Lawmakers and regulators in D.C. are focusing on the fast growing and soon ubiquitous space of the Internet of Things (IoT). Earlier this month, the U.S. Senate Committee on Commerce, Science, and Transportation held a full committee hearing on IoT, where both Republican and Democratic Senators deliberated the right balance between privacy, security, and innovation. Weeks prior, the Federal Trade Commission (FTC) released a report on IoT recommending concrete steps to ensure the protection of consumer privacy and security. The question remains whether regulation and standards will address these complex legal and policy questions without undermining the potential of IoT.
The hearing entitled the “Connected World: Examining the Internet of Things” included testimony from Michael Abbott, Justin Brookmarn, ,Lance Donny, Douglas Davis and Adam Thierer. Senate Chairman John Thune (R-SD) opened the floor by saying “the IoT may be the most important technology trend today” and invited committee members to act with regulatory humility in the name of innovation and growth. Meanwhile Senator Bill Nelson (D-Mass) focused on privacy and security threats in the IoT, where regulation can offer an answer. Some concrete areas where lawmakers have introduced or see potential for introducing new legislation include:
- Senators Kelly Ayotte (R-NH) and Jerry Moran (R-KS) proposed exploring legislation focused on data security and data breaches;
- Senators Edward J. Markey (D-Mass.) and Richard Blumenthal (D-Conn.) announced the introduction of legislation that focuses on establishing federal privacy and security standards for connected cards – See the report Tracking & Hacking Security & Privacy Gaps Put American Drivers at Risk
- Senator Amy Klobuchar (D-Mo.) discussed the Driver Privacy Act, which “ensures personal privacy of automobile data recorder information.”
- Senator Corey Booker (D-NJ) announced that he and Senator Marco Rubio reintroduced the Wi-Fi Innovation Act. Also Senators Nelson (D-FL) and Steve Daines (R-MT) mentioned that more spectrum re-allocation is needed.
- Senator Ayotte talked about the FTC’s reach in regulating the IoT
In his testimony, Douglas Davis mentioned the role of encryption in IoT, as did members of the Committee. In particular, Davis said that while encryption would help secure IoT, it would not be a panacea. As the committee considered a variety of issues related to IoT, one distinct aspect of this hearing was its non-partisanship. In fact, Adam Thierer dedicated a blog post to this very issue.
The hearing came right after the FTC released a report based on input gathered from technologists, academics, consumer advocates, and industry stakeholders who participated in the November, 2013 FTC’s IoT workshop. The FTC’s report provides recommendations that range from the adoption of strong data security, best practices, such as “security by design,” and data minimization to adoption of broad-based privacy legislation. While the FTC’s report does not recommend IoT-specific legislation, it does reiterate “its previous recommendation for Congress to enact strong, flexible and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach.” Also the report recommends the Commission adopt broadband privacy legislation; “such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices.”
Republican Commissioner Joshua Wright dissented from the issuance of the FTC’s report, raising concerns about the lack of analytical content, “strong cost-benefit analysis” on recommendations such as broad-based privacy legislation and security by design. Furthermore, Wright notes “although agency recommendations regarding industry best practices do not carry the force of law, there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adapt such recommendations as actionable.” His republican colleague Commissioner Maureen Ohlhausen on the other hand voted to approve issuance of the report, but disagreed with two of the staff recommendations:
- She objected to the recommendation on baseline privacy legislation on the grounds that the FTC’s section 5 authority to regulate “unfair and deceptive practices” has already given an active role to the FTC in enforcing privacy and data security violations;
- She objected to the report’s embrace of an approach on data minimization that embodies what she called the “precautionary principle.
Finally, she argues the report misses the opportunity “to explore fully the tension between information technology (including IoT) and the Fair Information Practice Principle (FIPPs) approach to protecting consumer privacy,” pointing out that the report fails to address relevant points that were found on the Whitehouse and PCAST reports.
It is not a coincidence that these events occurred one after the other; in fact, during the hearing the committee discussed the FTC’s role in regulating IoT. For instance, Senator Ayotte noted the ambiguity of Section 5 of the Federal Trade Commission Act to regulate “unfair and deceptive practices.” Regardless, whether or not the FTC has the authority to prosecute and enforce in the area of the IoT, it is clear that Republican Commissioners are paying close attention to the appropriate use of cost-befits analysis that justifies its enforcement intentions while avoiding constraints on the companies’ ability to take advantage of these technologies.
In sum, while the first Senate hearing dealt with a variety of issues regarding the IoT the predominant theme continues to be the question of how to ensure data safeguards, while resisting the urge to over regulate. What is at stake is huge, and as Senator Thune wisely recognized consumers and entrepreneurs should decide where IoT goes, rather than policymakers.