On Tuesday, November 19, 2013, the Federal Trade Commission (FTC) held a day-long workshop to discuss and explore the consumer protection and privacy issues surrounding the so-called “Internet of Things,” namely, the expanded ability of web-enabled devices to communicate directly with one another and create an increasingly seamless integration between the physical and digital world. As these technologies advance, they raise a number of data security and privacy issues, and create technology and public policy challenges both from that perspective and others. The workshop explored some of these issues, and also provided some insight into the FTC’s likely approach going forward.
The workshop focused on a range of different types of devices, including “smart meters” (which show hour by hour household energy consumption), home security monitors, electronic health records, portable health monitors and testing devices, and vehicle event data recorders. These types of devices have the ability to record and communicate data such as how fast you are driving, how much air is in your front right tire, whether you left your oven on, whether your blood pressure has risen or your glucose level has dropped, or whether a certain pace of running is taxing your heart at a dangerous level. These devices have obvious consumer benefits, but they come with a cost -- they generate personal information about you and they transmit that information in channels and formats that may risk the confidentiality of the information. To date, rarely is data sent through these devices in encrypted form.
Evaluating the benefits and risks of such “smart” devices entails considering a host of questions, and the FTC workshop provided a forum for addressing many of those questions. For example, will your health insurer or life insurer be able to demand access to your Fitbit (a fitness bracelet that tracks fitness data such as how many calories the user burns) information to find out if you are exercising regularly? Will your auto insurer be able to demand information from your car to find out how safely you drive? Who will control access to such information and how can device manufacturers ensure that informed choices may be made by consumers about such control? What can be done to make mobile device privacy policies set forth on mobile devices accessible and understandable given the challenges of a small screen? Should legal mandates be imposed to guarantee uniform content and placement of privacy policies for mobile devices and for particular standards for the security of personal information collected and transmitted through such devices?
Throughout the workshop, there was broad agreement that consumer demand for these devices is growing and that the rapid technological developments are outpacing decisions on how to ensure consumer protection in using the devices. Without laws or regulations yet governing these devices in any comprehensive or meaningful way, a fundamental question is who currently bears the responsibility to implement measures and standards to provide such protection. FTC Chairwoman Ramirez and Commissioner Olhausen called on industry to prioritize privacy and data security. Other speakers and panelists questioned whether that was practical, and in particular emphasized the need for consumers to carefully consider the trade-offs inherent in these devices and choose wisely when deciding whether or not to use them. The Commission is planning to issue a report on the findings of this workshop, and that will likely serve as a helpful prompt for continued focus on the key issues it aired. But industry is in many respects “in the driver’s seat” right now, and its proactive efforts at self-regulation can serve both it and consumers if properly motivated and designed.