FTC Argues Against IoT Law, For Now

The future explosion in e-commerce connectivity of all manner of electronic devices, sensors, and consumer products — known as the Internet of Things (IoT) — will pose a major challenge to ensure that IoT data is secure and that personal privacy is protected. The global “installed and connected base” of IoT units will reach approximately 30 billion in 2020, noted IDC in a November 2014 report.

Yet now is not the time to enact privacy or security laws aimed directly at the impact of the IoT, the U.S. Federal Trade Commission (FTC) says. The FTC argues that such specific legislation could stymie the development of IoT technology.

The FTC assessed the impact of the IoT as it relates to the commission’s consumer protection mission in a report issued on January 27. The agency conducted a workshop on the subject in November of 2013, and accepted comments from the public. The report outlined the agency’s position on IoT, including its responses to views expressed at the workshop and in public comments.

“The commission staff recognizes that this industry is in its relatively early stages. Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time,” the agency said in the report. “Staff agrees with those commenters who stated that there is great potential for innovation in this area, and that legislation aimed specifically at the IoT at this stage would be premature,” the FTC said.

Establish Guidelines

The report recognized that the huge potential for innovation in IT generated by the IoT will create an equally significant risk environment — outpacing the current level of Internet risk borne by consumers.

To deal with IoT associated risks, the FTC staff strongly recommended that industries involved in the IoT adopt a set of best practices. These included designing privacy and security measures at the outset of an IoT venture: proper training of employees, utilizing ‘defense in depth’ methods to reduce risk, and life cycle monitoring of IoT devices.

The FTC staff also recommended that companies consider limiting the collection of consumer data, and retaining it only for a set period and not indefinitely. The report noted that such “data minimization” addresses two significant privacy threats: first, that a company with a large store of consumer data will become a “more enticing target for data thieves or hackers,” and that consumer data will be used in ways “contrary to consumers’ expectations.”

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

IT Groups Support Report

A sampling of reactions from private sector organizations indicated support for the commission staff’s position.

“The FTC’s report thoughtfully balances the essential need for privacy and security with an understanding that innovation and economic growth must be allowed to flourish. We strongly agree that legislation or a broad regulatory framework to govern the IoT is premature, and could threaten its tremendous societal and economic potential,” said Mark MacCarthy, vice president of public policy at the Software & Information Industry Association.

“The FTC instead is promoting a set of best practices that guide companies to be responsible stewards of data. We encourage them, and all policymakers, to maintain this wise regulatory approach. We continue to believe that current law provides an enforceable framework for IoT security and privacy that is working well and will continue to effectively adapt as technology evolves,” he said.

“With the Internet of Things soon consisting of roughly 25 billion wirelessly connected devices, consumers are embracing the transformative role that mobility is playing as the hub of our connected lives,” Jonathan Spalter, chair of Mobile Future, told the E-Commerce Times. “These newfound digital opportunities require pragmatic policy choices to keep the innovation pipeline running and ensure consumers and innovators continue driving our connected world,” he said.

“We commend the FTC for recognizing the enormous personal, economic and societal benefits that IoT enables, and the agency’s efforts to engage and educate businesses on how to secure the IoT ecosystem. However, it’s too early to rush out laws that may choke off innovation,” said Gary Shapiro, president and CEO of the Consumer Electronics Association. “We look forward to further discussion of these issues as the IoT matures and brings businesses and consumers the vast benefits of ubiquitous connectivity,” he said.

Broader Legislation

While the FTC report advised against the adoption of IoT-specific laws, the agency’s staff did express support for legislation which takes a more generalized approach to security and privacy issues. In the report, the agency’s staff noted that “the pervasiveness of information collection and use that the IoT makes possible reinforces the need for baseline privacy standards.” As a result, Congress should “consider enacting broad-based (as opposed to IoT-specific) privacy legislation,” the staff said.

“Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices. Although the commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections — such as privacy disclosures or consumer choice — absent a specific showing of deception or unfairness,” the report said.

Whether industry practices alone can meet IoT challenges remains a question mark for some. “We haven’t taken a position on whether the commission should have taken some action now,” Seth Schoen, senior staff technologist at the Electronic Frontier Foundation, told the E-Commerce Times.

Schoen participated last year in an FTC sponsored discussion on mobile privacy. “I can definitely say that IoT, or what we used to call ubiquitous computing or pervasive computing, is shaping up to be even more of a privacy and security nightmare than regular computing has been. Now we’re seeingan industry eager to put computers into even more roles in our lives under circumstances in which they’ll be even harder to keep safe,” he said.