Who's in Charge of Regulating the Internet of Things?


It's complicated.

The “internet of things” refers to a group of technologies so vast the term is beginning to lose meaning.

The internet of things hints at a vision of a ubiquitous network of electronics: refrigerators pinging their owners’ smartphones if they’ve run out of eggs, wearable devices that can detect the tell-tale vibrations of nuclear testing, and cars slowing down based on proximity to other cars. The future of the internet of things is a rich web of sensors constantly amassing more data.

Increasing interconnectivity might help consumers—who doesn’t want their washer-dryer to text them when their clothes are done?—but could also create new risks. The most granular data about individual consumers, down to their thermostat settings, might be available to hackers who can infiltrate the wireless networks that connect hundreds of devices, or even the devices themselves.

As the cyber and physical worlds become intertwined, intruders could also control tangible objects—remotely turning off someone’s lights, or worse, disabling the power grid.  

So, who governs the internet of things? Who ensures connected and self-driving cars don’t put their passengers in danger, that security cameras don’t relay video feeds of their users to third parties, or that data collected from billions of consumer devices can be used without compromising personal information?

For now, it’s still not clear.

Today, several agencies, including the Food and Drug Administration, the Federal Communications Commission, the Federal Trade Commission and the National Highway Traffic Security Administration, have authority over some aspects of the internet of things.

Experts tell Nextgov the regulatory framework isn’t well defined and that agencies will likely need to work together as cases arise that expose the potential downsides of widespread connectivity.

As more IoT-related cases begin to test the regulatory framework, “the main thing that connects them is they’re going to have internet connectivity of some sort,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. “Regulating a Fitbit is very different from regulating an automobile or regulating an implantable medical device like a defibrillator.”

Here’s a look at some of the discussions federal groups are having about regulating the internet of things.

What Is the ‘Internet of Things’?

Though they might be talking about the same general concept of connectivity, federal agencies don’t have an exact definition for the “internet of things.”

In the past, for one, FTC has defined it as “devices or sensors,” not including computers, smartphones and tablets, “that connect, store or transmit information with or between each other via the internet.”

The National Institute of Standards and Technology recently attempted to create a definitive lexicon for the concept. In its new outline, NIST distinguishes between a network of internet-enabled objects—an “internet of things”—and a group of objects and devices connected to each other, but not necessarily the internet: a “network of things.”

The intent, NIST wrote, is to give technologists a vocabulary that guarantees they’re talking about the same elements when discussing parts of the internet of things.   

NIST described the building blocks of such a connected network, which include sensors, aggregators, communication channels, external systems and a decision trigger. For instance, a motion-sensing light might detect no one is in the room and transmit that information through some communications channel to an aggregator. The aggregator collects data from sensors and sends it to an external site, like a laptop, which relays it to a decision trigger that turns the light off.

In April, the Commerce Department began collecting public comment on the internet of things and what role the government should play.

“With respect to current or planned laws, regulations and/or policies,” the agency asked, “[a]re there examples that … foster IoT development and deployment, while also providing an appropriate level of protection to workers, consumers, patients and/or other users” of the internet of things? “Are there examples that … unnecessarily inhibit IoT?”

Commerce’s National Telecommunications and Information Administration would not discuss findings with Nextgov but eventually plans to issue a report in the fall identifying important policy issues.

A Patchwork Project: What Might a Regulated Internet of Things Look Like?

Two FTC reports outline some of the government's concerns, including facilitating attacks on other systems and unauthorized access and misuse of personal information. For example, companies could harvest, and later use, the data collected from the internet of things in ways the consumer did not authorize.

Early conversations about regulations are primarily focused on keeping consumer data private, said Nyla Beth Gawel, a principal at Booz Allen Hamilton’s IoT business.

For hints as to what the government’s biggest concerns are, Gawel told Nextgov she looks to FTC case law and requests for comment on potential internet of things policy issues from NTIA. (Booz Allen’s customers include federal agencies trying to implement their own internet of things solutions.)

“Because of the huge amount of personal data that is being gathered, including data that, if one or two pieces are taken, might be technically anonymous ... it’s very easy to roll that up into a very detailed, very personalized picture of individuals,” Rick Parrish, an analyst with Forrester, told Nextgov.

Parrish said he also hears government leaders pushing for regulations protecting people’s physical safety—“parts of people’s cars and homes and toasters and everything.”

Asked which internet of things sub-sectors government leaders are most concerned about, EFF’s Tien said he thought medical devices and connected cars were likely to be the government’s first priorities for increased regulation, as those devices have a direct impact on people’s lives.

But “government’s not really trying to push any specific standards, because [the internet of things] is really market vertical,” Gawel said. “What I’m hearing from leaders is, ‘How do we smartly use the existing standards bodies?’”

There is also not a strong push to create a new regulatory body that would focus on the internet of things, Parrish said.

Parrish predicted the regulation of the internet of things could loosely be compared to that of airplanes. The Federal Aviation Administration handles flight safety, the Transportation Security Administration screens passengers, and state and local law enforcement groups also step in when needed.

“They all sort of triangulate around a single industry,” he said.

The bigger challenge is getting agencies to coordinate their regulatory efforts, Parrish said.


The Expectation of Privacy: Industry vs. Consumers

Tech companies and entrepreneurship advocates have warned Congress to avoid strict regulation of the internet of things.

Policymakers should “send a clear green light to entrepreneurs letting them know that our nation’s default policy position remains ‘innovation allowed,’” Adam Thierer, a research fellow at George Mason University’s Mercatus Center, testified during a Senate hearing on the internet of things last year.

And policy interventions shouldn’t be based on “hypothetical worst-case scenarios, or else best-case scenarios will never come about,” he said.

But consumer privacy advocates, including Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology, have urged Congress to create a comprehensive law about collecting personal information.

During that hearing last year, Brookman pointed to Samsung’s SmartTV, which was found to have been collecting potentially sensitive information from viewers speaking close enough to the device for a microphone to detect their conversations.

“Companies should be required to offer consumers reasonable transparency and control over how their data is collected,” he said.

Morgan Reed, executive director of the Association for Competitive Technology, which represents app makers, urged Congress to step in on data privacy, during testimony for a House IoT hearing held last summer.

“The problem comes when I have to tell a customer, ‘I don’t know’ when they ask which of their data could be passed along to the government,” he said then.

During that hearing, Rep. Ted Poe, R-Texas, suggested updating the Electronic Communications Privacy Act, under which cloud-based information is considered private for six months.

“But six months and one day, the government can have it and there’s no expectation of privacy,” according to Poe.

Congress must “set the expectation of privacy for individuals that have shared their information with different entities,” Poe said.

Regulating Lightly: The Discussion in Congress


Not all lawmakers support strict regulation of the internet of things. Congress has issued two pieces of legislation promoting connected technology as a driver of economic activity in the U.S.: the Developing Innovation and Growing the Internet of Things, or DIGIT, Act, and a resolution calling for a national strategy for the internet of things.

“We should let consumers and entrepreneurs decide where [the internet of things] goes, rather than setting it on a Washington, D.C.-directed path,” Sen. John Thune, R-S.D., said during the Senate hearing on the topic last February. “Let’s not stifle the internet of things before we and consumers have a chance to understand its real promise and implications.”

Broadly, lawmakers have promoted the internet of things, EFF’s Tien told Nextgov.

“It’s one thing if something moves along unregulated, but you’re not being pushed by federal PR,” he said. “But here, they’re pushing it, and at the same time, it’s not particularly well regulated.”

The DIGIT Act

Sens. Deb Fischer, R-Neb., Kelly Ayotte, R-N.H., Cory Booker, D-N.J., and Brian Schatz, D-Hawaii, introduced the DIGIT Act in March, which directs FCC to produce a report on the internet of things’ potential spectrum needs and creates a working group led by the Commerce secretary that would study the internet of things.

“[P]olicies governing the internet of things should aim to maximize the potential and development ... the benefit of stakeholders including businesses, governments and consumers,” that bill says. The Senate Commerce Committee approved that legislation in April.

National Strategy on the Internet of Things

Last year, the Senate passed a resolution calling for a national strategy on the internet of things, and some critics have asked whether a top-down strategy is necessary to guide tech companies into the market.

It could be critical, says Daniel Castro, director of the Center for Data Innovation, a part of Washington think tank the Information Technology Innovation Foundation. CDI has published a report arguing the United States should have a stronger strategy on the topic.

Policies that support technological development and avoid “the impulse to regulate or if needed, [regulate] with a light touch” have propelled other systems, such as the internet or global positioning systems, into the mainstream, the report says.

“[I]f poorly designed, government regulations can make deploying IoT technologies more expensive and less valuable,” CDI says. For one, suggestions that FTC should require that devices collect the minimum amount of data “would be damaging as there may be one primary reason to collect data, but innumerable other ways to use the same data beneficially beyond its initial purpose.”

The internet of things national strategy could send “a clear message to legislators and regulators that this technology is important and that overregulation or poorly designed regulation would limit its growth.”

How the Federal Trade Commission Regulates the Internet of Things

In February, Taiwan-based computer hardware manufacturer ASUSTeK Computer settled charges from FTC that its routers had major security flaws that could expose users’ sensitive information.  

“ASUS could have prevented many problems if it had followed well-known, secure software design, coding and testing practices,” according to a blog post written by FTC attorney Lesley Fair. When security researchers tried to alert the company, ASUS’ response took months.

The ASUS case is one of a handful that have highlighted the risks the internet of things could pose to consumers. Another dealt with a security camera company whose video feeds were accessible to outsiders with just an IP address. Both are instructive for businesses trying to enter the internet of things market.

“Yes, you want to get your product to market ASAP, but take the time to design security in at the outset,” the blog post said. “That’s a particularly important consideration in the internet of things where the insecure design of one product can affect multiple connected devices.”

FTC has recommended Congress issue “strong, flexible and technology-neutral federal legislation” that would help it enforce data security and notify consumers of data breaches, according to a report published in 2015. Data security legislation could help “protect against unauthorized access to both personal information and device functionality itself.”

The internet of things also requires “baseline privacy standards,” that report said. FTC, however, can’t mandate privacy disclosures “absent a specific showing of deception or unfairness.”

More broadly, though, FTC has concluded that “while the internet of things has several unique practical challenges in privacy and data security … the legal framework that surrounds it is for the most part the same as the legal framework that applies to other types of technology,” FTC Attorney Adviser Neil Chilson said.

But IoT manufacturers do face a unique challenge. “[A] lot of these devices are somewhat disposable and updating their security may [be] economical for a company, may not … but the device may still be out there in the wild, consumers may still be using it,” Chilson said.

Chilson described FTC’s approach to internet of things regulation as “post hoc.” In cases like that, “we wouldn’t be setting a rule about how people should update their devices,” Chilson said. “We would bring a case against [companies] who failed to do that in a reasonable manner.”

Other companies could review FTC case law for guidance about “where somebody else got in trouble and what was considered not reasonable,” he said.

How FCC Looks at Internet of Things Spectrum

In July, FCC voted to open up certain new bands of spectrum—radio frequencies that allow devices to communicate with each other—for licensed and unlicensed use.

The new bands could support parts of the internet of things such as "wearables, fitness and health care devices, autonomous driving cars, and home and office automation,” according to FCC.

Broadly, FCC has two main goals with the internet of things, a spokesperson told Nextgov: Making “ample suitable spectrum” available for the devices and service providers, and also ensuring “competitive access” for the data services that work alongside the internet of things.

Connected Cars

One of the most potentially problematic aspects of the internet of things is cars. A report last year in Wired demonstrated hackers could wirelessly access cars—stopping the accelerator or disabling the brakes—by taking control through the entertainment system.

Many cars manufactured in the past few years can get on wireless networks, often for the purposes of navigation or sharing information with other cars about where they are, but that same network connection can make the cars accessible to intruders.

From a regulatory perspective, self-driving cars may be even more problematic. A recent fatal crash involving a Tesla on auto-pilot showed that potential technical failures could cost human life, sparking debate about whether the tragedy was Tesla’s responsibility to prevent, or the driver’s.

Congress has been keenly aware of these risks. In November, Rep. Ted Lieu, D-Calif., introduced the Security and Privacy in Your Car, or SPY CAR, Act, which would require the National Highway Safety Transportation Commission to do a 1-year study on regulatory systems for car software cybersecurity.

Though “rushing to regulation” isn’t the answer, Lieu said during a House oversight hearing last year, “neither is a lack of accountability and standards.”

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have introduced similar legislation.


Looking Into the Future: How Sustainable Is the Patchwork Approach?


A 2014 draft report from the National Security Telecommunications Advisory Committee concluded the world had “only three years—and certainly no more than five—to influence how IoT is adopted,” preventing new attacks and the ability to remotely “cause physical destruction.”

“There is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk,” the draft report said. “If the country fails to do so, it will be coping with the consequences for generations.”

But two years later, regulation is in its very early stages, Forrester’s Parrish told Nextgov.

“There are more and more people saying, ‘we can’t keep trying to shoehorn new technology into old regulatory structures; we need something new,’” he said.

“It’s easy to imagine conflicted regulations coming out and covering the same set of facts, simply because you have the same set of agencies working with different priorities,” Mark Radcliffe, partner and co-chair of the IoT sector practice at DLA Piper, told Nextgov.

How the Government is Trying to Secure the Internet of Things

The federal government is doing its own research on securing the internet of things.

In one case, NIST awarded tech company Galois $1.86 million for a system it claims could protect users’ data collected by the internet of things by encrypting it, and not by forcing them to remember complex passwords.  

Last year, NIST released a Draft Framework for Cyber-Physical Systems, which intends to help manufacturers build products with user safety in mind.

NIST is also researching a new type of cryptography specifically for objects with basic RFID tags or sensors, which can’t support the same kind of protection used for servers and desktop computers, which often have larger power supplies. This so-called lightweight cryptography would help protect devices with fewer resources—a minimal power supply or less time to decide whether a command they receive is authentic.

The Pentagon’s Defense Advanced Research Projects Agency awarded a contract for technology that could detect whether malware is installed on a device based on the device’s emissions, whether they’re electromagnetic, acoustic, thermal or fluctuations in power. The first phase of that contract is worth $36 million.

Encouraging Consumers to Keep Up With Security Patches

The National Telecommunications and Information Administration is planning to help consumers understand security upgrades for internet of things products.

After a recent request for comment about cybersecurity, “how to address potential security vulnerabilities in IoT devices or applications through patching and security upgrades” was of “particular concern,” Angela Simpson, deputy assistant secretary for communications and information, wrote in a blog post.

Consumers need a common set of definitions about upgrades to “know what they are getting,” Simpson wrote.  

NTIA is unveiling a new “multistakeholder process” in which various technology groups can come up with guidelines for security upgrades. That might result in “a set of common, shared terms or definitions” that would describe security upgrades more clearly.

NTIA is also researching how to get companies to adopt a new internet protocol that would be able to support the number of devices expected to comprise the internet of things in the next several years. IPv4, the older version, can support just about 4.3 billion IP addresses; the newer system, IPv6, could support about "undecillion"—"340 followed by 36 digits," according to NTIA.

How Do Other Parts of the World Approach the Internet of Things?

The Singaporean government set aside about $1.6 billion for public-sector technology contracts in 2015, and has been testing so-called Smart Nation technology including cameras detecting when people smoke in smoke-free zones, the Wall Street Journal reported. Intel, which created its own internet of things division in 2013, recently opened a new facility dedicated to the technology, in Dubai—parts of the lab are dedicated to “Smart City” technology including pre-paid transportation cards.

Globally, these areas are among the most enthusiastic adopters of connected technology for the public infrastructure, Booz Allen's Gawel told Nextgov. Parts of Europe are also embracing the technology, CDI's Castro says. Barcelona, for instance, was ranked the top smart city in the world by Juniper Research last year.  

Castro, a proponent of “regulating with a light touch,” advocated for a government that invests heavily in the internet of things, but doesn’t attempt to limit the information that can be collected. Regulations in Europe, for instance, require businesses to explain why they’re using consumer data and obtain consent first, which could limit businesses from exploring new ways to use that information, he argued.