, who wrote a dissenting statement in response to the report, highlighting multiple aspects he feels are flawed. Wright argues that many of the agency’s recommendations aren”t based on adequate analysis. He says that he supports “reasonable and appropriate security measures” but that attempts to characterize and recommend specific structural approaches are doomed because the IoT is too nascent and there isn’t yet enough evidence about how it will function. He wrote:
An economically sound and evidence-based approach to consumer protection, privacy, and regulation of the Internet of Things would require the Commission to possess and present evidence that its policy recommendations are more likely to foster competition and innovation than to stifle it.
Wright and others also object to the “data minimization” recommendation in the FTC report. This section details the agency’s belief that companies should be limiting the data they keep and actively eliminating data that aren’t useful. In this way, the FTC says, industry can “minimize the individualized data companies have about consumers, and thus any potential consumer harm.” The agency does note that “some participants expressed concern that requiring data minimization could curtail innovative uses of data,” but its overall recommendation is to reduce data collection. Hackers can’t steal what you don’t have, right?
But some were disappointed by this stance. Daniel Castro, the director of the Center for Data Innovation at the Information Technology & Innovation Foundation, points out that the FTC report contains three pages on the benefits of the Internet of Things alongside nine pages detailing the risks. “I think they just don’t fully understand the benefits,” he said. “The whole point of [IoT] companies is they’re trying to collect data, that’s the model of innovation right now. And to just say ‘don’t have it’ ignores the reality of the technology today, it’s in every industry.”
The FTC isn’t the only agency thinking about how best to regulate the Internet of Things. Ofcom, the United Kingdom telecommunications regulator, published an outline of its approach to IoT regulation on Tuesday. The agency brought up many similar points as the FTC, but seemed to take data collection and retention as more of a given. It also had more focus on international interoperability. Ofcom wrote:
There is a danger that … privacy issues could hinder the development and widespread take-up of the IoT if they are not addressed. We are therefore interested in stakeholders’ views on the scale and nature of privacy issues that will emerge.
Since it mainly outlines recommendations and best practices, the FTC report probably won’t lead to significant change in itself. “The FTC has decided that they want to be more engaged in tech issues … They’re an agency that’s looking for problems, and they should be,” Castro said. But he added that the report would have been more constructive if it had provided concrete examples of how the FTC could specifically extend its authority to protect IoT consumers. “They didn’t do that,” he said.