Federal Trade Commission Issues Report on the IoT, Privacy and Security

Comprising mostly findings from a November 2013 FTC workshop, the report makes a number of recommendations regarding best practices for data security, but does not call for specific legislation to regulate consumer-facing IoT products.
By Mary Catherine O'Connor
Jan 28, 2015

From cars to watches, IoT technology is having a profound impact on how products work and how consumers interact with them. Yet, security and privacy experts have been raising red flags for years, concerned that these devices will open the door to data thieves and degrade civil liberties.

At the State of the Net conference, held yesterday in Washington, D.C., the Federal Trade Commission (FTC) issued two reports about Internet of Things technologies. Both assessments focus on the security and privacy issues surrounding consumer-facing applications and products (as opposed to those used at places of business), and are written for companies that are deploying these products and services. The main report, titled "The Internet of Things: Privacy and Security in a Connected World," summarizes the recommendations that resulted from a day-long, same-named workshop that the FTC conducted in November 2013. The second, "Careful Connections: Building Security in the Internet of Things," is meant to serve as a guidebook for companies developing consumer-facing products.

The main report reviews key privacy and security issues that could harm consumers, such as the threat of hackers exploiting weak security protections in order to gain access to private data transmitted to or from IoT devices, or infiltrating a large number of IoT devices and using their particular vulnerability to execute a denial-of-service attack. The report notes that "denial of service attacks are more effective when the attacker has more devices under his or her control; as IoT devices proliferate, vulnerabilities could enable these attackers to assemble large numbers of devices to use in such attacks."

Another area of concern is that IoT devices could serve as a pathway to physically harm consumers. At the November 2013 FTC workshop, Tadayoshi Kohno, an associate professor in the University of Washington's Department of Computer Science, described how he was able to access settings on an Internet-connected insulin pump and cause it to malfunction; another participant had found a security hole in a vehicle's telematics system that would allow someone to remotely tinker with the car's braking system.

With respect to privacy concerns, the report notes that while some risks—such as the collection of sensitive personal information or geolocation information—already exist in "traditional Internet and mobile commerce," these are potentially magnified by IoT devices automatically collecting "personal information, habits, locations, and physical conditions over time, which may allow an entity that has not directly collected sensitive information to infer [such information]." Workshop participants also expressed concern that without proper safeguards, insurers or potential employers could hypothetically access an individual's personal data—sleep patterns, level of exercise, or even mood, for instance—collected through a consumer's wearable IoT devices, and consider that information when making decisions regarding whether or not to issue that person an insurance policy or offer him or her a job.
