The Federal Trade Commission staff has issued a report on the Internet of Things that recommends companies minimize the data they collect and the time frame in which they retain it. It agrees with "many stakeholders" that any specific legislation on privacy and security would be premature, but calls for broad legislation in those areas.
The report makes a number of recommendations for steps businesses can take to protect information in a world of interconnected devices--some 25 billion of them, according to the agency.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez in releasing the report. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
In terms of data minimization, the staffers say companies can choose from collecting no data, limiting collection to what is essential for the service offered by the device, collecting less sensitive data, or anonymizing the data collected.
Other best practices include:
1. "Build security into devices at the outset, rather than as an afterthought in the design process;
2. "Train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
3. "Ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
4. "When a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
5. "Consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
6. "Monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks."
The report says that specific legislation would be premature given how fast the space is moving, but it reiterates earlier FTC calls for strong data security and breach notification and privacy legislation.
Daniel Castro, director of the Center for Data Innovation, agreed with the need for data security and breach information, but not privacy legislation.
"While the FTC’s report correctly recognizes that the Internet of Things offers potentially revolutionary benefits for consumers and that the industry is still at an early stage, it unfortunately attempts to shoehorn old ideas on new technology by calling for broad-based privacy legislation," he said in a statement. "It is disheartening that the FTC staff has failed to propose a forward-looking regulatory approach to technology that narrowly targets actual harms while leaving companies free to innovate."
He also is no fan of minimization. "In particular, in calling for companies to reduce their use of data, the FTC misses the point that data is the driving force behind innovation in today’s information economy," he said.
As to breach and security legislation: "Following a string of cyberattacks last year, passing this legislation should be at the top of the agenda for the new Congress," he said.
TechFreedom President Berin Szoka was not pleased. “At best, this is just another exercise in Workshop Theater; at worst, the FTC is trying to regulate the Internet of Things by stealth,” he said in a statement. “We’ve been down this road before: In 1980, a heavily Democratic Congress twice tried to rein in the FTC’s Naderite regulatory spree. Now, the FTC is effectively circumventing those constraints, using workshop reports as de facto regulations.”
House Energy & Commerce Committee Chairman Fred Upton (R-Mich.) and Commerce, Manufacturing and Trade Subcommittee Chair Michael Burgess (R-Tex.) said protecting personal information is important, but not overregulating it is important too. "While public awareness of the Internet of Things is still in its early stages, now is the time to understand its future prospects and ensure that companies are protecting personal information when they introduce connected devices and services into the marketplace," they said in a joint statement last week. "We also must be certain that throughout this process we don’t smother innovation that can improve the quality of life for consumers and create jobs. We must exercise great caution to avoid the slippery slope of the Internet of Things evolving into the Internet of Regulation. Let's stay on this path of remarkable breakthroughs and advancement."