FTC Chairs warns of threats from the Internet of Things (IoT)

Posted

The Internet of Things (IoT), whereby miniature computers are embedded into objects and devices and connected via the internet using wireless technology, offers many advantages, such as smart thermostats which have the ability to remotely monitor and adjust your heating at home, and medical devices / apps which are used by patients to enable remote monitoring (e.g. a dangerous change in a patient’s insulin levels).

Speaking recently at CES 2015, Las Vegas’ annual hi-tech trade show, the chair of the US Federal Trade Commission, Edith Ramirez, warned of a future where smart interconnected devices enable technology firms to build a “deeply personal” and increasingly detailed and granular picture of consumers that will subject consumers to highly targeted advertising of products and services, as well as leaving them vulnerable to data attack.  Ms. Ramirez said that smart devices could potentially collect data such as an individual’s health, religious and other lifestyle preferences, and asked “will this information be used to paint a picture of you that you won’t see but that others will?”  Data should only be gathered for a specific purpose, said Ms. Ramirez…“I question the notion that we must put sensitive consumer data at risk on the off-chance a company might someday discover a valuable use for the information”.

Regulators around the world are increasingly concerned to ensure that security and privacy issues are taken seriously by device manufacturers.  For example, the Article 29 Working Party (the independent European advisory body on data protection and privacy) issued an Opinion in September last year which reviewed the IoT and the specific data protection and privacy challenges raised by it, assessed the state of the applicable law (in Europe) and made a number of recommendations applicable to relevant IoT stakeholders. These include a call for IoT device, O/S and application manufacturers, and developers to apply the principles of Privacy by Design and Privacy by Default and to undertake Privacy Impact Assessments (PIAs) before any new application is launched in the IoT.

We can expect the IoT to be increasingly subject to regulatory (and judicial) scrutiny over the next few years.  And for good reason. Last year, a study by HP found that the average IoT device has at least 25 security flaws, and there have been an increasingly number of disturbing real life events reported, including attempts to hack web-connected baby monitors as well as numerous hacks demonstrated by security experts and researchers, including internet routers, smart TVs, connected fridges and driverless cars.