From connected cars to connected appliances, the Internet of Things (IoT) is enabling new product capabilities and services that would not otherwise be possible. When even the most mundane of devices are connected, either to each other or to the cloud, the sheer volume of personal data being generated is almost incomprehensible. And given the volume estimates of connected sensors and devices expected in the coming years, generated data will scale up exponentially.
Consumer data privacy and security as it relates to the IoT ecosystem has been a concern to anyone paying attention to its potential for abuse. Connected devices inside and outside of the car compromise the integrity of the best embedded systems, while consumers struggle to understand how much of their personal data is shared, by whom and for what purposes. No surprise, therefore, that the Federal Trade Commission is officially on the record with warnings to IoT industry players that they should take consumer privacy and security more seriously.
In a statement, FTC Chairwoman Edith Ramirez said “The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers.” A 71-page report issued this week warned that data generated by connected devices could create consumer privacy and security invasions and that IoT developers need to take stronger measures to shield consumers from such breaches.
Practical suggestions from the FTC include implementing security measures into products during the design stage, supporting devices throughout their lifetime via software patches, and creating rapid-response processes for dealing with security breaches when they occur. This is important as many companies are rushing products to market with incompatible platforms and very little inoperability with other IoT devices and hardware. Without firm standardization of communication protocols, the level of data security in these systems is suspicious at best
More controversial is the FTC’s recommended “data minimization,” or the practice of using less data and retaining it for a limited time frame. And the report’s “notice and choice” section provides guidance on permission-based usage of data by consumers, even though data ownership legalities have yet to be determined.
“We commend the FTC for recognizing the enormous personal, economic and societal benefits that IoT enables, and the agency’s efforts to engage and educate businesses on how to secure the IoT ecosystem,” CEA president Gary Shapiro said. But, he added, “it’s too early to rush out laws that may choke off innovation.” The Future of Privacy Forum agrees and further stated that FTC’s report suggests legislation instead of industry judgment to manage how data is used in the marketplace, which could threaten innovation and discourage private-sector investment.
One solution here would be for IoT companies and developers to demonstrate a visible, coordinated self-regulatory approach to data security and privacy. An example of industry self-regulation is the collaborative effort by the Alliance of Automotive Manufacturers and the Association of Global Automakers in developing consumer data Privacy Principles, voluntary guidelines presented that govern the fundamentals of how automakers handle various data that is generated inside the vehicle, generated outside the vehicle, generated as required by law and generated for the purposes of sharing.
We applaud the effort that brought us the Privacy Principles and highly recommend a similar effort be made by industry groups and companies residing in the IoT space. Self-regulation and respect for consumers is good business practice, something the hotel industry needed to learn the hard way. Let’s get organized on consumer security and privacy before government regulators step in and become “too helpful.”
Source: FTC to connected device makers: Focus on security and privacy – Engadget