The agency provided data security steps and promoted data minimization as well as consumer choice about collected data.
The agency provided data security steps and promoted data minimization as well as consumer choice about collected data.

After hosting an Internet of Things (IoT) workshop in 2013 and inviting public comment on the event, the Federal Trade Commission has published a report to help manufacturers develop connected devices with security in mind.

Released Tuesday, the report, called “Internet of Things: Privacy and Security in a Connected World,” provides an overview of the expanding threats present in the space. As FTC Chairwoman Edith Ramirez told attendees at the International Consumer Electronic Show (CES) earlier this month, experts estimate that, as of this year, there will be 25 billion connected devices to contend with from a privacy standpoint.

In the 71-page report (PDF), the FTC offered a number of recommendations for IoT device makers, namely steps for enhancing data security, implementing data minimization, and giving consumers choices about how information collected by such devices will be used.

The FTC defined IoT as “'things' such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the internet,” the report said.

“Consistent with the FTC's mission to protect consumers in the commercial sphere, our discussion of IoT is limited to such devices that are sold to or used by consumers,” which excludes devices sold in a “business-to-business context,” like sensors in hotel or airport networks, the Commission explained.

Data security recommendations were that device makers implement security by design, “building security into their devices at the outset, rather than as an afterthought,” and that companies educate employees, so that “personnel practices promote good security.” The report also advised that third-party service providers maintain reasonable security, and that, when addressing vulnerable systems, businesses implement a defense-in-depth approach, “where security measures are considered at several levels.” Lastly, the FTC recommended that access control measures be implemented to limit authorized users from accessing consumers' sensitive data, and that connected devices are continuously monitored throughout their lifecycle and known vulnerabilities are patched “to the extent feasible.”

Data minimization – limiting the collection of consumer information when possible as well as retaining data for a set length of time – was also detailed in the report, along with a section on “notice and choice,” which advocated that consumers be notified, or have choices, regarding data-collection practices that impact their privacy.

Eve Maler, vice president of innovation and emerging technology at identity management firm ForgeRock, told SCMagazine.com in emailed commentary that, while she agrees with the “push for a fair and reasonable understanding between customers and companies leveraging IoT to provide more personalized services,” that “building trust and addressing consumers' fears requires more than security by design – it requires privacy by design.”

“The most practical way to build in privacy is to use consistent, well-vetted open standards and platforms that enable secure, user-consented connections between devices, services and applications,” Maler added later. “Once consumers feel that they have control over their information, we will truly see the full potential of connected devices, services and applications," she said.