Privacy and security are both huge concerns for consumers and businesses alike in the evolving IoT landscape. Privacy is the unauthorized use of data by an entity that has been granted access to a dataset. Thus it is generally privacy that forms the relationship between companies and customers, and any breach of this contract is a privacy concern. Security, on the other hand, is the unauthorized use and or/access of data by an entity that has not been granted access to some dataset; e.g. hacking and external security breaches. Both privacy and security goals will be hard to reconcile with the main aim of IoT development: monitoring, collecting, analyzing, and using massive amounts of data.
Whose job is it to protect sensitive data in these rapidly-growing IoT industries? Responsibilities for data privacy and security vary by industry and by country. In the US, when companies are not regulated by another agency (e.g. the Department of Health and Human Services for HIPAA rules on medical patient data), this responsibility usually falls under the jurisdiction of the Federal Trade Commission (FTC).
The FTC has conflicting interests to balance. The Commission was created in 1914 in order to break up the increasingly-powerful corporations that controlled the oil, steel, and tobacco industries with the end goal of protecting consumers from “unfair or competitive practices”. Conversely, the FTC must avoid “unduly burdening legitimate business activity.” The FTC walks a fine line between social and moral conservatism, and economic progress.
As with the majority of emerging and semi-defined technologies, the US government has been largely content to let the market shape the course of the IoT Services market development. Yet the steadily-growing stream of privacy concerns (Snapchat, NSA, Google, Facebook, etc.) and security concerns (Anthem, Blue Cross, Target, Adobe, LastPass, the Office of Personnel of the US Government) has made it clear that the FTC will need to make its presence felt in the IoT Services market sooner rather than later. It is quite apparent that many entities simply do not have the proper incentive to thoroughly self-regulate with regards to privacy and security. Data regulation is in its infancy and it will undoubtedly be a daunting task.
The FTC published corporate guidance on privacy and security practices earlier this year. Let us parse this document to see if we can elucidate any key findings and conclusions. It is important to keep in mind that none of these recommendations carry the weight of law; the report simply “summarizes the workshop and provides staff’s recommendations in this [IoT] area.”
Security
The FTC makes six main security recommendations in order to prevent unauthorized breaches of data. Companies should:
- Plan by building security into devices “at the outset, rather than as an afterthought”
- Train “all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization”
- Hire only service providers that can maintain “reasonable security and provide reasonable oversight for these service providers”
- Layer by implementing “security measures at several levels”
- Protect by “implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network”
- Monitor and fix, patching known vulnerabilities throughout the product lifecycle “to the extent feasible.”
This is the full extent of the security recommendations. These are all common practice in industry, and the vague nature of the language adds little value to the discussion of how the FTC specifically might regulate data in the IoT market.
Data Collection & Privacy
In the privacy section of the FTC report, the agency recommends that companies minimize the amount of data they collect, but the recommendation is quite flexible, giving companies the option to collect potentially useful data with consumer consent. But how does a company obtain consent when the device or service has no interface, as will be the case with many embedded devices employed in the IoT market?
According to the FTC, as long as the use of the data is “expected” and “consistent with the context of the interaction” a company need not explicitly obtain consent to collect data. This language does not set any standards; rather it is remedial language that can be applied to different situations post-incident. The FTC couples this expected use language with industry-specific legislation, such as the Fair Credit Reporting Act, which restricts the usage of credit data in certain circumstances. In summary, under these recommendations the company has nearly full discretion in the collection and usage of data as long as it can prove that it is using the data in an “expected” manner relative to the nature and context of its relation with its patron (barring any industry-specific legislation).
The report notes an interesting idea proposed by MIT Professor Hal Abelson. He suggests that data be “tagged” upon collection with appropriate uses so that another software could identify and flag and inappropriate uses, providing a layer of protection and forcing the company to think about how to use the data before collecting it. We expressed a similar view in a recent VDC View document entitled “Beyond ‘Who Owns the Data?’,” suggesting that IoT vendors develop and implement data structures to permit highly flexible assignments of data access right and usage permissions. Tagging would certainly be one way to segregate usage rights and protect different streams of data.
Legislation
The FTC states that any legislation concerning the IoT would be premature at this point. However, staff recommends that Congress should enact “general data security legislation” and “basic privacy protections” which it cannot mandate itself. Basically, the FTC needs a new legislative base from which to launch lawsuits. Congress created an IoT Caucus shortly after the filing of this FTC report, but it has been mostly silent since its inception.
Dissent
FTC Commissioner Joshua Wright
Perhaps the most interesting part of this report comes in the form of a dissent by one of the 5 commissioners (leaders) of the FTC. Commissioner Joshua Wright notes that the FTC generally issues two types of reports: 1) an in-depth and impactful report commissioned by Congress that compels private parties to submit data to the FTC for analysis and review; or 2) a slightly less formal report that details and makes public any workshops conducted by the Commission, concluding with recommendations that are supported by substantial data and analysis.
Wright contends that this FTC report does not fit either of these categories, and goes on to shred the report to pieces. Firstly, he argues, the IoT is a nascent and far-ranging concept – a one-day workshop cannot generate a sufficient sample of ideas or range of views in order to support any policy recommendation. Secondly, he observes that the report “does not perform any actual analysis,” instead merely relying on its own assertions without qualification or economic backing. He goes as far as to say that the report merely pays “lip service” to a few obvious facts without actually performing any analysis. Thirdly, he remains unconvinced that the Fair Information Practice Principles (FIPP) is a proper concept to apply to the IoT, favoring instead “the well-established Commission view companies must maintain reasonable and appropriate security measures; that inquiry necessitates a cost-benefit analysis. The most significant drawback of the concepts of ‘security by design’ and other privacy-related catchphrases is that they do not appear to contain any meaningful analytical content.” Commissioner Wright clearly has a large bone to pick with the method by which the FTC is considering data regulation in the IoT market.
Conclusion
Corporations and consumers alike in the IoT market would do well to pay attention to the following conclusions that we can draw from the FTC document and Commissioner Wright’s dissent:
- Congress has not yet created a legislative base upon which the FTC can clearly pursue judicial remedies for breaches of privacy specific to the IoT market (barring specific acts such as the Fair Credit Reporting Act).
- Even if the legislation were in place, the FTC has not performed a proper cost-benefit analysis of the potential impact of privacy and security breaches within the IoT market, thus it cannot recommend clear, data-backed, corporate guidance at this time.
- The FTC clearly recognizes the “profound impact” that the IoT will have on consumers, and is looking into regulation, but is internally conflicted about how to move forward.
- The report does not introduce any new incentives for companies to better safeguard customer data or to implement less-intrusive privacy contracts, so we can expect to see continued growth in data collection in the IoT market in line with VDC’s forecasts.
- Consumer-facing companies that wish to differentiate themselves from competitors would do well to safeguard their data; we may very well see security breaches as the norm in the near future, so a company with a clean history will have an advantage in the market. See VDC’s series of reports on Security and the IoT for deeper analysis of security issues.
You should note that the FTC is not the only regulatory body / body of practice in play, and that specific vectors of data use or context may also apply. HIPAA/HITECH for instance has very specific security and privacy controls. The Banking sector equally has other controls which apply. You should also note that the IoT is often boundary-free, and therefore that other jurisdictions may apply where the concepts of privacy are not akin to those of the US (for instance the EU).
Posted by: mark thristan | 06/25/2015 at 03:15 PM
Hello Mark,
Great observations. That the FTC is not the be-all-end-all of IoT regulation is an important point and definitely deserves attention. We tried to qualify our discussion of the FTC guidance with this disclaimer: "Responsibilities for data privacy and security vary by industry and by country. In the US, when companies are not regulated by another agency (e.g. the Department of Health and Human Services for HIPAA rules on medical patient data), this responsibility usually falls under the jurisdiction of the Federal Trade Commission (FTC)."
Your comment also highlights just how fragmented (both by government oversight vertical and geographical vertical) the nascent regulation of the IoT market really is. We may cover the broader regulatory landscape in another post.
Thank you for reading.
Posted by: Roy Murdock | 06/25/2015 at 05:27 PM