U.S. Federal Trade Commission report: The Internet of Things

In January 2015, the U.S. Federal Trade Commission ("FTC") has released a report summarizing recommendations stemming from a workshop that addressed the privacy impact of the Internet of Things. On a basic level, the Internet of Things refers to the ability of everyday objects to connect to the Internet, collect data via sensors, and send and receive data to and from other surrounding objects. Internet-connected cameras that allow you to post pictures online with a single click, home automation systems scheduled to control temperature and lighting, fitness bracelets programmed to share running distances with friends and the Apple Watch, which seamlessly connects to your phone, monitors your health, plays music and allows you to use it as a payment device, are all examples of the Internet of Things.

The report, entitled The Internet of Things: Privacy and Security in a Connected World, cites some of the following surprising statistics regarding interconnected devices:

• In 2011, the number of "things" connected to the Internet surpassed the number of people;
• There were 25 billion connected devices in 2011 and an estimated 50 billion will be connected by 2020;
• There are currently 3.5 billion sensors in the marketplace, estimated to increase to trillions within the next decade; and
• Mobile data traffic will exceed fifteen exabytes each month by 2018 (one exabyte of storage is described as capable of containing 50,000 years worth of DVD-quality video).

The report focuses on both the benefits and risks of the Internet of Things. Benefits include cost-savings and efficiency advantages to the health care, energy and transportation sectors as well as significant improvements in safety (e.g., real-time vehicle diagnostics). Nonetheless, despite significant benefits, privacy and security present the biggest risks concerning the Internet of Things.

According to the report, 150 million discrete data points can be generated by fewer than 10,000 households using interconnected devices per day (one data point every six seconds for each household). Large data sets may result in the collection and disclosure of personally identifiable information and behaviour patterns. Moreover, such information and behaviour may be collected and used by third parties without the knowledge or consent of the affected individuals (e.g., data collected by a fitness tracker device may be used by insurance companies to price health or life insurance). Security vulnerabilities present in interconnected devices may facilitate attacks on other connected systems, create risks to personal safety and increase the risk of unauthorized access and misuse of personal information, including the use of historical data to make credit, insurance and employment decisions.

In minimizing these risks, FTC workshop participants debated how the Fair Information Practice Principles should apply to such devices and developed the following recommendations:

1. Security: Companies should adopt a "security by design" approach to data security for interconnected products. This means proactively incorporating security measures into a device at the outset rather than as security issues arise.
2. Data Minimization: Data collection and retention should be limited. Data minimization helps to mitigate against data breaches and mitigate against the risk of the data being used for an unauthorized purpose. Companies should also consider whether data can be collected and maintained in de-identified form.
3. Notice and Choice: Consumers should be notified and offered privacy choices with respect to unexpected uses of their data (e.g., privacy choices built into device's initial set-up wizard, opt-in choices at the time of purchase, video tutorials on privacy choices and settings, and links and QR codes directing consumers to a webpage setting out data practices and privacy choice selections).
4. Legislation: Specific legislation governing interconnected devices is premature, however, there is a need for broad, adaptable technology-neutral federal legislation which includes effective data breach notification mechanisms and the authority to issue rules and seek civil penalties from companies that violate the law.

In Canada, the Office of the Privacy Commissioner of Canada ("OPC") has recognized the need to examine the privacy and security risks associated with interconnected devices. In September 2014, the OPC listed "the internet of things" as an emerging privacy issue and topic of interest in its call for proposals under the 16-Contributions Program. In May 2014, during his Remarks at the Information Security Rendez-vous (ISR) 2014, Daniel Caron, legal counsel with the OPC, questioned the robustness of PIPEDA to deal with the challenges associated with interconnected devices.

The FTC Report, while helpful in illuminating the broad issues surrounding the Internet of Things, does not undertake a detailed examination of the practical and technical issues which make it difficult to implement the FTC's suggested best practices. While the FTC does urge further self-regulatory efforts on the Internet of Things, along with enactment of data security and broad-based privacy legislation, it remains to be seen how exactly the Internet Things will be regulated to protect consumer privacy given the vast array of technologies, industries and data that make up the Internet of Things infrastructure.

The full FTC report can be found here.