Federal Trade Commission Issues Report on the IoT, Privacy and Security

Comprising mostly findings from a November 2013 FTC workshop, the report makes a number of recommendations regarding best practices for data security, but does not call for specific legislation to regulate consumer-facing IoT products.
By Mary Catherine O'Connor

The second half of the report focuses on the debate over whether the conventional privacy framework known as the Fair Information Practice Principles (FIPPs) is appropriate for designing privacy and security measures for IoT devices. The FIPPs state that companies should provide notice to consumers when personal data is collected, offer a choice to opt in to or out of such collection, provide access to the data, and ensure accuracy, data minimization, security and accountability. A number of U.S. laws and policy frameworks use the FIPPs or borrow from them, including the Health Insurance Portability and Accountability Act (HIPAA) and the Consumer Privacy Bill of Rights. Some workshop participants argued against relying on data minimization, notice and choice as tools for protecting consumer privacy in the IoT.

Data minimization means that a company restricts the personal data it collects to what it actually needs, the idea being that data it never collects is data it need not safeguard. But some IoT industry pundits argued that such a practice could stifle innovation by limiting the applications a company could later develop from the data it collects.

As for providing notice to consumers whenever data is collected, and managing their opt-in or opt-out preferences, some industry watchers at the FTC workshop expressed dismay at how difficult or impossible this would be, since many IoT devices have no display or any other means of conveying information to a user via text or audio.

Addressing these concerns, the report notes, will likely require approaches that go beyond the data-security and privacy practices that evolved for Internet- and smartphone-based consumer applications. For example, companies might demarcate each piece of data they collect by attaching digital markers ("tags") that dictate how that piece of data could and could not be used, both by the collector and by any third party it is shared with.
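As an added illustration, not code from the FTC report or from this article, of the tagging idea just described together with the data minimization discussed earlier: a small Python sketch in which each collected field carries a use tag that travels with it, fields with no declared purpose are never stored, and a third party receiving the data can only narrow, never widen, what it may do with it. The thermostat reading, the field names, the purpose labels and the party names are all constructed for the example.

```python
"""Added example: per-datum use tags ("sticky policies") with data
minimization at collection. Constructed illustration; every name is hypothetical."""
from dataclasses import dataclass
from typing import Any, Dict, FrozenSet, Iterable, Optional


@dataclass(frozen=True)
class UseTag:
    """Policy marker attached to one piece of collected data.
    purposes:       uses the current holder may make of the value,
                    e.g. 'device_operation', 'analytics', 'marketing'.
    shareable_with: third parties the current holder may pass the value to."""
    purposes: FrozenSet[str]
    shareable_with: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class TaggedDatum:
    field_name: str
    value: Any
    tag: UseTag
    holder: str  # party currently holding the value; the tag travels with it


class PolicyViolation(Exception):
    """Raised when a use or transfer falls outside the datum's tag."""


def collect_minimally(raw_record: Dict[str, Any], schema: Dict[str, UseTag],
                      collector: str) -> Dict[str, TaggedDatum]:
    """Data minimization at the point of collection: keep a field only if the
    schema declares at least one purpose for it; discard everything else before
    it is stored, so there is nothing to safeguard later."""
    kept: Dict[str, TaggedDatum] = {}
    for name, value in raw_record.items():
        tag = schema.get(name)
        if tag is None or not tag.purposes:
            continue  # no declared purpose -> never collected
        kept[name] = TaggedDatum(name, value, tag, collector)
    return kept


def use(datum: TaggedDatum, purpose: str) -> Any:
    """Release the value only for a purpose the tag permits."""
    if purpose not in datum.tag.purposes:
        raise PolicyViolation(
            f"{datum.holder} may not use '{datum.field_name}' for '{purpose}'")
    return datum.value


def share(datum: TaggedDatum, recipient: str,
          purposes: Optional[Iterable[str]] = None) -> TaggedDatum:
    """Pass the datum to a third party. The recipient's purposes are the
    intersection of what it asks for and what the tag already allows (never
    wider), and onward sharing is closed off by default."""
    if recipient not in datum.tag.shareable_with:
        raise PolicyViolation(
            f"{datum.holder} may not share '{datum.field_name}' with {recipient}")
    requested = datum.tag.purposes if purposes is None else frozenset(purposes)
    narrowed = UseTag(purposes=datum.tag.purposes & requested)
    return TaggedDatum(datum.field_name, datum.value, narrowed, recipient)


# Constructed sample: one reading from a hypothetical connected thermostat.
SAMPLE_READING = {
    "device_id": "thermo-0042",
    "temperature_c": 21.5,
    "occupancy": True,
    "wifi_ssid": "HomeNet",  # not needed for the service: never collected
}

# Hypothetical collection schema: per field, what the collector may do with
# the value and whom it may share it with.
SCHEMA = {
    "device_id": UseTag(frozenset({"device_operation"})),
    "temperature_c": UseTag(frozenset({"device_operation", "analytics"}),
                            frozenset({"energy_utility"})),
    "occupancy": UseTag(frozenset({"device_operation"})),
}


def demo() -> Dict[str, Any]:
    """Walk through collection, use and third-party transfer; return outcomes."""
    stored = collect_minimally(SAMPLE_READING, SCHEMA, collector="thermostat_vendor")
    out: Dict[str, Any] = {"stored_fields": sorted(stored)}
    out["temp_for_operation"] = use(stored["temperature_c"], "device_operation")
    try:
        use(stored["occupancy"], "marketing")
        out["occupancy_for_marketing"] = "allowed"
    except PolicyViolation:
        out["occupancy_for_marketing"] = "denied"
    shared = share(stored["temperature_c"], "energy_utility",
                   purposes=["analytics", "marketing"])
    out["utility_purposes"] = sorted(shared.tag.purposes)  # 'marketing' dropped
    try:
        share(shared, "ad_network")
        out["onward_share"] = "allowed"
    except PolicyViolation:
        out["onward_share"] = "denied"
    return out


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

The point of the sketch is that the policy check sits on the data itself rather than on the collector's good intentions: the field with no declared purpose is never stored, a use outside the tag is refused, and the tag handed to the utility is the intersection of what it asked for and what the consumer was told, with no onward sharing unless the tag explicitly allows it.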
