Last month, the FTC held a public workshop on the “Internet of Things” (or “IoT”), during which it examined the privacy and security implications of everyday objects being connected to the Internet and to each other. The workshop—which considered “things” ranging from connected cars to remote-controlled defibrillators—brought together academics, business and industry representatives, and consumer advocacy groups to explore these issues.
The participants voiced a variety of views about what the IoT means for consumer privacy. One memorable—and certainly debatable—perspective was that of Vint Cerf, Google’s chief Internet evangelist and lead engineer on the Internet prototype “ARPANET,” who told the audience that “privacy may actually be an anomaly” and ultimately unsustainable in our increasingly connected world.
There were other key moments in the workshop that helped to illuminate the FTC’s position on how businesses should approach the IoT. Now that the initial reports are in, we provide 5 key takeaways after the jump.
1. IoT Technologies Will be Subject to the FTC’s Consumer Privacy Framework.
At least two FTC commissioners, including Chairwoman Edith Ramirez, believe that IoT technologies that collect information about consumers should be subject to the FTC’s 2012 consumer privacy framework. In her opening remarks, Ramirez noted that the “ubiquitous collection” of consumer data that the IoT makes possible may open that data to “unexpected uses” and security compromises. For that reason, the Chairwoman said, businesses that collect or maintain consumer data through IoT technologies should build and operate those technologies with the FTC’s principles of privacy by design, simplified choice, and transparency in mind.
Ramirez acknowledged the challenge of adapting these principles (particularly choice and transparency) to the IoT, given that they were created when the consumer side of the networked world consisted mainly of PCs, smartphones, tablets, and other devices with user interfaces. Because many IoT technologies may not have interactive components that would permit the kind of transparency and choice that the FTC framework envisions, Ramirez (and other FTC officials) stressed that these technologies must incorporate privacy by design and must use data responsibly. As Bureau of Consumer Protection Director Jessica Rich explained in closing the workshop, companies should “nail down privacy and security before opening the door,” and privacy and security safeguards should be “baked into the products and services.”
2. We’re Getting Closer to Understanding “Context.”
In its 2012 privacy framework, the FTC emphasized that the need to provide certain privacy protections depends on the “context of companies interactions with consumers.” Context has long been recognized as an important concept for thinking about privacy issues, but its usefulness has sometimes been underestimated because of the lack of clarity about what it means. Toward the end of the workshop, one panelist drew attention to the fact that, despite the workshop’s frequent focus on context, the term has not been adequately defined.
Context can be complex, but the workshop did feature some helpful thinking about what it means when we are thinking about privacy. For example, Carolyn Nguyen, Director of Microsoft’s Technology Policy Group, discussed context as the set of variables that exist at the time a consumer engages in a transaction with a third party that will use the consumer’s data. These variables include the type of data at issue, the type of service provider (or other entity) that will process the data, the device involved in the transaction, how the data will be collected and used, whether the consumer trusts the service provider, and the value the consumer receives as a result of the processing. As these variables change, so too do consumers’ privacy expectations. Nguyen suggested that new technologies could take into account these variables in order to assist consumers in managing third-party use and sharing of their data.
3. Violators Will Be Punished . . .
In her afternoon address, Commissioner Maureen Ohlhausen warned companies that the “collection of personal information may be deceptive under the FTC Act,” especially in the IoT world, where it is increasingly hard to convey to consumers “what data the devices and apps collect, use, and share.”
Throughout the day, FTC officials and workshop participants pointed to the FTC’s recent settlement with TRENDNet, a company that, the FTC alleged, failed to employ reasonable security on its line of home security cameras. According to the FTC’s draft complaint, this failure allowed hackers to access consumers’ privacy video feeds and to post those feeds online for public viewing. The TRENDNet case was invoked as a cautionary tale about the FTC’s broadening focus on networked technologies other than PCs, mobile devices, and servers.
4. . . . but the FTC believes monitoring, not regulating, is the way forward.
It also was clear from the workshop that the FTC will take a “watch and wait” approach to the IoT, rather than actively regulating these new technologies. Ohlhausen stressed that it was “vital that government officials approach new technologies with a dose of humility.” She emphasized the importance of “understand[ing] effects on consumers, identify[ing] benefits and harms, understand[ing] technologies, and consider[ing] whether existing laws are sufficient to address [the new technologies] before assuming new rules are required.” In the interim, the FTC will work toward gaining a better understanding of the technology, the new business models, the existing self-regulatory structures, market dynamics and the accompanying risks.
5. The FTC Will Issue a Staff Report—And There’s Still Time to Weigh In.
At the conclusion of the workshop, Rich announced that the FTC will issue a staff report recounting the information learned at the workshop, and including recommendations about best practices for companies providing IoT technologies. The FTC has invited interested parties to submit public comments on topics raised at the workshop. The comment period is open through January 10, 2014.