IoT could be a privacy-buster warns FTC
The US Federal Trade Commission has issued a pre-warning warning about the Internet of Things. The FTC says the way the technology looks likely to be deployed potentially presents data security and privacy risks - companies should be aware now and take prudent steps to ensure that deployments and applications of IoT don’t become a problem.
Perhaps the members of the FTC were deeply affected by a visit to this year’s CES in Las Vegas where the ‘buzz’ at the exhibition was IoT all the way. The plethora of gadgets on display was one thing, all claiming to bring always-on connectivity to all manner of home automation and security devices.
But further concern might have been generated had the commissioners listened in to the Samsung CEO, BK Yoon. He was enthusiastic about the upcoming ability to track IoT users and then sell them goods and services. His company would be investing over US$100 million to fund developers and create an open system in IoT, which of course Samsung would be curating and, presumably, harvesting data from.
Whether consumers will want their expensive gizmos to be digital spies, reporting back to Samsung on potential sales opportunities, is something the likes of BK Yoon seem not to have thought of.
The FTC, however, is thinking about it, although it has not fallen into the trap of rushing into rule-making before the risks, and therefore the remedies, can be properly thought through. It doesn’t think the time is yet right for any new laws, but it does see data security and, ultimately, safeguarding privacy as the biggest problems, and it thinks it might be prudent for the companies involved to try to head off any potential problems at the pass. That is, if we believe there will actually be billions of such devices connected by 2020 (Cisco thinks there will be 50 billion connected devices by then), which is still a moot point.
As well as singing from the usual network security hymn-sheet (safeguarding stored data, getting security patches out to devices in a timely manner, etc.), it suggests “data minimisation” as a good preventative strategy. This is where risk is reduced by limiting both the amount of information collected and the period for which it is retained, on the basis that the less that is held, the less will escape if security is breached and the less damage will be done.
Companies, it suggests, could also energetically "de-identify" data so it cannot be linked to specific individuals.
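The two ideas above, data minimisation and de-identification, applied to device telemetry before it is stored, as an added example that is not from the FTC or the article. The field names, the 30-day retention period, the key and the sample events are all constructed assumptions.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions for this example; none of these values come from the FTC or the article.
ALLOWED_FIELDS = {"temperature_c", "firmware"}  # only what the service needs
RETENTION = timedelta(days=30)                  # hypothetical retention period
PSEUDONYM_KEY = b"constructed-demo-key"         # real systems: a managed, rotated secret

# Constructed sample telemetry from two hypothetical thermostats.
SAMPLE_EVENTS = [
    {"device_id": "thermo-001", "owner_email": "a@example.com", "gps": "51.5,-0.1",
     "temperature_c": 21.5, "firmware": "1.2", "timestamp": "2015-01-10T08:17:42+00:00"},
    {"device_id": "thermo-002", "owner_email": "b@example.com", "gps": "40.7,-74.0",
     "temperature_c": 19.0, "firmware": "1.2", "timestamp": "2015-02-20T23:59:01+00:00"},
]


def pseudonymise(device_id: str) -> str:
    """Keyed hash: stable per device, not reversible or guessable without the key."""
    return hmac.new(PSEUDONYM_KEY, device_id.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(event: dict) -> dict:
    """Collect less: keep allowlisted fields, drop direct identifiers, coarsen time."""
    ts = datetime.fromisoformat(event["timestamp"]).astimezone(timezone.utc)
    record = {k: v for k, v in event.items() if k in ALLOWED_FIELDS}
    record["device"] = pseudonymise(event["device_id"])
    record["hour"] = ts.replace(minute=0, second=0, microsecond=0).isoformat()
    return record


def purge_expired(records: list, now: datetime) -> list:
    """Retain less: discard records older than the retention period."""
    return [r for r in records if now - datetime.fromisoformat(r["hour"]) <= RETENTION]


if __name__ == "__main__":
    stored = [minimise(e) for e in SAMPLE_EVENTS]
    now = datetime(2015, 3, 1, tzinfo=timezone.utc)
    for r in purge_expired(stored, now):
        print(r)
```

A keyed hash is pseudonymisation rather than full de-identification: whoever holds the key can still link records to a device, and the fields that remain can allow re-identification when combined with other data.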