Out-Law News 2 min. read
07 Jan 2015, 12:17 pm
Speaking at the Consumer Electronics Show in Las Vegas (8-page / 52KB PDF), Edith Ramirez, chair of the Federal Trade Commission, said that whilst the IoT "has the potential to provide enormous benefits for consumers" it also "has significant privacy and security implications".
Ramirez said data generated by connected devices can be "highly personal" in nature, and said the privacy risks associated with the collection and use of the data "undermine consumer trust" and could therefore impinge on "the widespread consumer adoption of new IoT products and services".
To address the issue of "ubiquitous data collection", she said businesses should strive to collect the least amount of personal data necessary and "de-identify" that information "where possible".
"Companies should collect only the data needed for a specific purpose and then safely dispose of it afterwards," Ramirez said. "Data that has not been collected or that has already been destroyed cannot fall into the wrong hands. Collecting and retaining large amounts of data greatly increases the potential harm that could result from a data breach."
"We often hear the argument that to realise the benefits of big data, businesses should not face limits on the collection and retention of data because the value lies in its unanticipated uses. But I question the notion that we must put sensitive consumer data at risk on the off-chance a company might someday discover a valuable use for the information. I agree that we need more dialogue on acceptable and unacceptable uses of consumer data. But I continue to believe that reasonable limits on data collection and retention are a necessary first line of protection for consumers," she said.
Ramirez said businesses need also need to explain to consumers how their data could be used so as to obtain their consent to that data use. This means giving consumers "clear notice" and "simplified choices for unexpected collection or uses of their data", she said.
"Consumers should be given clear and simple notice of the proposed uses of their data and a way to consent," Ramirez said. "This means notice and choice outside of lengthy privacy policies and terms of use. I recognise that providing notice and choice in an IoT world is easier said than done. Connected devices may have little or no interfaces that readily permit choices. And we risk inundating consumers with too many choices as connected devices and services proliferate. But in my mind, the question is not whether consumers should be given a say over unexpected uses of their data; rather, the question is how to provide simplified notice and choice."
"I am confident that the same ingenuity, design acumen, and technical know-how that is bringing us the IoT can also provide innovative ways to give consumers easy-to-understand choices," she said.
In her speech, Ramirez also warned of the threat of IoT devices being "hijacked" by online hackers if security features are insufficiently strong. She called on businesses developing IoT devices to consider device security when designing those products.
"Specifically, companies should: conduct a privacy or security risk assessment as part of the design process; test security measures before products launch; use smart defaults – such as requiring consumers to change default passwords in the set-up process; consider encryption, particularly for the storage and transmission of sensitive information, such as health data; and monitor products throughout their life cycle and, to the extent possible, patch known vulnerabilities," Ramirez said.
"In addition, companies should implement technical and administrative measures to ensure reasonable security, including designating people responsible for security in the organisation, conducting security training for employees, and taking steps to ensure service providers protect consumer data," she said.