Yesterday, the Federal Trade Commission released a staff report on the Internet of Things (“IoT”) that provides best practice recommendations for addressing privacy and security risks associated with IoT products and services. The report, Internet of Things: Privacy & Security in a Connected World, also summarizes findings from the FTC’s 2013 IoT workshop. In the report, the FTC staff defines “IoT” as “devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet.” Examples of IoT products and services include smart home appliances, connected car services, and fitness trackers.
For industry, the most significant sections of the report are the staff’s privacy and security recommendations, which fall into three main categories: (1) security, (2) data minimization, and (3) notice and choice. These recommendations are technology-neutral and applicable across a wide range of technologies. The report also addresses the staff’s view on the need for legislation.
The Commissioners voted 4 to 1 in favor of issuing the report. Commissioner Maureen Ohlhausen issued a separate statement that generally supported the report while declining to endorse a couple of its recommendations. Commissioner Joshua Wright dissented from the issuance of the report. The remainder of this blog post analyzes the report’s recommendations and the commissioners’ statements in greater detail.
The report recommends that companies institute reasonable security procedures, while acknowledging that what is “reasonable” will depend on factors such as “the amount and sensitivity of data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities.” To assist companies with implementing appropriate security procedures, the FTC staff released a guide for businesses called Careful Connections: Building Security in the Internet of Things. In addition, the FTC describes six “best practices [that] companies should consider”:
- Security By Design. This concept refers to “building security into…devices at the outset, rather than as an afterthought.”
- Personnel Policies. The report recommends that companies provide appropriate security training for relevant personnel and that they “ensure that product security is addressed at the appropriate level of responsibility within the organization.”
- Service Providers. Companies should ensure that they only engage service providers that “are capable of maintaining appropriate security” and exercise reasonable oversight to ensure that service providers are actually providing appropriate security. With respect to this “recommendation,” the FTC staff specifically warns that failing to comply “could result in an FTC law enforcement action.”
- Defense-in-Depth. The report endorses a “defense-in-depth” approach, meaning that companies should employ “multiple layers of security” to defend against threats. For example, the report suggests that companies should consider encrypting certain data in transit and at rest instead of simply relying on a consumer’s own network security measures (e.g., the consumer’s Wi-Fi router).
- Access Controls. The FTC staff also recommends that companies “consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network.”
- Monitoring. In the report, the FTC expresses concern that the relatively short life cycles of some IoT products will lead companies to stop supporting and providing security patches for these devices, potentially leaving them vulnerable to security threats. The FTC staff acknowledges that companies may have good reason for discontinuing support for a specific product, but the report suggests that companies “weigh these decisions carefully” and states that companies should “be forthright” with consumers about whether they will continue to provide updates and patches.
The second major principle discussed in the report is data minimization. According to the report, data minimization helps combat two IoT privacy risks: (1) the fact that “collecting and retaining large amounts of data increases the potential harms associated with a data breach,” and (2) the “increased risk that the data will be used in a way that departs from consumers’ reasonable expectations.”
Of course, data minimization may interfere with certain data-driven innovations. To address this, the FTC staff states that companies must strike a balance between consumer privacy and collecting data that affords companies “the flexibility to innovate” around beneficial new uses of data. Thus, while companies should “impose reasonable limits on the collection and retention of consumer data,” the FTC staff emphasizes that its recommendations are intended to be “flexible” and provide companies with “many options.” According to the FTC staff, companies “can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data they collect.” If a company does not take advantage of one of these options, it can obtain consumer consent to that collection. The FTC staff also emphasizes that appropriate collection and retention practices depend on whether the data at issue is “sensitive” (e.g., health data).
Notice and Choice
Despite the “practical obstacles to providing information without a user interface,” the report emphasizes that “providing notice and choice remains important” for IoT products and services. However, the FTC staff notes that whether companies need to provide consumers with choices will depend on the context. If the entity collecting the data will use or disclose data in a manner that is consistent with the context of its interaction with the consumer or the data is “immediately and effectively” de-identified, then the company does not need to provide consumers with choice. However, if the data will be used in a manner that is inconsistent with the context of the transaction, then the company “should offer clear and conspicuous choices.” In addition, the staff recommends that companies obtain affirmative express consent before collecting sensitive data, regardless of how the data is used.
With regard to the mechanism for providing notice and choice, the FTC staff acknowledges that “there is no one-size-fits-all approach.” Here, the report summarizes a number of mechanisms cited in the workshop and public comments, such as providing choice at the point of sale, through a setup wizard, via a QR code, or as part of an online tutorial.
According to the FTC staff, “legislation aimed specifically at the IoT at this stage would be premature.” In the meantime, the staff endorses the creation of self-regulatory programs and plans to develop new materials to educate businesses and consumers about IoT issues.
The FTC staff also reiterates its prior recommendations that Congress enact general privacy, data security, and data breach legislation.
Two commissioners issued statements in conjunction with the release of the report. Commissioner Maureen Ohlhausen concurred in the release of the report, but declined to support two staff recommendations. First, Commissioner stated that she does not support federal baseline privacy legislation because she does “not see the current need for such legislation” and “question[s] what current harms baseline privacy legislation would reach that the FTC’s existing authority cannot.” In addition, Commissioner Ohlhausen expressed concerns that the report’s recommendations on data minimization were “overly prescriptive” and encourage “companies to delete valuable data — primarily to avoid hypothetical future harms” and “without examining costs or benefits.”
Commissioner Joshua Wright dissented from the release of the report. In his dissent, Commissioner Wright explained that he was dissenting because the report issues numerous recommendations without providing sufficient “analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.” He criticized the lack of any rigorous cost-benefit analysis and took issue with the staff’s issuance of best practices and legislative recommendations regarding such a broad and developing industry where those recommendations are based on “a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings.”