FTC says data and privacy are top security concerns
Policy makers, academics, and innovators came together last week to discuss “Security, Privacy and the IoT: A Policy Perspective” at the second annual Security of Things forum hosted by The Security Ledger and Christian Science Monitor Passcode in Cambridge, Mass.
Julie Brill, commissioner, Federal Trade Commission (FTC), said “The state of things in Washington around policy for IoT is a schizophrenic approach.” Brill recognized the opportunity for improving lives in terms of health and transportation, but also noted that there are privacy concerns that need to be addressed.
“Everyone wants to ensure that there is the opportunity for innovation to flourish, but there is also a desire to ensure the intimate collection of information is protected,” Brill said. For the FTC, the trick to creating policy is that they have to take an approach that allows for continued development and invention but also provides for the security of data and the security of privacy.
“Job number one,” Brill said, “is the security of privacy.” Referencing a 2014 study by Hewlett Packard, Brill noted that 90 percent of connected devices are collecting personal information and 70 percent of that information flows over unencrypted networks.
Because privacy is important, Brill said, “We need to figure out how to deal with security issues when addressing privacy issues.” Patching vulnerabilities doesn’t necessarily make a device or the data it collects more secure.
For larger companies, the idea of pushing through patches might not be an economic burden, but for startups or smaller developers that find vulnerabilities, pushing through patches can be costly. Brill noted, “They are going to worry about patching.” Instead, they might release a newer version, but that earlier version with the vulnerability is still insecure.
“The answer is not IoT legislation,” said Brill. “We need data security legislation."
Peter Lefkowitz, chief privacy and data protection counsel and chief privacy officer, GE agreed. “From a corporate perspective, security is job one.”
Julie Brill, commissioner, Federal Trade Commission
For GE, which has come out with everything from light bulbs to wind turbines and connected medical devices, Lefkowitz recognized, “The FDA came out with guidelines for medical devices, and god help the company that doesn’t follow them.”
The larger and more important message for Lefkowitz is to make sure that there is an understanding of the value and impact of connected devices. “These are incredible areas of development for society, and there is a much more complicated discussion to make sure we get it right,” said Lefkowitz.
Andrea Matwyshyn, professor of Law at Northeastern University and Microsoft Visiting Professor at Princeton’s Center for Information Technology Policy, said, “Security enables good functionality and consumer trust, but we need a regulatory scalpel, not a regulatory ax.”
Regulations can ensure better quality, functionality, security, and privacy, but Matwyshyn warned, “Some regulation can be damaging. When we start to apply a heavier lens, we’re disrupting innovation.”
Arguing for diversity in the marketplace, Matwyshyn raised the question of technology suitability. “Just because we can add Bluetooth or WiFi doesn’t mean it’s optimal. There are consumers that don’t want the most advanced highly connected device.”
While Matwyshyn argued that fewer connected devices is a market opportunity, the IoT has infiltrated itself into our society, and the latest innovations—whether needed or not—are in high demand. In order to secure the data and the devices, information sharing needs to change.
“One key focus is the idea of information sharing,” said Matwyshyn. “The average quality of security advisories is not good. We need information rich security advisories.”
Failing to provide reasonable security could result in trouble with the FTC for enterprises, trouble that companies have been dealing with since long before the explosion of IoT. Brill spoke of a recent case that came out of the 3rd circuit ruling that the FTC has the authority to prohibit unfair acts in commerce if a company fails to provide reasonable security.
The courts have established that it is reasonable to expect companies are protecting data and privacy, which means that developers need to do more to protect privacy and security by design. To that end, the FTC has started a new enterprise education initiative to educate businesses on promoting good data and privacy security practices.
Seal programs like those available through United Labs, a safety consulting and certification company, are one way to bring greater awareness of privacy and security to the enterprise, but Brill argued, “It needs to be a real program and a good program. There is also a role for self-regulation.”
For many businesses, staying out of the headlines is motivation enough to self-regulate. Lefkowitz said, “If there is a breach of a product or a device, my first concern is not the FTC. It’s the front page of the Wall Street Journal.”
Lefkowitz argued that there is a really important place in the IoT for certification and seal programs. “When putting out a baby monitor, is it important to have a seal Yes. But GE is putting out airplane engines.” Does a seal really mean anything when it is stamped on an engine or a wind turbine
GE is a company betwixt the world of old and new, as it has successfully transitioned to a company that is putting out connected devices. Though they’ve been in the space a long time, the industrial internet has brought attention to its newer more connected devices. “We’ve developed internal standards, and there is the ongoing paranoia about oopsies,” said Lefkowitz.
Yes, oopsies. Making the headlines, data leaving the network. Whatever euphemism businesses chose, they are referring to the potential of being breached. That ongoing paranoia can be productive if it provokes dialogue and raises awareness.
In talking about the things that could go wrong, the moderator and editor in chief at The Security Ledger, Paul Roberts asked whether technology in devices should have an expiration date. Matwyshyn argued, “A limited expiration is not viable since vulnerabilities can be found by third parties on day one.”
Lefkowitz suggested that depending on the device functionality, data collection can be, “allow unless you prohibit or prohibit unless you allow.”
The conversations about data and privacy security in IoT are ongoing as are the number of detected vulnerabilities. Between the regulatory concerns and consumer confidence, businesses need to look at their established standards and rely on third-party audits and security researchers to protect themselves.