The US Federal Trade Commission (FTC) released a Staff Report [PDF] on the Internet of Things earlier today. The report is based on a workshop that the FTC had hosted in late 2013 and holds several recommendations for companies developing Internet of Things devices. Though many have already reported on the release, I would like to focus here on the separate statement [PDF] made by Maureen K. Ohlhausen and the dissenting statement [PDF] made by Commissioner Joshua D. Wright. While the former had hesitations but supported the publication, the latter was clear in his opposition to publication of the report.
The Report’s recommendations
As the focus here is on the separate statements, I will make do with the words of the FTC itself in its press release summarising its recommendations to companies developing IoT devices:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
The Separate Statement by Commissioner Maureen K. Ohlhausen
Though Commissioner Ohlhausen did vote in favour of publication of the report itself, she took the opportunity [PDF] to show her dissatisfaction with two of the staff report’s recommendations.
In her own words:
First, I do not support the recommendation for baseline privacy legislation because I do not see the current need for such legislation. The FTC’s Section 5 deception and unfairness authority already requires notice and opt-in consent for collecting consumers’ sensitive, personally identifiable information. It also protects against uses of personal information that cause substantial, unavoidable consumer harm not outweighed by benefits to consumers or competition. Furthermore, sector-specific laws, such as FCRA, provide additional protections for consumers. Thus, I question what current harms baseline privacy legislation would reach that the FTC’s existing authority cannot.
Second, I am concerned that the report’s support for data minimization embodies what scholar Adam Thierer has called the “precautionary principle,” and I cannot embrace such an approach. The report, without examining costs or benefits, encourages companies to delete valuable data – primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive.
As a final note she states that she would have liked to see the report include a full exploration of the emerging tension between information technology (including IoT) and the Fair Information Practice Principles’ approach to protecting consumer privacy. She continued:
The staff report acknowledges the conflict, but fails to grapple with it in a substantial way. We will need to address these issues in the relatively near future, and I look forward to playing a role in that effort.
The Dissenting Statement
The criticism by Commissioner Ohlhausen of the report’s lack of a rigorous cost-benefit analysis was shared by Commissioner Wright. But while the former considered that this was not a reason to vote against its release, Commissioner Wright did vote against publication of the report. In his Dissenting Statement he explains his reasons:
I dissent […, AB] because the Workshop Report includes a lengthy discussion of industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.
In the footnote accompanying the paragraph he explains that while the FTC’s reports do not have the force of law,
“there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adopt such recommendations as actionable. Where an agency’s recommendations regarding best practices are not supported by cost-benefit analysis, firms may respond by adopting practices or engaging in expenditures that make consumers worse off.”
He continues his criticism by explaining that this report followed a very unusual procedure when it comes to the FTC practice of publishing public reports on “novel, emerging or otherwise important issues”. Leaving procedural issues aside, his problems with the content itself are (briefly & paraphrased) as follows:
(1) The report is based on a one-day workshop, which is hardly the stuff of solid exploration of best practices and a strong basis for legislative recommendations.
(2) The rigorous cost-benefit analysis argument. Without it, the recommendations lack a strong footing. Apart from some assertions, there is no analysis at all that came from the Workshop itself.
(3) Commissioner Wright remains unconvinced that the proposed framework which entails a combination of Fair Information Practice Principles and concepts such as “security by design” is the best way to go about the Internet of Things framework.
He concludes, based on the foregoing, that the FTC should do more research before publishing the Workshop Report’s recommendations.