FTC’s Settlement in Vizio May Provide Hint at Direction of Internet of Things Regulation

Internet of ThingsThe Federal Trade Commission’s (FTC’s) Settlement in FTC v. Vizio, Inc.may signal the direction that agency is heading on Internet of Things (IoT) enforcement. With veteran FTC enforcer Jessica Rich leaving and new appointee Maureen Ohlhausen taking over, Ohlhausen’s separate concurring statement in that matter is insightful.

The settlement took a broad view on the types of data that require protection. While the “Covered Information” included information like personal identifiers, IP address, and geolocation, it also included “Viewing Data,” which is essentially data about the content viewed on a television. Ohlhausen criticized this expansion and the FTC’s foray into this public policy basis for alleging an unfair practice. She notes, “But here, for the first time, the FTC has alleged in a complaint that individualized television viewing activity falls within the definition of sensitive information.” Hinting that this broad view of personal data may not continue, Ohlhausen writes, “There may be good policy reasons to consider such information sensitive…. But, under our statute, we cannot find a practice unfair based primarily on public policy. Instead, we must determine whether the practice causes substantial injury that is not reasonably avoidable by the consumer and is not outweighed by benefits to competition or consumers.” She then promises that “[i]n the coming weeks I will launch an effort to examine this important issue further.”

© MICHAEL BEST & FRIEDRICH LLP

House Energy and Commerce Committee Holds Hearing on Security of Internet of Things

What the experts are saying.

The hearing was motivated by the revelation that cybersecurity is no longer just about protecting  laptops or securing digital data. IoT insecurity puts human safety at risk, as everything from home appliances to automobiles and medical technology are becoming connected to the Internet. Representatives from both committees pressed expert witnesses Mr. Dale Drew of Level 3 Communications, Dr. Kevin Fu of Virta Labs and the University of Michigan, and Mr. Bruce Schneier of the Harvard Kennedy School of Government for examples of legislation that could target the cybersecurity concerns related to the Internet of Things.

These experts shared conflicting opinions about whether it is in fact possible for the government to establish one set of security standards that covers all Internet-connected devices, as these devices do many different things and are powered by many different types of technology. Mr. Schneier reminded the subcommittees that “[your smartphone] is not a phone; it’s a computer that makes phone calls.” The same applies to a long list of devices including WiFi-connected baby monitors, thermostats, refrigerators, DVR players, GPS systems, children’s toys, and of course, electronic voting booths. In his testimony, Mr. Drew explained that “bad actors are increasingly attracted to IoT devices since they can use those devices without being detected for long periods of time, they know most devices will not be monitored or updated, and they know there are no endpoint protection capabilities on IoT devices to remove threats.” Nevertheless, they agreed that a collaborative and, above all, proactive approach by both the government and manufacturers of these devices will be essential.

Fortunately, we already have a potential starting point. The National Institute of Standards and Technology recently issued a comprehensive set of guidelines and best practices for securing IoT devices and systems throughout their entire life cycle. But simply establishing these best practices on paper will not be enough. Dr. Fu reiterated the most important takeaway from the hearing: that proper security measures for IoT devices must be “built in, not bolted on.” Protective measures like encryption must be incorporated into the fundamental design of a device, not tacked on as an afterthought. They also must secure a device from its creation, through its life with a consumer, and after “retirement” since old but active devices are still vulnerable to hijacking by botnets like the one used in last month’s massive distributed denial of service (“DDoS”) attack on global Internet routing company Dyn.

Looking ahead to the future.

Currently, there are few market incentives to spend time and money producing more secure encrypted devices.  There are likewise no significant legal or economic penalties for selling devices to consumers that are insecure. In short, consumers are focused on buying sleek and affordable new products rather than on the networks that connect them. However, if massive DDoS attacks continue the same way that data breaches have in recent years, the priorities of consumers and manufacturers alike are bound to evolve.

Will a greater focus on security slow down the rate of technological innovation? Despite some concerns, Dr. Fu and Mr Schneier reassured the subcommittees that efforts to improve cybersecurity will spur innovation in the tech industry, not hold it back. As consumers and manufacturers become more aware of the implications of poorly secured devices, incorporating features like end-to-end encryption will be understood not as necessary obstacles, but as valuable solutions to very real and costly problems.

ARTICLE BY Cynthia J. Larose, Michael B. Katz & Joanne Dynak of Mintz Levin
©1994-2016 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, P.C. All Rights Reserved.

FAST Act Calls for Examination of Internet of Things

The Internet of Things (IoT), as defined by Wikipedia, is the network of physical objects or “things” embedded with electronics, software, sensors, and network connectivity, which enables these objects to collect and exchange data. The IoT allows objects to be sensed and controlled remotely across existing network infrastructure, creating opportunities for more direct integration between the physical world and computer-based systems, and resulting in improved efficiency, accuracy and economic benefit.  Each thing is uniquely identifiable through its embedded computing system but is able to interoperate within the existing Internet infrastructure.

In short, if we look at the objects we use in everyday life – from our phones, to our laptops, to even our copy machines or printers at work – each is able to collect and potentially exchange vast amounts of data.  While the capabilities of these devices and objects to collect data and exchange data will likely improve our daily lives, it is also important to examine how to protect the privacy and security of the information and data which is collected and shared.

The Fixing America’s Surface Transportation Act (FAST Act) includes a number of provisions related to privacy, including an amendment to the Gramm-Leach-Bliley Act (GLBA) as well as the enactment of the Driver Privacy Act of 2015.  Interestingly, the FAST Act also requires a report on the potential of the IoT to improve transportation services in rural, suburban, and urban areas.

Specifically, Section 3024 of Title III, requires the Secretary of Transportation to submit a report to Congress not later than 180 days after December 4, 2015 (the enactment date of the FAST Act).  The report, presumably to address the issues discussed above, is to include (1) a survey of the communities, cities, and States that are using innovative transportation systems to meet the needs of ageing populations; (2) best practices to protect privacy and security, as determined as a result of such survey; and (3) recommendations with respect to the potential of the IoT to assist local, State, and Federal planners to develop more efficient and accurate projections of the transportation.

While it is unclear exactly what information will be captured in the report, it’s clear the drafters of Section 3024 have recognized the importance of data privacy and security while utilizing the IoT to improve transportation.  On a more personal note, I have to believe I am not alone in hoping that the report will finally address (and correct!) the traffic patters related to my daily commute!

Jackson Lewis P.C. © 2015

Three Trending Topics in IoT: Privacy, Security, and Fog Computing

Cisco has estimated that there will be 50 billion Internet of Things (IoT) devices connected to the Internet by the year 2020. IoT has been a buzzword over the past couple of years. However, the buzz surrounding IoT in the year 2015 has IoT enthusiasts particularly exerted. This year, IoT has taken center stage at many conferences around the world, including the Consumer Electronics Show (CES 2015), SEMI CON 2015, and Createc Japan, among others.

1. IoT will Redefine the Expectations of Privacy

Privacy is of utmost concern to consumers and enterprises alike. For consumers, the deployment of IoT devices in their homes and other places where they typically expect privacy will lead to significant privacy concerns. IoT devices in homes are capable of identifying people’s habits that are otherwise unknown to others. For instance, a washing machine can track how frequently someone does laundry, and what laundry settings they prefer. A shower head can track how often someone showers and what temperature settings they prefer. When consumers purchase these devices, they may not be aware that these IoT devices collect and/or monetize this data.

The world’s biggest Web companies, namely, Google, Facebook, LinkedIn, and Yahoo are currently involved in lawsuits where the issues in the lawsuits relate to consent and whether the Web companies have provided an explicit enough picture of what data is being collected and how the data is being used. To share some perspective on the severity of the legal issues relating to online data collection, more than 250 suits have been filed in the U.S. in the past couple of years against companies’ tracking of online activities, compared to just 10 in the year 2010. As IoT devices become more prevalent, legal issues relating to consent and disclosure of how the data is being collected, used, shared or otherwise monetized will certainly arise.

2. Data and Device Security is Paramount to the Viability of an IoT Solution

At the enterprise level, data security is paramount. IoT devices can be sources of network security breaches and as such, ensuring that IoT devices remain secure is key. When developing and deploying IoT solutions at the enterprise level, enterprises should conduct due diligence to prevent security breaches via the IoT deployment, but also ensure that even if an IoT device is compromised, access to more sensitive data within the network remains secure. Corporations retain confidential data about their customers and are responsible for having adequate safeguards in place to protect the data. Corporations may be liable for deploying IoT solutions that are easily compromised. As we have seen with the countless data breaches over the past couple of years, companies have a lot to lose, financially and otherwise.

3. Immediacy of Access to Data and Fog Computing

For many IoT solutions, timing is everything. Many IoT devices and environments are “latency sensitive,” such that actions need to be taken on the data being collected almost instantaneously. Relying on the “cloud” to process the collected data and generate actions will likely not be a solution for such IoT environments, in which the immediacy of access to data is important. “Fog computing” aims to bring the storage, processing and data intelligence closer to the IoT devices deployed in the physical world to reduce the latency that typically exists with traditional cloud-based solutions. Companies developing large scale IoT solutions should investigate architectures where most of the processing is done at the end of the network and closer to the physical IoT devices.

The Internet of Things has brought about new challenges and opportunities for technology companies. Privacy, security and immediacy of access to data are three important trends companies must consider going forward.

© 2015 Foley & Lardner LLP

Multistakeholder Group Seeks Comment on Draft Framework for IoT Device Manufacturers

Earlier this week, the Online Trust Alliance released a draft framework of best practices for Internet of Things device manufacturers and developers, such as connected home devices and wearable fitness and health technologies.  The OTA is seeking comments on its draft framework by September 14.

The framework acknowledges that not all requirements may be applicable to every product due to technical limitations and firmware issues.  However, it generally proposes a number of specific security requirements, including encryption of personally identifiable data at rest and in transit, password protection protocols, and penetration testing.  In addition, it proposes the following requirements:

  • A privacy policy that is readily available to review prior to product purchase, download or activation, and that discloses the consequences of declining to opt-in or opt-out of policies on key product functionality and features.

  • A privacy policy display that is optimized for the user interface to maximize readability.  The working group recommends layered privacy policies for this purpose.

  • Conspicuous disclosure of all personally identifiable data collected.

  • Data sharing is limited to service providers that agree to limit usage of data for specified purposes and maintain data as confidential or to other third parties as clearly disclosed to users.

  • Disclosure of the term and duration of the data retention policy.  In addition, the framework goes on to state that data generally should be retained only for as long as the user is using the device or to meet legal requirements.

  • Disclosure of whether the user has the ability to remove or anonymize personal and sensitive data other than purchase history by discontinuing device use.

  • Disclosure of what functions will work if “smart” functions are disabled or stopped.

  • For products and services designed to be used by multiple family members, the ability to create individual profiles and/or have parental or administrative controls and passwords.

  • Mechanisms for users to contact the company regarding various issues, transfer ownership, manage privacy and security preference.

In addition, the draft framework makes various other recommendations that go above and beyond the proposed baseline requirements, although acknowledging that the recommendations may not be applicable to every device or service.

© 2015 Covington & Burling LLP

FTC Releases Extensive Report on the “Internet of Things”

Mcdermott Will Emery Law Firm

On January 27, 2015, U.S. Federal Trade Commission (FTC) staff released an extensive report on the “Internet of Things” (IoT). The report, based in part on input the FTC received at its November 2013 workshop on the subject, discusses the benefits and risks of IoT products to consumers and offers best practices for IoT manufacturers to integrate the principles of security, data minimization, notice and choice into the development of IoT devices. While the FTC staff’s report does not call for IoT specific legislation at this time, given the rapidly evolving nature of the technology, it reiterates the FTC’s earlier recommendation to Congress to enact strong federal data security and breach notification legislation.

The report also describes the tools the FTC will use to ensure that IoT manufacturers consider privacy and security issues as they develop new devices. These tools include:

  • Enforcement actions under such laws as the FTC Act, the Fair Credit Reporting Act (FCRA) and the Children’s Online Privacy Protection Act (COPPA), as applicable;

  • Developing consumer and business education materials in the IoT area;

  • Participation in multi-stakeholder groups considering guidelines related to IoT; and

  • Advocacy to other agencies, state legislatures and courts to promote protections in this area.

In furtherance of its initiative to provide educational materials on IoT for businesses, the FTC also announced the publication of “Careful Connections: Building Security in the Internet of Things”.  This site provides a wealth of advice and resources for businesses on how they can go about meeting the concept of “security by design” and consider issues of security at every stage of the product development lifecycle for internet-connected devices and things.

This week’s report is one more sign pointing toward our prediction regarding the FTC’s increased activity in the IoT space in 2015.

It’s Data Privacy Day 2015

Mintz Levin Law Firm

Today is Data Privacy Day, and as you might expect, we have a few bits and bytes for you.

Use the Opportunity

Data Privacy Day is another opportunity to push out a note to employees regarding their own privacy and security — and how that can help the company.

The Federal Trade Commission Issues IoT (Internet of Things) Report

Following up on its November 2013 workshop on the Internet of Things, the Federal Trade Commission (“FTC”) has released a staff report on privacy and security in the context of the Internet of Things (“IoT”), “Internet of Things: Privacy & Security in a Connected World” along with a document that summarizes the best practices for businesses contained in the Report.  The primary focus of the Report is the application of four of the Fair Information Practice Principles (“FIPPs”) to the IoT – data security, data minimization, notice, and choice.

Data PrivacyThe report begins by defining IoT for the FTC’s purposes as “‘things’ such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet,” but limits this to devices that are sold to or used by consumers, rather than businesses, in line with the FTC’s consumer protection mandate.  Before discussing the best practices, the FTC goes on to delineate several benefits and risks of the IoT.  Among the benefits are (1) improvements to health care, such as insulin pumps and blood-pressure cuffs that allow people avoid trips to the doctor the tools to monitor their own vital signs from home; (2) more efficient energy use at home, through smart meters and home automation systems; and (3) safer roadways as connected cars can notify drivers of dangerous road conditions and offer real-time diagnostics of a vehicle.

The risks highlighted by the Report include, among others, (1) unauthorized access and misuse of personal information; (2) unexpected uses of personal information; (3) collection of unexpected types of information; (4) security vulnerabilities in IoT devices that could facilitate attacks on other systems; and (5) risks to physical safety, such as may arise from hacking an insulin pump.

In light of these risks, the FTC staff suggests a number of best practices based on four FIPPs. At the workshop from which this report was generated, all participants agreed on the importance of applying the data security principle.  However, participants disagreed concerning the suitability of applying the data minimization, notice, and choice principles to the IoT, arguing that minimization might limit potential opportunities for IoT devices, and notice and choice might not be practical depending on the device’s interface – for example, some do not have screens.  The FTC recognized these concerns but still proposed best practices based on these principles.

Recommendations

Data Security Best Practices:

  • Security by design.  This includes building in security from the outset and constantly reconsidering security at every stage of development. It also includes testing products thoroughly and conducting risk assessments throughout a product’s development

  • Personnel practices.  Responsibility for product security should rests at an appropriate level within the organization.  This could be a Chief Privacy Officer, but the higher-up the responsible part, the better off a product and company will be.

  • Oversee third party providers.  Companies should provide sufficient oversight of their service providers and require reasonable security by contract.

  • Defense-in-depth.  Security measures should be considered at each level at which data is collected stored, and transmitted, including a customer’s home Wi-Fi network over which the data collected will travel.  Sensitive data should be encrypted.

  • Reasonable access control.  Strong authentication and identity validation techniques will help to protect against unauthorized access to devices and customer data.

Data Minimization Best Practices:

  • Carefully consider data collected.  Companies should be fully cognizant of why some category of data is collected and how long that data should be stored.

  • Only collect necessary data.  Avoid collecting data that is not needed to serve the purpose for which a customer purchases the device. Establish a reasonable retention limit on data the device does collect.

  • Deidentify data where possible.  If deidentified data would be sufficient companies should only maintain such data in a deidentified form and work to prevent reidentification.

Notice and Choice Best Practices:  The FTC initially notes that the context in which data is collected may mean that notice and choice is not necessary. For example, when information is collected to support the specific purpose for which the device was purchased.

When notice or choice are necessary, the FTC offers several suggestions for how a company might give or obtain that, including (1) offer choice at point of sale; (2) direct customers to online tutorials; (3) print QR codes on the device that take customers to a website for notice and choice; provide choices during initial set-up; (4) provide icons to convey important privacy-relevant information, such a flashing light that appears when a device connects to the Internet; (5) provide notice through emails or texts when requested by consumers; and (6) make use of a user experience approach, such personalizing privacy preferences based on the choices a customer already made on another device.

Legislation.  The FTC staff recommends against IoT-specific legislation in the Report, citing the infancy of the industry and the potential for federal legislation to stifle innovation.  Instead, the FTC recommends technology-neutral privacy and data security legislation.  Without saying it explicitly, this appears to be a recommendation for something akin to the Consumer Privacy Bill of Rights recently proposed by the President, along with giving the FTC authority to enforce certain privacy protections, including notice and choice, even in the absence of a showing of deceptive or unfair acts or practices.

In the meantime, the FTC notes that it will continue to provide privacy and data security oversight of IoT as it has in other areas of privacy.  Specifically, the FTC would continue to enforce the FTC Act, the Children’s Online Privacy Protection Act, and other relevant statutes.  Other initiatives would include developing education materials, advocating on behalf of consumer privacy, and participating in multi-stakeholder groups to develop IoT guidelines for industry.