The internet of things will be a top enforcement priority for the Federal Trade Commission and the Federal Communications Commission in 2017 – especially in the wake of the recent distributed-denial-of-service attacks against Dyn.
Dyn, which provides online infrastructure and domain services, was the victim of a DDOS onslaught that temporarily shut down major websites like Spotify, Twitter and The New York Times, disrupting ad delivery, obstructing publisher traffic, messing with reporting and causing revenue declines.
Hackers gained access through a massive IoT botnet.
The internet of things is a lot for the regulatory bodies to police – everything from washing machines, thermostats, refrigerators and doorbells to baby monitors, smart TVs and Xboxes.
The estimates vary, but most sources agree that somewhere between 6 billion and 12 billion devices are already connected to the internet, a number Cisco predicts will reach 50 billion by 2020.
“As we see the rise of mobile and the internet of things, we’re seeing a multiplicity of actors in the ecosystem,” said Maneesha Mithal, associate director of the FTC’s division of privacy and identity protection, speaking at an International Association of Privacy Professionals event in Washington, DC, on Wednesday.
“There’s going to be a lot of questions about the liability of these various actors,” Mithal said.
While the FTC’s concern is mainly about deceptive practices and consumer data privacy, the FCC is more focused on security protocol for IoT devices, which are notoriously slack on that front.
Security professionals have a quippy name for the IoT: the “internet of insecure things.”
In a Dec. 2 letter to Sen. Mark Warner (D-Va.) from FCC Chairman Tom Wheeler, the latter highlighted the cybersecurity threat created by connected things.
Wheeler laid out the FCC’s plans for IoT cybersecurity risk reduction, including collaborative efforts with key internet stakeholder groups, increased intra-agency cooperation and the potential for regulatory solutions to fill in whatever gaps private-market ISPs aren’t able to address on their own.
Of course, Wheeler is more than likely a lame-duck FCC chief. He acknowledged that the commission has had to postpone some of its work in light of the impending change in administrations, but “addressing IoT threats remains a national imperative and should not be stalled by the normal transition of a new president,” he wrote.
Future enforcers urgently need to address the lack of security in IoT devices, said FCC enforcement chief Travis LeBlanc, a Wheeler appointee also likely to move on after President-elect Trump is sworn in.
The next generation of IoT devices will probably have better security and privacy protection baked in, but there will still be billions of insecure devices out there from before – devices like smart doorbells, with longer life cycles than mobile phones – which are easy pickings for hackers looking to gain entry to a network, LeBlanc said.
And in toto the data that can be pulled from ubiquitous sensors is also far more comprehensive and personal than what can be obtained from online browsing behavior.
“It’s true that you can track everywhere someone goes on the web, but with IoT you can track where someone works, what food they eat, how long they exercise for, how much electricity they consume,” said Heather Zachary, a partner at law firm WilmerHale. “It’s a full picture of your entire life and that’s only going to become more the case.”
In a now-seminal report from 2012, the FTC laid out a series of core precepts to help protect consumer privacy in what the commission referred to as “an era of rapid change.”
Basic rules of thumb include privacy by design, the notion of building privacy protection into your product or service at the beginning during the development process, providing notice and choice and being transparent about what data you’re collecting, how you’re using it and who you’re sharing it with.
But in all likelihood, consumers are unaware of the data streaming out of their IoT devices and into the ecosystem, which makes providing notice and choice essential and a tricky thing to accomplish. What’s the process for consumers to opt in to data collection from their washing machines? There’s no clear precedent.
“It’s a lot harder to comply with those foundational privacy principles on these connected devices,” Zachary said. “Your Fitbit does have a tiny screen, but you can’t get a privacy policy onto that and many devices have no screen whatsoever.”
The FTC provided some guidance in a report on IoT privacy in 2015, with a few creative suggestions for how to handle notice and choice, including QR codes that take users to a site where they can opt in online, an opt-in screen during the initial setup process on another device or a video tutorial.
But it’s been almost two years since the report came out and companies are still grappling with how to provide notice and choice in a way that’s clear, contextual and prominent enough that the consumer will see it.
Opt-ins aside, however, cybersecurity issues loom.
In 2014, the FTC brought its first case against an IoT company called TRENDnet, which sells connected video cameras. A security breach in 2012 allowed hackers to take control of live video stream from people’s homes which were then posted online. The FTC was able to nail TRENDnet for falsely advertising that it could safely transfer video over the internet.
“There are all these sensors all over the world constantly collecting information,” Zachary said. “The risk is that unauthorized parties can gain access to and misuse [it].”
Because the fact is the internet of things is highly vulnerable, often the “weakest link in a chain,” she said. Just look at what happened to Dyn.
IoT devices are “a doorway to get into a system and then hackers move laterally through the network to get to more sensitive things,” Zachary said. “In the past, people used ordinary computing devices, [but with Dyn] they summoned an army of devices that could attack and shut down the Eastern seaboard’s internet.”