Last week Federal Trade Commission Chairwoman Edith Ramirez announced that the FTC's latest initiative is to watch the Internet of Things for privacy violations. The Commission is already concerned that IoT devices are easy to hack, and also that they are being used to gather data on us.
In a report prepared by FTC staff and issued last week, approved 4 to 1 by the Commissioners, the FTC made specific recommendations in the areas of privacy, data collection, and customer notification and choice. It also discussed the need for federal legislation to give the FTC more power to police the IoT.
The FTC broadly defined the Internet of Things to include any device, other than computers and smartphones, that transmits information about the owner of the device over an internet connection.
The report makes specific recommendations about security and says that manufacturers of IoT devices should:
- Assess the security risk for every device they make;
- Minimize the data they collect and retain;
- Test security before they ship product;
- Implement measures to keep unauthorized users from accessing a device or data stored on their own networks;
- Monitor devices throughout the product life cycle and provide patches to cover known risks;
- Develop a defense to be ready to react to security breaches.
It's good to see the government espousing these kinds of concerns. You might recall that HP tested ten popular IoT devices last year and found an average of ten security flaws on each device. My fear is that if the industry doesn't police itself (or get prodded by regulators to do so) then someday we are headed for a perfect storm where hackers will do something terrible, like hack and kill hundreds of people with pacemakers. If something really dreadful happens because the industry doesn't care about security then the world could quickly turn against the IoT. The IoT industry has the potential for huge growth, but one really terrible security breach on devices could badly sour people on the devices.
The report also made recommendations about storing and misusing customer data. The FTC has already been engaged in monitoring companies' use of data. For example, late last year the FTC reached an agreement with SnapChat to stop misrepresenting that data on its network was completely private. SnapChat has changed its advertising and also agreed to hire an independent privacy monitor for the next twenty years.
For now the report recommends that companies limit the data they collect, and absent legislation that is probably as strong a warning as the FTC can issue. The report is specifically very concerned about customers not knowing what data is being collected about them by an IoT device. The Commission thinks it is fundamental that customers be informed about the data they are giving up in order to make an informed decision about using any specific device. While any IoT device raises this concern, the sharing of data from things like health monitors is more troubling than the data gathered from a smart refrigerator or smart washing machine.
The report also voices a concern that IoT device manufacturers would become the target of hackers, and that the kind of information that could be stolen, such as detailed health records, is more troubling than stolen credit card numbers.
There is some industry concern, echoed by the Commissioner who dissented from adopting the report, that the FTC needs to balance the desire to monitor the industry against too much regulation that might stifle innovation and investment in the field. But as a customer I would already vote in favor of what the FTC has started here. The risks to the industry are far greater from allowing companies to be lax with security and play free with customer data. I am going to be a lot more likely to use a device from a company that I think is being truthful with me and careful on both counts.