FTC's unrealistic Internet of Things report calls for smaller data

The FTC issued a report on Internet of Things privacy and security that only highlights how unresolved the issue still is.


The Federal Trade Commission (FTC) released a report today (pdf) with recommendations on how to reduce the security and privacy risks for consumers adopting the Internet of Things (IoT).

The report briefly touches on some of the well-known consumer benefits of the IoT – sharing personal health data with doctors, monitoring energy consumption of household appliances, etc. – but focuses primarily on the risks that could arise when more consumer devices are collecting data on their users (the FTC clarified that its report focuses solely on consumer uses for the IoT and not enterprise applications).

"First, larger data stores present a more attractive target for data thieves, both outside and inside a company – and increases the potential harm to consumers from such an event," the report reads. "Second, if a company collects and retains large amounts of data, there is an increased risk that the data will be used in a way that departs from consumers' reasonable expectations."

To remedy this, the FTC recommends "data minimization" practices to reverse the trend of data collection. Specifically, these companies "can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect."

Failing that, the FTC recommended that businesses notify consumers if they are collecting data that is not considered typical for the device – a Nest thermostat, for example, could reasonably be expected to record data on temperature changes but not necessarily voice or video of the people near it (hypothetically speaking).

However, the FTC does not seem to have reached a consensus on how smart devices can realistically inform consumers of their data collection practices, nor how they can reduce their data collection without also limiting their potential.

"Staff acknowledges the practical difficulty of providing choice when there is no consumer interface and recognizes that there is no one-size-fits-all approach," the report reads. "Some options include developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard."

Perhaps the least realistic suggestion in the report – and it's pretty unrealistic considering the document expects tech companies to collect less data on their customers – involves privacy policies for the IoT moving forward:

"Whatever approach a company decides to take, the privacy choices it offers should be clear and prominent, and not buried within lengthy documents."

Anyone who's even glanced at a website's privacy policy or terms of service knows that that suggestion is a dead end. The privacy policy for Facebook, a website for sharing memes and for occasional text messaging, is longer than the U.S. Constitution. How many companies will be able to briefly summarize the privacy implications of internet-connected devices designed to be installed throughout consumers' homes and cars and worn on their bodies?

The FTC's attempt at reaching a happy middle ground involved a "use-based approach" to IoT data privacy, which would basically mean that businesses would only notify consumers when collecting data that consumers shouldn't expect to be collected by the device, and only if they decline to deidentify that data.

However, the FTC also pointed out that "use-based limitations are not comprehensively articulated in legislation, rules, or widely-adopted codes of conduct," and acknowledged that "it is unclear who would decide which additional uses are beneficial or harmful." And although the FTC claimed that legislation or frameworks could resolve privacy issues, the group also agreed "IoT-specific legislation at this stage would be premature."

Considering the vague conclusions reached in the report, it's not much of a surprise that FTC Commissioner Joshua D. Wright issued a dissenting statement (pdf) that denounced the report for making policy recommendations without evidence to support them. The Information Technology and Innovation Foundation (ITIF) also publicly criticized the report, calling the implications of limiting data use "disheartening."

This is hardly the first time the FTC has warned consumers about the privacy risks involved with the IoT. During her keynote speech at CES 2015 in Las Vegas earlier this month, FTC Chairwoman Edith Ramirez warned that consumers' growing wariness of privacy invasion could ultimately hold back adoption of the IoT.

In fact, the IoT industry has had no shortage of warnings that this emerging technology should protect user privacy and security. As this report shows, there does appear to be a shortage of details showing how exactly the industry can accomplish that.


Copyright © 2015 IDG Communications, Inc.
