Despite its rather inelegant name, the “Internet of Things” is revolutionizing the business world and presenting regulators with some weighty challenges.

The “things” in question are consumer products that can share data over the Internet, from automobiles to thermostats, dishwashers to slow cookers, pacemakers to insulin pumps. The benefits to consumers include convenience and efficiency; the perk for companies is a treasure trove of once nearly-impossible-to-acquire data on product usage and the habits of consumers themselves.

The threat: Data has broken free from the confines of computers and mobile devices, making it hard for pretty much anyone to control what is collected, how it is aggregated, and how it can be used. With regulators already struggling to keep order on the gathering of online consumer data, the Internet of Things threatens to make the Wild West of Internet data gathering that much wilder.

While regulators in the United States and abroad already have their hands full policing privacy and security issues inherent to websites, mobile apps, and retail “Big Data” collections, this new breed of connected devices is a far more difficult area to police. For example, the Federal Trade Commission has structured many of its online efforts around mandatory safeguards for “personally identifiable information,” data points such as Social Security numbers that can directly single out an individual. The Internet of Things redefines the very concept of what is personally identifiable.

“The truth is that personally identifiable information is a mathematical construct and no longer a list of specific items,” says Theodore Claypoole, a privacy expert and partner with the law firm Womble Carlyle Sandridge & Rice. Identities can be gleaned purely from location, piecing together work and home. Studies have also shown that just three pieces of data—birth date, zip code, and gender—can be enough to zero in on nearly any individual, he says.

“We built our regulatory scheme around pieces of personally identifiable information, when the truth is it can mean nearly anything we want it to depending on what kind of information I am collecting,” Claypoole says. “When we are talking about the Internet of Things, more things will know where you are and if we know where you are, we know who you are.”
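The point Claypoole makes, that a combination of fields which are individually not on any “PII list” can still single a person out, is easiest to see on data. The following is an added example, not code from the article or from any of the firms quoted in it: it scores a constructed, fictitious “de-identified” product-usage dataset by how uniquely the three fields he cites (birth date, ZIP code, gender) pin down each record, runs the linkage attack an adversary with those three values would run, and then applies the basic k-anonymity mitigation (generalize the quasi-identifiers, then suppress what is still unique). The field names, records and the k=2 target are assumptions chosen for illustration.

```python
"""
Added example (not from the article): birth date, ZIP code and gender as a
quasi-identifier, the linkage attack it enables, and a generalize-then-suppress
k-anonymity mitigation. All records are constructed, fictitious sample data.
"""
from collections import Counter

# Assumed field names; none of these appears on a classic "PII" list.
QUASI_IDENTIFIERS = ("birth_date", "zip", "gender")

# Constructed "de-identified" dataset: names stripped, quasi-identifiers kept,
# one sensitive attribute ("purchase") that the device vendor would not want linked.
RECORDS = [
    {"birth_date": "1975-03-14", "zip": "27601", "gender": "F", "purchase": "smart thermostat"},
    {"birth_date": "1975-09-22", "zip": "27603", "gender": "F", "purchase": "slow cooker"},
    {"birth_date": "1982-11-02", "zip": "27601", "gender": "M", "purchase": "insulin pump"},
    {"birth_date": "1982-04-18", "zip": "27609", "gender": "M", "purchase": "dishwasher"},
    {"birth_date": "1990-07-30", "zip": "30301", "gender": "M", "purchase": "dash cam"},
    {"birth_date": "1990-07-30", "zip": "30301", "gender": "M", "purchase": "thermostat"},
    {"birth_date": "1961-01-09", "zip": "94110", "gender": "F", "purchase": "pacemaker monitor"},
]


def qi_key(record, keys=QUASI_IDENTIFIERS):
    """The tuple of quasi-identifier values for one record."""
    return tuple(record[k] for k in keys)


def equivalence_class_sizes(records, keys=QUASI_IDENTIFIERS):
    """How many records share each quasi-identifier combination."""
    return Counter(qi_key(r, keys) for r in records)


def k_anonymity(records, keys=QUASI_IDENTIFIERS):
    """Size of the smallest equivalence class. k == 1 means at least one
    record is uniquely identified by the quasi-identifiers alone."""
    sizes = equivalence_class_sizes(records, keys)
    return min(sizes.values()) if sizes else 0


def unique_records(records, keys=QUASI_IDENTIFIERS):
    """Records whose quasi-identifier combination occurs exactly once."""
    sizes = equivalence_class_sizes(records, keys)
    return [r for r in records if sizes[qi_key(r, keys)] == 1]


def reidentify(records, known):
    """Linkage attack: an adversary who already knows a target's birth date,
    ZIP and gender (a voter roll is the classic source) filters the dataset on
    those values. A single hit exposes that person's sensitive attribute."""
    return [r for r in records if all(r.get(k) == v for k, v in known.items())]


def generalize(record):
    """Coarsen the quasi-identifiers: birth year only, 3-digit ZIP prefix."""
    out = dict(record)
    out["birth_date"] = record["birth_date"][:4]
    out["zip"] = record["zip"][:3]
    return out


def anonymize(records, k=2, keys=QUASI_IDENTIFIERS):
    """Generalize every record, then suppress (drop) any record that still
    sits in an equivalence class smaller than k. The result is k-anonymous."""
    coarse = [generalize(r) for r in records]
    sizes = equivalence_class_sizes(coarse, keys)
    return [r for r in coarse if sizes[qi_key(r, keys)] >= k]


if __name__ == "__main__":
    print("raw k =", k_anonymity(RECORDS), "| unique records:", len(unique_records(RECORDS)))
    target = {"birth_date": "1982-11-02", "zip": "27601", "gender": "M"}
    print("linkage hit on raw data:", [r["purchase"] for r in reidentify(RECORDS, target)])
    anon = anonymize(RECORDS, k=2)
    print("anonymized k =", k_anonymity(anon), "| records kept:", len(anon))
    coarse_target = {"birth_date": "1982", "zip": "276", "gender": "M"}
    print("linkage on anonymized data:", [r["purchase"] for r in reidentify(anon, coarse_target)])
```

On the raw sample, five of seven records are unique on those three fields and the linkage query returns exactly one record, tying the target to an insulin pump. After generalization the 1961 record is still unique and is suppressed, leaving a dataset with k = 2 in which the same query returns two candidates. Generalization alone was not enough here; the suppression step is what reached the target, and a real deployment would also have to decide how much utility loss (coarser dates, dropped rows) is acceptable.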

Another obstacle for regulators is that high-tech security “doesn't lend itself to a list of rules where, if you do a-z then you have good procedures and you are going to be safe,” says Christopher Clearfield, a principal at System Logic, a risk consultant. “Cyber-security doesn't really lend itself to a rule-based approach and it will be really hard for agencies to actually regulate this.”

Regulatory Fits and Starts

It may not be easy, but regulators—specifically the FTC—are nevertheless trying. In September 2013, the agency took its first steps toward cracking down on the Internet of Things when it reached a settlement with TRENDnet, a California-based company that markets security cameras that can be monitored remotely by users over the Internet. The FTC's complaint said that TRENDnet failed to implement reasonable security measures, and as a result the live feeds for nearly 700 cameras were publicly accessible online, with illicit viewers watching and recording unaware families from inside their homes.

“The exposure of sensitive information through respondents' IP cameras increases the likelihood that consumers or their property will be targeted for theft or other criminal activity, increases the likelihood that consumers' personal activities and conversations or those of their family members, including young children, will be observed and recorded by strangers over the Internet,” the complaint stated.

The core of the FTC complaint is that TRENDnet failed to use reasonable security measures, despite implying to customers that it was doing so. It also failed “to employ reasonable security in the design and testing of its software.”

A lesson for companies: If you have a stated privacy policy, you need to fully abide by it. “Over time, the more responsible players in the industry have developed best practices and the FTC has said that if you have a policy they are going to hold you responsible for it,” says Gerard Waldron, a partner with the law firm Covington & Burling.

One obstacle, however, is exactly how a company can convey a privacy policy and ongoing updates given the wide variety of appliances. Do you have to tell a driver that data is collected every time they start their car? Do privacy expectations differ based on the product being used?

“What companies should think about as a starting point, and it is not an end point, is looking at the core FTC principles and privacy by design notions as a jumping off point and asking if they apply and make sense, in some form, in this new space,” Waldron says. “They may not make sense in the same way they do in the online world, but I don't think that means you rip them up, throw them away, and do whatever you want. It means you need to be smart and think about how the principles and general policy goals make sense for your particular product or service. It may be that they are not all adaptable, but some are.”

Do What You Say You Do

THE INTERNET OF THINGS

As it looks to regulate the “Internet of Things” the Federal Trade Commission has been considering a variety of questions, many of which were posed to businesses as part of a public comment process earlier this year. Among those questions:

1. How can consumers benefit from the Internet of Things?

2. What are the unique privacy and security concerns and solutions associated with the Internet of Things?

3. What existing security technologies and practices could businesses and consumers use to enhance privacy and security in the Internet of Things?

4. What is the role of the Fair Information Practice Principles in the Internet of Things?

5. What steps can companies take (before putting a product or service on the market) to prevent connected devices from becoming targets of, or vectors for, malware or adware?

6. How can companies provide effective notice and choice? If there are circumstances where effective notice and choice aren't possible, what solutions are available to protect consumers?

7. What new challenges does constant, passive data-collection pose?

8. What effect does the Internet of Things have on data de-identification or anonymization?

9. How can privacy and security risks be weighed against potential societal benefits (such as improved health-care decision-making or energy efficiency) for consumers and businesses?

10. How can companies update device software for security purposes or patch security vulnerabilities in connected devices, particularly if they do not have an ongoing relationship with the consumer? Do companies have adequate incentives to provide updates or patches over products' lifecycles?

11. How should the FTC encourage innovation in this area while protecting consumers' privacy and the security of their data?

12. Are new use-restrictions necessary to protect consumers' privacy?

13. How could shifting social norms be taken into account?

14. How can consumers learn more about the security and privacy of specific products or services?

15. How can consumers or researchers with insight into vulnerabilities best reach companies?

Source: Federal Trade Commission.

Companies that adopt boilerplate online security language but don't ensure that the proper data security and privacy safeguards are in place for Internet appliances could be exposed. “The FTC has made it [its] mission to go after people who say they are secure, when they really aren't making much effort to be secure,” warns Claypoole. “The problem is that the government cannot set standards for data security because the technology changes all the time. Regulators can only hold you to your word that you are going to live up to what you are promising you are doing.”

Claypoole suggests that companies pay closer attention to the terms-of-use agreements they present to consumers and avoid the temptation to turn them into a marketing document full of vague, feel-good promises. “It's a matter of keeping your promises,” he says. “One of the most important things when you are dealing with privacy and security and writing something for the general public is to be accurate. Describe what you are doing precisely and don't overstate anything. This isn't a sales or marketing document. You need to tell people exactly what you are doing. It is bad for businesses to have broad statements like, ‘We care deeply about your privacy and do everything possible to protect that information.’ No you don't, because you can't afford to. Nobody does everything possible.”

Empty promises, despite their public relations value, open a door for regulators to take action and for judges to side with aggrieved plaintiffs, says Claypoole.

According to John Hutchins, a partner with the law firm Troutman Sanders, companies must know the data they are collecting from online appliances and how it is used. “The first question you have to ask is what information you are collecting, then ask how you are using it. That includes how it is stored and what are the security protocols you have in place. And those same questions apply to information that is going to be collected in these less traditional ways.”

An ideal for regulators, one that is also the basis of privacy standards under consideration in the European Union, is that consumers should have meaningful opportunities to review and accept a privacy policy and “own” their data. “That is a laudable goal, but it is not realistic,” Hutchins says. “Two, three, or five years from now there are going to be so many devices connected to the Internet that are not the kind of devices we are used to seeing connected.”