US regulators know that the internet is exploding into something new and strange, and they want to keep it safe for consumers. They just don't fully know how to do it yet.
Today the Federal Trade Commission released a report on the Internet of Things that coincided with its presence at the State of the Net conference in Washington, DC. The report largely consists of notes from a 2013 workshop on IoT devices, summarizing the thoughts of FTC staff and industry witnesses. It's an interesting look inside the agency because while regulators appear united in the basic idea that IoT devices should be secure, there's not really a consensus yet on what security looks like or how to establish it for everyone.
"We're now in a world where data is being collected all the time," FTC Commissioner Edith Ramirez said today at the State of the Net conference. "We're bringing these devices into our homes, into what used to be private spheres, and the data that is being generated is increasingly much more sensitive. It's really in my mind fundamental that consumers continue to be in the driver's seat, that they have a say in their own information and how it's being used."
In an op-ed for Recode, commissioner Terrell McSweeny echoes Ramirez's thoughts on security, writing that "security — or the lack of it — will largely determine the success or failure of widespread adoption of internet-connected devices." McSweeny notes that "some companies have already adopted relatively mature security frameworks, while others have not." That inconsistency is a major theme of the FTC's broader report. But what should the agency do about it? For now, it seems like the FTC believes self-regulation is the best bet — as long as Congress beefs up higher-level privacy protections for consumers.
In its report, the commission concludes that no IoT-specific legislation is needed yet, and that self-regulation could be "helpful" in encouraging companies to adopt privacy and security practices. But it also observes that Congress should pass "strong, flexible, and technology-neutral legislation" that requires companies to tell customers when there's a security breach. That appears to be in line with President Obama's recently stated aims — he wants a 30-day deadline for notices and a revised "Consumer Privacy Bill of Rights" — but we'll see how that shakes out in the new Congress. For its part, the FTC has been asking for stronger data protection laws since at least 2012, when Chairman Jon Leibowitz testified before Congress that the pace of self-regulation in the internet industry needed to "accelerate." Leibowitz called on lawmakers to pass the same kind of privacy laws the agency and the president are still asking for today.
What does privacy look like in practice? Is it an app?
Notifying users of a data breach is certainly important, but it's also the tail-end of privacy. What would strong privacy protections look like for people who use internet-connected devices on a daily basis? On that point, the FTC isn't entirely clear yet, but it's offered some hints. The agency's report recommends "management portals" or "dashboards," which seems to translate to "let people tweak settings in an app" — the report specifically calls out Android's privacy options for apps as an example of how to manage user privacy.
The overall recommendations have three prongs: data security (companies should make devices physically secure from the outset), data minimization (companies should not collect more data than they need), and "notice and choice" (let people choose what data to share, and tell them when you screw up). Again, it's just not clear what kind of standards consumers will be able to expect when the government's primary regulatory function appears to be giving companies suggestions about self-regulation. It just doesn't seem reasonable to expect that the maxim "be mindful about the amount of data you collect" will be taken seriously by companies like Whisper or Uber.
"FTC must exercise #RegulatoryHumility in #IoT. Need permissionless innovation. Read @AdamThierer: http://t.co/jU4zM9CJQY #privacy #SOTN15" — Maureen Ohlhausen (@MOhlhausenFTC), January 27, 2015
While the industry continues to self-regulate, expect partisan fights in Congress over the Internet of Things. Already we're seeing some of the same language that's being used in the fight for net neutrality in the discussion about IoT security. Words like "light touch" and "regulatory humility" may come to define the fight for internet freedom as well as privacy.