Securing Billions of Smart Things

There are roughly 25 billion smart devices and objects busily gathering data and beaming information back to their respective motherships (and business partners).  That’s up from 7 billion things a mere five years ago.

And five years from now? The consensus is 50 billion things will be interconnected, merrily gathering data, and making our lives easier/transforming the world into a marketer’s magic kingdom.

The US Federal Trade Commission (FTC) has signaled its strong interest in bringing privacy enforcement to the so-called Internet of Things (IoT), with the release of its “voluntary standards” report this week. We put those two words inside quotes because while the standards are voluntary right now, it’s a safe bet that they will be used in courtrooms as a basis for determining whether a manufacturer abided by industry best practices.

The FTC defines the IoT infrastructure as “the ability of everyday objects to connect to the internet and to send and receive data.”

The FTC worries about how secure all of this data is and wants Congress to consider legislation to enforce security standards. But the agency also really wants to establish some guidelines on what companies will be doing with the data that they collect from devices.

The report notes that the FTC studied 12 mobile fitness apps and found that the apps shared data with 76 separate entities. Such data should not be usable by insurers to set health, life, car or other insurance premiums. Nor should it be utilized to make hiring, credit, housing or other types of economic decisions.

Congress shouldn’t consider implementing IoT-specific legislation at this time, the FTC says, but should focus on implementing legislation concerning data security protections ASAP.

“In the future, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend,” noted the FTC report.

“Staff believes (data security) legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

“Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices.”

Not everyone agrees, including FTC commissioner Joshua D. Wright, who stated in a dissenting opinion that it was counterproductive to establish “industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.”

Wright added that “though an agency’s recommendations regarding industry best practices do not carry the force of law, there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adopt such recommendations as actionable. Where an agency’s recommendations regarding best practices are not supported by cost-benefit analysis, firms may respond by adopting practices or engaging in expenditures that make consumers worse off.”

Obviously, this issue is far from settled and the discussions will continue for the foreseeable future. It’s likely that the generally accepted best practices and ways to protect collected data will come from industry trade groups, while privacy and permission concerns will eventually be determined by local, national and regional data privacy regulations.

Posted in BAI Security Blog.
