The FTC Report on IoT: The Debate over Opportunity, Liability, and Privacy Begins
Over the weekend, I combed through the FTC’s recent report – all 71 pages – on the Internet of Things (IoT), entitled, The Internet of Things – Privacy and Security in a Connected World.
Everything I had previously read online about the report revealed nothing novel about IoT that I had not already heard – or said myself. But since it took the FTC over a year to produce, I thought a close inspection of the report was warranted. Surely there would be some nuggets of substantive information lodged within six dozen pages of bureaucratic conjecture, right?
Luckily for me, Ofcom, the communications regulator in the UK, released a similar report just days before the FTC, which I also went through for comparison purposes. In the end, neither report, by and large, produced any earth-shattering revelations or actionable advice. Neither was much more than a situation analysis at best.
Nonetheless, there are four key takeaways central to the report worth discussion.
Key Takeaway #1: IoT Holds Promise
In what comes as no surprise to the IoT enthusiast, both reports proclaim healthcare to be the industry that stands to benefit the most from IoT, mainly through embedded devices. Instant, data-driven reporting to doctors will provide a huge leap forward in the treatment of chronic conditions like diabetes. Because people will no longer have to rely solely on patient reporting, healthcare treatments can become more timely and accurate, potentially yielding a significant improvement in patient care and cost savings for doctors, hospitals and pharmaceutical companies. Both reports also identify transportation and energy as the secondary industries likely to see the most benefit from IoT. We already know this to be true, as major enterprises like GE and AT&T are steadily driving Machine-to-Machine (M2M) innovations, also referred to as the “Industrial Internet of Things.”
Additionally, we’re already witnessing rapid adoption of any and all IoT by consumers. In fact, IoT is exploding so rapidly that Gartner predicts there will be a quarter billion connected cars by 2020! Other devices, such as Smart TVs, IoT fitness bands and digital thermostats like NEST, are also gaining popularity en masse.
But as the FTC appropriately states, the one barrier to IoT reaching its mass-market potential is directly correlated to the degree to which vendors succeed in establishing consumer trust. Ultimately, if people don’t feel safe with the constant communication of IoT devices, they will hold back adoption. Whether the buyer is a CIO who is leery of a new industrial control system or a consumer worried about their healthcare data being compromised, IoT vendors must continue to make strides that reinforce consumer confidence in their products.
Key Takeaway #2: Developer Liability is Minimal at Best
Both the FTC and Ofcom strongly recommend that IoT device manufacturers start producing devices with “security by design,” meaning that security must be considered at the onset of product development.
However, somewhat contradicting this recommendation, the FTC openly questions whether device manufacturers actually have the security experience and expertise to ensure that products coming to market are safe. The FTC also cautions that many devices are inexpensive or “disposable,” essentially calling into question whether the cost of threat assessment and the hit to internal productivity outweigh any reward from consistently patching new attack vectors each time one is discovered.
As you might suspect, billions of connected devices have increased the attack surface exponentially. In fact, 2014 was referred to as “the year of the hack” by multiple news outlets. But what many people don’t know is that the Home Depot and Target breaches were actually the result of exploited IoT within the enterprise. Of course, there were also notable IoT breaches of consumer devices in 2014. German researchers, for example, were able to hack a smart meter to determine what TV shows you watch. Hackers even heckled a toddler through a baby monitor, and a third-party app proved to be a playground for misuse.
One of the most critical discussion points left out of the FTC paper, but highlighted in the Ofcom paper, was the IoT communication infrastructure. IoT devices currently operate on a broad range of the RF spectrum. While the report noted that availability would not be a barrier to the success of the IoT, it did bring up the long-term viability of available bands. The same holds true for network availability for all of the millions – potentially billions – of devices in our future. Simply put, enterprise security and detection for devices that operate on wireless spectrum outside of Wi-Fi is non-existent, leaving corporations highly susceptible to increasingly sophisticated adversaries with tangible motives.
In my opinion, both reports were devoid, probably intentionally so, of actionable advice, reinforcing my belief that we’re still charting new territory. The truth is simply that none of us, including the FTC, fully know or understand the extent to which the unintended consequences of IoT will rear their ugly heads. That’s probably why the FTC also decided that any government regulation at this point could stifle innovation more than it would ease consumer concerns. So, Americans will still be faced with a buyer-beware scenario, at least in the short term.
Key Takeaway #3: The Parable of Privacy – IoT is all about Data
The word parable is often used to describe a story intended to teach a lesson. Perhaps the greatest lesson we have yet to learn is how to truly protect our data. As the IoT ushers in modern conveniences like not having to call our doctors to report pacemaker information and gives us the ability to access enterprise control systems remotely, the real value for adversaries will reside in the data being collected and in whether they succeed at manipulating it to meet their purpose.
In a sense, IoT devices are really just a courier for data flow, allowing us to analyze trends and, ultimately, make more informed decisions about our lives and our businesses. In order for this to happen, however, we must not only agree to give up our data, but also allow it to be transmitted to our vendors – and potentially their vendors – so that in turn we can access actionable insights into our performance. But how much of our data should be up for grabs?
Data privacy was one of the most contentious issues addressed in the FTC’s report. Device manufacturers are looking to harvest as much data as they can, seeing infinite possibilities for future product enhancements and offerings. However, the FTC warns that any accumulation of data only serves to make companies and consumers more attractive to criminals who want to misuse it.
The FTC thus recommends data minimization – collecting only what is necessary and destroying data once it is no longer needed – along with plainspoken privacy statements and opt-in controls that let consumers choose what they share. Of course, we encounter so many of these lengthy documents (averaging around 2,500 words) each year that we rarely have the time to read them. But as long as consumers are willing to give up everything in the name of convenience, which many Millennials have proven they will, IoT device manufacturers will continue to collect all available information to profit off your patterns in the future.
As the entirety of the IoT market now hinges on consumer adoption driven by trust, it’s probable that manufacturers will advance their focus on security to some extent, just as the FTC recommends.
Key Takeaway #4: Prepare for the Debate to Continue
I found it both interesting and also annoying that the FTC used the word ‘reasonable’ 32 times, calling on IoT providers to implement “reasonable security,” meet “reasonable privacy expectations,” and offer “reasonable data protection” for IoT devices. The use of this subjective adjective ensures that the conversation around what is reasonable will continue.
The FTC report, in large part, is nothing more than a starting point for a debate on IoT and the security concerns it creates. Those of us in the industry likely read the report and were disappointed or surprised by its actual content. But in hindsight, what exactly should have been expected? It’s likely that we’ll need to see more substantial breaches from the IoT before we ever get a clear definition of what’s reasonable in our connected world. We all must consider, individually and as businesses, what exactly constitutes reasonable risk for the rewards of technology.
Chris Rouland is a cybersecurity expert and entrepreneur, and founder and CEO of Bastille, the first company to detect and mitigate threats to the Internet of Things. You can follow Chris on LinkedIn and Twitter @chris_rouland.