The Federal Trade Commission (FTC) has said that any privacy and data security legislation specific to the Internet of Things would currently be premature. An FTC staff report recommended that Congress enact more general IoT security and privacy legislation instead of specific legislation.
This report is in response to the National Telecommunications & Information Administration, which is collecting input on the upsides, downsides, and government’s role in the increasingly net-connected world.
With the growing concern over the lack of security of IoT devices, it is not surprising that there are calls for tighter regulations guiding the IoT. A recent survey by a security firm claimed that only one in ten IoT devices offers adequate protection, which makes it even more urgent for more regulations and standards to be implemented.
The FTC says it supports “flexible, technology-neutral data security legislation” that would strengthen the FTC’s enforcement tools and require companies to notify consumers when there is a security breach. The FTC also recommended that general data security legislation be enacted to protect consumers against any unauthorized access to their personal information and the device functionality.
In addition to calls for general IoT legislation, the FTC also recommended “broad-based, technology-neutral, general privacy legislation.” This is a result of what it calls “the lack of transparency regarding companies’ data practices and the lack of meaningful consumer control over their data.”
The massive volume of granular data collected by IoT devices enables those with access to the data to perform analyses that would not be possible with less rich data sets. For example, car insurance companies can now use data from connected cars to base insurance rates on consumers’ actual driving habits (e.g., number of “hard brakes,” miles driven, and amount of time driving between midnight and 4 a.m.); others might use IoT data to make in-house credit, insurance, or other eligibility-type decisions.
Using data for these purposes could bring benefits, such as enabling safer drivers to reduce their rates for car insurance or expanding consumers’ access to credit. However, such uses could be problematic if they occurred without consumers’ knowledge or consent, or without regard to the accuracy of the data.
These concerns permeate the IoT space, given the ubiquity of information collection, the broad range of uses that the IoT makes possible, the multitude of companies involved in collecting and using information, and the sensitivity of some of the data at issue, said the FTC. General privacy legislation that addresses these issues through greater transparency and choices could help both consumers and businesses by promoting trust in the IoT marketplace.
The FTC said the adoption of standards that allow for the interoperability of consumer devices often promotes and enhances competition in an industry, with direct benefits for consumers. The commission said the full realization of these benefits depends on standards being selected “in a nonpartisan manner. . . and in the presence of ‘meaningful safeguards’ that ‘prevent the standard-setting process from being biased by members with economic interests in stifling product competition.’”
Standards—particularly in the information technology and telecommunications industries—are often created through a collaborative standard-setting process involving market participants who normally compete against each other. False or misleading representations or other anticompetitive abuse of collaborative standard setting can reduce competition, minimize the role of consumers, and potentially lock in existing technological approaches to the detriment of innovation and consumers.