New FTC report: a sneak preview of the coming regulated IoT

fcctemp
The US Federal Trade Commission (FTC), in a January, 2015 staff report titled 'Internet of Things: Privacy and Security in a Connected World', gives us a first glimpse of how Federal consumer protection policy for the IoT is likely to shape up.

The report warns of new risks, and familiar but amplified risks, stemming from the massively expanded attack surface that the IoT's billions of sensors and other networked devices - along with the copious amounts of data that they'll produce - will bring. Major areas of concern include:

  • Threats to personal safety and property - hackers disabling household locks, changing the settings on medical devices, commandeering cars, crashing drones into crowds of people, etc.
  • Harvesting and misusing personal information - everything we've been hearing about Internet privacy violations for the past few years, now coming to you on steroids. New and widely varied data sources - from sensors, for example - along with advances in data science, will allow marketers, cybercriminals, and other actors both friendly and otherwise, unprecedented insights into the attitudes and behavior of individuals. We're looking at a real double-edged sword here.
  • Compromised IoT devices, leveraged to launch attacks against consumer networks. Compromised consumer networks, leveraged to launch attacks against other networks. We've already seen cases of kitchen appliances being pressed into the service of botnets. That's just the beginning.

The FTC notes that these risks might be exacerbated by vendors who don't understand the security ramifications of their IoT-enabled products, maybe due to inexperience (washing machine vendors never had to worry about cyber attacks before). Or, who are focused on marketing inexpensive products to the point that they believe basic security controls - the ability to patch a sensor's firmware when a vulnerability is found, for example - can't be economically built into the product.

Not surprisingly, the FTC recommends that security be taken into account when designing, building, and operating any IoT-enabled system, and recommends the following:

  • Reasonably limit collection and retention of consumer credit information ("data minimization").
  • Build security into products from day one by conducting initial risk assessments, designing the products according to data minimization principles, and testing security controls - before taking them to market.
  • Give security training to employees, and make sure security issues are addressed at the appropriate level of responsibility in the organization.
  • Retain service providers that are capable of maintaining reasonable security and oversight.
  • Implement a defense-in-depth strategy for systems where material risks are found.
  • Limit access to information systems (relating both to the product and the manufacturing organization) to authorized individuals.
  • Monitor products for vulnerabilities throughout their life cycle, and patch known vulnerabilities if possible.
  • Give heightened attention to security if the product poses physical security or safety risks, collects personal information, or connects to other devices/networks in a way unauthorized access is possible.

On the privacy front, the FTC'S basic expectation is that vendors and operators will communicate their customer's privacy options to them both clearly and prominently - not buried in fine print somewhere. Some possible approaches on how to do this are suggested, including:

  • Setup wizards that provide privacy information.
  • Video tutorials to guide consumers through privacy settings.
  • Privacy information sent to customers via text or email while, or immediately after, the product is being configured.
  • QR codes attached to the product which, when scanned, would take the customer to a website with privacy information.
  • "User experience hubs” that store data locally and learn the customer's privacy preferences based on prior behavior.

Finally, the report calls for "strong, flexible, and technology-neutral" Federal legislation that would strengthen the FTC's ability to enforce cyber security policy in its domain, including mandatory notification by vendors and operators to affected consumers in the event of a data breach.

My take on the report? It's a landmark document and a positive first step. It acknowledges (at a high level) the IoT's key risks, and the need to protect consumers against them. The FTC does fall short here of taking a firm stance on privacy, beyond the very broad notion of data minimization. So the $64,000 question of how those petabytes of IoT-generated data will be throttled remains wide open. As the IoT develops and matures, I have a feeling that the FTC is going to be busy - really busy - dealing with this.

If you're a vendor or operator in the IoT space, I'd definitely recommend downloading the report here and incorporating it into your product thinking. But don't stop there. Good security - the kind that will protect your company's reputation and revenues when push comes to shove - never comes from just following compliance requirements to the letter. Especially when they're as high-level as this document. Go the distance, do your own risk assessments, hire qualified security help, and build an appropriate level of security into the DNA of your IoT-based products. That way, you'll be building a positive feedback loop of trust for both your company and the whole consumer IoT industry, at the same time.

A version of this post appeared originally on Peerlyst.