Privacy, Security, and the Internet of Things

According to the Federal Trade Commission (FTC), the Internet of Things (IoT) is currently composed of 25 billion connected devices around the world and the number will double to 50 billion within the next five years. These devices collect vast amounts of information on industrial and business processes and human health, behavior, and preferences that can be leveraged to improve delivery of products and services, health, and safety.

IoT will bring significant societal benefits; but without guidance, it could also bring undesired side effects. To date, the security and privacy of IoT is largely achieved through market preferences and industry self-regulation. But governments are increasingly scrutinizing the privacy and security risks associated with the Internet of Things.

The FTC recently issued a staff report on the Internet of Things, urging companies to adopt data security best practices, minimize the collection and retention of consumer data, and provide notice and choice to users. Recognizing the enormous potential for innovation in IoT, the report stated that IoT-specific legislation could stifle innovation at this stage and would therefore be premature. Instead, the FTC provocatively advocated for new, broad-based legislation that would expand the FTC’s enforcement authority to regulate companies broadly for consumer privacy, as well as the functionality of the devices and services they produce.

Critics of the report say that the FTC is rushing to conclusions about how to secure IoT devices, particularly on the issues of data minimization and the need for legislation. These critics are likely overreacting.

The report highlighted issues that the FTC plans to monitor. It does not expand the FTC’s enforcement authority. Nudging companies to adopt improved security best practices through non-regulatory means is a good thing, and it is much needed. The report was also carefully scoped to include consumer-facing IoT devices, and makes clear that business-to-business and machine-to-machine devices are outside the scope of the report.

Technology permeates every aspect of modern life. As users become more tech-savvy, they will demand more control and transparency in regard to how their personal data is collected, stored, and used. User demand for a consent-based model that provides notice to consumers of how data is used and lets individuals opt out is inevitable. Companies entering the IoT space should practice privacy-by-design in their product development processes.

The call for legislation is a statement of support for the White House’s legislative proposal on data security and breach notification released two weeks ago. Those worried about sweeping regulation should be comforted by the fact that the current Republican-controlled Congress is unlikely to take up legislation that would significantly expand government mandates.

At the end of the day, the U.S. approach to addressing privacy and security risks associated with IoT is still considerably more measured than that of the European Union, which has signaled intent to designate all data produced by IoT devices as protected under the EU Data Protection Directive.

Denise Zheng is deputy director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington D.C.

Commentary is produced by the Center for Strategic and International Studies (CSIS), a private, tax-exempt institution focusing on international public policy issues. Its research is nonpartisan and nonproprietary. CSIS does not take specific policy positions. Accordingly, all views, positions, and conclusions expressed in this publication should be understood to be solely those of the author(s).

© 2015 by the Center for Strategic and International Studies. All rights reserved.