NTIA Targeting Summer Release For Report On IoT Security

February 16, 2017–NTIA is targeting summer for release of the results of its ongoing multistakeholder process regarding Internet of things security upgradability and patching, Evelyn Remaley, deputy associate NTIA administrator-Office of Policy Analysis and Development, said today at an event organized by the Federal Communications Bar Association. The multistakeholder group considering those issues last met on Jan. 31, and it will continue to meet through the spring, she said, adding, “we hope to hear something significant from them this summer.”

The process has created four working groups, she said, and is considering, among other issues, the breadth of the IoT ecosystem and “new players that haven’t had to think of security” as much as service providers have had to. Ms. Remaley also noted that the public has until Feb. 27 to submit comments to NTIA on the agency’s “green paper” released last month (TRDaily, Jan. 12) titled “Fostering the Advancement of the Internet of Things.”  The paper proposes several ways in which the Commerce Department can foster the development of IoT, including “fostering the physical and spectrum-related assets needed to support IoT growth and advancement.”

Also speaking at today’s FCBA event, Maneesha Mithal, associate director of the  Division of Privacy and Identity Protection in the Federal Trade Commission’s Bureau of Consumer Protection, explained the agency’s role in enforcing data privacy rules and highlighted its settlement agreement announced last week (TRDaily, Feb. 6) under which Vizio, Inc., a maker of Internet-connected TV sets, has agreed to pay $2.2 million to settle charges brought by the FTC and the New Jersey attorney general.  The settlement said that Vizio, beginning in 2014, installed software on its television sets “to collect viewing data on 11 million consumer TVs without consumers’ knowledge or consent.”

Ms. Mithal noted that while the FTC’s complaint and proposed settlement was approved by agency commissioners unanimously, acting Chairman Maureen Ohlhausen said in a concurring statement that while she supported the second count of the agency’s complaint, “which alleges that Vizio deceptively omitted information about its data collection and sharing program,” she said that the first count of the complaint, which alleges that “granular (household or individual) television viewing activity is sensitive information,” marked the first time the FTC has alleged that individualized television viewing activity falls within the definition of “sensitive information.”

“There may be good policy reasons to consider such information sensitive,” Ms. Ohlhausen said in her concurring statement. “Indeed, Congress has protected the privacy of certain video viewing activity by passing specific laws, such as the Cable Privacy Act of 1984. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.”

But, the commissioner continued, “This case demonstrates the need for the FTC to examine more rigorously what constitutes ‘substantial injury’ in the context of information about consumers. In the coming weeks I will launch an effort to examine this important issue further.” Ms. Mithal said today that “we will do more work on harms.” – John Curran, john.curran@wolterskluwer.com

Courtesy TRDaily