FTC to Internet of Stuff: Security, motherf****r, do you speak it?

No new laws yet – emphasis on the word yet

US regulator the FTC says now is not the time for new laws on the "Internet of Things" – but security needs to be improved as we enter the era of always-on, always-connected gadgets, sensors and machines embedded in homes, streets and pockets.

In a report [PDF] published today, the commission's staff make a number of policy recommendations for the wave of new devices that collect and transmit data on our everyday lives.

From the camera that posts pictures online with a click, to automated home lighting and heating, to FitBits and Apple Watches, the Internet of Things (IoT) was the focus of this year's Consumer Electronics Show, as well as a speech by FTC chairwoman Edith Ramirez.

There will be 25 billion devices connected to the internet by the end of the year, doubling to 50 billion by 2020, according to Cisco's estimates. The problem is that many of the companies churning out these gizmos are not properly considering the risks associated with gathering masses of personal sensitive data, we're told.

Security, and ultimately the safeguarding of privacy, is the biggest problem, says the FTC. And it needs to be built "into devices at the outset rather than as an afterthought." Employees also need to be trained up on the importance of security so there is a company-wide understanding and approach to protecting data, both internally and with any third parties that companies work with.

Additional measures, such as good network defenses to prevent unauthorized users from getting access to data, monitoring for security holes, and providing security patches on time, should also be key considerations.

Given that, for example, home router makers are so slow to patch security vulnerabilities in firmware, what luck does anyone have fixing critical flaws in their IoT light switches, boilers and shoes?

As well as security, companies jumping on the IoT bandwagon should also think about "data minimization", meaning limit the amount of information that is gathered and only retain it for a certain period of time.

The FTC's logic behind that approach is that the fewer sensitive bytes companies hold, the less of a target their database will be (in theory) and the less opportunity exists for it to be used in ways that customers would be unhappy about.

Alternatively, companies could go out of their way to "de-identify" data so it cannot be linked to specific individuals.

What you got?

In a related point, the FTC recommends that businesses adopt a "notice and choice" approach to data, i.e. customers are informed what records the company gathers and are given the choice to opt out of its collection.

In order to prevent people from being overwhelmed with approval requests, the commission recommends that this "notice and choice" approach be adopted for any uses that would be "unexpected", i.e. not immediately obvious to the consumer.

Obviously, this is something for lawyers to have fun with: sadly, is a photo-sharing app monitoring your movements really "unexpected" in this day and age?

If companies immediately de-identify data – erase any way to pick out a particular person from the information – the need to offer choices is greatly reduced, apparently.

As for legislation, the FTC report acknowledges that new laws may be needed at some point, but that it is too early to do so "given the rapidly evolving nature of the technology." As such, it sees self-regulation as the best way forward.

It does note, however, that the commission called for broad privacy legislation back in 2012, including breach notification laws, and that remains its position.

It is worth noting that the report was published only after four of the five commissioners voted in favor of doing so. The fifth commissioner, Joshua D Wright, published a dissenting opinion [PDF] and argued that the document is a weird hybrid between a writeup of discussions and a formal policy statement.

He would prefer one or the other, not a seemingly rushed mix of the two.

The report itself was based on a workshop held back in November 2013, and referred to subsequent public comments on the session. But the report as presented includes a range of policy recommendations.

Wright argues that if the FTC's staff wishes to produce policy recommendations, it needs to back them up with data, rather than "merely rely upon its own assertions." A workshop report should be a report of what people said; a formal report should "possess and present evidence that its policy recommendations are more likely to foster competition and innovation than to stifle it," he argues. ®
