With the Internet of Things (“IoT”) comes yet another technology-driven advancement that challenges businesses with promising opportunities and potentially vexing responsibilities. In particular, manufacturers and retailers who plan to sell (or are already selling) IoT devices increasingly face consumer questions about data security and privacy. Though such inquiries are properly directed at the users of data collected by IoT, a solid understanding of best practices for customer data privacy and security will help those who collect, store, and use the data to manage the IoT’s potential risks and rewards.
Understanding the IoT
Though a single definition of the IoT has yet to emerge, most commentators agree that the term “Internet of Things” covers everyday wireless, web-enabled devices that communicate without direct human input. These devices currently include products ranging from thermostats and refrigerators to fitness monitors and Apple’s new smartwatch.
But the field is ever expanding.
2015’s International Consumer Electronics Show in Las Vegas—the industry’s big kahuna—featured a host of new IoT products including performance athletic wear, pet tracking devices, and smart home and automobile innovations. This growth in connectivity may very well lead to what’s been dubbed the “Internet of Everything.”
Under this scenario, nearly all conceivable products and the people using them will have multiple wireless data communication outputs, sending constant data flows between users and machines, from machines to machines, and among users.
Many see an opportunity in this constant data flow. Technology forecaster Gartner Group predicts 26 billion IoT units will be installed by 2020, with a $1.9 trillion added annual global economic impact. Cisco Systems—an early IoT entrant—thinks even bigger, estimating that IoT technology will generate $14.4 trillion by 2022. Others, however, are looking beyond the dollar signs. They see the potential for significant privacy invasions and other problems if everything we do, eat, see, and touch generates data about and around us.
Technical barriers to success
In truth, before any of these hopes or fears are realized, the wider connectivity associated with an expanding IoT universe has to overcome some immediate technological issues. Primary among these is the lack of a common communications standard that will ensure the seamless connectivity that the IoT realm demands. Various industry groups have come together in an effort to address this “common standard” concern, but no single solution appears inevitable.
Getting to a place of seamless integration will ultimately involve some very expensive competitor battles and failures, as history’s common-standard wars in the fields of railroads, VCRs, and cell phones vividly illustrate. Further, any standard used will have to be flexible enough to embrace all devices and capable of incorporating future technological advancements. In addition, many first-generation IoT devices have yet to achieve meaningful user security.
In July of 2014, Hewlett-Packard conducted a study of 10 of the most popular IoT devices available to consumers, including wireless TVs, webcams, home thermostats, sprinkler controllers, home alarms, scales, and garage door openers. The study found that an incredible 70% of the devices were vulnerable to hacking, identifying an average of 25 faults in each device, or 250 different security vulnerabilities overall. The study named privacy concerns, insufficient authorization, lack of transport encryption, insecure web interface, and inadequate software protection as the most common security problems. This study demonstrates the very real IoT problems facing both consumers and businesses.
For example, the infamous Target credit card hackers gained access to Target’s entire network by exploiting weaknesses in a third-party heating and ventilation monitoring software system.
Regulating the IoT
Governments around the world have already begun addressing consumer privacy and data security concerns, doing so thus far without stifling IoT innovation. In the United States, the Federal Trade Commission (FTC) has taken the lead in the conversation.
While no specific regulations governing the IoT exist, the FTC says it is empowered to protect consumers and their data under the FTC Act, which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The FTC has already exercised that authority to police an IoT device that threatened to compromised consumer data and privacy.
Just last year, the FTC settled an enforcement action against TRENDNet, a company whose Internet-enabled home security system lacked adequate security, potentially exposing users’ live video streams to the public. Going forward, FTC Chairwoman Edith Ramirez has identified the three main IoT privacy challenges on which the Commission will focus:
Ubiquitous data collection
Potential adverse consequences from unexpected uses of consumer data
And heightened security risks
Similar concerns have led to the adoption of the Mauritius Declaration on the IoT in the European Union, which has traditionally been on the vanguard of privacy protection, The Declaration takes more extensive steps to ensure the highest possible guarantees of privacy, causing many to be concerned that it will either impede innovation or end up being ignored.
Making the IoT work
For now, good data protection and consumer communication practices offer the best chance to balance IoT opportunities and risks. In the words of FTC Chairwoman Ramirez, when it comes to the IoT, manufacturers and data collectors and users should “bake” a set of best practices into their business models, including:
Adopting a “security by design” viewpoint: From initial design through release and upgrades, companies must assess IoT device privacy and security and demand that merchandising partners be savvy enough to communicate how this has been accomplished.
Developing data minimization discipline: Though big data has an insatiable appetite for all information, the potential harm arising from a breach increases exponentially if more data is kept. Companies must remember relevant privacy statutes, rules on PII (personally identifiable information), and the litigation risks that come from keeping huge data stores, just as IoT data users must understand how to aggregate, anonymize, or alter the data to keep it from getting linked back to consumers.
Ensuring clear and honest customer communications: IoT product developers need to provide clear notice and explanations of what data is being collected and how it will be used. More importantly, they must keep promises to customers about data uses or sharing with third parties.
In addition, Chairwoman Ramirez identifies the Safe Harbor program as a useful tool for bridging the gap between EU and U.S. privacy requirements.
Overwhelming consumer acceptance and adoption means the IoT and its astounding devices are here to stay. Manufacturers, retailers, and data users looking to make the most of this opportunity must understand the laws and best practices to use now and monitor regulatory actions in order to stay current on changes that are sure to follow. Consumers, too, must share the burden of understanding what data they are creating and make informed decisions about how they will permit that information to be disseminated and used.
Michael D. Reif is a trial