Internet of Things (IoT)
"The Internet of Things" (IoT) refers to the capability of everyday devices to connect to other devices and people through the existing Internet infrastructure. Devices connect and communicate in many ways. Examples of this are smartphones that interact with other smartphones, vehicle-to-vehicle communication, connected video cameras, and connected medical devices. They are able to communicate with consumers, collect and transmit data to companies, and compile large amounts of data for third parties.
This increased connectivity raises a myriad of consumer privacy and data security issues. Government agencies, like the Federal Trade Commission, are concerned with issues such as data security, mobile privacy, and big data. The development of the IoT means that companies must take steps to preserve privacy. Among other things, this involves adopting privacy and data security best practices, only collecting consumer information with express consumer consent, and providing consumers with access to their data.
A brief history of the IoT provides background for those looking for the origins of this shift. Professors Jerry Kang and Dana Cuff published a case study on this kind of "pervasive computing" and its "four basic design principles": privacy, transparency, open access, and publicity.
- Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things: A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), have introduced legislation to improve security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier. "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things." (Aug. 1, 2017)
- EPIC Recommends National Safety Standard for "Self-Driving" Vehicles: In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participated in numerous NHTSA rulemakings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with Bluetooth communications, auto hacking, "level 3" control, malware and ransomware, remote deactivation for auto repossession, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic." (Jun. 28, 2017)
- FTC Updates Guidance on Children's Privacy Law, Includes Connected Toys (Jun. 27, 2017)
- EPIC Recommendations for Tech Week Meeting: Protect U.S. Consumers (Jun. 20, 2017)
- EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things (Jun. 13, 2017)
- EPIC to Congress: Data Protection Needed for Financial Technologies (Jun. 9, 2017)
- Pew Survey Explores Internet of Things (Jun. 6, 2017)
- EPIC Recommends Privacy Safeguards for Vehicle Networks (Apr. 14, 2017)
- EPIC Seeks Information on Sessions-Jourova Encryption Discussion (Apr. 3, 2017)
- EPIC Urges Senate Commerce Committee to Back Algorithmic Transparency, Safeguards for Internet of Things (Mar. 22, 2017)
- EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety (Feb. 2, 2017)
- Trump Order Threatens Consumer Protection, Public Safety (Jan. 31, 2017)
- Aspen Institute Report Explores Artificial Intelligence (Jan. 30, 2017)
- EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills (Jan. 24, 2017)
- EPIC Urges Senate Committee to Press Transportation Nominee on Drones, Connected Cars (Jan. 12, 2017)
- FTC Sues D-Link Over Poor Security in Internet Routers and Cameras (Jan. 12, 2017)
- Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns (Dec. 9, 2016)
- EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles (Nov. 23, 2016)
- House Members Urge FTC to Examine Internet-of-Things (Nov. 4, 2016)
- EPIC Proposes Privacy, Security Protections for "Internet of Things" (Jun. 4, 2016)
- Senators Introduce Bill to Block Broad Remote Hacking Rules (May 19, 2016)
- EPIC to Testify on Car Privacy and Data Security (Nov. 17, 2015)
- New OECD Report Finds Increased Privacy Concern, Lagging National Policies (Jul. 28, 2015)
- Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking (Jul. 21, 2015)
- EPIC Urges Investigation of "Always On" Consumer Devices (Jul. 9, 2015)
- Senator Markey Report Warns of Risks with "Connected Cars" (Feb. 10, 2015)
- FTC Chair Warns About Risks of Connected Devices (Jan. 7, 2015)
- EPIC Urges Department of Transportation to Protect Driver Privacy (Oct. 21, 2014)
- Data Protection Commissioners Urge Limits on "Big Data" (Oct. 17, 2014)
- Department of Transportation Seeks Public Comment on Connected Cars (Aug. 21, 2014)
- Senator Schumer Calls On Regulators to Make Fitness Data Private (Aug. 14, 2014)
- EPIC Submits Comments on the "Internet of Things" (Jun. 3, 2013)
Smartphones are able to connect to the Internet, household appliances, personal computers, and personal vehicles, many times controlling these items remotely.
Vehicle-to-Vehicle (V2V) Communication allows the exchange of data between nearby vehicles. The Department of Transportation states that V2V communication will lead to "significant safety improvements ... that can assist drivers in preventing 76 percent of the crashes on the roadway."
The term "Smart Grid" encompasses a host of inter-related technologies rapidly moving into public use to reduce or better manage electricity consumption. Smart grid systems may be designed to allow electricity service providers, users, or third-party electricity usage management service providers to monitor and control electricity use. The privacy implications of smart grid technology deployment center on the collection, retention, sharing, or reuse of electricity consumption information on individuals, homes, or offices.
Event Data Recorders
Automobiles are integrating computing technology that enhances the ability of others to collect location and operation data in near real time. In the data-driven economy, this data is of value.
GPS capabilities in vehicles mean that the location of the vehicle is recorded at all times, leading to the monitoring of cars and the collection of all location data.
Smarthome connectivity is when one's appliances, such as an oven, security system, or lights, are connected to one's smartphone through the Internet. The owner of these smarthome devices is able to control them remotely through his or her smartphone.
Connected Health and Fitness
Medical and fitness devices can monitor one's health and track changes and physical activity. These devices can be connected to a person's smartphone or laptop for data aggregation and tracking.
Protecting consumer privacy becomes increasingly difficult as the IoT becomes more prevalent. More devices are connected to different types of devices and this increase in connectivity and data collection results in less control. Both control of data and control of the very devices that are connected are at stake.
Control can be lost if someone hacks into the smartphone or computer acting as a remote for the other devices. In the case of computers and smartphones, this hacking can be done remotely and often undetected. Smartphones, just like computers, carry an enormous amount of personal information about their owners. They often link to bank accounts, email accounts, and in some cases household appliances. Stolen data can result in serious problems. Vehicles contain many computers that control their function. Initially, these computers could not be hacked into. With the increased connectivity of the IoT, however, vehicles are now at risk due to being connected to the Internet.
In another sense, control can be lost as more and more companies collect data about users. This data often paints a detailed picture of individual users through the collection of activities online. Everything you search, all of your activities online, are being tracked by companies that use that data. These companies often use the data to improve the user's experience, but they also use this data to sell users products or sell to other companies who sell users products.
Innovation in this realm means that companies must alter the privacy policies that are in place as well as how they interact with these devices. Companies will need to take another look at the policies that they have in place to ensure that consumers are offered opportunities to access and control their own data. Consumers will become increasingly aware of the privacy implications of this level of connectivity through interaction with the IoT and exposure to the policies that companies provide to them.
Frank Pasquale, law professor and EPIC advisory board member, discusses privacy concerns related to the IoT in a May 2014 Pew Research Report. Pasquale states that the expansion of the IoT will result in a world that is more "prison-like" with a "small class of 'watchers' and a much larger class of the experimented upon, the watched." In another article, he reinforces the idea that the IoT "will be a tool for other people to keep tabs on what the populace is doing."
EPIC President, Marc Rotenberg, explains in the Pew Research Report that the problem with the IoT is that "users are just another category of things," and states that this "is worth thinking about more deeply about in the future."
Because IoT devices are connected to the Internet, they are vulnerable to the same kinds of cyber-attacks that can afflict consumer, commercial, industrial, and governmental computer systems. In September 2016, weak security in IoT devices was exploited on a massive scale by the “Mirai” botnet, which gained control of hundreds of thousands of such devices, and subsequently used them to launch massive distributed denial of service attacks, capable of effectively shutting down targeted websites. Because IoT devices rely on connectivity to function, they create a common attack vector for hackers to gain access to an entire network. Many IoT devices are built using very similar underlying hardware and software, and are frequently not designed with cybersecurity in mind, which increases the risks they pose.
Security flaws in most computer systems are patched via regular updates. However, IoT devices may not be designed with the ability to easily patch their software, meaning that security flaws may go unaddressed for many years. In the case of IoT devices with particularly long shelf-lives, there is also a risk that the manufacturer will discontinue support or go out of business.
There are also unique security risks posed by IoT devices’ use of cloud services. Storing data on remote servers necessarily increases the possibility that the data will be compromised. Splitting control over the device and the data reduces the ability of any one provider to limit access, and consistent security becomes dependent on harmonization of data security practices among the various parties responsible for its collection, transmission, and storage. The most promising response to the increasing complexity of these systems would be a widespread adoption of a single, consistent set of standards. The NIST Cybersecurity Framework, which is one of the most important standards at the federal level, was recently updated in January 2017.
Depending on the functions of various IoT devices, weak cybersecurity can lead to serious consequences, including physical damage and injury. Perhaps the most visceral example is the hacking of an automobile by a bad actor, which could lead to vehicular homicide. Researchers have already demonstrated the ability to access and control vital functions of a car, including its brakes, by compromising its connected features. Another category of IoT devices that could be hacked with horrific consequences is personal medical devices, such as defibrillators, pacemakers, and insulin pumps; hacking of any of these devices could lead to physical injury or death. Other vulnerable devices include IoT cameras, which can surreptitiously record audio and video, HVAC systems that control heating and cooling levels, and alarm systems that can provide access to users' homes and other secure areas.
- GAO, Internet of Things: Status and Implications of an Increasingly Connected World (May 2017)
- Lily Hay Newman, Medical Devices Are the Next Security Nightmare, Wired (Mar. 2017)
- FDA, Medical Devices Cybersecurity
- Daniel Coats, Director of National Intelligence, Worldwide Threat Assessment of the U.S. Intelligence Community (May 2017)
- Brian Krebs, IoT Reality: Smart Devices, Dumb Defaults, Krebs on Security (Feb. 2016)
- Brian Krebs, Dahua, Hikvision IoT Devices Under Siege, Krebs on Security (Mar. 2017)
- Andy Greenberg, Hackers Remotely Kill a Jeep on the Highway - With Me In It, Wired (Jul. 2015)
EPIC has a long history of protecting consumer privacy.
In 1995, EPIC sent a letter to the Federal Trade Commission (FTC) urging it to support online privacy. This was one of EPIC's earliest involvements in working with the FTC to ensure the protection of consumer privacy, especially online.
In May 2001, EPIC sent a request to the new FTC chairman, Timothy Muris, urging the FTC to devote time and attention to privacy issues. This letter led to Muris agreeing to meet with the Privacy Coalition on July 17, 2001 to discuss recommendations for further FTC action on privacy issues. This meeting led to the FTC announcing a new privacy agenda that called for a 50% increase in privacy resources, improved privacy complaint handling, more protection for consumers, and increased enforcement of privacy policies and existing laws such as the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA). While this shift in focus was welcomed, Chairman Muris concluded it was "too soon" to recommend broad-based online privacy legislation.
In 2007, EPIC recommended better notification and strong privacy safeguards for security breach investigations in comments to the FTC. The request urged the FTC to limit the disclosure of personal information related to security breach investigations.
On June 1, 2013, EPIC submitted comments to the FTC regarding the privacy and security implications of the Internet of Things.
In 2014, EPIC President, Marc Rotenberg, presented at the Aspen Institute Communication and Society Program on "Developing Policies for the Internet of Things."
In November 2015, EPIC Associate Director Khaliah Barnes testified at a hearing on "The Internet of Cars" before the House Committee on Oversight and Government Reform.
EPIC submitted several recommendations in a comment to the Federal Trade Commission ("FTC" or "the Commission") regarding the Internet of Things. Overall, the recommendations focused on promoting transparency from those operating or owning Internet-connected systems and devices, as well as encouraging the FTC to enforce Fair Information Practices and require that companies adopt Privacy Enhancing Techniques.
The comment focused on a number of privacy and security risks associated with the Internet of Things. A major point was that data collected from the Internet of Things may reveal sensitive behavior patterns that consumers wish to keep private. Next, the comment highlighted the fact that data collected could be used for secondary purposes that lack consumer consent. The Internet of Things has the potential to increase the power imbalance between consumers and companies, as well as the potential to threaten users' security both on and offline. These considerations produced the following recommendations:
- First, EPIC recommended that the Commission enforce Fair Information Practices.
- Second, EPIC recommended that the FTC require companies to adopt Privacy Enhancing Techniques.
- Third, EPIC recommended that the FTC require companies to respect a consumer's choice not to be tracked, profiled, or monitored.
- Fourth, EPIC recommended that the FTC require companies to minimize data collection.
- Finally, EPIC recommended that the FTC ensure transparency in both design and operation of Internet-connected devices.
- Sarthak Grover and Nick Feamster: Who Will Secure the Internet of Things? (January 2016)
- Sarthak Grover: The Internet of Unpatched Things, PrivacyCon 2016 (Video) (Presentation)
- US News & World Report: Would Your Smart Car Brake for Hackers? (July 23, 2015)
- FTC Staff Report: Internet of Things: Privacy & Security in a Connected World (January 2015)
- EPIC: Department of Transportation Seeks Public Comment on Connected Cars (August 21, 2014)
- The Internet of Things: When Things Talk Among Themselves, Remarks of Commissioner Maureen K. Ohlhausen, FTC Internet of Things Workshop (November 19, 2013)
- EPIC: Cahen v. Toyota Motor Corporation
- EPIC: Medical Record Privacy
- EPIC: Comments on "Unmanned Aircraft System Test Sites" (May 8, 2012)
- EPIC: The Smart Grid and Privacy
- EPIC: Comments of EPIC on Proposed Policies and Findings Pertaining to the EISA Standard Regarding Smart Grid and Customer Privacy (December 18, 2008)
- EPIC: Automobile Event Data Recorders and Privacy
- Pew Research Report: The Internet of Things Will Thrive by 2025 (May 14, 2014)
- Department of Transportation: Connected Vehicles Applications
- International Telecommunications Union: The Internet of Things Executive Summary
- Trans Atlantic Consumer Dialogue: Resolution on Internet of Things (May 2012)
- Federal Trade Commission: All Things Connected (April 17, 2013)
- Federal Trade Commission: Slides: Internet of Things - Privacy & Security in a Connected World Event (November 19, 2013)
- Federal Trade Commission: Event Materials: Internet of Things - Privacy & Security in a Connected World Event (November 19, 2013)
- Stanford: Secure Internet of Things Project