The Federal Trade Commission wants companies to limit data collection and improve security practices as they develop the Internet of Things. The Internet of Things (IoT) refers to the estimated 25 billion devices that can connect to networks to send and receive data. It includes not only desktop and mobile computing devices, but also Internet-ready appliances and accessories such as the Nest Thermostat and the Fitbit activity tracker, as well as networked automobiles.
The Internet of Things is growing and is expected to reach 50 billion devices by 2020. With more and more companies adding sensors, processors, and networking capabilities to their products, the FTC has become concerned about how the networking of all these things will affect consumer privacy and security.
In a report issued on Tuesday, the FTC advised businesses to adhere to best practices for security and privacy, based on findings from a workshop it held in November of 2013. The agency's recommendations hew to accepted wisdom in the security and privacy communities. The report advises companies: to build security into devices at the outset, rather than after the fact; to train employees about security; to ensure outside contractors also follow security rules; to practice defense-in-depth, rather than to rely on a single perimeter defense; to employ some means of data protection (encryption); and to update devices over their lifespans to patch security vulnerabilities.
Beyond this non-binding best-practices boilerplate, the FTC also wants legislation "to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach." It also wants "broad-based (as opposed to IoT-specific) privacy legislation."
While it awaits such legislation -- unlikely given present political gridlock and the inevitable pushback from the tech industry -- the agency says it will enforce the FTC Act, the FCRA, the health-breach notification provisions of the HITECH Act, the Children’s Online Privacy Protection Act, and other laws that might apply to the IoT.
But one of the agency's recommendations in particular has alarmed anti-regulation advocates. The FTC wants companies to pursue data minimization, "limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely."
Daniel Castro, Director of the Center for Data Innovation at the Information Technology and Innovation Foundation, said in a statement that the FTC has failed to propose a regulatory approach that narrowly targets harms without hampering potential innovation. "In particular, in calling for companies to reduce their use of data, the FTC misses the point that data is the driving force behind innovation in today’s information economy," he said.
It's as if the FTC had advised the miners flocking to California in the 1849 gold rush to collect only as much gold as they could reasonably protect. That's essentially what the FTC is asking of today's data miners, who prefer to operate without such pressure in a largely informal regulatory structure that recalls California's past.
FTC Commissioner Joshua D. Wright, in a dissenting statement, argues that the FTC fails to provide adequate evidence to justify the potential economic impact of its recommendations. The agency's advocacy of data minimization, he argues, comes "[w]ithout providing any sense of the magnitude of the costs to consumers of foregoing this innovation or of the benefits to consumers of data minimization, and without providing any evidence demonstrating that the benefits of data minimization will outweigh its costs to consumers."
Assessing privacy in economic terms, however, considers only one possible dimension of the issue. Privacy also is a component of human dignity, which doesn't have an easily measured value. It is protected under the Universal Declaration of Human Rights and by US law. It should be the default case rather than an exception when affordable. As we develop the Internet of Things, the burden should be on would-be innovators to demonstrate responsible stewardship of data.