We’ve all been talking about the Internet of Things – the ability of everyday objects to connect to the Internet to send and receive data. (We wouldn’t be surprised if our devices are talking about it, too.) A just-released FTC Staff Report recaps what we learned at our November 2013 workshop on the subject and discusses four ongoing initiatives to address the consumer protection implications. There’s also a new nuts-and-bolts publication, Careful Connections: Building Security in the Internet of Things, for businesses developing the next generation of connected devices.
What kind of products are part of the Internet of Things? It’s the bracelet that shares with friends how far you walked in a day, the home automation system that switches the lights on as you turn onto your street, and maybe that under-wraps innovation your company is working on right now.
The scope of the industry is vast. Six years ago, the number of connected devices surpassed the number of people and the total now tops 25 billion worldwide. Experts estimate that by the end of the decade, that figure will bump to 50 billion. And it’s no wonder, given the potential benefits to consumers.
But businesses should think about the potential for risk, too. Protecting against unauthorized access to consumers’ personal information – something companies have been dealing with for decades now – is just one consideration. The Internet of Things poses new challenges, too. For example, if a consumer can use a device to lock the front door remotely, could a weak spot in the system let a burglar unlock it? The success of the industry depends, in part, on whether it can earn consumer confidence.
You’ll want to read the Report for an in-depth analysis of discussions at the 2013 workshop. The Report offers staff’s insights into how the principles of security, data minimization, notice, and choice apply in the developing Internet of Things marketplace.
Here’s just one example. Some people at the workshop suggested that offering notice and choice is challenging in the Internet of Things since many products don’t feature a traditional user interface – a screen, let’s say. Even so, FTC staff believes that providing consumers with easy-to-find information remains important. Building on recommendations in the 2012 Privacy Report, the staff called on industry members to consider creative options – for example, video tutorials, QR codes on devices, and choices at point of sale, within set-up wizards, or in a privacy dashboard. There’s no one-size-fits-all approach, of course, but well-settled principles about clear and prominent disclosures still apply.
The Report also highlights the Commission’s bipartisan recommendation for federal data security and data breach notification legislation that would strengthen the existing tools.
Where do we go from here? The Report describes four ongoing initiatives:
- Law enforcement: The FTC enforces – among other statutes – the FTC Act, the Fair Credit Reporting Act, COPPA, and the health breach notification provisions of the HI-TECH Act. When it’s appropriate, the staff will recommend that the Commission take action when there’s reason to believe the law is being violated.
- Consumer and business education. We’re continuing our effort to provide advice for businesses with the publication of Careful Connections: Building Security in the Internet of Things. And there will be more where that came from both for companies and for consumers.
- Participation in multi-stakeholder groups. We’re already working with groups considering guidelines and best practices – and those efforts will continue.
- Advocacy. We’ll look for opportunities to share our perspectives with other government agencies, state legislatures, and courts to promote protections in this area.