Privacy & Information Security Law Blog

On November 19, 2013, the Federal Trade Commission held a workshop in Washington, D.C. to discuss The Internet of Things: Privacy & Security in a Connected World. FTC Chair Edith Ramirez and FTC Senior Attorney Karen Jagielski provided the opening remarks. Chairwoman Ramirez raised three key issues for workshop participants to consider:

• The Internet of Things will result in increased data collection, amplifying the importance of simplifying choices and giving control to individuals with just-in-time notices. Transparency will facilitate consumer understanding of the collection, use and sharing of personal data. Data privacy principles will still apply in The Internet of Things world, but will have to be adapted to respond to new realities.
• There is a real danger of data being used in unexpected ways. The trick will be to determine what “reasonable” expectations regarding data usage should be, and then manage consumer expectations accordingly.
• Security is taking on a new dimension, and the need to secure data in The Internet of Things will be paramount, as demonstrated by the recent FTC enforcement action against TrendNet. The FTC will not shy away from taking action again.

Following the opening remarks, National Science Foundation official Keith Marzullo discussed some current Foundation research focused on privacy and security issues with respect to the Internet of Things. For example, the Foundation has been examining technical vulnerabilities and security solutions to help protect pacemakers, vehicles, industrial control systems and telerobotics used by doctors engaged in remote surgery on soldiers in distant theaters of war.

In addition, Carolyn Nguyen, Director of the Technology Policy Group at Microsoft, discussed the findings of a recent Microsoft study of contextual data privacy and the factors that influence peoples’ sensitivities with respect to the use of their personal data. Microsoft identified objective variables (including the type of data, type of entity collecting the data, type of device, and the method of collection), as well as subjective variables such as the consumer’s level of trust in the entity and the perceived value to the consumer of the entity’s use of their data. Microsoft found that the relative importance of these variables differed by country and region. Ms. Nguyen concluded by discussing how these findings could be used to introduce contextual privacy in devices and applications.

The keynote address was delivered by Vint Cerf, Vice President and Chief Internet Evangelist of Google, Inc. He began by presenting statistics on current Internet usage, noting that there are 3 billion Internet users and 7 billion mobile devices in use worldwide. He then reviewed the growing variety of networked appliances, including consumer goods (refrigerators, bathroom scales, picture frames, beer kegs, and even surf boards), sensor systems, personal medical instruments, fitness sensors, remote controlled devices, wearable devices (like Google Glass), and self-driven cars. More broadly, he discussed the implications for smart cities, providing open access to city information and the implementation of the smart grid.

Cerf emphasized the many benefits of The Internet of Things, including:

• the huge potential for local, regional, national and global optimization of resource management;
• the creation of standards and interoperability for various products and services;
• improvements in the management of health and wellness through continuous monitoring (including early detection of epidemics);
• the democratization of access to learning and education for the masses; and
• great leaps forward in innovation affecting the products and services people use every day.

Cerf also highlighted a few notable challenges, including the transition to Internet Protocol Version 6 (“IPv6”), configurations for massive numbers of devices, dynamic self-configuration and access control.

FTC Commissioner Maureen Ohlhausen gave her remarks at the workshop in the afternoon, stating that The Internet of Things has great potential for industry and society, and it is important to realize these benefits while reducing risks to consumer privacy and security. In particular, Commissioner Ohlhausen identified three areas of the enhanced risks associated with The Internet of Things: data security, mobile services and Big Data.

Ohlhausen detailed the FTC’s role in balancing the benefits and risks of The Internet of Things by outlining a three-pronged approach for the FTC. The FTC’s approach will focus on (1) policymaking and research, to understand technology, new challenges and how existing regulation fits in; (2) providing information and consumer education to increase awareness and offer guidance to both business and consumers; and (3) bringing enforcement actions when violations occur.

During a later afternoon presentation on “Connected Health and Fitness,” panelists discussed examples of the significant medical benefits associated with the real-time sharing of medical data with doctors using networked devices such as insulin pumps. Vulnerability researchers, however, have publicly exposed security weaknesses of several leading insulin pump devices, and studies have revealed that many networked medical devices do not encrypt the health data that they collect. Many manufacturers of such devices have not established privacy policies, and those that do have policies often fail to follow them.

Finally, in her closing remarks, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said that the FTC is not planning to issue new regulations on The Internet of Things. Instead, the FTC will be issuing a summary report of the workshop.