Internet of Things (IoT)

• Top News |
• Technical Capability |
• Privacy Issues |
• EPIC's Interest |
• EPIC's Recommendations |
• Additional Resources |
• Latest News

Background

"The Internet of Things" (IoT) refers to the capability of everyday devices to connect to other devices and people through the existing Internet infrastructure. Devices connect and communicate in many ways. Examples of this are smartphones that interact with other smartphones, vehicle-to-vehicle communication, connected video cameras, and connected medical devices. They are able to communicate with consumers, collect and transmit data to companies, and compile large amounts of data for third parties. The FTC estimates that over 25 billion devices will be hooked up to the Internet.

This increased connectivity raises a myriad of consumer privacy and data security issues. Government agencies, like the Federal Trade Commission, are concerned with issues such as data security, mobile privacy, and big data. The development of the IoT means that companies preserve privacy. Among other things, this involves adopting privacy and data security best practices, only collecting consumer information with express consumer consent, and providing consumers with access to their data.

A brief history of the IoT gives background for those who are looking for the base of this shift.Professors Jerry Kang and Dana Cuff published a case study about this kind of "pervasive computing" and "four basic design principles" including privacy, transparency, open access, and publicity.

In a 2005 report by the International Telecommunications Union (ITU) titled "The Internet of Things," the ITU states that "protection of data and privacy" is one of the largest hurdles for widespread adoption of emerging technologies amongst consumers. The report recommends that informed consent, data security, and data confidentiality efforts must be made as the IoT expands.

Top News

• EPIC to Testify on Car Privacy and Data Security: EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers. (Nov. 17, 2015)
• New OECD Report Finds Increased Privacy Concern, Lagging National Policies: The OECD Digital Economy Outlook 2015 explores recent developments in the digital economy. The OECD report finds that Internet "users are increasingly concerned, 64% of respondents are more concerned about privacy than they were a year ago" even as few countries include online privacy in national digital strategies.The OECD also warns that the "Internet of Things" will lead to the rise of autonomous machines. Civil society groups are planning to report to the OECD at the 2016 Ministerial Meeting on the Digital Economy. (Jul. 28, 2015)
More top news »
Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking » (Jul. 21, 2015)
Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
EPIC Urges Investigation of "Always On" Consumer Devices » (Jul. 9, 2015)
EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on 'Always-On' Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumer's homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether "always on" devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice.
Senator Markey Report Warns of Risks with "Connected Cars" » (Feb. 10, 2015)
A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers."
FTC Chair Warns About Risks of Connected Devices » (Jan. 7, 2015)
In a speech at the CES conference this week, FTC Chair Edith Ramirez warned of the privacy risks of connected home devices. "In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored," Ramirez said. EPIC has written extensively on interconnected devices, known as the "Internet of Things." In comments to the FTC, EPIC described several risks, including the hidden collection of sensitive data. EPIC recommended that companies adopt Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: FTC and EPIC: Big Data.
EPIC Urges Department of Transportation to Protect Driver Privacy » (Oct. 21, 2014)
EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things.
Data Protection Commissioners Urge Limits on "Big Data" » (Oct. 17, 2014)
The International Data Protection Commissioners have adopted a resolution on Big Data. The resolution endorses several privacy safeguards, including purpose specification, data minimization, individual data access, anonymization, and meaningful consent when personal data is used for big data analysis. The data protection commissioners also passed a resolution supporting the UN High Commissioner's report on Privacy in the Digital Age and the Mauritius Declaration on the Internet of Things. Earlier this year, EPIC joined by 24 organizations petitioned the White House to accept public comments on its review of Big Data and the Future of Privacy. EPIC also submitted extensive comments detailing the privacy risks of big data and calling for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC: Big Data and EPIC: Internet of Things.
Department of Transportation Seeks Public Comment on Connected Cars » (Aug. 21, 2014)
The National Highway Traffic Safety Administration, at the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." The agency plans to mandate vehicle-to-vehicle technology. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. Last year EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Comments on the Privacy and Security Implications of the Internet of Things.
Senator Schumer Calls On Regulators to Make Fitness Data Private » (Aug. 14, 2014)
Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools.
EPIC Submits Comments on the "Internet of Things" » (Jun. 3, 2013)
EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information see EPIC: Federal Trade Commission.

IoT Technical Capabilities

Smartphone Connectivity

Smartphones are able to connect to the Internet, household appliances, personal computers, and personal vehicles, many times controlling these items remotely.

Vehicle-to-Vehicle Communication

Vehicle-to-Vehicle (V2V) Communication allows the exchange of data between nearby vehicles. The Department of Transportation states that V2V communication will lead to "significant safety improvements..that can assist drivers in preventing 76 percent of the crashes on the roadway."

SmartGrid

The term "Smart Grid" encompasses a host of inter-related technologies rapidly moving into public use to reduce or better manage electricity consumption. Smart grid systems may be designed to allow electricity service providers, users, or third party electricity usage management service providers to monitor and control electricity use. Privacy implications for smart grid technology deployment centers on the collection, retention, sharing, or reuse of electricity consumption information on individuals, homes, or offices.

Event Data Recorders

Automobiles are integrating computing technology that enhance the ability of others to collect location and operation data in near real time. In the data driven economy, this data is of value.

GPS Connectivity

GPS capabilities in vehicles mean that the location of the vehicle is recorded at all times, leading monitoring of cars and collection of all location data.

Smarthome Connectivity

Smarthome connectivity is when one's appliances, such as an oven, security system, or lights, are connected to one's smartphone through the Internet. The owner of these smarthome devices is able to control them remotely through his or her smartphone.

Connected Health and Fitness

Medical and fitness devices can monitor one's health and track changes and physical activity. These devices can be connected to a person's smartphone or laptop for data aggregation and tracking.

Privacy Issues

Protecting consumer privacy becomes increasingly difficult as the IoT becomes more prevalent. More devices are connected to different types of devices and this increase in connectivity and data collection results in less control. Both control of data and control of the very devices that are connected are at stake.

Control can be lost if someone hacks into the smartphone or computer acting as a remote for the other devices. In the case of computers and smartphones, this hacking can be done remotely and often undetected. Smartphones, just like computers, carry an enormous amount of personal information about their owners. They often link to bank accounts, email accounts, and in some cases household appliances. Stolen data can result in serious problems. Vehicles contain many computers that control their function. Initially, these computers could not be hacked into. With the increased connectivity of the IoT, however, vehicles are now at risk due to being connected to the Internet.

In another sense, control can be lost as more and more companies collect data about users. This data often paints a detailed picture of individual users through the collection of activities online. Everything you search, all of your activities online, are being tracked by companies that use that data. These companies often use the data to improve the user's experience, but they also use this data to sell users products or sell to other companies who sell users products.

Innovation in this realm means that companies must alter the privacy policies that are in place as well as how they interact with these devices. Companies will need to take another look at the policies that they have in place to ensure that consumers are offered opportunities to access and control their own data. Consumers will become increasingly aware of the privacy implications of this level of connectivity through interaction with the IoT and exposure to the policies that companies provide to them.

Frank Pasquale, law professor and EPIC advisory board member discusses privacy concerns related to the IoT in a May 2014 Pew Research Report. Pasquale states that the expansion of the IoT will result in a world that is more "prison-like" with a "small class of 'watchers' and a much larger class of the experimented upon, the watched." In another article, he reinforces the idea that the IoT "will be a tool for other people to keep tabs on what the populace is doing.

EPIC President, Marc Rotenberg, explains in the Pew Research Report that the problem with the IoT is that "users are just another category of things," and states that this "is worth thinking about more deeply about in the future."

EPIC's Interest

EPIC has a long history of protecting consumer privacy.

In 1995, EPIC sent a letter to the Federal Trade Commission (FTC) urging it to support online privacy. This was one of EPIC's earliest involvements in working with the FTC to ensure the protection of consumer privacy, especially online.

In May 2001, EPIC sent a request to the new FTC chairman, Timothy Muris, urging the FTC to devote time and attention to privacy issues. This letter led to Muris agreeing to meet with the Privacy Coalition on July 17, 2001 to discuss recommendations for further FTC action on privacy issues. This meeting led to the FTC announcing a new privacy agenda that called for 50% increase in privacy resources, improved privacy complaint handling, more protection for consumers, and increased enforcement of privacy policies and existing laws such as the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA). While this shift in focus was welcomed, Chairman Muris concluded it was "too soon" to recommend broad-based online privacy legislation.

In 2007, EPIC recommended better notification and strong privacy safeguards for security breach investigations in comments to the FTC. The request urged the FTC to limit the disclosure of personal information related to security breach investigations.

On June 1, 2013, EPIC submitted comments to the FTC regarding the privacy and security implications of the Internet of Things.

Now, in 2014, EPIC President, Marc Rotenberg, presented at the Aspen Institute Communication and Society Program on "Developing Policies for the Internet of Things."

EPIC's Recommendations

EPIC submitted several recommendations in a comment to the Federal Trade Commission ("FTC" or "the Commission") regarding the Internet of Things. Overall, the recommendations focused on promoting transparency from those operating or owning Internet-connected systems and devices, as well as encouraging the FTC to enforce Fair Information Practices and require that companies adopt Privacy Enhancing Techniques.

The comment focused on a number of privacy and security risks associated with the Internet of Things. A major point as that data collected from the Internet of Things may reveal sensitive behavior patterns that consumers wish to keep private. Next, the comment highlighted the fact that data collected could be used for secondary purposes that lack consumer consent. The Internet of Things has the potential to increase the power inbalance between consumers and companies, as well as the potential to threaten users' security both on and offline. These considerations produced the following recommendations:

Additional Resources

• EPIC: Department of Transportation Seeks Public Comment on Connected Cars (August 21, 2014)
• EPIC: Medical Record Privacy
• EPIC: Comments on "Unmanned Aircraft System Test Sites" (May 8, 2012)
• EPIC: The Smart Grid and Privacy
• EPIC: Comments of EPIC on Proposed Policies and Findings Pertaining to the EISA Standard Regarding Smart Grid and Customer Privacy(December 18, 2008)
• EPIC: Automobile Event Data Recorders and Privacy
• Pew Research Report: The Internet of Things Will Thrive by 2025 (May 14, 2014)
• Department of Transportation: Connected Vehicles Applications"
• International Telecommunications Union: The Internet of Things Executive Summary
• Trans Atlantic Consumer Dialogue: Resolution on Internet of Things(May 2012)
• Federal Trade Commission: All Things Connected" (April 17, 2013)
• Federal Trade Commission: Slides: Internet of Things - Privacy & Security in a Connected World Event (November 19, 2013)
• Federal Trade Commission: Event Materials: Internet of Things - Privacy & Security in a Connected World Event (November 19, 2013)
• Stanford: Secure Internet of Things Project

Latest News

• Forbes: Where Will You Buy The Internet of Things? (September 29, 2014)
• The Star Online: IDF14: Internet of Things and the challenges of connecting everything (September 29, 2014)
• CNET: SAM: A DIY internet of things (September 29, 2014)
• Computer World: Why the 'Internet of Things' may never happen (January 18, 2014)
• Forbes: Securing the Internet of Things (September 25, 2014)
• Washington Post: Why Shellshock is bad news for the Internet of things (September 25, 2014)
• Security Info Watch: Cisco develops security solutions to address the 'Internet of Things' quandry for end users (September 29, 2014)
• InformationWeek: Internet of Things Intrigues Intelligence Community (September 24, 2014)
• Wall Street Journal: Ted Leonsis: An Exciting Time for the Internet of Things (September 22, 2014)
• Information Age: Why the Internet of Things is more than just a smart fridge (September 22, 2014)
• Gigaom: Six reasons why enterprise IoT needs three tiers to succeed (September 23, 2014)
• Forbes: Who Will Build The 'God Platform' For The Internet Of Things? (September 23, 2014)
• Wall Street Journal: Intel Taps Internet of Things to Predict Shop Floor Tool Failure (September 23, 2014)
• Tech World: Driving unconventional growth through the industrial internet of things (September 29, 2014)
• The Economist: The language of the internet of things (September 6, 2014)
• Washington Post: Lobbying on the 'Internet of Things' (September 14, 2014)
• The Guardian: Apple Watch will power the internet of things (September 15, 2014)
• Bloomberg Businessweek: The Internet of Things Is Getting Its Own Wireless Networks (September 9, 2014)
• ComputerWorld: IEEE standards group wants to bring order to Internet of Things (September 19, 2014)
• National Law Review: Internet of Things Poses a Number of Significant Data Protection Challenges, say EU Watchdogs (September 29, 2014)
• Lexology: 3 IoT cyber threats to privacy in your home that might surprise you (September 19, 2014)
• USA Today: Privacy integral to future of the Internet of Things (July 11, 2014)
• InfoWorld: Welcome to the Internet of things. Please check your privacy at the door. (November 18, 2013)
• PC World: Study: & in 10 concerned about security of Internet-of-Things (June 23, 2014)
• IEEE Spectrum: Most Technologists Upbeat About Future Internet of Things, Says Pew Survey (May 16, 2014)
• Government Technology: 6 Things to Expect from the Internet of Things by 2025(May 14, 2014)
• The Telegraph: Privacy matters in 'internet of things' innovation race (May 5, 2014)
• Wired: Why Tech's Best Minds Are Very Worried About the Internet of Things (May 19, 2014)
• NPR: As Police Drones Take Off, Washington State Pushes Back (Feb. 22, 2013)
• Wall Street Journal: Setting Rules for the Internet of Things (January 9, 2014)
• CNN: Explainer: What is the 'Internet of Things?' (June 4, 2013)
• Huffington Post: The Internet of Things: Monopoly Capitalism vs. Collaborative Commons (April 7, 2014)
• New York Times (Opinion): The Internet Gets Physical (December 17, 2011)
• Wall Street Journal: 'Internet of Things' in Reach (January 5, 2014)
• Wired: In the Programmable World, All Our Objects Will Act as One (May 14, 2013)
• EE Times: Stringent Requirements Needed for the Industrial Internet of Things (April 3, 2014)
• New York Times: At Newark Airport, te Lights Are On, and They're Watching You (February 17, 2014)
• Venture Beat: The Internet of things is coming on faster than ever thanks to a new, huge alliance (December 9, 2013)
• Tech Crunch: Making Sense Of The Internet Of Things (May 25, 2013)
• Gigaom: The frightening truth about the security of our healthcare data (March 30, 2014)
• Silicon Angle: Predictive security goes beyond the network (March 28, 2014)
• Washington Post: New skills are needed to work on Internet of Things (February 16, 2014)
• The Economist: Spam in the fridge: When the Internet of Things misbehaves (January 25, 2014)