The agenda at this year’s PrivacyCon read like the Federal Trade Commission’s to-do list.
Nearly 20 researchers from around the country converged on Washington, DC, Friday to dig into the privacy implications of the Internet of Things and big data, mobile privacy, consumer privacy expectations, online behavioral advertising, information security, the dangers of cross-app tracking via Bluetooth devices, the almost impossible-to-navigate third-party mobile ecosystem and other thorny consumer privacy and security-related topics.
In terms of focus, the FTC has made it clear that IoT security in particular will be a top enforcement priority this year, as will the protection of health data and data security overall.
IoT & The FTC
Soon-to-be former FTC Chairwoman Edith Ramirez (she’ll step down in February, a few weeks after Donald Trump’s inauguration) took time in early January to attend the Consumer Electronics Show in Las Vegas, where IoT was the topic du jour as she walked the showroom floor.
And between the passenger-carrying drones, the robotic vacuum cleaner that doubles as a home security camera and air humidifier and the smart trash can that scans the bar codes of discarded items in order to populate shopping lists, one observation stuck out in her mind.
The fact is that almost all of these technologies “rely to varying degrees on the collection of consumer information – and data collection is growing exponentially,” Ramirez said. “Just around the corner are huge advances in artificial intelligence fueled in part by IoT data … [and] if all of this innovation is going to achieve its potential, consumers need to be assured that the risks do not outweigh the benefits.”
Just last week, the FTC announced an IoT security challenge, offering $25,000 in prize money to anyone who can create a tool to help consumers quickly identify security vulnerabilities in internet-connected devices and who can push out updates to address those vulnerabilities.
R&D & The FTC
The FTC increasingly looks to academic researchers to set its enforcement agenda, which makes an event like PrivacyCon a significant bellwether.
“At the FTC, research and data play a key role in helping to guide our work … [and] to identify potential areas for investigation and enforcement,” Ramirez said.
The cross-device report recently released by OTech, the FTC’s Office of Technology Research and Investigation, relied heavily on a tool that automates the evaluation of privacy on websites. That tool was developed by researchers at Princeton University and was presented at last year’s PrivacyCon.
Using the tool, OTech was able to survey the privacy policies of the Alexa top 100 websites with relative ease. The majority of those policies were vague and provided no clarity as to whether the sites would share data for cross-device tracking.
“As a result, it would be very challenging for even a very sophisticated user to determine how much cross-device tracking is taking place,” Ramirez said. “We think this type of research is incredibly helpful for informing industry, consumers and policymakers about what’s happening in the marketplace, and it was a tool that was presented at PrivacyCon that let us do this.”
The commission has also been active on the mobile security front with several recent enforcement actions, including one against mobile ad network InMobi for illegal geolocation tracking and another against demand-side platform Turn for using Verizon tracker cookies even after a user had opted out.
In both the InMobi and Turn cases, outside tech researchers were the first to bring the alleged infractions to the FTC’s attention.
And the consumer?
But the question remains as to whether and how much consumers really care about their privacy in practice.
Consumers are downloading ad blockers in record numbers, said Jessica Rich, director of the FTC’s Bureau of Consumer Protection, but at the same time, “we all know that consumers don’t hesitate to use websites and apps that collect enormous amounts of information despite their stated concerns about privacy.”
That dissonance is a good reminder that trying to regulate this space isn’t as simple as giving consumers more controls or more robust notice and choice.
PrivacyCon “has been very much [in] the weeds and we need to think about the forest that this is part of and how it all fits together,” said Howard Beales, a professor of strategic management and public policy at George Washington University and former director of the FTC’s Bureau of Consumer Protection.
“Do consumers care? Well, some do, some don’t,” Beales said. “[But] it isn’t feasible, it isn’t reasonable to expect consumers to make instance by instance decisions about what they’re going to do. … If you approved each mobile app request for data, there would be 231 requests per hour. And that doesn’t work.”