FTC IoT Report Released

Grapples with security, data collection and privacy for consumer IoT

In a report published earlier this week, the Federal Trade Commission dug into issues of security and privacy, as well as the collection and retention of consumer data, that were raised during the agency's November 2013 workshop on the Internet of Things.

The report summarizes findings from the daylong workshop and its related public comments, which focused on consumer-facing technologies. It provides broad recommendations for companies, industry groups, and lawmakers in several areas.

The commissioners took a clear stand on the importance of security, writing that it should be designed into devices and services from the outset. Companies should perform risk analyses, thoroughly train employees to be conscious of security concerns, and prepare multiple redundant systems to prevent and address security breaches.

The section on the collection, retention and use of consumers' data was more nuanced. Although many companies rely on novel uses of data to innovate their products and services, the commissioners wrote that consumers should be given plenty of notice and choice in what data they allow companies to collect and how they allow that data to be used. At the same time, the report acknowledged that it can be challenging to provide notice when many IoT devices don't have direct user interfaces.

When it comes to legislation, the report shied away from IoT-specific laws and regulations, which might suppress innovation in a budding industry. Instead it called on Congress to pass broad, technology-agnostic laws to further protect consumers' privacy and require better device security along with policies to ensure that consumers are notified of security breaches.

Interestingly, several commissioners took issue with elements of the report -- particularly some of the recommendations on data minimization, which they said were not properly supported by data and economic analysis. One even went so far as to publicly oppose publishing the report without further study.

You can read the full text of the report, as well as the report's dissenting opinion, for yourself at FTC.gov.

Related: FTC workshop considers privacy, security on the Internet of Things