With Promising IoT Benefits Come Major Privacy, Security Risks, FTC's Ramirez Says
As IoT devices proliferate more rapidly than imagined, potential risks to people's privacy and security could "also emerge at a breakneck pace," which will have to be addressed through comprehensive legislation, FTC Chairwoman Edith Ramirez said during a speech before the American Bar Association's conference on IoT Thursday (see 1603300052). She touted the benefits of IoT devices such as providing real-time diagnostics to drivers and service facilities or monitoring pipeline leaks. But there also have been news reports and studies about hacks into medical connected devices to obtain data that is 10 times more valuable than a credit card number or to change settings that can stop an insulin device from delivering medicine.
Citing Gartner research, Ramirez said that 6.4 billion connected IoT devices will be used worldwide this year, up 30 percent from 2015. And, by 2020, more than 20 billion IoT devices will be in use, she added. This year, she said, 5.5 million new devices are being connected every single day. But the potential privacy and security risks could erode that growth. A 2015 TRUSTe survey found that 79 percent of Americans are concerned about personal information collected by such devices, while 25 percent cited potential privacy and security risks as the primary reason they don't own a smart device, she said.
These devices within people's homes, cars, workplaces or even on their bodies can produce an enormous amount of data, Ramirez said. For instance, fewer than 10,000 households using an IoT home automation system can generate 150 million discrete data points every day, she said. A 2015 ABI Research report, which she cited, said the volume of data from IoT devices eclipsed 200 exabytes in 2014, but the annual total is expected to top 1.6 zettabytes in 2020. Ramirez said that figure is equivalent to the information on 250 billion DVDs. "All of these independent data points when patched together present a deeply personal and ... complete picture of each of us, one that includes details about our financial circumstances, our health, our religious preferences and our family and friends," Ramirez said. This information could also lead to other inferences about people's moods, personality type, sleep pattern, well-being and level of fitness, among others, she added.
Hardware and software makers could be sharing this data with a host of unknown third parties, Ramirez said. In 2014, the FTC studied 12 health-related mobile apps and found that sensitive health conditions like pregnancy and ovulation along with consumer names, email addresses and other unique, persistent identifiers were transmitted to ad networks, analytics firms and other third parties, often without user knowledge or consent, she said. Devices like baby monitors, smart TVs and toys can be used for identification, surveillance, monitoring and location tracking, she added (see 1501060062).
IoT devices present a "heightened security risk" due to a lack of economic incentives, Ramirez pointed out. Since many devices are small, low-cost and essentially disposable, many companies may not think it is cost-effective to update software, apply a patch or provide ongoing device support, she said. A device's small size and limited processing power may also inhibit encryption or other security measures, she added. Not only can information be stolen, but people's physical safety also may be at risk since hackers could open garage doors or switch off critical medical devices. In the U.K., a glitch in smart thermostats raised temperatures in the homes of British Gas customers to 90 degrees Fahrenheit, she said.
But Ramirez said that industry can follow certain practices such as data minimization and develop policies that weigh the benefits and harms of the potential usefulness of sensitive data. She said companies could collect other types of data -- ZIP codes vs. precise geolocation -- that could be just as useful. Companies also should provide simplified notice and choice to customers regarding the collection and use of their data. Whatever approach companies take, the notices need to be clear and prominent and "not buried in lengthy privacy notices," she said. Also, companies should provide "just-in-time" alerts so consumers have a choice at the time of collection or use, she added.
There also are promising ideas such as Carnegie Mellon University's development of "personalized privacy assistants that are capable of learning the privacy preferences of their users over time, semi-automatically configuring many settings and making privacy decisions on their behalf," Ramirez said. This assistant could make choices on behalf of a user or prompt a user to make a decision. Companies should build in security from the outset and test such functionality before a product launch, she said.
The FTC is active in promoting policy recommendations and enforcement around privacy and security under Section 5 of the FTC Act, Ramirez said. But she acknowledged the commission is limited under existing law and more needs to be done. The commission, she added, endorsed data security legislation and comprehensive federal privacy law to set standards in this area. "Right now, of course, our Congress is unlikely to take any action," she said. But she added the FTC is not only enforcing the law but also educating consumers and companies about privacy and security practices, citing the commission's Start with Security initiative (see 1601210023).