FTC On IoT: Attempting To Rein In The Wild West (of Things)

When it comes to IoT, the possibilities seem endless, along with the security issues. In PYMNTS’ March Internet of Things Tracker, sponsored by Intel, we interview FTC Commissioner Terrell McSweeny about the FTC’s role when it comes to IoT, which they consider to be a big deal. The Tracker also highlights the moves of 51 IoT players (including 10 new additions), as well as the latest notable news spanning the IoT ecosystem.

To put it in terms of things, things are rocky when it comes to security, privacy and the Internet of Things (IoT). In many ways IoT is the Wild West of connected technology. The creation of regulation and development guidelines, which have the potential to foster the creation of safer, more secure products, is a tall order.

But not only are government efforts underway to create and enforce IoT regulation, perhaps somewhat surprisingly, the premier consumer protection enforcer, the Federal Trade Commission, wants privacy and security practices to be a good thing for both consumers and the IoT space itself.

PYMNTS caught up with Terrell McSweeny, the Commissioner of the FTC, immediately following her Innovation Project 2016 roundtable, to talk about IoT and how the FTC’s mission – namely, to protect consumers – is extending into the space.

Consumers in the driver’s seat

Consumer adoption drives IoT development. And consumer trust, McSweeny said, is at the core of the FTC’s focus on IoT. Consumer adoption of products is based on trust, she said. Trust, because for IoT to work as designed, it requires user data to feed upon. The relationship between consumer and connected things breaks down when there’s a privacy or security breach, which inevitably becomes a breach of trust. “It’s one thing to give up my privacy to you as a company about certain information I may be sharing,” she said. “It’s a completely different thing to a consumer when you don’t secure my private information. And I think that’s the thing that people really get upset about.”

The role of the FTC when it comes to IoT, McSweeny said, is to “protect consumers from bad consequences of being tricked or unavoidable bad security practices.” Although consumers can do their homework, she said, by trying to understand a product from its website or reading Consumer Reports or other reviews, it’s not possible for a consumer to become completely knowledgeable, especially when attempting to research products that are so new.

“You can’t know, if you’re a consumer, what the data security practices are of a company,” McSweeny said. “You have to assume that they’re good, because how are you going to figure that out?” The FTC’s role, she said, is to figure it out for the consumer. And to do that, they are studying the industry and, she said, “We also engage in the conversation around what choices, what context, how transparent do you need to be with consumers about how your information is being used?” To demonstrate her point, McSweeny turned to the example of mapping apps. “Do consumers like the convenience of using a mapping app that knows location information and everybody else’s so you can understand where the traffic jams are? Absolutely. And, I think, they are willing to trade their data. I think the question then becomes, how much do they need to know about where that data will end up?”

For what it’s worth, McSweeny herself sees a lot of value in the IoT space. “The innovation in health care, the innovation in transportation, energy efficiency – there are some really terrific new products that we’re going to be using, but also new ways in which data flowing from them are going to provide new tools that are going to be revolutionary.” It’s the risks, she said, referring to the ripple effect of insecure products, which has the potential to be very serious.

So how exactly does this ripple effect occur? First, there’s obviously the omnipresent risk of personal information being hacked. But it’s more than just personal information, McSweeny said. “As we fill our lives with connected devices, we are filling our lives with things that can create vulnerabilities,” she said. “There are risks associated at the edge of devices being hijacked, being used to attack systems, that could have far more severe consequences as well.” Take for example, she said, a “bunch of connected meters being taken over somehow and then launching an attack – a DDoS attack – on a network, on a grid, and shutting down a grid; that’s a serious consequence.” These same types of risks, she said, exist around connected technology related to health care and even connected cars, which puts public health and safety at risk.

“Data Ethics By Design”

The FTC, McSweeny said, doesn’t prescribe what technology companies need to use to secure consumer data. They are, however, decidedly pro-encryption. “We don’t say you need to use encryption, but we suggest in some of our material that encrypting data, at rest or in transit, is a really good way of securing consumer information. And it is.”

When it comes to the uproar around the San Bernardino iPhone encryption case, she noted that it is a high-profile case that “has catalyzed a broader policy discussion about how we get the balance between the security of a device and law enforcement right. And that’s a really important conversation and it’s really important that we get that balancing correct.” McSweeny continued to explain, “One of the things that I think needs to be appreciated when you’re weighing the scales here is the consequence to consumers of weakening their data security as we adopt more and more connected devices in our daily lives. It’s an enormous consequence. So I’m deeply concerned about attacks on encryption or chilling innovation in better security, because it’s going to really undermine consumers being able to trust all of these IoT products and it’s going to undermine the innovation there.”

The conversation around San Bernardino, McSweeny said, is at its core about “data ethics.” And, she noted, the FTC has created initiatives called Privacy by Design and Start With Security, intended to help guide business on best data security practices. “I like to think of it as data ethics by design,” she said. “So you see companies that are making choices about who is going to get to use their data and how it’s going to be used based on making sure that they want to protect consumers from unanticipated uses of their data.”

If a backdoor is opened to the San Bernardino iPhone, she said, it will ultimately affect the IoT ecosystem negatively. “The cars that we’re driving, the sensors in our homes, the thermostats that we’re using, the wearables that we’re wearing, the medical devices that are keeping us alive, are really hardened,” she explained. “And if we weaken that because our reaction at the policy level is to pass a law mandating backdoors, that’s a disaster for consumer data security and I don’t think it’s going to be a good thing for the IoT space.”

Adapting for the unknown

It’s in the best interest of IoT companies and developers to protect consumers, McSweeny said, because it’s not just the right thing to do, but it’s also a beneficial business investment. She used the auto industry as an example. “When we saw high-profile hacks of cars last year, one reaction from the auto industry was to say, ‘we ought to outlaw hacking of cars.’ And the other reaction, also from the auto industry, was to say, ‘Wow, we better work with hacker platforms to vulnerability test our products.’ I think the latter is a more efficient security investment because I think bad actors are going to act, especially against high-profile consumer targets like cars.”

Passing a law isn’t going to stop bad practices, she said, but incentivization to adopt security measures can. “When you’re kind of crowdsourcing the testing of your product, you get the benefit of the learning from the crowd and the information from the crowd,” she said. “I see the movement towards bounty programs or hackathons or conferences or that kind of thing and trying to work with the security researcher community as a really positive step in the space and an important one.”

In order to spread the gospel, McSweeny explained that the FTC is growing its technological capabilities accordingly. “Last year we announced the formation of our Office of Technology Research and Investigations, which is housed not just by investigators and lawyers doing enforcement, but also technologists. So we have our own in-house capabilities to test some of the products and practices that we’re taking a look at,” she said. “It’s absolutely essential, if we’re going to be an enforcement agency protecting consumers’ data security, privacy or from new FinTech practices or whatever it is that we understand the technology as a key part of the case. And having people that are not just tech-savvy but literally are technologists is very important for that.”

McSweeny went on to say that the FTC has been recruiting from all over the place. “I went to DEF CON and Black Hat last year and made a pitch to have hackers come work for the FTC,” she said. And she thinks the pitch is compelling. “I think because the FTC has this mission that’s really aligned with all of us, because we’re all consumers, it’s a kind of interesting place for people to work. We’ve really been able to entice people to come do a bit of public service and help protect people.”

When asked if there was a ping-pong table in the FTC offices, McSweeny acknowledged that there is not. “It’s the government,” she said, adding, “there is a tradeoff.”

