On June 15, the Representation of the state North-Rhine Westphalia to the EU hosted a panel of renowned experts and high-level representatives from the European Commission and the industry, all gathered in Brussels to answer a daunting question: does the EU data economy need an industry data protection right?
Things that caught our eye
The US Federal Trade Commission (FTC) released a Staff Report [PDF] on the Internet of Things earlier today. The report is based on a workshop that the FTC had hosted in late 2013 and holds several recommendations for companies developing Internet of Things devices. Though many have already reported on the release, I would like to focus here on the separate statement [PDF] made by Maureen K. Ohlhausen and the dissenting statement [PDF] made by Commissioner Joshua D. Wright. While the former had hesitations but supported the publication, the latter was clear in his opposition to publication of the report.
The Report’s recommendations
As the focus here is on the separate statments, I will suffice with the words from the FTC itself in its press release summarising its recommendations to companies developing IoT devices:
- build security into devices at the outset, rather than as an afterthought in the design process;
- train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
- ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
- when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
- consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
- monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
The Separate Statement by Commissioner Maureen K. Ohlhausen
Though Commissioner Ohlhausen did vote in favour of publication of the report itself, she took the opportunity [PDF] to show her dissatisfaction with two of the staff report’s recommendations.
In her own words:
First, I do not support the recommendation for baseline privacy legislation because I do not see the current need for such legislation. The FTC’s Section 5 deception and unfairness authority already requires notice and opt-in consent for collecting consumers’ sensitive, personally identifiable information. It also protects against uses of personal information that cause substantial, unavoidable consumer harm not outweighed by benefits to consumers or competition. Furthermore, sector-specific laws, such as FCRA, provide additional protections for consumers. Thus, I question what current harms baseline privacy legislation would reach that the FTC’s existing authority cannot.
Second, I am concerned that the report’s support for data minimization embodies what scholar Adam Thierer has called the “precautionary principle,” and I cannot embrace such an approach. The report, without examining costs or benefits, encourages companies to delete valuable data – primarily to avoid hypothetical future harms. Even though the report recognizes the need for flexibility for companies weighing whether and what data to retain, the recommendation remains overly prescriptive.
As a final note she states that she would have liked to see the report include a full exploration of the emerging tension between information technology (including IoT) and the Fair Information Practice Principles’ approach to protecting consumer privacy. She continued:
The staff report acknowledges the conflict, but fails to grapple with it in a substantial way. We will need to address these issues in the relatively near future, and I look forward to playing a role in that effort.
The Dissenting Statement
The criticism by Commissioner Ohlhausen of the report’s lack of a rigorous cost-benefit analysis was shared by Commissioner Wright. But while the former considered that this was not a reason to vote against its release, Commissioner Wright did vote against publication of the report. In his Dissenting Statement he explains his reasons:
I dissent […, AB] because the Workshop Report includes a lengthy discussion of industry best practices and recommendations for broad-based privacy legislation without analytical support to establish the likelihood that those practices and recommendations, if adopted, would improve consumer welfare.
In the footnote accompanying the paragraph he explains that while the FTC’s reports do not have the force of law,
“there is a very real danger that companies may reasonably perceive failure to achieve those practices or to adopt such recommendations as actionable. Where an agency’s recommendations regarding best practices are not supported by cost-benefit analysis, firms may respond by adopting practices or engaging in expenditures that make consumers worse off.”
He continues his criticism by explaining that this report followed a very unusual procedure when it comes to the FTC practice of publishing public reports on “novel, emerging or otherwise important issues”. Leaving procedural issues aside, his problems with the content itself are (briefly & paraphrased) as follows:
(1) The report is based on a one-day workshop, that is hardly the stuff of solid exploration of best practices and a strong basis for legislative recommendations.
(2) The rigorous cost-benefit analysis argument. Without it, the recommendations are not based on a strong footing. Apart form some assertions, there is no analysis at all that came from the Workshop itself.
(3) Commissioner Wright remains unconvinced that the proposed framework which entails a combination of Fair Information Practice Principles and concepts such as “security by design” is the best way to go about the Internet of Things framework.
He concludes that based on the foregoing, that the FTC should do more research before publishing the Workshop Report’s recommendations.
Things that caught our eye
I’ve been interested in the concept of Smart Cities for two reasons: For one, part of my dissertation is based on the assumption that Smart Cities are the way governments in the near future are going to want to go. If that happens, government bodies will be collecting more and more data from civilians, thus, posing a threat to data protection. Secondly, because I think Smart Cities could entail great opportunities for us to live in a sustainable community, if regulated appropriately. But one problem remains:
“The smart city is full of barriers. First you must be able to connect to the network. Then you must show your credentials by logging in. It’s like showing your passport to take a walk in the park.”, as Dr. Anthony Townsend points out.
Much like inequality, usually people look to the legilsator to solve issues such as exclusion. But I am a strong defender of the idea that if everything we do, think, use, buy, eat and so on, is connected (“Internet of Things“), then the way to solve problems arising with this network of everything is not just to take a regulatory approach. We need interdisciplinary solutions.
Townsend’s presentation, he held as part of Delft University of Technology’s 173rd Dies Natalis, was titled: “Can engineers build inclusive Smart Cities?” and his answer was: YES. He showed three approaches which could help solve the exclusionary concerns Smart Cities entail. Therefore, providing three areas that could be improved by engineers without any help of the legislator:
I will leave you with that and hope to have given you some food for thought. Enjoy Townsend’s full presentation and others on Smart Cities here.
A nightmare from the Internet of Things has arrived just in time for Christmas: images from thousands of internet-connected cameras from all over the world are publicly available, online, and ready for anyone to easily view. In September, MailOnline reported about an unspecified website that allows ‘home hackers’ to spy on people through internet-connected cameras. About a week ago, Motherboard‘s Joseph Cox also reported on the website without explicitly mentioning the website’s URL in his article. However, by linking to a WHOIS-record of the website’s domain name, Cox gave away the website’s URL. Many Dutch media are now reporting about the website and mention the website’s URL: insecam.com.
From pictures of backyards to schoolyards, detention centres to daycare centers, and even living rooms, you can watch them all on insecam.com. After browsing the website for a while, I saw many pictures of recognizable people having a coffee or working at their office. Below are some less-intrusive examples that hopefully still illustrate the magnitude of the privacy problems at issue.
Things that caught our eye
The European Data Protection Supervisor (EUDPS), who “is an independent supervisory authority devoted to protecting personal data and privacy and promoting good practice in the EU institutions and bodies”, recently gave a speech in Mauritius on account of the 36th International Conference of Data Protection and Privacy Commissioners . In his speech (PDF), the EUDPS Peter Hustinx, dealt with the difficulties of enforcing privacy laws which are restricted to territorial borders in a world of “borderless Internet technology”.
Two of the examples he gave of problems in this area I would like to highlight here. In relation to the Internet of Things (IoT) he mentioned:
“[W]e have heard at this conference that very few objects or devices for the future IoT are being devised with serious attention for privacy implications. Therefore, boxes with diverse gadgets, just being sent off to other parts of the world, without any thought given or information provided on privacy aspects, are simply a disaster happening in slow motion.”
[T]he highly critical and sometimes aggressive reactions to the recent CJEU judgment in the Google Spain case show a disconnect between the assumption that available information can be re-used and the requirement that processing of personal information must always be legitimate and may be subject to rights of erasure or objection by the data subjects.
The remainder of the speech deals with questions on feasibility of privacy in a borderless world, which provides for an interesting status quo of what is done in this area.
Read the full speech here.
Interesting final note. Peter Hustinx, is currently the EU Data Protection Supervisor, but the procedure for appointing his successor is in full swing. Latest development here is that his current assistant, Giovanni Buttarelli, has received the most votes in the Civil Liberties Committee last week, and will therefore be the most likely successor of Mr. Hustinx for the role of EU Data Protection Supervisor.
Image Credit: “Internet of Things” by Wilgengebroed on Flickr – Cropped and sign removed from Internet of things signed by the author.jpg. Licensed under Creative Commons Attribution 2.0 via Wikimedia Commons