FTC Asks Companies to Get Serious About IoT Security

When you add them all up—health and fitness monitors, connected cars, home automation systems, smart meters, etc.—the Internet of Things (IoT) total reaches an estimated 10 billion devices worldwide.

All of these devices collect, store and transmit information about who we are and what we do and as such raise privacy and security concerns. A connected home lighting system, smart refrigerator or any other IoT device is a potential beachhead for attackers and the Information obtained could have a negative effect on our employability, credit rating or insurance premiums. The trend toward “big data”– collecting terabytes of information that can be mined for marketing purposes—also means that IoT information has become a valuable commodity. If security issues are not addressed, leaks of the very personal information tracked by IoT products (e.g., your location, mood, smoking habits, exercise regimen and  the medications you take, for instance) could also create a consumer backlash that would prevent the benefits of the IoT from being fully realized.

Understanding the importance of providing consumers with the protections they want the staff of the Federal Trade Commission (FTC) earlier this year recommended a series of steps that businesses can take to enhance and protect consumers’ IoT privacy and security.

In January the FTC issued a staff report on IoT privacy and security.

The report is partly based on input from leading technologists and academics, industry representatives, consumer advocates and others who participated in the FTC’s Internet of Things workshop held in Washington D.C. on Nov. 19, 2013, as well as those who submitted public comments to the Commission. The scope of the report is limited to IoT devices that are sold to or used by consumers. No discussion of  the Industrial Internet of Things (IIoT, sometimes known as Industry 4.0) is included.

The report includes the following “recommendations” (the quotation marks are mine, for reasons that will become apparent shortly) for companies developing Internet of Things devices:

• build security into devices at the outset, rather than as an afterthought in the design process;
• train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
• ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
• when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
• consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
• monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.

Now back to the reason for the quotation marks in the word “recommendations” above. The FTC report includes a great many suggestions as to what business should do to insure IoT data privacy. But these are only suggestions, things to consider and courses of action that one might “take under advisement.” The FTC wants IoT entities to use its guidelines and “self-regulate.”

Well, the only thing missing in the FTC report is the phrase “pretty please”. There is not one “a company must” in the entire document and deliberately so, because, again, these are just in the FTC’s words, “best practices”, not formal regulatory measures. The commission believes that at this point specific legislation would be premature.

I disagree, but before I explain why you should know that in general I don’t like to see legislative bodies trying to mandate how individuals or corporate entities behave except when clearly needed for the public good.  And overall I don’t like it when government decides to micromanage society. I also recognize that an overly regulatory approach to IoT data protection could potentially stifle our burgeoning digital economy.

What’s more, I am by nature a capitalist and I believe that a business deserves a return on its investment. Even companies I don’t immediately trust, such as those collecting, analyzing and selling information on people. Overall I don’t categorize firms as  either  good or bad, but I do realize that unchecked they will do whatever the law allows to increase profitability and make their stock more attractive to shareholders. This is how the system works and we must adjust our rules, guidelines and regulations to account for it, creating, when needed, tools to protect the public welfare. And the best tools we have to do so are called laws.

(Source: The annual IT Risk/Reward Barometer, a study conducted by ISACA, a global association of more than 115,000 IT security, assurance, risk and governance professionals.)

There is precedence here. We have on the books a blueprint to help guide us through the process of protecting sensitive data. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) includes Privacy, Security and Breach Notification Rules to protect individually identifiable health information. It sets national standards for the security of electronic health data and it specifies the rights granted to individuals as well as breach notification requirements, enforcement activities, etc.

HIPAA includes a Privacy Rule  whose goal is to assure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high quality health care and to protect the public's health and well-being.

By all accounts—over the nearly twenty years since the rule’s inception—it has worked very well and could be used as a template for similar IoT legislation.

Even the FTC admits that eventually the Internet of Things will require privacy and security rules. So to give them a head start, here are a few things that I think must be included, in no particular order:

Minimize the amount of information collected. The FTC staff recommends that companies limit the collection of consumer data, and retain that information only for a set period of time, and not indefinitely. This is a good idea. Under the recommendations, companies can choose to collect no data, data limited to certain categories to provide a particular service offered, identify less sensitive data, or choose to de-identify-- that is, strip out information from the data collected that could provide a reasonable basis for identifying an individual, the individual’s relatives, household members, friends and employers. By minimizing the amount of data collected a company also becomes a less inviting target for data thieves or hackers.

Require that authorization must be obtained to use or disclose protected IoT information. This should take the form of either written permission from the individual who is the subject of the information to be used or via an easy to understand “opt out” feature. If the latter route is taken it should be made to be more effective than the telephone “Do Not Call Registry” which in my experience worked well initially but then was largely ignored by telemarketers. FTC staff also sensibly recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ expectations.

Privacy Practices Notice. As with current procedure for banks, credit card agencies and major retailers, entities collecting IoT data should provide consumers with notice of its privacy practices. The notice should describe the ways in which they use IoT data and how they protect privacy in doing so. It should describe the individuals’ rights, including the right to complain to the entity or a government agency if they believe their privacy rights have been violated. The notice also should include a point of contact for further information and for making complaints.

Public interest and benefit exceptions. These next few elements are tricky, but I believe there are circumstances in which IoT data holders may (one can argue should) disclose protected Information to local, state or federal authorities without an individual’s authorization or permission; for example if it is necessary to prevent or lessen a serious and imminent threat to the public (as long as appropriate checks and balances are put in place to prevent abuse of this exception).

Law enforcement exceptions. Provision should be made so that protected IoT information may be given to law enforcement officials under certain circumstances, and subject to strictly regulated conditions. Examples include the process of trying to identify or locate a suspect, fugitive, material witness, or missing person. Exceptions should also be considered in response to a law enforcement official’s request for information about a victim of a crime, or for preventing recurring criminal acts (such as when an IoT home monitoring device captures incidences of child abuse or domestic violence). Also, I can envision the need to allow IoT data to be used when such disclosure is needed to identify or apprehend an escapee or violent criminal.

Other law-based exceptions. Similarly, privacy protection exemptions should be allowed when the request for the information is through an order from a court or in response to a subpoena, warrant or other lawful process.

Penalties. Any rules that emerge regarding IoT data privacy should impose financial penalties or even allow for criminal prosecution if the wrongful conduct is willful.  One example would be if information continues to be collected surreptitiously after the consumer has specifically prohibited it. So as not to be unjustly harsh in cases not involving willful release of data wrongdoers should be allowed to simply correct the violation within a specified (and timely) period, provided it can be demonstrated that no harm had been done.

Add it all up and the rule-makers have plenty to concentrate on and more than a little bit to worry about. But rules to protect privacy and secure important information have worked in the past and they can do so again.

What do you think? Cast your vote and click the Submit button below.