Regulating Interconnectivity on the 'Internet of Things'
Consumer products, embedded with sensors and the ability to communicate, challenge traditional methods of managing the risks to privacy and security presented by these innovative offerings.1 Yet the rewards of capitalizing on these networks to create new marketing avenues and business models may give retailers the competitive edge they need to survive.
Technology now exists to enable consumers to purchase the products they see in a movie on their wireless devices in real time. Facial recognition tools in mannequins can profile the demographics of customers entering a retail store, and smartphones can identify customers as they walk by their favorite items and send them real-time advertisements and discount coupons. At the heart of the policy debate, and the regulatory activity surrounding this new technology, is whether a consumer can remain anonymous or opt out as various devices communicate and sometimes store consumer preference and location data. To succeed in this new world, consumer businesses will need to navigate turbulent and uncertain waters in consumer privacy and technology security.
Commonly referred to as the "Internet of things," sensors and actuators embedded in everything from tires to medical devices allow data to flow on the same pathways that connect data on the Internet. This connectivity comes from wireless use of radio-frequency electromagnetic fields (RFID) and other sound waves transmitted and received from chips embedded in different devices. These chips potentially expose both the identity and the location of the consumers who use these products. Consumers often have no idea that the products they buy contain these transmitters or that their identity and location can be accessed without their knowledge.
With adequate safeguards for consumer privacy, these new technologies offer significant commercial rewards for business. Retailers have used RFID technology for years to track inventory and reduce shoplifting losses. Newer applications can drive sales, target marketing based on consumer preference, and prevent counterfeits. Aggregating this data can also provide social benefits. Energy conservation trends might be observed by combining energy usage statistics with building operational information. Agricultural production might be increased by studying the data from sensors on farm equipment in combination with information on weather and crop conditions. Scientific research may benefit from combining electronic medical records with lifestyle choices reflected in data on grocery store purchases and physical activity monitors.2 These innovative uses depend on the ability to combine data sources that contain personally identifiable information in a safe and secure manner without risk to personal privacy.
Watching, Not Waiting
Federal regulators are keeping a close watch on these developments. On Nov. 19, 2013, the Federal Trade Commission held a public workshop on the Internet of Things to learn more about the technology breakthroughs in this area and explore the consumer privacy and security issues associated with these networks of data. The FTC's workshop notice acknowledged the penetration these technologies have already made in consumer activities:
Consumers already are able to use their mobile phones to open their car doors, turn off their home lights, adjust their thermostats, and have their vital signs, such as blood pressure, EKG, and blood sugar levels, remotely monitored by their physicians.3
Many of the technologies employed in consumer products today do not involve any interface with the consumer and consequently provide no opportunity for the traditional methods of notice and choice that a consumer ordinarily uses to control access to sensitive data. Consumers may have no idea what data a device collects and how such information might be used. Yet consumers enjoy the convenience these technologies provide, and the industry appears poised to respond to continued consumer demand. Indeed, Intel recently formed its Internet of Things Solutions Group, combining its embedded chips division with the group responsible for building the systems needed to allow those chips to communicate with smartphones and tablets.4
Speaking to an audience at the Brand Activation Association Marketing Law Conference the day after the FTC's workshop, FTC Commissioner Julie Brill indicated that the FTC has "no plan to do regulations in this area." She stated that the goal is to enter the policy debate early, as market penetration is just beginning, and encourage best practices from the start. In pointing to the need for businesses to act without waiting for regulation, Brill referenced the story of a hacker able to take control of the speed of an automobile performing on a test track. The driver lost the ability to operate the gas pedal or brake as the hacker brought the vehicle up to a speed of over 140 miles per hour. Brill argued that manufacturers must partner their product engineers with privacy and security experts and employ best practices to prevent the damage consumers may face without robust protections.
What might those best practices be? The FTC has already engaged in one enforcement action, which provides some clues. The Commission's case against TRENDnet alleged that certain video baby monitors were vulnerable to cyber-hacking over the Internet and therefore did not sufficiently protect consumer privacy. The FTC wrote: "TRENDnet failed to use reasonable security to design and test its software, including a setting for the cameras' password requirement."5 In its consent decree ordering TRENDnet to address security risks that could result in unauthorized access to its products, the FTC requires, among other things:
• designation of an employee or employees accountable for security practices and administering a written security program;
• assessment and continued auditing of risks in hardware and software design as well as vulnerabilities caused by employees or human error;