In January, the Federal Trade Commission ("FTC") released a nearly 70-page missive on privacy and security issues related to the Internet of Things, discussing what it wants – and expects – from both the private sector and Congress in the future.
What does the FTC want and expect? More power.
FTC seeks broader authority over the Internet of Things
The FTC's report, entitled "Internet of Things: Privacy and Security in a Connected World," advocates ideas outlined mostly in an FTC workshop that took place over a year ago(!). It represents a combination of Neo-Luddism and regulatory handwringing over the self-perceived limits of power the Commission currently possesses where the Internet of Things – combined with the Internet as a whole and networks in general – is concerned (with, granted, several recommendations on data privacy best practices thrown in for good measure).
In its report, the FTC asserts that because Congress has declined to enact certain legislation, "it is unclear who would decide additional uses [of consumer data] are beneficial or harmful" (because heavens forbid something go unregulated and the private sector make any decisions for itself). Still, by identifying a purported lack of "widely-adopted codes of conduct" as part of this issue and recommending the "establishment of...widely-accepted multistakeholder frameworks" in the absence of a legislative solution, the FTC continues to leave the door open for industry to engage in "voluntary self-regulatory efforts." This is, of course, with the ever-present implicit demand that US government bodies regularly make of the private sector: regulate yourselves or we'll do it for you, one way or another.
This has already begun to happen in the cybersecurity realm. Just over two years ago, President Obama issued Executive Order 13636 – "Improving Critical Infrastructure Cybersecurity" – directing the National Institute of Science and Technology ("NIST") to lead the establishment of a "Cybersecurity Framework…to reduce cyber risks to critical infrastructure [and] incorporate voluntary consensus standards and industry best practices to the fullest extent possible."
Today, the NIST Cybersecurity Framework, admittedly a good set of guidelines, has seen wide adoption for reasons that may as well carry the force of law. Speakers at this past fall's NRS Technology and Communication Compliance Forum pointed out that federal agencies are effectively holding regulated industries to NIST Cybersecurity Framework standards, and that government contractors (and subcontractors) too are required to comply with them.
To be sure, the FTC is proposing its own IoT "framework," along with data collection recommendations representing something close to a Hobson's Choice. Companies "can decide not to collect data at all" (castrating the usefulness of the Internet of Things device), "collect only the fields of data necessary to the product or service being offered" (declining the power of all other valuable data available), "collect data that is less sensitive" (what is "sensitive?" and how is that determination made?), "or de-identify the data they collect" – potentially expensive and potentially impossible.
Alternatively, the FTC notes, companies "can seek consumers' consent for collecting additional, unexpected categories of data." Even the FTC concedes the practical and technical difficulties of this in the IoT context, however, noting the lack of screens and interfaces on many IoT devices. The report goes on to cite the remarks of one workshop participant, Dr. Anand Iyer, Chief Data Science Officer of WellDoc, that if customers have "to consent to everything [they] will throw the bloody thing away."
Some FTC workshop participants expressed concern that giving consumers notice and choice would result in the burying of such notice and choice in lengthy contracts drafted by company lawyers. Their proposed solution? Burying terms of notice and choice in lengthy regulations and statutes drafted by government lawyers.
Unsurprisingly, the FTC seems to like this idea.
"Although the Commission currently has the authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections – such as privacy disclosures or consumer choice – absent a specific showing of deception or unfairness," reports the FTC. "Commission staff thus…recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation. Such legislation should be flexible and technology-neutral[.]"
This raises the question as to whether the ability to regulate and enforce against deception and unfairness in business is not enough for a federal agency whose primary mission is to act against deception and unfairness in business. Certainly, the FTC concedes that it already holds broad powers that apply to IoT as well as anything else falling under, inter alia, the FTC Act, the Fair Credit Reporting Act ("FCRA"), the Health Information Technology for Economic and Clinical Health Act ("HITECH"), the Health Insurance Portability and Accountability Act ("HIPAA"), and the Children's Online Privacy Protection Act ("COPPA").
Furthermore, although the report's declination to recommend IoT-specific legislation seems like magnanimity on the FTC's part (e.g., "[FTC s]taff agrees with those commenters who stated that there is great potential for innovation in this area, and that legislation aimed specifically at the IoT at this stage would be premature"), it is in fact a self-serving, false concession. "Flexible and technology-neutral" legislation would stretch the FTC's jurisdiction and ability to act.
The pitfalls of "technology-neutral" IoT regulation
General technology legislation added to existing general technology legislation may only result in more industry confusion and smother innovation in Internet of Things and other network technologies. In New Zealand, for instance, the recently enacted Telecommunications (Interception Capability and Security) Act has led researchers to pull a major SDN project out of the country because of simultaneously stringent and unclear requirements that the New Zealand government be kept apprised of significant network changes. This is an impractical task with virtualized networking technologies like SDN and NFV, where changes are constantly happening.
(Incidentally, the NIST Cybersecurity Framework, too, is purported to be "technology neutral[.]")
To be fair, at present the legal environment for IoT data privacy lacks certainty. In its report, for instance, the FTC expresses the fear that employers, insurers, and potential creditors could make an end run around the FCRA by obtaining protected consumer data from Internet of Things device sellers, but it seems unlikely that the FTC would be powerless to protect consumers from such a scenario, given its already broad authority to enforce against unfair and deceptive trade practices (to say nothing of state laws and enforcement actions on the same).
Things like regulatory certainty, data privacy, and collaboration between the public and private sectors can be good. New laws where existing ones already suffice, however, are wasteful at best, damaging at worst, and exist only to strengthen those who would perpetuate them at a cost to others.
Public domain image courtesy of ComicBooksPlus.com.
Joe Stanganelli is a writer, attorney, and communications consultant. He is also principal and founding attorney of Beacon Hill Law in Boston. Follow him on Twitter at @JoeStanganelli.