The FTC has weighed in on privacy and security and the Internet of Things (IoT) in a report published on 27th January 2015. When it comes to IoT and devices that connect to the internet, the FTC will focus on:

  • Enforcing privacy laws
  • Educating consumers and business on privacy and security for connected devices
  • Participating in multi-stakeholder groups such as the NTIA’s team considering guidelines for facial recognition, and
  • Advocating with other agencies, at the state level, and with courts.

The report summarizes input received in an FTC workshop conducted in November 2013 with IoT industry experts, and offers recommendations in the areas of security, data minimization, notice and choice (to consumers), and privacy legislation. That workshop convened four panels, covering the smart home, connected health and fitness, connected cars, and an overall privacy/security discussion.

It’s useful to call out the definition of IoT used in this report: IoT refers to ‘things’ such as devices or sensors that connect, communicate or transmit information with or between each other through the internet. (This definition does not include computers, smartphones or tablets.)

Many benefits (and especially health benefits) can emerge from the IoT: the report speaks to connected devices for glucose management that enable people with diabetes to better manage health; preventing re-admissions to a hospital or long-term care facility through real-time information collection; and medication adherence management.

Where there are benefits there are attendant risks, and the report enumerates many: one health-related risk concerned security breaches where data “leakage” could lead to insurance companies setting health premiums for an individual based on their breached personal information, for example.

Some 87% of consumers are concerned about the type of data collected through smart devices according to the 2014 TRUSTe Internet of Things Privacy Index, the report notes.

Health Populi’s Hot Points: “Whether it is a remote valet parking assistant, which allows drivers to get out of their cars and remotely guide their empty car to a parking spot; a new fashionable bracelet that allows consumers to check their texts and see reviews of nearby restaurants; or smart glucose meters, which make glucose readings accessible both to those afflicted with diabetes and their doctors, the IoT has the potential to transform our daily lives,” FTC Chairwoman Edith Ramirez told attendees of the 2015 Consumer Electronics Show during a session on regulatory issues in consumer electronics on January 6, 2015.

Ramirez went on to note 3 steps companies should take to promote consumer privacy and security and build trust in IoT:

  1. Adopt security by design
  2. Engage in data minimization
  3. Increase transparency and provide consumers with notice and choice for unexpected data uses.

Each one of these has particular relevance for health and health care. Security by design should begin during health device/tool conception, bringing consumer perspectives into the user-centered design process early and throughout the iterative process. Data minimization in health means that only the key bits of data needed to manage the health process or objective should be collected, to mitigate the risk of huge data mines falling into the wrong hands and being misused. Notice and choice in health should translate into simplified choices that consumers understand and opt into quite clearly and explicitly.

It may be inevitable that 2015 will be the year for a major data breach, as noted by Frost & Sullivan in their 2015 health care forecast. The FTC will keep a watchful eye on developments in the IoT in health, and a much heavier hand could be played if industry stakeholders don’t make “careful connections” in building the IoT. Interestingly enough, that’s the title of the FTC’s publication targeting small businesses keen to be part of the IoT economy.