FTC Explores Scope of Federal IoT Regulation
Feb 25, 2014 5:00 AM PT
The explosion of the Internet of Things promises great opportunities for improving quality of life -- but also for creating both seen and unforeseen dangers.
The Internet of Things, or IoT, generally refers to a network of physical objects that contain embedded technology to sense , communicate and interact with their internal states or their external environment, according to Gartner.
With IoT, sensors installed in such things as home appliances, automobiles, agricultural irrigation systems, and literally thousands of other objects can be connected via the Internet to other machines or computers. The uses of such systems are almost countless, but they include such functions as controlling energy use, providing safety warnings and operating equipment.
The Internet of Things will grow to 26 billion units installed in 2020, representing an almost 30-fold increase from 2009, according to Gartner. With a world population slightly exceeding 7 billion, there will be an average of three connected objects for every person. The physical objects encompasse in the Gartner IoT estimate do not include standard electronic devices such as laptops, tablets and smartphones, which should number about 7.3 billion by 2020.
Privacy Challenge for IoT
As with almost everything related to the Internet, information generated by the IoT for intended beneficial use can be misused. One of the chief public policy issues is the protection of privacy and data security for consumers who either consciously utilize or are passively subjected to the IoT. Worries over consumer privacy and security have spurred the U.S. Federal Trade Commission to examine the regulatory impact of IoT.
"Because interconnected devices and services often collect and share large amounts of personal information, policymakers and members of the tech community must be sensitive to consumer privacy and data security issues," said FTC Commissioner Maureen Ohlhausen at the Consumer Electronics Show early this year.
"It is thus crucial that companies offering these products as part of the Internet of Things act to safeguard the privacy of users to avoid giving the technology a bad name while it is still in its infancy," she said.
The FTC has initiated an information-gathering program to determine how to address the protection of consumers in the growing IoT environment. The agency conducted a conference on IoT policy last November, and invited the public --including the business sector -- to submit comments on IoT regulation by Jan. 10, 2014.
IT Sector Cautious on Rules
Several IT sector groups, while recognizing legitimate privacy and security issues, are wary of additional federal regulation that could impede the technological promise of IoT.
"The Internet of Things is an exploding innovation ecosystem and is poised to be a prime engine of economic growth and mobile opportunity globally. In these very early innings of this exciting technological transformation, government should avoid rigid, prescriptive policies that could stymie our rapidly evolving wireless revolution," Mobile Future Chair Jonathan Spalter told the E-Commerce Times. Mobile Future members include AT&T, Cisco, Ericsson and Verizon.
"There is nothing wrong with the FTC exploring how changes in technology may impact consumers," Daniel Castro, director of the Center for Data Innovation, told the E-Commerce Times.
However, caution is warranted for regulatory actions that try to protect consumers from "speculative harm" rather than actual damage, he said.
"Regulatory intervention is often justified because the market is failing consumers, but in this case it's not clear what failure the FTC may be trying to address. Prematurely trying to write the rules of the road for the Internet of Things will likely stagnate innovation, either because companies are prohibited from pursuing certain technologies and business models, or the cost of complying with the rules becomes too burdensome," he said.
Determining what the "rules of the road" should be is one of the objectives of the FTC's initiative. Currently, consumer privacy and security issues are addressed by properly informing consumers with notices that are provided with software purchases or with other transactions. In addition, consumers are given the opportunity to accept privacy terms or to partially or completely block the use of their personal data. These conventional tools may become obsolete in a world of increasing connectivity, however.
The current system may not be perfect but it "appropriately minimizes unnecessary privacy costs while providing consumers transparency, competition, and choice," the Center for Data Innovation said in its comments to the FTC.
Although many devices that will make up the Internet of Things will be tailored for consumers with strong privacy preferences, "the current system of providing privacy notices will pose new challenges with the Internet of Things for the simple fact that many Internet-enabled devices will not have displays, will have small displays, or will not directly interact with individuals," CDI said.
Current Privacy Model Questioned
"Heavily regulated industries like healthcare or banking have outdated requirements for handling data," Daniel said.
"For example, doctors' offices and banks routinely give out privacy notices that consumers routinely ignore. If we apply this same model to the Internet of Things, suddenly consumers will be inundated with privacy notices for every toaster, lamp, and thermostat in their home. That is not a sustainable model for promoting innovation," he explained.
"A better approach would be to allow more permissive data collection but closely restrict uses that result in identifiable consumer harm," added Daniel. "Focusing on use would allow more opportunities for innovations in both the devices that will make up the Internet of Things and the solutions proposed to address big societal problems."
In practical terms, the IoT will not happen overnight, and infrastructure challenges still need to be met, according to comments submitted to the FTC by CTIA-the Wireless Association.
Although many possible IoT applications have been conceived, they will not be realized until the development of cohesive interoperability standards allows the IoT to grow to scale and reach its full potential, CTIA said.
The process could take five or more years to complete, the organization suggested. However, because the data flows and associated privacy and security implications cannot be known until standards enable true interoperability, new regulation or new best practices at this time would be premature and could impede innovation," CTIA told the FTC.
Federal Buzz: Electronic Docket; Navy Cloud
GAO Electronic Files: The federal General Accountability Office will establish a system for businesses to file protests of government contract awards by electronic means. Information technology and telecom contracts comprise a significant number of such protests. The recently enacted federal appropriations bill required GAO to "establish and operate an electronic filing and document dissemination system" for registering protests.
It further required that all related documents be "made available to the parties through electronic means." GAO is seeking to develop a system that "is cost-effective and transparent," Ralph White, managing associate general counsel procurement law at GAO told the E-Commerce Times.
"We want to rely on commercially available products and services as much as possible. In the months ahead, we will be learning whether the market has changed for these kinds of electronic docketing systems -- one of which is already in use at the Superior Court of the District of Columbia," White said.
GAO is authorized to charge a special fee to users of the electronic system. The fee will be about $250, the agency previously said. The GAO will update that estimate as it develops the system.