FTC: Security risks within ‘Internet of Things’ may require new industry regulations

The “Internet of Things” consists of roughly 25 billion objects sending invisible signals to communicate in a way that was unheard of a decade ago. Now, according to a new report, the risks involved are growing rapidly and might warrant new rules.

Telephones, automobiles, refrigerators and seemingly anything that can host a computer chip are quickly becoming part of the Internet of Things (IoT) – a concept that the US Federal Trade Commission (FTC) defined in a report this week as “the ability of everyday objects to connect to the internet and to send and receive data.”

Only seven billion items belonged to that IoT infrastructure in 2009, the FTC acknowledged in the report, and that number is expected to reach 50 billion – twice the current statistic – in just five years.

But as the benefits of delivering and distributing data in this manner grow day by day (and device by device), the FTC report suggests that so do the security risks. To counter those risks, the FTC has published suggestions for corporations to consider while creating IoT-ready devices, and says that Congress should ensure that security legislation stays current with the pace of technology.

The 55-page report compiled by FTC staffers, 'Internet of Things: Privacy and Security in a Connected World,' was published on Tuesday and contains the agency’s findings following a November 2013 workshop in which it set out to see what problems could arise as more and more consumer devices rapidly become part of the IoT world.

According to the report, the FTC feels that companies that work within the IoT realm need to thoroughly examine their security practices and adopt new standards in order to safeguard the exponentially growing amount of sensitive data being sent from internet-ready devices.

Potential security risks, the report continues, include “enabling unauthorized access and misuse of personal information” and “facilitating attacks on other systems,” as well as “creating risks to personal safety.”

“Participants also noted that privacy risks may flow from the collection of personal information, habits, locations and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption,” the report continued.

To curb those risks, the report concludes that the participants in the 2013 workshop largely agree that companies working with IoT devices must implement “security by design,” a practice to ensure that data is protected from the get-go and not reliant on any mechanisms or maneuvers that must be performed by the end user.

Implementing “reasonable security,” as the report insists, might be considered a no-brainer. In recent years, however, hackers have routinely found their way inside IoT devices by exploiting weak, or entirely absent, protections. Richard Clarke, a State Department official-turned-special advisor to several United States presidents, told the Huffington Post in 2013 that hacking modern automobiles is “not that hard.” And last October, a Department of Homeland Security report warned that federal officials were examining “about two dozen cases of suspected cybersecurity flaws” relevant to the medical industry, including infusion pumps and implantable heart devices. On Monday this week, a nanny from Houston, Texas said she became one of the latest victims to have her personal privacy violated through a supposed flaw in a baby monitor she was using while watching a one-year-old girl. According to KPRC-TV, the woman, Ashley Stanley, said someone was spying on her after hacking the security camera.


"They kept telling me that it's a cute baby and 'wow that is a poopy diaper,'" Stanley said. "I was like, 'My goodness, are they watching me like right now?'"

"We unplugged it and I'm afraid to plug it back in," she told the network.

According to the FTC report, one participant in the 2013 workshop noted that the “explosion of fitness and health monitoring devices is no doubt highly beneficial to public health and worth encouraging,” but warned that hackers weren’t the only issue. Beyond concerns about cyberattacks, the person said, there were worries about how corporations would use this kind of data.

“At the same time, data from these Internet of Things devices should not be usable by insurers to set health, life, car or other premiums. Nor should these data migrate into employment decisions, credit decisions, housing decisions or other areas of public life. To aid the development of the Internet of Things – and reap the potential public health benefits these devices can create – we should reassure the public that their health data will not be used to draw unexpected inferences or incorporated into economic decision making,” the person said.

Indeed, the FTC report concludes that IoT companies must not only crack down on lax security, but also make sure that other measures are adopted to ensure data isn’t mismanaged.

The “pervasiveness of information collection and use that the IoT makes possible reinforces the need for baseline privacy standards,” the report reads.

Congress shouldn’t consider implementing IoT-specific legislation at this time, the paper goes on to say, but should, however, focus on security protections more broadly.

“Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time,” the report reads.

With regard to broader legislation, though, the report continues: “Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected.”

“Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices.”

But while Congress could be a long way from coming to terms with any legislation, Edith Ramirez, the chairwoman of the FTC, told Politico this week that it’s imperative for companies to consider implementing the best practices in the meantime.

“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” she said. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”

Not everyone is on board with Ramirez and the rest of her agency, however. “At best, this is just another exercise in workshop theatre; at worst, the FTC is trying to regulate the Internet of Things by stealth,” warned TechFreedom president Berin Szoka, according to the Daily Mail.