CDT Comments on Internet of Things Emphasize Need for Strong Privacy and Security Standards
Last Friday, CDT submitted comments to the Federal Trade Commission (FTC) following the its November 2013 workshop on the “Internet of Things” (IoT). Much ink has been spilled about the promise of networked devices and the possibility of increased user control and access over the data that household devices can monitor and transmit. Google’s recent $3.2 billion acquisition of Nest Labs, which manufactures smart thermostats and smoke detectors, illustrates the intense interest from companies creating IoT devices.
In our comments, we highlight a few important points. First, there are heightened privacy and security concerns in IoT systems that the FTC cannot ignore. Second, the Fair Information Practice Principles (FIPPs) are only more relevant in an IoT environment; the complexity that comes with increased sensor- and Internet-enabled devices cannot be used to justify hidden, unbounded, and comprehensive data collection by all device manufacturers without a consumer’s insight or control. Finally, we discuss health-specific applications of IoT, from which we can draw more general principles about applying the FIPPs to IoT devices and systems.
The privacy and security issues with IoT devices are far from abstract. Justin Brookman, CDT’s Director of Consumer Privacy, wrote in November on the LG Smart TV that reported user activity – including channel changes and network file lists – back to the manufacturer. This sort of comprehensive data collection by an Internet-connected device is completely unnecessary and unexpected, and LG should have gotten consumers’ informed permission before collecting this information. This was a very clear privacy and security issue that could have been avoided had LG used a privacy by design approach in developing the Smart TV, rather than waiting for a PR problem before addressing the problem. If IoT devices take off to the extent promised and hoped for by industry, incorporating privacy and security measures from the initial stages of design will be crucial. Additionally, privacy by design would instruct LG that surreptitiously monitoring user behavior is an out of context action that users would not expect, as users would not expect an intermediary like LG to comprehensively collect this type of data, and therefore would be a violation of contextual integrity, (a concept developed at length by Helen Nissenbaum).
The FIPPs have been a successful framework for creating strong privacy protections for decades, and our comments urge the FTC to reaffirm the application of FIPPs to the IoT space. The FIPPs are a longstanding set of principles – including purpose specification, use limitation, notice, transparency, data minimization, user control, security, and accountability – that were developed in the United States in the 1970s and have been adopted internationally. Challenging the continued relevancy of the FIPPs has been a cause célèbre for some who find them to be too onerous or outdated, but we at CDT consider the FIPPs to be a tried and trusted standard. New technologies don’t necessarily require new solutions, and the IoT space is not fundamentally different from previous applications like Smart Grid technology, for which we have advocated the application of the FIPPs. We think that the FIPPs are just as applicable to IoT technologies as they are to Smart Grid technology. Furthermore, the use of the FIPPs in the IoT space will limit the dangers of unchecked comprehensive data collection in sensitive spaces such as homes or offices, providing more effective choice to consumers. Fortunately, other privacy advocates are starting to push back against efforts to substitute corporate decisionmaking and vague prohibitions on harmful uses for the full range of individual rights under the FIPPs. We call on the FTC to stand up for consumers and reject the trend toward data paternalism in the Internet of Things and, in general, the world of Big Data.
Finally, we discuss health applications of IoT technology as a case study for how the FIPPs should apply. Telehealth technologies are designed to provide medical support and wellness assistance outside of traditional healthcare settings. The possibilities of sophisticated IoT devices are very promising for individuals and healthcare providers who seek accurate, fine-grained, and non-invasive measurements of their body signals. But there are serious concerns, as eavesdropping, unauthorized access, or data leaks from IoT telehealth devices could endanger individuals’ privacy, health, or even life. We therefore emphasize the importance of the FIPPs in the critical case of telehealth as a way of highlighting the broader application and necessity for the FIPPs in the IoT context.
Given the vast range of applications that IoT devices could bring to consumers, we are excited and interested to see what technologies develop over the coming years. Strong privacy and security protections, ideally based on the FIPPs, and the regulatory oversight of the FTC, will be crucial in ensuring that consumers are confident that such devices will be beneficial additions to their lives.