F.T.C. Says Internet-Connected Devices Pose Big Risks

By Natasha Singer    January 27, 2015 9:35 am

Updated, 7:44 p.m. | The Federal Trade Commission on Tuesday confirmed some of the worst fears about Internet-connected devices, saying the technology presented serious data security and privacy risks, and urged companies to make data protection a top priority.

While the agency noted the potential benefits for owners of smart devices like connected fitness bands, regulators also said the technology generated enormous amounts of personal data that could be misused or obtained by hackers.

“Many of us are using these devices,” Edith Ramirez, the chairwoman of the F.T.C., said in a telephone interview. But, she said, “if consumers feel that their information isn’t being protected, they won’t have the confidence level to embrace them.”

In a staff report, the agency urged companies to institute basic data security measures when they develop such devices and sensors, rather than as an afterthought. It also encouraged companies to develop new ways to communicate their data collection and handling practices — even if they market sensors that are too small to contain digital information displays for consumers.

“We are still at a time when we can have an impact on how the Internet of Things evolves,” Ms. Ramirez said in the interview, referring to an array of connected devices. “These important privacy principles still have a place in today’s world.”

Although the report highlights the issues that the agency intends to monitor and underlines the best practices regulators hope companies will adopt, it does not carry the weight of enforceable regulations. The agency has urged Congress to enact a baseline federal consumer privacy law. But such legislation is unlikely to pass with Congress controlled by Republicans.

Still, data security and privacy experts predicted that at least larger, well-known technology companies would take the agency’s data security recommendations into account — if only to reduce the business risk of federal investigations.

“I think everyone can agree that industry needs to do a better job, writ large, on addressing Internet of Things security issues,” said Justin Brookman, the director of the consumer privacy project at the Center for Democracy & Technology, a nonprofit group in Washington. But, he said, “smaller companies may not notice the report.” His group has received financing from companies including Apple, Qualcomm, Verizon and Palantir.

Around 4.9 billion connected items for consumers, enterprises, manufacturing and utilities will be in use this year, according to estimates from Gartner, an information technology research firm. That number is expected to rise to 25 billion by 2020, the company said.

One concern that comes with all these devices, the F.T.C. report noted, is that hackers could potentially hijack and misuse intimate information recorded by the technology, perhaps even creating physical safety risks for consumers.

Last year, for instance, an electronics company that marketed what it said were “secure” Internet-connected cameras, allowing parents to remotely monitor young children at home, settled a complaint by the F.T.C. that lax security practices had exposed its customers to privacy invasions. A security flaw allowed anyone with the cameras’ Internet addresses to view, and in some cases hear, what was happening in customers’ homes, the agency said.

The F.T.C. report recommended that companies consider putting limits on the volume of information their devices collect from consumers and on the amount of time they retain those records.

But companies may be reluctant to adopt those practices because data storage costs are decreasing and the ability to quickly analyze huge data sets is increasing.

“There are some forces that work against data minimization,” said Adam Towvim, the chief executive of TrustLayers, a start-up in Boston that helps companies institute systems for real-time monitoring of their data use.

If a company collected 300 to 400 facts about millions of individual consumers, he said, it would be costly and cumbersome to figure out which details to delete and which were important to retain. Mr. Towvim added: “And you might keep the information in multiple places or you may have derivative uses where you haven’t completely aggregated or anonymized it.”

Even so, regulators said they would be keeping watch to see that makers of connected devices limit the potential security and privacy risks of their products for consumers.

“For companies, it will be to their detriment if they don’t heed the issues we flag in the report,” Ms. Ramirez said.