On January 27, 2015, the Federal Trade Commission (FTC), by a 4 to 1 vote, issued a long-awaited staff report entitled The Internet of Things: Privacy and Security in a Connected World. The lengthy report summarizes the FTC’s November 19, 2013, workshop, which explored the consumer privacy and security issues associated with the increasing number of connected devices, provides recommended privacy and security best practices for companies that create and sell connected devices, and repeats the Commission’s call to Congress to enact broad, technology-neutral privacy and data security legislation. FTC Chairwoman Edith Ramirez announced the release of the report during her keynote address at the annual State of the Net conference, stating that “by adopting the best practices . . . laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
Background – The November 2013 Workshop
During the November 2013 workshop, participants, including FTC staff attorneys, academics, and public and private sector industry representatives, discussed the benefits and risks associated with the “Internet of Things” – the Internet-connected devices that communicate and interact with consumers through the collection and transmission of data. In her opening statements at the workshop, Chairwoman Ramirez emphasized three challenges in the area:
- The ubiquitous collection of consumer data will require companies to implement fundamental best practices of privacy by design, simplified choice and greater transparency;
- Connecting devices to the Internet will give rise to more data collection than the consumer may expect or understand; and
- Companies must understand and address the security risks associated with connected devices, particularly those that contain sensitive health information.
The workshop’s panels focused on the privacy concerns associated with three areas in particular – the “smart home,” connected health and fitness devices and apps, and connected cars – and concluded with a panel addressing the broader privacy and security issues raised by the Internet of Things.
The FTC staff note in the recent report that, although workshop participants generally agreed that the Internet of Things (“IoT”) will provide numerous benefits to consumers, the participants highlighted several potential security risks unique to the IoT arena. Those risks are (1) enabling unauthorized access to and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. In addition, the staff note in the report that these risks may change over time as information collection and use change.
IoT Report’s Best Practice Recommendations
The report provides and encourages companies that create and sell connected devices to consider adopting a number of best practices, which are grouped into three categories modeled after the Fair Information Practice Principles – (1) data security, (2) data minimization, and (3) notice and choice.
1. Data Security
While acknowledging that “reasonable” security practices depends on several factors, including the amount and sensitivity of consumer data collected, the staff recommend the following specific security best practices:
- Implementing “security by design” by (1) building security into devices at the outset, (2) conducting a privacy or security risk assessment that considers the risks presented by the collection and retention of consumer data, (3) considering how to minimize the data collected and retained, and (4) testing security measures before launching products to help reduce the risk that “backdoors” are inadvertently left open.
- Ensuring that personnel practices promote good security through mechanisms such as training and assigning responsibility for security to an executive-level employee.
- Working to ensure that service providers are capable of maintaining reasonable security, and providing reasonable oversight of those service providers.
- Implementing a defense-in-depth approach that considers security measures at several levels (e.g., encrypting sensitive information) for systems with significant risk.
- Considering implementing reasonable access control measures to limit unauthorized access to a consumer’s device, data or network, such as strong authentication that does not unduly impede device usability.
- Continued monitoring through the product lifecycle, including taking affirmative steps to patch known vulnerabilities and notify consumers of security risks and updates.
Importantly, the staff note that the Commission’s first Internet of Things case against TRENDnet, involving Internet-connected cameras marketed for home security and baby monitoring, dealt with many issues the data security best practices are intended to help mitigate and demonstrated the importance of privacy by design.
2. Data Minimization
The staff’s second set of best practices focuses on self-examination. Specifically, the staff recommend that companies examine their data practices in view of their business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data in line with those needs. For example, a company may decide not to collect all data; collect only the data fields necessary for the functioning of the product or service offered; collect only less sensitive data; or de-identify the data collected. Data minimization, the staff explain, can help guard against the potential harms associated with a data breach, as well as the risk that the collector will use the data in a manner that deviates from consumers’ reasonable expectations.
3. Notice and Choice
The staff’s final set of best practices evaluates the notice and choice principle in light of the non-traditional (and broad) collection and use environment of the Internet of Things. The staff maintain, however, that providing consumers with the ability to make informed choices remains feasible in this environment, but recognizes that one size does not fit all. The staff provide the following non-exhaustive list of several notice and choice options:
- Providing opt-in choices at the time of purchase;
- Offering a tutorial to guide consumers through the available privacy settings (as Facebook does);
- Affixing a code to the device that, when scanned, takes the consumer to a website that provides information and choice; or
- Providing choice via disclosures during initial setup, privacy settings menus or dashboards, or icons (such as those that provide the ability to turn connections on or off).
While the staff also acknowledged a use-based notice and choice model, which learns from consumer behavior on a device to personalize the device, they raise three concerns about the adoption of a use-based model only: (1) it is unclear who would decide which uses are beneficial or harmful; (2) use limitations alone do not address the risks created by expansive data collection; and (3) the model would not take into account concerns about the practice of collecting sensitive information.
The staff acknowledge that Internet-of-Things-specific legislation is not necessary at this time but encourage the development of self-regulation designed for particular industries, which “would be helpful as a means to encourage the adoption of privacy- and security-sensitive practices.” Additionally, the staff took the opportunity to reiterate its call to Congress to enact general data security legislation, pointing to the availability of connected devices that are not reasonably secure and explaining that technology-neutral legislation would apply to the Internet of Things environment and address the risks connected devices pose to consumer personal information. The legislation would require companies to implement reasonable and appropriate data security practices, notify consumers in the event of a security breach, issue privacy notices at specific points, and offer consumers choices about the company’s data collection and use.
Despite Chairwoman Ramirez’s praise, the Commission’s vote to publish the report was not unanimous. Commissioner Wright dissented from the decision to publish the report because, in his opinion, the staff’s recommendations for both best practices and baseline privacy legislation are without analytical support establishing that, if adopted, they would improve consumer welfare. Any published report, he explains, should set forth evidence identifying the costs and benefits of these recommendations and analyzing whether the latter outweigh the former.
Additionally, Commissioner Olhausen issued a concurring statement explaining that, while she generally agrees with the report, she does not support the recommendation for baseline privacy legislation because, in her opinion, it is not necessary. She also expressed concern that the call for data minimization encourages the deletion of valuable data based on speculative and hypothetical harms.
At a minimum, the FTC’s IoT report underscores the areas on which the Commission will be focusing from a policy perspective in the arena of mobile and wireless-connected devices. But if past is prologue, these recent “do’s and don’ts” also provide a blueprint on enforcement issues that the FTC and other government enforcers and private litigants are likely to scrutinize and use to take action against companies whose practices may fall short of these guideposts. Companies that provide an IoT product or service can benefit from considering how this latest guidance applies to their business practices and whether there is an opportunity for enhancements to:
- The existing privacy and data security product design and its implementation, as well as oversight and enhancements on privacy and security over the product’s lifecycle;
- Policies that identify the amount and type of personal data collected and retained; and/or
- The existing notice and choice mechanisms over the collection of personal information, and whether any of the FTC’s suggested, non-exhaustive list of possible options might be incorporated.
Taking proactive, reasonable efforts now on compliance considerations in the design and marketing of such products and services can ultimately determine whether a company’s brand will become one of these 2015 enforcement examples.
Published February 13, 2015.