FTC Chair Warns of Internet of Things Data Privacy Concerns

Amid the shiny new gizmos on display at the International Consumer Electronics Show this week, Edith Ramirez, chairman of the Federal Trade Commission, was on hand to offer a warning to manufacturers about the inherent data pivacy concerns of “Internet of Things” and broadband-connected cars, wearable tech, and home appliances.

During a speech before attendees in Las Vegas, Ramirez cited analyst predictions that in 2015 the world will have 25 billion connected devices and the number of smart home devices will reach nearly 25 million. There are also warnings that this is the year we start hearing about smart-home hacking.

“[The IoT] has the potential to provide enormous benefits for consumers, but it also has significant privacy and security implications,” Ramirez said. “Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing, and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks.”

Ramirez cited specific issues regarding IoT and consumer privacy that the FTC will be watching closely in the year ahead: ubiquitous data collection; the potential for unexpected uses of consumer data that could have adverse consequences; and heightened security risks.

The introduction of sensors and devices into homes, cars, and even bodies poses particular challenges and increases the sensitivity of the data that is being collected, she said. Will the data be used solely to provide services to consumers? Or, will information to be used in ways that are inconsistent with a consumers’ expectations or relationship with a company?”

Ramirez cited examples of where this new breed of data collection could pose problems. A smart TV and tablet may track whether you watch the history channel or reality television, but will your viewing habits be shared with prospective employers or universities? Will that information be shared with data brokers, who will put those nuggets together with information collected by your parking lot security gate, your heart monitor, and your smart phone? Will this information be used to make decisions about ads pushed to you, where your call to customer service is routed, or credit card offers you receive.

Inadequate security on IoT devices could enable intruders to access and misuse personal information collected and transmitted by the device,” Ramirez cautioned. As consumers purchase more smart devices, they increase the number of entry points an intruder could exploit to launch attacks on or from,” she said. “Moreover, the risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care, and homes.” Data security may be even more challenging because developers entering the IoT market, unlike hardware and software companies, have not spent decades thinking about how to secure their products and services from hackers. The small size and limited processing power of many connected devices could also inhibit encryption and other robust security measures.

Ramirez outlined steps companies should take to enhance consumer privacy and security with IoT devices. These include adopting the agency’s often-cited “security by design” principles; data minimization; increasing transparency; and providing consumers with notice and choice for unexpected data uses.

Companies should prioritize security and build security into their devices from the outset, Ramirez said.  Specifically, they should conduct a privacy or security risk assessment as part of the design process; test security measures before products launch; require consumers to change default passwords in the set-up process; consider encryption, particularly for the storage and transmission of sensitive information, such as health data; and monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities.  Companies that collect personal information should collect only the data needed for a specific purpose, safely dispose of it afterwards, and use de-identified data when possible.

“We often hear the argument that to realize the benefits of big data, businesses should not face limits on the collection and retention of data because the value lies in its unanticipated uses,” Ramirez said. “But I question the notion that we must put sensitive consumer data at risk on the off-chance a company might someday discover a valuable use for the information.”