With a proliferation of Internet-of-Things products set to saturate the market, what privacy and security obligations should companies follow during the lifecycle of their device? How long is a company obligated to provide security updates to their “smart toaster”? Can it be considered a deceptive business practice if the digital calendar embedded in a “smart refrigerator” stops working after four years, when the average fridge lasts 10 years?
These were some of the questions asked by Andrea Peterson, a reporter for The Washington Post, and tackled by FTC Commissioner Terrell McSweeny and security researcher Ashkan Soltani at the Global Privacy Summit this week. “This issue is flagged in our Internet-of-Things report,” said McSweeny, “But consumers will not be delighted if products that used to last 10 years now only last four. We need to have a conversation about this.”
Out-of-date IoT devices also pose a security vulnerability, even if it’s a low-level one, Soltani pointed out. “The presence of a smart light bulb can be a stepping stone into a private network. It’s not just a risk of harm to individuals, it adds to security pollution,” he said. Soltani likened the low-level security risks to an overall polluted networked environment. Such an ecosystem could have a broader negative effect on all kinds of networks.
Soltani, a former chief technologist at the FTC, also argued that a shorter shelf life for products - where customers traditionally would expect longer ones - could be considered deception. “I’m not aware of any self-regulatory efforts on disclosing to consumers how long the product is expected to work or be compatible” with the Internet or cloud, he said. “Until that self regulation comes out, the FTC has a role to play here.”
The panel discussed the way security researchers have already demonstrated the vulnerabilities found in connected cars by hacking into a Jeep and taking over its controls, including its steering wheel and brakes. As a result, Chrysler-Fiat issued the first-ever recall of an IoT product because of a security vulnerability.
“I’ve been vocal on the fact that the auto industry needs to learn what technology companies already do by working with white hat hackers,” McSweeny said. “The criminalization of hacking is a bad response. A good response is to learn how to work with the white hats.”
“This is a huge conversation that we’re going to have over the next couple of years,” she added.
Could requiring companies to follow extra rules to ensure a connected product lives up to traditional shelf life expectations chill innovation? McSweeny doubted it. There are plenty of ways the FTC can help influence business practices – outside of Section 5 enforcement – through letters to companies pointing out potential issues. “I think brands are going to care about the experience their customers have,” she said. Plus, if a “connected tea kettle” isn’t functional, people just won’t buy the product. The market will determine the viability of it.
The proliferation of IoT devices is also creating regulatory gaps, according to Soltani. For example, the Federal Aviation Administration has said it will not regulate for privacy with drones. “Government agencies need to coordinate better as they relate to security and privacy,” he noted.
McSweeny offered the FTC as a good resource for other agencies getting into privacy regulation. “There are agencies without the necessary expertise,” she said, “this is something the FTC can help with and share our expertise.”
Soltani went further and proposed that the federal government should create a new federal technology commission. Technologists would comprise the agency and would work across all federal government agencies. He also said the next presidential administration should build upon the technological advances made by the Obama White House. For example, he said it should offer other agencies APIs on which they can build apps for government use.
For now, though, the FTC is clearly in the driver’s seat in the data security realm, and consumers want more privacy and security built into their products. The move by WhatsApp to extend end-to-end encryption to its one billion users is one such example. “I’m happy that companies are competing on privacy,” Soltani said.
His next move? He said he aims to help the film and television industries flesh out technological issues on screen. “I want to help them create accurate portrayals of hacking” and other security issues because popular culture can have such a strong effect, not only on popular perception, but on national policy as well.
He cited the Reagan-era movie War Games and its direct effect on federal policy. The 1983 movie, in which a teenager hacks into NORAD, setting off World War III, caught the attention of then-President Ronald Reagan. As a direct result, 15 months later, Reagan signed NSDD-145, the “National Policy on Telecommunications and Automated Information Systems Security,” to help prevent such an intrusion.
“War Games changed hearts and minds,” Soltani said.