FTC: Too soon for internet of things laws
The Federal Trade Commission sees risks and opportunity in internet of things applications, but thinks new laws specific to the technology would be premature.
Internet-connected devices, sensors and appliances are opening up benefits in health care, energy efficiency, transportation and more. But the data generated by these tools, known under the catchall category of internet of things presents potential security and privacy risks that the Federal Trade Commission believes could open up opportunities for theft or fraud.
At the same time, the FTC believes that general authorities used to protect data privacy can cover the internet of things without specific new laws, according to comments filed with the Commerce Department's National Telecommunications and Information Administration. NTIA was seeking comment on how the government can help foster IOT development.
For every promising application, the FTC told NTIA, there is the possibility for abuse. Security vulnerabilities in connected devices have the potential to support not only data theft, but to pose an actual threat to a person's physical safety.
As IOT chips become more inexpensive and disposable, devices are quickly replaceable with newer versions, it said. That could mean that businesses may not have much of an incentive to upgrade their software for a device's lifetime – also posing potential security risks.
Additionally, inaccurate or biased analysis of data generated from such applications and devices, it said, could put off potential employers of people from low-income and underserved population, or lead to denial of education or credit.
In its comments, the FTC stressed the importance of frequent software updates to reduce hacking opportunities and data minimization to reduce the risk of privacy violations. The comments also back some form of consumer opt-in for data collection, but note that given the nature of connected devices, that a one-size-fits-all model for consent is unlikely to develop.
The comments conclude that the connected device space could benefit from privacy and data breach legislation of the type FTC has been backing for some time.
FTC staffers observed that the push for such rules "stems from concerns about the lack of transparency regarding companies' data practices and the lack of meaningful consumer control over their data." According to the FTC, these "concerns permeate the IoT space, given the ubiquity of information collection, the broad range of uses that the IoT makes possible, the multitude of companies involved in collecting and using information, and the sensitivity of some of the data at issue."