Federal Trade Commission
Disclaimer: The viewpoints expressed by the author are his own and do not necessarily reflect the opinions, viewpoints and official policies of Practising Law Institute, the FTC, the Commission, any Commissioner, or anyone else.
“The first step is remarkably hard: understanding that you have a problem. More precisely, it’s understanding that you’re in the networked software business, with all that implies, rather than in the phone, thermostat, printer, light bulb, or what have you business.”
Internet of Things (IoT) devices provide significant benefits to consumers. In healthcare, for example, connected insulin pumps and blood-pressure cuffs can reduce healthcare costs while giving consumers the ability to record, track, and monitor their vital signs. By being connected to the internet, these devices can give more real-time advice but also provide accessibility to professional healthcare providers. Home connected devices can achieve greater energy efficiency while allowing homeowners to spot from afar significant issues such as water intrusions. Connected cars lead to safety and convenience benefits, offering real-time vehicle diagnostics to drivers and service facilities. Aggregation of big data can lead to research and breakthroughs. But IoT can present significant concerns for the privacy and security of consumers and their sensitive information.
There are several serious privacy issues presented by IoT devices. First, IoT devices can capture highly personal information about consumers’ sleeping patterns, driving habits, movie preferences, and household activities, but consumers may not appreciate or understand that an IoT device is sharing such highly personal information with third parties, including the manufacturer. Second, as with desktop or laptop computers, a lack of security can enable intruders to access and misuse personal information collected or stored on a device, potentially leading to identity theft. Security vulnerabilities in IoT devices can potentially lead to not only data security risks but also threats to a person’s physical safety. For example, vulnerabilities in an IoT insulin pump or pacemaker can result in significant injury or even death to a consumer; an attack on a vulnerable connected car can lead to engine failure or a loss of control; and an insecure IoT alarm system can open up a home to danger. Although similar risks exist with traditional computers and computer networks, they may be heightened in the IoT, in part because many IoT chips are inexpensive and disposable, and many IoT devices are quickly replaceable with newer versions. Accordingly, businesses may not have an incentive to support software updates for the full useful life of these devices, potentially leaving consumers with vulnerable devices. Moreover, it may be difficult or impossible to apply updates to certain devices.
As a result, the FTC, an independent federal administrative agency responsible for, inter alia, protecting the privacy and security of consumer data relating to IoT devices, has its work cut out for it in this area. The FTC has used a two-prong approach that includes enforcement and policy/education outreach.
Enforcement is one of the FTC’s primary tools for protecting consumers’ information. The FTC has brought over 500 privacy and security-related cases, including cases against IoT device manufacturers related to (i) privacy and security of children’s information; (ii) security of devices; and (iii) supply chain management and vendor oversight. The FTC’s enforcement actions send an important message to manufacturers about the need to take reasonable steps to safeguard the privacy and security of IoT devices. At the same time, the FTC has recognized that there is no such thing as perfect security. Rather, security is a continuous process of risk management.
The Commission’s main enforcement vehicle is Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. As explained in the FTC’s Policy Statement on Deception, the FTC Act empowers the Commission to stop companies from making misleading statements or omissions about data security when such material statements or omissions are likely to mislead reasonable consumers. Indeed, the Commission has settled dozens of matters challenging companies’ express and implied claims that they provide reasonable security for consumers’ personal data when they allegedly failed to use readily available, cost-effective measures to reduce data security risks.
The Commission has also used the FTC Act’s prohibition on unfair practices to stop unreasonable data security practices. Under the statute, if a company’s data security practices cause or are likely to cause substantial injury to consumers that is neither reasonably avoidable by consumers nor outweighed by countervailing benefits to consumers or to competition, those practices are “unfair.” The Commission has settled over 20 cases alleging that a company’s failure to reasonably safeguard consumer data was an unfair practice.
The Commission also enforces a number of statutes that have provisions specifically related to data security. The Commission’s Safeguards Rule, which implements the Gramm-Leach-Bliley Act (GLB Act), requires non-bank financial institutions to safeguard nonpublic personal information. The Fair Credit Reporting Act (FCRA) requires consumer reporting agencies to use reasonable procedures to verify that recipients of sensitive consumer information act with a permissible purpose and requires those entities that maintain consumer reports to use safe disposal procedures. Also, the Children’s Online Privacy Protection Act (COPPA) requires website operators to use reasonable security for the personal information they collect from children online.
In the realm of IoT, the agency has brought cases against Vizio and Vtech alleging that IoT providers failed to inform consumers about how their personal information is collected, used and protected. The FTC has also brought cases against IoT companies that allegedly failed to keep consumers’ personal information reasonably secure. Those cases are D-Link, AsusTeK, Trendnet, HTC America, BLU, and Tapplock. In most of these cases, the FTC also alleged that the company claimed its systems were secure, when, in reality, they were not.
All told, these cases set forth key lessons for IoT manufacturers in ensuring that consumers are, first, fully informed about how their personal information is collected, used and protected; and, second, that their personal information is in fact kept secure and that any claims of security are, in fact, truthful.
The FTC alleged that Vtech, a manufacturer of connected kids’ toys, had collected the personal information of children without giving notice to parents and gaining their consent. This, the FTC alleged, violated both COPPA and Section 5 of the FTC Act.
What do these cases teach IoT companies? First, because connected devices do not have a traditional user interface, companies need to consider explaining collection, use, and protection of personal information in ways that will provide users with clear and conspicuous notice about how their information is being collected. Deceptive or confusing user interfaces will not cut it. Consumers must be given clear notice—at point of sale or at time of set-up—as well as clear and conspicuous controls—for example, through management portals or dashboards—to allow them to make choices about how their personal information is collected and used.
FTC cases involving IoT products—such as D-Link (wireless routers and Internet-connected cameras), AsusTeK (routers), TRENDnet (Internet-connected cameras), HTC America (smart phones and tablet computers), BLU (mobile device), and Tapplock (smart locks) —set forth some guideposts to ensure that IoT companies are keeping consumers’ personal information secure. First, the software (device firmware, companion app, backend services) must be secure. Reasonable security means, for example, having a system to receive and address third party information about security vulnerabilities in the products. HTC America, for example, involved a company that allegedly failed to implement a robust process to receive information about vulnerabilities and address them rapidly. Reasonable security also means securing the systems of contractors in the IoT companies’ supply chain, as the BLU case shows. In that matter, involving a mobile device provider, the FTC alleged that the company failed to reasonably oversee the security of its China-based service provider. As a result, this service provider was able to collect the content of consumers’ text messages, real-time location information, call and text logs, and contact list information without consumers’ knowledge or consent. Companies should exercise due diligence when selecting vendors and spell out, in writing, the privacy and security expectations it has for its vendors. Second, the IoT device must transmit data securely. The FTC alleged in D-Link, TrendNet and AsusTeK failures to properly transmit data security. Third, if the IoT device uses APIs, those APIs must be secure.
If an IoT company claims that its product is secure, it had better be the case. Last April, the FTC brought a case against a Canadian company called Tapplock that, the FTC alleged, falsely claimed that its Internet-connected fingerprint-enabled smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users. These smart locks interact with a companion mobile app that allows users to lock and unlock their locks when they are within Bluetooth range. The FTC alleged that, in fact, the company failed to even test if its locks were secure or to implement a security program to help the company discover any vulnerabilities. Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock Tapplock’s smart locks by, for example, unscrewing the product’s back panel or exploiting the unencrypted Bluetooth connection between the app and the lock. Other electronic vulnerabilities prevented consumers from effectively revoking access to their locks and allowed researchers to bypass the account authentication process and access Tapplock user accounts, including their usernames, email addresses, profile photos, location history, and the precise locations of the locks.
Security is an ongoing process, so IoT companies need to have a process for receiving, managing and addressing security vulnerability reports. IoT companies’ products should be able to receive security updates automatically. If automatic updates are impossible, the manufacturer should adopt a uniform notification method for updates and help consumers sign up for notifications about security support (aside from marketing communications). If the IoT company is not going to support the smart aspects of the IoT product beyond a certain date, the manufacturer should state the exact end date and provide that information upfront, preferably pre-sale. For IoT products whose “dumb” aspects could be rendered unusable by this loss of the product’s smart—say, a toaster that no longer works if it loses support for its smart aspects—the manufacturer should tell the consumer pre-sale. Finally, when support is about to end, real-time notifications need to be provided to the consumer.
The Commission has also undertaken numerous policy initiatives to explore privacy and data security issues related to the IoT. For example, the FTC hosted an IoT workshop in 2015 and issued a report about the benefits, risks, and privacy principles that should be applied to IoT devices. In June 2018, Commission staff also filed comments with the NTIA and the Consumer Product Safety Commission relating to IoT, including recommending best practices for IoT manufacturers, such as informing consumers of the security support period for their IoT devices. The Commission’s “Careful Connections” guidance addresses IoT device manufacturers specifically.
In 2017, the Commission held an “IoT Home Inspector Challenge,” a public competition aimed at creating tools (like security update wizards) to protect IoT devices in consumer homes. The top prize went to a software developer who came up with an app that 1) would allow consumers to scan their home WiFi and Bluetooth devices to identify and inventory connected devices; 2) flag those with out-of-date software and other common vulnerabilities; and 3) provide instructions on how to update the device’s software and fix the vulnerabilities.
The FTC has also hosted workshops exploring the privacy and security implications of specific IoT devices (drones, smart TVs, and connected cars). In 2018, the FTC issued a report on mobile device security updates based on information that the Commission collected from eight mobile device manufacturers. Also in 2018, FTC staff issued a report about Connected Cars.
IoT devices can provide significant benefits to consumers, but they also come with unique privacy and data security issues. As the quote at the top of this piece from Steve Bellovin, former FTC Chief Technologist, shows, IoT device manufacturers must recognize that they are selling networked software, not a car, or a toaster or a lock, and “bake in” privacy protections to their products. The FTC’s cases—as well as its policy and education materials —offer a wealth of practical information to assist IoT device manufacturers in ensuring that they in fact protect their users’ privacy.
For more information, check out Tom’s The Internet of Things and the Wired Life program segment, available from PLI Programs On Demand.
Tom Dahdouh is Director of the FTC’s Western Region San Francisco office. He has worked at the FTC for nearly 30 years on privacy, consumer protection and antitrust matters, and has spoken at numerous privacy outreach events.
PLI Programs you may be interested in:
Also available from PLI Press:
To submit an article for consideration, please contact the editor at: firstname.lastname@example.org
This article is published on PLI PLUS, the online research database of PLI. The entirety of the PLI Press print collection is available on PLI PLUS—including PLI's authoritative treatises, answer books, course handbooks and transcripts from our original and highly acclaimed CLE programs.
Sign up for a free trial of PLI PLUS at pli.edu/pliplustrial.