FTC Chairwoman Edith Ramirez takes the stage at CES to caution vendors in the hot IoT space to bake in security and privacy controls, and to give users options to limit data collection.

Credit: REUTERS/Gary Cameron

Vendors developing products in the broad and fast-growing area of Internet-connected devices need to embrace security by design and adopt meaningful policies to limit data collection and provide users with meaningful notice and choices about how their information is used, according to the nation’s top consumer protection regulator.

In remarks at the annual Consumer Electronics Show in Las Vegas, Federal Trade Commission Chairwoman Edith Ramirez touted the potential of the so-called Internet of things — encompassing wearable health monitors, networked household appliances and everything in between — but cautioned that those devices can pose a threat to consumer privacy if manufacturers and service providers don’t include adequate protections.

“There’s no question that the Internet of Things (IoT) has the potential to transform our daily lives,” Ramirez says. “It has the potential to provide enormous consumer benefits, but it also has significant privacy and security implications.”

FTC on Lookout for Companies That Misrepresent Security and Privacy Practices

The IoT is a hot topic at this year’s CES, where vendors from around the world are showcasing apps and devices that aim to advance healthcare, energy efficiency and smart cities, to name just a few. But it’s also an area that the FTC has been scrutinizing closely, including settlements in the last year involving alleged privacy violations against security-camera maker TRENDnet and SnapChat, a mobile messaging app.
The commission has long been on patrol for companies that misrepresent their security or data-collection and usage practices, and in the industry’s rush to network previously standalone devices, Ramirez is warning IoT vendors to tread carefully.

“Connected devices are effectively allowing companies to digitally monitor our otherwise private activities,” Ramirez says. “This pervasive collection inevitably gives rise to concerns about how this data will be used.” She points to “ubiquitous data collection” and the potential for consumers’ information to be used or shared in ways they would not expect as particular areas of concern, along with the worry that manufacturers and service providers aren’t adequately securing the data they collect.

Vendors Need to Adopt Security by Design for IoT

Ramirez is urging vendors to adopt a “security by design” approach as they develop Internet-connected devices, though experts note that many of those products, particularly those marketed as inexpensive and intended for widespread deployment, can be a challenge to secure.

“The small devices are sort of a problem. You have limited capabilities in terms of computation,” says Joseph Lorenzo-Hall, CTO at the Center for Democracy and Technology, a Washington digital rights group. “Some of them are meant to be very disposable and lightweight, which is going to be difficult to maintain and make a business case and do security upgrades for.”

Some observers advise that the common development approach in the tech industry — pushing a product quickly out to market, then following up with patches and other updates — might no longer apply in an IoT world, particularly when networked systems are appearing in people’s homes and cars, where a digital security risk can quickly become a physical one.

Embedded sensors and other small IoT devices also raise another challenge as far as the FTC is concerned.
Ramirez cautions firms to adopt data minimization policies that limit the types of information they collect, and to shorten the amount of time they hold onto it. “Data that hasn’t been collected or has already been destroyed can’t fall into the wrong hands,” she points out.

In addition to data minimization policies, the FTC is appealing to IoT vendors to improve the way that they provide consumers with notice about how their data is used and shared, and then to offer tools allowing consumers to turn off certain types of information collection and sharing.

“This means notice and choice outside of lengthy and convoluted privacy policies and terms of use,” Ramirez said. “Companies are investing billions of dollars into this new industry. They should also be making appropriate investments in privacy and security — the stakes are too high to do otherwise.”