The U.S. Senate Committee on Commerce, Science, and Transportation held a hearing on February 11, 2015, entitled The Connected World: Examining the Internet of Things. The panelists included Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology; Adam Thierer, a senior research fellow at George Mason University’s Mercatus Center; Lance Donny, CEO of OnFarm; Douglas Davis, Vice President and General Manager of Intel’s Internet of Things Group, and Michael Abbott, General Partner at Kleiner Perkins Caufield & Byers.
While the hearing covered a variety of Internet of Things (IoT) related topics, an overarching theme the Senators contemplated was how to strike the appropriate balance between encouraging IoT innovation and protecting privacy and data security. The opening statements of Chairman John Thune (R-SD) and Ranking Member Bill Nelson (D-FL) laid out the basic concerns underlying each side of this consideration. Chairman Thune suggested the Committee “tread carefully and thoughtfully before stepping in with a ‘government knows best’ mentality that could halt innovation and growth” while Ranking Member Nelson called talk of overregulating a red herring and stressed that the “promise of the Internet of Things must be balanced with real concerns of privacy and the security of our networks.” But concern about overregulation cut across party lines. Senator Corey Booker (D-NJ), for instance, noted that government efforts in the IoT space should not “inhibit a leap in humanity.”
Data security and data breaches received particular attention during the hearing. Senator Kelly Ayotte (R-NH) asked the panelists what Congress should be doing on data breach legislation, identifying security as the number one concern in the IoT space. Similarly, Senator Jerry Moran (R-KS) asked the panel whether the consequence of IoT data breaches involve any unique characteristics not present in other sorts of data breaches. Justin Brookman of CDT noted multiple times that the introduction of a data security bill would be appropriate in light of the security concerns IoT technologies present.
The Committee also focused on IoT developments in the realm of connected cars. Senator Gary Peters (D-MI) described the safety and fuel efficiency benefits vehicle-to-vehicle (V2V) communications promise. Senators Richard Blumenthal (D-Conn.) and Edward J. Markey (D-Mass.) announced that they intended to introduce legislation that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission (FTC) to establish federal privacy and security standards for connected cars. Senator Markey mentioned his report, Tracking & Hacking: Security & Privacy Gaps Put American Drivers at Risk, which outlines how automobile manufacturers have not addressed the possibilities of hacker infiltration into vehicles that have fully adopted wireless technologies. And Senator Amy Klobuchar (D-Mo.) discussed the Driver Privacy Act bill she introduced, which makes clear that the owner of a vehicle is also the owner of any information collected by an Event Data Recorder (commonly called a “black box,” the recorder that maintains status and driving information that could be relevant in the event of an accident).
Another major concern the Committee discussed was wireless spectrum and spectrum allocation. Calling spectrum the “lifeblood” of IoT devices, Senator Nelson noted that the Congress must engage in a “careful consideration to balance competing needs for this finite yet critical public resource.” Senator Booker said the government hoards too much spectrum, and that IoT developments will necessitate that more spectrum be made available. He highlighted the importance of sharing agreements and noted the need to create more broadband availability. Senator Steve Daines (R-MT) also mentioned the need for spectrum innovation.
As the Committee considered what sort of federal legislation might be appropriate, it also discussed the FTC’s role in regulating the IoT space. George Mason’s Adam Thierer emphasized the active role the FTC has played thus far in enforcing privacy and data security violations with its Section 5 authority to regulate unfair and deceptive practices. But Senator Ayotte noted that what constitutes and unfair and deceptive practice is not always clearly understood, and Brookman brought up recent legal challenges to the FTC’s regulatory authority on this front, such as the lawsuit brought by Wyndham Hotel and Resorts.