As an ever-increasing number of connected devices expands the Internet of things (IoT), there needs to be a focus on security and privacy by manufacturers and consumers, new FTC Commissioner Rebecca Kelly Slaughter and panelists said today during a New America event.
“It’s important that consumers have meaningful, accurate information about their device security, as well as data sharing, to make informed decisions,” Commissioner Slaughter said during a speech. “We are at a critical point in the IoT era in terms of getting privacy and security right. At the precipice of exponential growth, we have the opportunity both to thoughtfully develop products that start and stay secure and to educate consumers early on about how to assess the risks of connected devices, how to choose brands that take privacy and security seriously, and how to maintain device security with patches over the lifespan of the product. I cannot overstate the importance of getting this right, now.”
Consumer trust can be fostered by “ensuring that the devices are reasonably secure” and “ensuring consumers have a clear and accurate picture” of what data their devices collect and how that data is stored and used. “With all of this cutting edge and truly transformative technology comes legitimate concern about the potential risks these devices pose to our safety, our autonomy, and our privacy,” she said. “The many benefits of IoT devices may be delayed or foreclosed if consumers cannot trust them.”
She pointed to reports of hackers taking advantage of security flaws to gain access to data, as well as cases where domestic abusers and stalkers gained information about their victims from IoT devices. “Our law and our rhetoric often treat our privacy and security as distinct,” she said, adding: “But the world of IoT shows us that the line between privacy and security is not bright, even blurry. The two concepts are overlapping and intrinsically related. There can be no assurance of privacy without sound security and most security vulnerabilities pose threats to privacy as well.”
The FTC is seeing some “basic trouble spots” crop up already with IoT devices, including “some very basic failures in product design” in pre-release testing, she said. “We encourage and expect companies to consider security at the outset, understand well-known vulnerabilities affecting their class of products, and take advantage of low-cost, widely available measures to protect against them,” she said. Companies also need to make sure they have processes in place to identify new security threats after products are released, and also implement security updates and patches.
The FTC has an important enforcement role to play in IoT device security and privacy, Ms. Slaughter said, noting actions taken against makers of connected toys, routers, and televisions.
Ms. Slaughter also said she favors the idea of forming a technology bureau at the FTC. “I believe that would be a valuable way to make sure we have a deep bench of technologists who can help spot issues.”
Panelists at the event all stressed the importance of ensuring IoT devices are secure and protect privacy, though they did not all agree on how that should be accomplished. IoT is “more of a Wild West” with widely varying levels of security available in devices, Consumers Union Director of Privacy and Technology Policy Justin Brookman said. There is a “growing recognition” that there are security and privacy concerns about IoT devices that need to be addressed, he said.
Mr. Brookman echoed concerns that many device makers have not taken security into account, or have no way to provide patches over time. “I don’t like regulation for its own sake,” he said. “But the way these things have been developed so far [addressing security] has been insufficient.”
Center for Democracy and Technology Senior Technologist Maurice Turner said he thinks “we may already be a little bit past that point” where self-regulation by IoT device makers is sufficient. “There’s definitely room for market experimentation, to have companies big and small weigh in and find out for themselves what the sweet spot is for self-regulation,” he said. “But at some point, it needs to be codified on a government level.”
Mr. Turner said there is a “great deal of burden that’s being borne by the consumer about being educated” regarding whether devices are secure. IoT devices lack the kind of security standards that would be akin to safety certifications on other products, he said.
U.S. Chamber of Commerce Vice President of Cybersecurity Policy Matthew Eggers said the key to ensuring IoT security is “making sure we’ve got the policy right, making sure we get some of the technical aspects of this right.” Mr. Eggers disputed the notion that regulation is necessary. “Trying to regulate more in this space is not the right approach,” he said. “We think that regulatory humility is the way to go.”
The business community should lead the way on IoT security issues, he said.
Andi Wilson Thompson, a policy analyst at New America’s Open Technology Institute, argued there “needs to be guidance” for companies developing IoT devices. “A lot of the IoT devices in people’s homes are either created by companies that have been manufacturing washing machines, refrigerators for decades but only recently connected one of those devices,” she said. “So they might be a big company with a lot of skills. But they don’t have the sort of security/privacy expertise infrastructure that other more established companies do.”
Another concern, she said, is that many IoT devices are developed by small companies and start-ups that do not have security experience. There are “unique privacy concerns” with IoT devices, which collect all manner of data about their users, Ms. Thompson said. “Privacy and security go together,” she said. “It’s very difficult to separate them.” —Jeff Willams