
Digital Media, Technology & Privacy Alert >> In “Internet of Things” Report, FTC Staff Warns Makers of Connected Devices to Improve Privacy and Security

January 28, 2015

A new report on the “Internet of Things” (IoT) issued by Federal Trade Commission (FTC) staff acknowledges the remarkable growth of the IoT, and recommends numerous steps for businesses to take to protect consumers’ security and privacy. More specifically, the report encourages creativity in providing “notice and choice,” endorses data minimization strategies, and supports new broad-based privacy legislation that would impact, but not be specific to, the IoT.

What Is the “IoT”?
The report, which follows an IoT workshop held by the FTC in 2013, defines the IoT as devices or sensors – other than computers, smartphones, or tablets – that connect, store, or transmit information with or between each other via the Internet. The report focuses on devices or sensors sold to or used by consumers, citing as examples Internet-connected cameras that allow users to post pictures online with a single click and home automation systems that turn on a front porch light when the homeowner leaves work.

The report points out that there will be 25 billion connected devices as of this year, and 50 billion by 2020.

Security Recommendations
The report explains that IoT devices may present a variety of potential security risks that can be exploited to harm consumers, and the FTC staff recommends that companies developing IoT products implement “reasonable security” in an effort to limit certain risks. The report states that devices that collect sensitive information, present physical security or safety risks (such as door locks, ovens, or insulin pumps), or connect to other devices or networks in a manner that would enable intruders to access those devices or networks should be “more robustly secured” than, for example, devices that simply monitor room temperatures, miles run, or calories ingested.

The report sets forth a number of suggested security practices, such as the following:

  • First, companies “should build security into their devices at the outset, rather than as an afterthought.” As part of the “security by design” process, companies should consider conducting a privacy or security risk assessment, minimizing the data they collect and retain, and testing their security measures before launching their products.
  • Second, with respect to personnel practices, companies “should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization.”
  • Third, companies should retain service providers that are capable of “maintaining reasonable security” and should provide “reasonable oversight for these service providers.”
  • And finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

Data Minimization
The report makes it clear that, with respect to the IoT, the FTC staff supports “data minimization,” which refers to the concept that companies should limit the data they collect and retain and dispose of it once they no longer need it. Toward that end, the FTC staff suggests that companies should examine their data practices and business needs and develop policies and practices that impose “reasonable limits” on the collection and retention of consumer data. The staff points out that its recommendation on data minimization is a “flexible one” that gives companies options, from deciding not to collect data at all or collecting only the fields of data necessary to the product or service being offered, to collecting data that is less sensitive or de-identifying data they collect. If none of these options is satisfactory, the staff advises companies to seek consumers’ consent for collecting additional, unexpected categories of data.

Notice and Choice
In the report, the FTC staff states that providing “notice and choice” to protect privacy remains “important.” The staff recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations or includes sensitive data. The report acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers and the “practical difficulty” of providing choice when an IoT device has no consumer interface.

The report points to a number of possible options, including affixing a QR code or similar barcode on devices that, when scanned, takes the consumer to a website with information about the applicable data practices and enables consumers to make choices through the website interface; video tutorials; and providing choices at point of sale, within set-up wizards, or in a privacy dashboard. Moreover, the report states that whatever approach a company decides to take, the privacy choices it offers should be “clear and prominent, and not buried within lengthy documents.”

In the absence of legislation or widely accepted multistakeholder frameworks that would standardize the approach to the concerns underlying the notice and choice recommendations, the report concludes that giving consumers information and choices about their data will continue to be “the most viable” option for the IoT in the foreseeable future.

Interestingly, the report concludes that IoT-specific legislation at this stage would be “premature,” although it adds that development of self-regulatory programs designed for particular industries would be “helpful” as a means to encourage the adoption of privacy- and security-sensitive practices. The report further supports the adoption of strong, flexible, and technology-neutral federal legislation to strengthen the FTC’s existing data security enforcement tools and to provide notification to consumers when there is a security breach.

The Bottom Line

As the report makes clear, the FTC is focusing on privacy and security issues stemming from the growth of the IoT. Since FTC staff reports are often a prelude to enforcement action by the Commission, now is the time for IoT providers to review their privacy disclosures and security practices.