Highlights from the FTC’s Internet of Things Report
As a follow-up to its 2013 workshop, “The Internet of Things: Privacy and Security in a Connected World,” the FTC recently released a report summarizing its findings and presenting some recommendations. Experts estimate that there are currently 25 billion connected devices and that the number will double by 2020. In this rapidly-growing, connected world where everyday objects, such as cars, cameras, and watches, are linked to the Internet, the FTC is grappling with how to promote the development of privacy and security-related best practices for these emerging technologies. Its report highlights some considerations that are likely to drive the FTC’s policy and enforcement efforts in this space.
Not surprisingly, the FTC’s recommendations align with its Fair Information Practice Principles (“FIPPS”), in particular the principles of data security, data minimization, and notice and choice. The FTC is not requesting IoT-specific legislation at this time because of the nascent state of the industry, but it also did not task another stakeholder with developing more detailed guidance in the near future, leaving open an opportunity for industry self-regulation. Instead, the FTC is calling for Congress to enact broad-based, technology-neutral privacy legislation.
The issue of data minimization was a key privacy concern, and the report advised companies to develop policies and practices that impose reasonable limits on what consumer data is collected and retained. The FTC noted that “larger data stores present a more attractive target for data thieves, both outside and inside a company – and increases the potential harm to consumers from such an event.” In a relatively uncommon decision for a staff report, the Commission vote was not unanimous (4-1), with Commissioner Wright voting against it. Commissioner Ohlhausen also issued a concurrence questioning the need for preventative data minimization.
In terms of giving notice and choice to consumers, the staff acknowledged the practical difficulty companies face when many IoT devices have no consumer interface and noted that requiring companies to give notice and choice may prevent them from using data in beneficial ways. The FTC recommended that consumers should be given clear notice and choice if their data will be used in a way that is inconsistent with the context of the transaction in which the information was provided.
On the topic of data security, the FTC made six relatively specific recommendations on how to secure data:
- Implement security by design, rather than as an afterthought;
- Ensure appropriate employee security training;
- Choose third-party service providers with reasonable security practices;
- Implement a defense-in-depth approach to address risks;
- Employ access control measures; and
- Monitor products throughout the life cycle in order to patch any discovered vulnerabilities.
Although these recommendations were fairly predictable, the FTC went a step further and released a supplemental report to guide businesses on what reasonable steps they should take to protect consumers’ devices. The FTC advises businesses to:
- Start with the fundamentals: Among other things, businesses should designate a senior executive to be responsible for product security, take a risk-based approach in allocating security resources, and avoid using default passwords.
- Take advantage of lessons from security experts: Businesses should implement some of the standard operating procedures of security-conscious companies, such as encrypting data as it is transmitted or stored, adding “salt” to hashed data, and limiting the amount of traffic sent or received by a network.
- Test security measures before launching a product.
- Establish an effective approach for updating security procedures.
- Keep customers and prospective customers informed about the steps the business is taking to secure customer information.
To demonstrate the importance of practicing security-by-design, the report highlighted the FTC’s complaint against TRENDnet, the first case it has brought against an Internet-connected device. As we previously reported, TRENDnet sells video cameras that can be used for home security or baby monitoring. Hackers were able to access live feeds from nearly 700 of the cameras and conduct unauthorized surveillance, which the FTC alleged was due to the company’s flawed security practices. These flaws included transmitting user credentials in clear text over the Internet, storing login credentials in clear text on users’ devices, and failing to ensure that “private” video feeds were actually private. TRENDnet ultimately settled the charges, agreeing not to misrepresent the security of its cameras or information that the cameras transmit or the extent to which a consumer can control the security of information that the cameras store, capture, access, or transmit.
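The two practices that recur in the passages above, the supplemental report’s “adding salt to hashed data” and the TRENDnet complaint’s “storing login credentials in clear text on users’ devices,” are two sides of the same design decision. The following Python is an added illustration, not code from the FTC report, the supplemental guidance, or TRENDnet; the credential records, iteration count and field names are assumptions chosen for the example. It contrasts a cleartext credential store with a salted, iterated hash (PBKDF2-HMAC-SHA256 from the standard library) and a constant-time verification routine.

```python
"""Added example: cleartext credential storage versus salted password hashing.

Not from the FTC report or any vendor's firmware. The store layout, the
iteration count and the sample usernames/passwords are constructed for the
example.
"""
import hashlib
import hmac
import os

# Assumption: an iteration count a small device can afford; real deployments
# should tune this to their CPU budget and raise it over time.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def store_cleartext(store: dict, username: str, password: str) -> None:
    """The pattern the TRENDnet complaint described: the password is kept as-is.

    Anyone who can read the store (a flash dump, a backup, a debug log)
    has the working credential.
    """
    store[username] = password


def store_salted_hash(store: dict, username: str, password: str) -> None:
    """Store a per-user random salt and a PBKDF2 hash instead of the password.

    The salt means two users with the same password get different records,
    so a precomputed table for one does not unlock the other, and a leaked
    store has to be attacked one record at a time.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    store[username] = {
        "salt": salt.hex(),
        "hash": digest.hex(),
        "iterations": PBKDF2_ITERATIONS,  # stored so it can be raised later
    }


def verify_salted_hash(store: dict, username: str, password: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    record = store.get(username)
    if record is None:
        # Do the same amount of work for an unknown user so timing does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes(SALT_BYTES), PBKDF2_ITERATIONS
        )
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    # hmac.compare_digest avoids an early-exit comparison that leaks how many
    # leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


def demo() -> dict:
    """Build both kinds of store with constructed sample users and report what
    an attacker who copies each store would see."""
    clear, hashed = {}, {}
    for user in ("alice", "bob"):
        # Constructed sample credential; both users deliberately share it.
        store_cleartext(clear, user, "correct horse")
        store_salted_hash(hashed, user, "correct horse")
    return {
        "cleartext_reveals_password": clear["alice"] == "correct horse",
        "same_password_same_record": hashed["alice"]["hash"] == hashed["bob"]["hash"],
        "login_ok": verify_salted_hash(hashed, "alice", "correct horse"),
        "login_wrong_password": verify_salted_hash(hashed, "alice", "wrong"),
        "login_unknown_user": verify_salted_hash(hashed, "nobody", "correct horse"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is that the hashed store remains useless to whoever copies it off the device, which is exactly the failure mode the complaint targeted; the stored iteration count lets the cost be increased in a firmware update without invalidating existing accounts, which ties into the report’s life-cycle patching recommendation.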
Finally, the FTC sent a clear enforcement warning shot when it stated it would “continue to look for cases involving companies making IoT devices that, among other things, do not maintain reasonable security [and] make misrepresentations about their privacy practices.”
Photo by Ben W from Flickr