Next month the Federal Trade Commission will meet to discuss how it plans to regulate the internet of things, and how connected devices share consumer data. There are two issues at play here, one being the privacy of consumer data and the other being the security of the networks delivering that data. The privacy issue, however, also contains a security dimension since the devices can share things that affect a person’s safety — such as where they live and whether or not they are home.
The rise of such connected devices essentially takes the established privacy framework the FTC adopted for web data and throws the problem into three dimensions. The FTC had established several categories of “sensitive data” in its 2012 Privacy Report, including Social Security numbers, precise geolocation data, financial records, health information and information about children. This data required higher levels of user consent and protections.
Yet in a decision last month, the FTC seems to be expanding that concept of sensitive information for the internet of things. In an article at Lexology, the law firm Hogan Lovells writes that the FTC seems to be adopting a broader view of “sensitive data.” The story reads:
Whether the FTC intends to adopt the view that all video feeds are sensitive information is unclear, but it does seem that the FTC is moving away from defining “sensitive information” in terms of certain categories of data. This will likely create uncertainty for organizations attempting to classify data during the design and implementation of security and privacy programs.
The issue is a tough one for the agency. It’s in the unenviable position of trying to understand an emerging industry built on connectivity and data collection that in many areas doesn’t even have a business model associated with it. Companies know they want as much data as they can glean with the widest possible permissions to go with them, while consumers have no idea what they are giving up. A common sense that services built on the back of data and collected by a variety of connected devices is, for now, the only thing that ties today’s internet of things evangelists together.
Thus, comments filed with the FTC ahead of the meeting range include a short letter from the Direct Marketing Association calling for self-regulation, much like what was offered with the development of the internet. Yet, that model when applied to greater connectivity in more personal settings has many people worried. You’ve only to look at the presentation by Kaivan Karimi at our Mobilize event last week where he explained that 50 cents worth of sensors on a phone could give device-makers the ability to read your emotions in real time.
That’s why Karimi advocates a conversation about connected sensors and data before we start building out businesses. He’s not alone. EPIC, the Electronic Privacy Information Center, argues that the privacy implications of connectivity start with the devices, which could allow a person to be tracked continuously across a variety of networks. This has consequences that range from redlining customers based on their perceived value to being able to act as a digital voyeur on people’s intimate lives and habits. From the EPIC filing:
Because the Internet of Things will generate data from all aspects of consumers’ lives, these types of secondary uses could lead to the commercialization of intimate segments of consumers’ lives. …. Similarly, the increased amount of usage data will enable companies to develop and enforce hidden charges and fees for certain uses. For example, GPS and other networked technologies have enabled rental car companies to charge numerous “gotcha fees” for driving outside of specified regions or using certain services.
Once your physical and intimate private life is compromised, it also represents a security threat. For example, think about connected cars. Because the ports that control access to vehicle telematics are physically unsecured or the transmission of data from the car to other services might be either from digital threats like malware in your car to physical threats, like being able to see motorists driving in remote areas and robbing them.
A comment filing from AT&T doesn’t delve into the privacy aspects, likely because AT&T has terabytes of customer data it might like to sell, but focuses instead on network security. A glance at all of these comments show the same thing. The FTC has asked companies to comment on the internet of things within a broad scope. A few big names responded with self-serving examples that ignore the big issue: namely, we’re entering into an unknown era of data collection combined with analytics that can strip away our privacy in the name of convenience, energy savings or even cheaper medical bills.
As the FTC evaluates its role in the internet of things, I hope it recognizes that while this is an emerging area where too many rules might stymie the development of an industry, adopting a bill of rights for consumer data privacy and being willing to actively regulate the space as problems emerge would go a long way in striking a balance between stifling a growing industry and letting marketers and companies run roughshod over consumer privacy in the name of boosting their profits.
For a model of what those data privacy rights should look like, I suggest this article by Alexandra Deschamps-Sonsino or this one by Limor Fried of Adafruit. Companies are ready to suck up this data and beg forgiveness just like they did on the internet. But the stakes are much higher this time, so hopefully the FTC will take real action on behalf of consumers.