Federal Trade Commission Issues Report on the IoT, Privacy and Security

Comprising mostly findings from a November 2013 FTC workshop, the report makes a number of recommendations regarding best practices for data security, but does not call for specific legislation to regulate consumer-facing IoT products.
By Mary Catherine O'Connor

While noting that security and privacy risks are real and growing as IoT devices proliferate—scores of consumer products linked to the Internet have entered the marketplace since the FTC's 2013 workshop—the agency said it does not believe these risks should be addressed through legislative action at this time. However, the commission's staff does use the report to urge Congress to enact "general technology-neutral data security legislation" and "broad-based (as opposed to IoT-specific) privacy legislation."

In addition, the report calls for companies to self-regulate and adopt best practices, such as building security features into the products starting at their earliest design stages and developing some form of data-minimization practice, as well as offering a reliable means of upgrading products with security patches once they are available in the marketplace. The companion report, "Careful Connections: Building Security in the Internet of Things," goes into further detail regarding best practices.

The staff report's findings are consistent with public statements made by FTC chairwoman Edith Ramirez during the recent Consumer Electronics Show, and those in an article that FTC commissioner Terrell McSweeny wrote for the technology news site Re/Code. But Maureen K. Ohlhausen—one of Ramirez's and McSweeny's fellow commissioners (the FTC has five politically appointed commissioners, with no more than three from the same party)—issued a statement, echoed in a number of tweets she also sent on Tuesday, in which she argued against the report's recommendations for enacting broad privacy legislation. Specifically, she noted that the FTC already has authority to enforce regulations that companies must require consumers to opt in and consent to personal data collection. Ohlhausen described the report's recommendation that companies use data-minimization tools, albeit with flexibility, as "overly prescriptive," and wrote, "The report, without examining costs or benefits, encourages companies to delete valuable data—primarily to avoid hypothetical future harms."

In the statements and on Twitter, Ohlhausen called the report a "missed opportunity" to delve into the tensions between FIPPs and the IoT, particularly with regard to data minimization. Ohlhausen said the staff report's recommendations followed the precautionary principle (decision-making through which an organization attempts to mitigate harm by considering how a product or service could negatively impact users), whereas she subscribes to the concept of "permissionless innovation"—as expressed by Adam Thierer, a senior research fellow at George Mason University's Mercatus Center—in which companies are encouraged to develop new products unabated "unless a compelling case can be made that a new invention will bring serious harm to individuals."
