On November 19, 2013, the Federal Trade Commission held a workshop in Washington, D.C. to discuss The Internet of Things: Privacy & Security in a Connected World. FTC Chair Edith Ramirez and FTC Senior Attorney Karen Jagielski provided the opening remarks. Chairwoman Ramirez raised three key issues for workshop participants to consider:
- The Internet of Things will result in increased data collection, amplifying the importance of simplifying choices and giving control to individuals with just-in-time notices. Transparency will facilitate consumer understanding of the collection, use and sharing of personal data. Data privacy principles will still apply in The Internet of Things world, but will have to be adapted to respond to new realities.
- There is a real danger of data being used in unexpected ways. The trick will be to determine what “reasonable” expectations regarding data usage should be, and then manage consumer expectations accordingly.
- Security is taking on a new dimension, and the need to secure data in The Internet of Things will be paramount, as demonstrated by the recent FTC enforcement action against TrendNet. The FTC will not shy away from taking action again.
Following the opening remarks, National Science Foundation official Keith Marzullo discussed some current Foundation research focused on privacy and security issues with respect to the Internet of Things. For example, the Foundation has been examining technical vulnerabilities and security solutions to help protect pacemakers, vehicles, industrial control systems and telerobotics used by doctors engaged in remote surgery on soldiers in distant theaters of war.
In addition, Carolyn Nguyen, Director of the Technology Policy Group at Microsoft, discussed the findings of a recent Microsoft study of contextual data privacy and the factors that influence peoples’ sensitivities with respect to the use of their personal data. Microsoft identified objective variables (including the type of data, type of entity collecting the data, type of device, and the method of collection), as well as subjective variables such as the consumer’s level of trust in the entity and the perceived value to the consumer of the entity’s use of their data. Microsoft found that the relative importance of these variables differed by country and region. Ms. Nguyen concluded by discussing how these findings could be used to introduce contextual privacy in devices and applications.
The keynote address was delivered by Vint Cerf, Vice President and Chief Internet Evangelist of Google, Inc. He began by presenting statistics on current Internet usage, noting that there are 3 billion Internet users and 7 billion mobile devices in use worldwide. He then reviewed the growing variety of networked appliances, including consumer goods (refrigerators, bathroom scales, picture frames, beer kegs, and even surf boards), sensor systems, personal medical instruments, fitness sensors, remote controlled devices, wearable devices (like Google Glass), and self-driven cars. More broadly, he discussed the implications for smart cities, providing open access to city information and the implementation of the smart grid.
Cerf emphasized the many benefits of The Internet of Things, including:
- the huge potential for local, regional, national and global optimization of resource management;
- the creation of standards and interoperability for various products and services;
- improvements in the management of health and wellness through continuous monitoring (including early detection of epidemics);
- the democratization of access to learning and education for the masses; and
- great leaps forward in innovation affecting the products and services people use every day.
Cerf also highlighted a few notable challenges, including the transition to Internet Protocol Version 6 (“IPv6”), configurations for massive numbers of devices, dynamic self-configuration and access control.
FTC Commissioner Maureen Ohlhausen gave her remarks at the workshop in the afternoon, stating that The Internet of Things has great potential for industry and society, and it is important to realize these benefits while reducing risks to consumer privacy and security. In particular, Commissioner Ohlhausen identified three areas of the enhanced risks associated with The Internet of Things: data security, mobile services and Big Data.
Ohlhausen detailed the FTC’s role in balancing the benefits and risks of The Internet of Things by outlining a three-pronged approach for the FTC. The FTC’s approach will focus on (1) policymaking and research, to understand technology, new challenges and how existing regulation fits in; (2) providing information and consumer education to increase awareness and offer guidance to both business and consumers; and (3) bringing enforcement actions when violations occur.
During a later afternoon presentation on “Connected Health and Fitness,” panelists discussed examples of the significant medical benefits associated with the real-time sharing of medical data with doctors using networked devices such as insulin pumps. Vulnerability researchers, however, have publicly exposed security weaknesses of several leading insulin pump devices, and studies have revealed that many networked medical devices do not encrypt the health data that they collect. Many manufacturers of such devices have not established privacy policies, and those that do have policies often fail to follow them.
Finally, in her closing remarks, Jessica Rich, Director of the FTC’s Bureau of Consumer Protection, said that the FTC is not planning to issue new regulations on The Internet of Things. Instead, the FTC will be issuing a summary report of the workshop.
Search
Recent Posts
Categories
- Behavioral Advertising
- Centre for Information Policy Leadership
- Children’s Privacy
- Cyber Insurance
- Cybersecurity
- Enforcement
- European Union
- Events
- FCRA
- Financial Privacy
- General
- Health Privacy
- Identity Theft
- Information Security
- International
- Marketing
- Multimedia Resources
- Online Privacy
- Security Breach
- U.S. Federal Law
- U.S. State Law
- Workplace Privacy
Tags
- Aaron Simpson
- Accountability
- Adequacy
- Advertisement
- Advertising
- American Privacy Rights Act
- Anna Pateraki
- Anonymization
- Anti-terrorism
- APEC
- Apple Inc.
- Argentina
- Arkansas
- Article 29 Working Party
- Artificial Intelligence
- Australia
- Austria
- Automated Decisionmaking
- Baltimore
- Bankruptcy
- Belgium
- Biden Administration
- Big Data
- Binding Corporate Rules
- Biometric Data
- Blockchain
- Bojana Bellamy
- Brazil
- Brexit
- British Columbia
- Brittany Bacon
- Brussels
- Business Associate Agreement
- BYOD
- California
- CAN-SPAM
- Canada
- Cayman Islands
- CCPA
- CCTV
- Chile
- China
- Chinese Taipei
- Christopher Graham
- CIPA
- Class Action
- Clinical Trial
- Cloud
- Cloud Computing
- CNIL
- Colombia
- Colorado
- Committee on Foreign Investment in the United States
- Commodity Futures Trading Commission
- Compliance
- Computer Fraud and Abuse Act
- Congress
- Connecticut
- Consent
- Consent Order
- Consumer Protection
- Cookies
- COPPA
- Coronavirus/COVID-19
- Council of Europe
- Council of the European Union
- Court of Justice of the European Union
- CPPA
- CPRA
- Credit Monitoring
- Credit Report
- Criminal Law
- Critical Infrastructure
- Croatia
- Cross-Border Data Flow
- Cyber Attack
- Cybersecurity and Infrastructure Security Agency
- Data Brokers
- Data Controller
- Data Localization
- Data Privacy Framework
- Data Processor
- Data Protection Act
- Data Protection Authority
- Data Protection Impact Assessment
- Data Transfer
- David Dumont
- David Vladeck
- Delaware
- Denmark
- Department of Commerce
- Department of Health and Human Services
- Department of Homeland Security
- Department of Justice
- Department of the Treasury
- District of Columbia
- Do Not Call
- Do Not Track
- Dobbs
- Dodd-Frank Act
- DPIA
- E-Privacy
- E-Privacy Directive
- Ecuador
- Ed Tech
- Edith Ramirez
- Electronic Communications Privacy Act
- Electronic Privacy Information Center
- Elizabeth Denham
- Employee Monitoring
- Encryption
- ENISA
- EU Data Protection Directive
- EU Member States
- European Commission
- European Data Protection Board
- European Data Protection Supervisor
- European Parliament
- Facial Recognition Technology
- FACTA
- Fair Credit Reporting Act
- Fair Information Practice Principles
- Federal Aviation Administration
- Federal Bureau of Investigation
- Federal Communications Commission
- Federal Data Protection Act
- Federal Trade Commission
- FERC
- FinTech
- Florida
- Food and Drug Administration
- Foreign Intelligence Surveillance Act
- France
- Franchise
- Fred Cate
- Freedom of Information Act
- Freedom of Speech
- Fundamental Rights
- GDPR
- Geofencing
- Geolocation
- Georgia
- Germany
- Global Privacy Assembly
- Global Privacy Enforcement Network
- Gramm Leach Bliley Act
- Hacker
- Hawaii
- Health Data
- Health Information
- HIPAA
- HIPPA
- HITECH Act
- Hong Kong
- House of Representatives
- Hungary
- Illinois
- India
- Indiana
- Indonesia
- Information Commissioners Office
- Information Sharing
- Insurance Provider
- Internal Revenue Service
- International Association of Privacy Professionals
- International Commissioners Office
- Internet
- Internet of Things
- IP Address
- Ireland
- Israel
- Italy
- Jacob Kohnstamm
- Japan
- Jason Beach
- Jay Rockefeller
- Jenna Rode
- Jennifer Stoddart
- Jersey
- Jessica Rich
- John Delionado
- John Edwards
- Kentucky
- Korea
- Latin America
- Laura Leonard
- Law Enforcement
- Lawrence Strickling
- Legislation
- Liability
- Lisa Sotto
- Litigation
- Location-Based Services
- London
- Madrid Resolution
- Maine
- Malaysia
- Markus Heyder
- Maryland
- Massachusetts
- Meta
- Mexico
- Microsoft
- Minnesota
- Mobile App
- Mobile Device
- Montana
- Morocco
- MySpace
- Natascha Gerlach
- National Institute of Standards and Technology
- National Labor Relations Board
- National Science and Technology Council
- National Security
- National Security Agency
- National Telecommunications and Information Administration
- Nebraska
- NEDPA
- Netherlands
- Nevada
- New Hampshire
- New Jersey
- New Mexico
- New York
- New Zealand
- Nigeria
- Ninth Circuit
- North Carolina
- Norway
- Obama Administration
- OECD
- Office for Civil Rights
- Office of Foreign Assets Control
- Ohio
- Oklahoma
- Opt-In Consent
- Oregon
- Outsourcing
- Pakistan
- Parental Consent
- Payment Card
- PCI DSS
- Penalty
- Pennsylvania
- Personal Data
- Personal Health Information
- Personal Information
- Personally Identifiable Information
- Peru
- Philippines
- Phyllis Marcus
- Poland
- PRISM
- Privacy By Design
- Privacy Policy
- Privacy Rights
- Privacy Rule
- Privacy Shield
- Protected Health Information
- Ransomware
- Record Retention
- Red Flags Rule
- Regulation
- Rhode Island
- Richard Thomas
- Right to Be Forgotten
- Right to Privacy
- Risk-Based Approach
- Rosemary Jay
- Russia
- Safe Harbor
- Sanctions
- Schrems
- Scott Kimpel
- Securities and Exchange Commission
- Security Rule
- Senate
- Serbia
- Service Provider
- Singapore
- Smart Grid
- Smart Metering
- Social Media
- Social Security Number
- South Africa
- South Carolina
- South Dakota
- South Korea
- Spain
- Spyware
- Standard Contractual Clauses
- State Attorneys General
- Steven Haas
- Stick With Security Series
- Stored Communications Act
- Student Data
- Supreme Court
- Surveillance
- Sweden
- Switzerland
- Taiwan
- Targeted Advertising
- Telecommunications
- Telemarketing
- Telephone Consumer Protection Act
- Tennessee
- Terry McAuliffe
- Texas
- Text Message
- Thailand
- Transparency
- Transportation Security Administration
- Trump Administration
- United Arab Emirates
- United Kingdom
- United States
- Unmanned Aircraft Systems
- Uruguay
- Utah
- Vermont
- Video Privacy Protection Act
- Video Surveillance
- Virginia
- Viviane Reding
- Washington
- Whistleblowing
- Wireless Network
- Wiretap
- ZIP Code