FTC report focuses on security, 'data minimization' for Internet of Things

Security is a big concern among a lot players in the Internet of Things (IoT), so it's no wonder that federal regulators would zero in on that as they look for ways to prevent fraud and unfair business practices.

The Federal Trade Commission's (FTC) report on the IoT urges companies to adopt best practices to address consumer privacy and security risks and to build security  into devices at the outset, rather than as an afterthought in the design process.  

The report is based in part on input from technologists and academics, industry representatives, consumer advocates and others who participated in the FTC's Internet of Things workshop held in Washington, D.C., on Nov. 19, 2013, as well as those who submitted public comments to the commission.

Of note, the FTC staff defined the IoT as devices or sensors--other than computers, smartphones, or tablets--that connect, store or transmit information with or between each other via the Internet. The scope of the report is limited to IoT devices that are sold to or used by consumers. The report does not discuss devices sold in a business-to-business context, and it does not address broader machine-to-machine (M2M) communications that enable businesses to track inventory, functionality or efficiency.

The FTC has had its eye on the IoT for quite some time. Last year, the Information Technology and Innovation Foundation's (ITIF) Center for Data Innovation, a non-partisan Washington think tank, released 10 guidelines for how regulators should think about the IoT. ITIF leaders pointed out that a lot of the IoT conversation in Washington revolved around risks and concerns, when they should be more positive and centered on how government can be an active partner in working with industry.

It might be encouraging for a lot of IoT engineers and business leaders to note that the FTC staff says it concurs with many stakeholders that any IoT-specific legislation would be premature at this point in the game "given the rapidly evolving nature of the technology." The report does, however, reiterate the commission's repeated call for strong data security and breach notification legislation. On that point, the commission appears to be in sync with President Barack Obama's call for stronger data security and privacy actions.

The FTC staff are also recommending that companies consider data minimization, which refers to the practice of limiting the collection of consumer data and retaining that information only for a set period of time--not indefinitely. The report notes that data minimization addresses two key privacy risks: the risk that a company with a large amount of consumer data will become a more enticing target for data thieves or hackers and that consumer data will be used in ways contrary to consumers' expectations.

"The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers," said FTC Chairwoman Edith Ramirez in a statement. "We believe that by adopting the best practices we've laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized."

In the UK, telecom regulator Ofcom this week announced that it is taking steps to ensure the UK plays a leading role in developing the IoT. Ofcom says it wants to create a regulatory environment that fosters investment and innovation. Among its priorities are ensuring enough spectrum is available; protecting individuals' personal information and data privacy; ensuring network security and resilience; and continuing to monitor the progress of Internet service providers' support of IPv6 connectivity.

Ofcom says it already released spectrum for M2M uses, making the UK among the first countries in Europe to do so. The regular says it will explore how it can support and work with government and the Information Commissioner's Office, other regulators and industry to facilitate progress at both a national and international level. 

For more:
- see the FTC report and the FTC release
- see this Engadget story
- see The Verge story
- see this TeleGeography article

Related articles
Senators request hearing on Internet of Things before year's end
Think tank calls on regulators to think more positively about IoT
FTC casting wary glance at Internet of Things