Federal Trade Commission wants IoT firms to prioritize security
January 28, 2015
The Federal Trade Commission in the USA has recommend a series of steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of internet-connected devices.
The IoT is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices have the potential for improved health monitoring, safer highways and more efficient home energy use, among other benefits. However, the FTC report also notes that connected devices raise numerous privacy and security concerns that could undermine consumer confidence.
“The only way for the internet of things to reach its full potential for innovation is with the trust of American consumers,” said FTC chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the internet of things to be fully realised.”
The IoT is expanding quickly, and there are now over 25 billion connected devices in use worldwide, with that number set to rise significantly as consumer goods companies, car makers, healthcare providers and other businesses continue to invest in connected devices, according to data cited in the report.
The report is partly based on input from technologists, academics, industry representatives, consumer advocates and others who participated in the FTC’s IoT workshop held in Washington DC in November 2013, as well as those who submitted public comments to the commission. Staff defined the IoT as devices or sensors – other than computers, smartphones or tablets – that connect, store or transmit information with or between each other via the internet. The scope of the report is limited to IoT devices that are sold to or used by consumers.
Security was one of the main topics addressed at the workshop and in the comments, particularly due to the highly networked nature of the devices. The report recommends companies developing IoT devices should build security into devices at the outset, rather than as an afterthought in the design process. It also called on them to train employees about the importance of security, and ensure that security is managed at an appropriate level in the organisation.
When outside service providers are used, they should ensure that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers. When a security risk is identified, they should consider a defence-in-depth strategy whereby multiple layers of security may be used to defend against a particular risk.
They should also consider measures to keep unauthorised users from accessing a consumer’s device, data or personal information stored on the network. And they should monitor connected devices throughout their expected life cycle and, where feasible, provide security patches to cover known risks.
Commission staff also recommend that companies consider data minimisation – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimisation addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers and, secondly, that consumer data will be used in ways contrary to consumers’ expectations.
The report takes a flexible approach to data minimisation. Under the recommendations, companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data, or choose to de-identify the data collected.
FTC staff also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. It acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some IoT devices may have no consumer interface. The FTC identified several innovative ways that companies could provide notice and choice to consumers.
Regarding legislation, the FTC concurs with many stakeholders that any IoT-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology. The report, however, reiterates the commission’s repeated call for strong data security and breach notification legislation. It also reiterates the commission’s call from its 2012 Privacy Report for broad-based privacy legislation that is both flexible and technology-neutral.
The FTC has a range of tools available to protect consumers’ privacy related to the IoT, including enforcement actions under laws such as the FTC Act, the Fair Credit Reporting Act and the Children’s Online Privacy Protection Act.
In addition to the report, the FTC released a publication for businesses containing advice about how to build security into products connected to the IoT. This encourages companies to implement a risk-based approach and take advantage of best practices developed by security experts, such as using strong encryption and proper authentication.