Privacy and Security in the coming ‘Internet of Things’

Estimates suggest that there will be 50 billion devices connected to the Internet by 2025

The US Federal Trade Commission (FTC) has released a detailed report on the Internet of Things (IoT), based on a workshop the FTC held in November 2014. A few years ago, we passed one of those milestones that goes unexamined until it pops up in the rearview mirror: the number of ‘Things’ connected to the Internet surpassed the number of people using it five or six years ago. Estimates suggest that there will be 50 billion devices connected to the Internet by 2025: like smart thermostats, smart watches, automobiles, fitness bracelets, and office lighting systems.

Note that the orientation of the FTC toward consumer protections means that they focused on consumer use of the IoT, and specifically avoiding the business use of such devices. However, I intend to extrapolate on their findings in the business setting, for several reasons. First, people at work are likely to be bringing their ‘Things’ to work, so we can expect the same consumerization of work trends that have upended business already to continue. Secondly, especially in small and medium sized business, we can expect that consumer products — like smart environmental solutions and employee geo-tracking, as just the most obvious examples — will be applied in the work setting.

The workshop participants noted a number of risks to consumers:

  1. enabling unauthorized access and misuse of personal information
  2. facilitating attacks on other systems
  3. creating risks to personal safety.

The participants wrangled over how Fair Information Practice Principles (FIPPs) should apply to the IoT, and in particular four FIPPs:

  • Security — It is hoped that vendors will build security into their offerings, including assessment and test of security provisions, minimizing data collection and retention, exhaustive training of employees in security provisions and best practices, and vendors should build on services that provide systemic security controls. Along with setting access controls that limit unauthorized people from accessing consumer data, device, or networks, vendors will need to continuously monitor their products across their lifecycles.
  • Data minimization — This FIPP is based on the premise that vendors should limit the amount of data they collect and retain, and hold onto it for the shortest possible time. Obviously, large data stores are attractive to cyber criminals, both inside and outside the vendors’ workforces. Likewise, large data stores increase the chance that the data will be used in ways that the consumers don’t expect. Whenever the principles of data minimization cannot be followed, the next FIPPs come into play.
  • Notice and Choice — The complexities of IoT involve large amounts of data being collected from various devices, many of which may have limited or no direct user interfaces, and this makes setting user expectations difficult. In the FTC’s 2012 Privacy Report, the FTC stated ‘companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer’. The workshop participants agreed that this holds with the IoT, too, because reasonable use of the devices means that use of the data lines up with consumer expectations. There are likely to be a broad spectrum of acceptable notice and choice approaches, given the broad range of devices, apps, sensors, and networks involved. The motivating guideline should be to provide the consumer with information in a format that is readily accessible, and not buried in the small print of a 150 page document. Any use that is ‘inconsistent with the context of the interaction (i.e., unexpected), companies should offer clear and conspicuous choices’.

The workshop participants do not agree on the place of legislation in IoT, with some for and others against. Principally that is because the industry if relatively immature, and until best practices are defined and explored legislation may be premature.

This does not mean that the FTC is backing away from the principles of privacy and security detailed in the 2012 Privacy report, but because the Commission can only take action when vendors are involved in deceptive or unfair business practices. The FTC IoT workshop participants and staff restated their recommendations that ‘Congress enact broad-based (as opposed to IoT-specific) privacy legislation. Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices.’

My bet is that the general shape of privacy and security provisions in the consumer marketplace will likewise form the background of how these technologies are used in the workplace, principally because of the consumerization of work. Employers will want to take advantage of the devices that employees may already be using — like smart watches, fitness sensors, and the like — as well as work specific devices, sensors, and networks.

As just one example consider the likely application of Apple’s Healthkit in hospitals. Reuters recently reported that of 23 leading hospitals questioned, 14 have started pilot programs with Healthkit, so that patients can be monitored for various medical reasons.

The ubiquity of iOS and Android will mean that these sorts of targeted IoT solutions from vendors like Apple (working with partner IBM), Google, and Samsung will potentially go from next to nothing to almost total saturation in the next few years. Therefore, the FTC’s guidance is immensely important, and timely.

This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. I’ve been compensated to contribute to this program, but the opinions expressed in this post are my own and don’t necessarily represent IBM’s positions, strategies or opinions.

Work ecologist. Founder, Work Futures. The ecology of work and the anthropology of the future.

Work ecologist. Founder, Work Futures. The ecology of work and the anthropology of the future.