FTC in Cyberspace: Ready, or Not, for Coming Wave of Connected Devices

The Telecommunications Law Resource Center is the most comprehensive reference and news platform for communications law, covering broadcasting, cable, broadband, telephony and wireless;...

By David McAuley  

Nov. 15 --Along with data security and telecommunications, the Federal Trade Commission is facing yet another large regulatory challenge in cyberspace: how to protect consumer rights against the breaking tidal wave of Internet-connected devices capable of compiling and transmitting--without notice to or involvement by the consumer--vast amounts of personal information.

The agency's task is further complicated by looming budget and resource constraints that could blunt the agency's ability to maintain a track record of aggressive, effective consumer protection in the rapidly emerging “Internet of things.”

Internet industry professionals who spoke with Bloomberg BNA credit the FTC as a small but highly effective agency that has so far coped well with the risks to consumer privacy and security resulting from the growth of the Internet. But more rapid and technologically varied change is coming now, they said, in the form of the Internet of things.

What is the 'Internet of Things?'

The Internet of things refers to the ability of everyday, technologically advanced devices such as cars, cameras, and appliances to link with each other over the Internet, and in the process to create, collect, and transmit data back to companies, health-care providers, and other third parties. The number of cars connected to the Internet, for example, has been forecast to grow from 1 million in 2009 to more than 42 million in 2017.

Many objects in the Internet of things are able to measure and record the surrounding environment and to transmit that information elsewhere, whether to another device in a machine-to-machine (M2M) communication or to a person. A refrigerator, for instance, might send an alert that a power outage has lasted long enough to create a potential food-safety hazard; a thermostat could let a homeowner control the temperature at home from a smartphone app across town or across the globe; and a sensor that monitors indoor climate could tell a building manager that the humidity level is such that the plants need to be watered.

These capabilities will revolutionize just about every industry, from manufacturing (automatic parts replenishment) to medicine (connected implanted devices like pacemakers) to transportation systems (smart cars, buses, trucks, and roads).

Even farming will be impacted. In October, the Court of Justice of the European Union upheld a European Union law requiring that individual sheep and goats be fitted with electronic tracking devices to record their movements, as part of an effort to deal more effectively with outbreaks of disease.

“There is a wave of Internet of things devices coming, but we have experienced waves in the past.”


FTC Commissioner Julie Brill

And investment continues to rise as companies including Bosch, Cisco Systems Inc., Ericsson, General Electric Co., and International Business Machines Corp. launch new Internet of things products and services.

Dealing with Connected Devices

FTC Commissioner Julie Brill told Bloomberg BNA that the FTC is focused on figuring out how its rules on privacy and security will apply to the Internet of things, and how consumer notice and choice rights will be honored with respect to devices that have no user interface.

Brill said she does not currently see the need for new rulemaking. More important, she said, will be that the FTC get the message out “to the long tail of entities that are creating connected devices that we have appropriate laws governing privacy and security of consumers' data in place.”

And, she added, if there are data-security or data-use practices that cross the unfairness or deception line, then “we will continue to use our law enforcement authority as appropriate.”

She pointed to the agency's first enforcement action touching on the Internet of things, the TRENDnet Inc. settlement, wherein a developer of Internet-connected video cameras for home security and surveillance settled charges that hackers exploited lax security protocols in the system.

The FTC claimed that TRENDnet engaged in a number of practices that, taken together, failed to provide reasonable security measures to prevent unauthorized access to sensitive information (live feeds from Internet-connected cameras, many of which were in homes). It cited the company's poor handling of user login credentials, for instance. The agency said that TRENDnet's security claims constituted false or misleading representations, and its failure to provide reasonable security against unauthorized access to the live feeds was an unfair act or practice.

Christopher G. Cwalina, a partner with Holland & Knight LLP in Washington and co-chairman of the firm's data privacy and security team, told Bloomberg BNA that TRENDnet exemplifies how the FTC is adapting to the new mobile Internet environment. In TRENDnet, Cwalina said, the FTC went well beyond a misrepresentation claim and made a much more substantive claim--that the company failed to implement appropriate security architecture and to do critical vulnerability testing.

“This is much more substantive under the unfairness prong than a simple notice and consent case under the deception prong,” he said.

This was telling, Cwalina said, demonstrating the FTC's skill in adaptation and showing that “what the FTC was doing changed the landscape of legal practice in this area as we saw it.”

FTC Commissioner Maureen Ohlhausen also recently sounded a note of caution concerning the Internet of things. “I am very inspired by the transformative potential of the Internet of things but am also sensitive to the fact that the ability to collect large amounts of information and, in some cases, to act on that information also raises important consumer privacy and data security issues,” she said in remarks at a U.S. Chamber of Commerce conference Oct. 18.

FTC Experience With Technology Waves

Like Ohlhausen, Commissioner Brill has been active in efforts to protect consumer privacy in the face of new technological challenges. She called on engineers to help create technological solutions to some of the vexing privacy problems arising on the Internet in a speech at the Polytechnic Institute of New York University on Oct. 23.

“There is a wave of Internet of things devices coming, but we have experienced waves in the past, for instance in the area of data security and online tracking of consumers. I believe the FTC faces a tough task but that we are up to it,” Brill said.

In addition, the agency prides itself on its in-house technological skills and ability to keep up with evolving challenges, Brill said. “We work very hard to stay abreast of technological developments in something approaching real time so that we're not behind the curve.”

Despite the agency's relatively small size, Brill said she believes the FTC has a significant influence through the enforcement actions it undertakes. “We try to make sure that our cases are properly selected to have an appropriate impact especially as trends start to develop,” she said.

Nor is the agency acting alone, Brill observed. There are other agencies--state attorneys general, for example--that are active in this field as well.

Kirk Nahra, a partner at Wiley Rein LLP, Washington, told Bloomberg BNA that the FTC has used its authority well in coping with new challenges. For instance, he said, in the mobile technology field the FTC recognized several years ago that there were major privacy and security issues that were implicated that had not been addressed by existing regulatory structures.

He cited the settlement with Aaron's Inc., a rent-to-own chain, some of whose franchisees installed and used monitoring software and cameras on rental computers that secretly peered in on their customers' activities their homes.

The FTC charged Aaron's with playing a direct role in its franchisees' use of the monitoring software. Aaron's settled with the FTC Oct. 22.

“It's not clear precisely what authority the FTC acted on in that case or exactly what principles drove the enforcement decision but it was a clear, common sense outcome given that wherever the line of their authority was, this was way over it,” Nahra said.

While the FTC has been diligent, the technology is simply exploding, Nahra said, and inevitably the agency will struggle both in keeping pace with technology and in deciding how best to protect privacy and security without impeding technological growth.

Moreover, even as connected devices grow in number and complexity, the FTC's resource footprint may be held in check. Earlier this year, the FTC submitted a program budgetjustification to Congress for fiscal year 2014 that was pegged at $301 million and a full time staff of 1,176. This represents a decrease of just over $10.5 million from the FY 2013 “enacted” budget level.

So far, however, the agency has been able to soldier on under the impact of the budget sequester, Brill said. But, she added, “I personally worry about the next round coming in January.” The coming round, she said, might have an adverse impact on expenses that normally arise from litigation.

Is New Authority Needed?

The FTC's principal source of law enforcement authority stems from 15 U.S.C. Section 45, which authorizes the agency to prevent persons or corporations, with some exceptions, from using unfair methods of competition or unfair or deceptive acts or practices in their businesses.

Brill said that the FTC has many of the enforcement tools it needs to deal with the constantly evolving challenges that flow from Internet and mobile technologies.

Christopher Wolf, a partner at Hogan Lovells LLP, Washington, and founder and co-chairman of the Future of Privacy Forum, a Washington think tank aimed at advancing responsible data practices, agreed, telling Bloomberg BNA that the FTC is well prepared to address the coming wave of the Internet of things and other new issues that technology is throwing its way.

“This is an enormously effective law enforcement agency with knowledgeable professionals.”


Christopher Wolf, Hogan Lovells LLP

Wolf said that there are plenty of targets and plenty of opportunities to extend the agency's enforcement practices, although he noted that most businesses have gotten the message to take privacy and security seriously. Even though there are no new laws, there are various permutations of enforcement actions that “have effectively created a common law of consent decrees for companies to follow. I think that pattern will continue,” he said.

Wolf said that specialized laws will probably not be needed for FTC supervision of consumer issues associated with the Internet of things because existing principles can be adapted to new technologies.

To be sure, the FTC will need to think of new ways to deal with notice and choice in the context of devices having no user interface, but Wolf believes it is up to the task. “This is an enormously effective law enforcement agency with knowledgeable professionals,” Wolf said.

Plenty of Enforcement Tools at Hand

In addition to the FTC Act's baseline prongs dealing with unfair methods of competition and unfair or deceptive acts or practices, the FTC enforces several other laws and rules that impact electronic commerce and the Internet, including the agency's telemarketing sales and do-not-call rules, the CAN-SPAM Act, the Children's Online Privacy Protection Act (COPPA), the Gramm-Leach Bliley Act, the Health Insurance Portability and Accountability Act (HIPPA), especially with respect to security breach notifications, and the Fair Credit Reporting Act (FCRA).

Brill said that she would like to see federal regulation of data that currently falls outside the reach of FCRA. FCRA gives consumers an element of control of the use of data pertaining to them through notice, choice and an opportunity to require correction of mistakes. “I support data broker legislation to develop greater transparency around the data broker industry, legislation that would complement the FCRA,” Brill said.

For instance, she said, such legislation could allow consumers to suppress use of their collected information for marketing purposes, and would give them an opportunity to correct mistakes.

Whether the FTC will need new legislative authority to keep up will depend in large part on the outcome in the Wyndham case, Wiley's Nahra said (FTC v. Wyndham Worldwide Corp., No. 13-cv-01887-ES-JAD (D. N.J. originally filed June 26, 2012)). “If the court strikes down the FTC's ability to act in this kind of situation, there will be a significant enforcement void and Congress will face real pressure to give the FTC authority to act,” Nahra said.

The FTC sued Wyndham June 26, 2012, alleging that its failure to remedy a security system after a 2008 breach led to two later breaches and amounted to a violation of the unfairness prong of Section 5 of the FTC Act. Wyndham moved to dismiss the case Aug. 27, 2012, asserting that the FTC lacked legal authority to regulate data security practices via the FTC Act's “unfairness” prong.

Nahra added that one area where Congress could help the FTC would be to give them monetary enforcement capability. Their settlements generally oblige companies to obey the law, but those who get entangled with the FTC in an enforcement action don't feel the large monetary pain that a Department of Justice probe can bring, Nahra said.

Nahra said that the FTC has smart, talented, well qualified people, but in the mobile app area they face a real challenge in enforcing reasonable controls while not undermining technological development. “There's no law that solves that problem,” he said.

Dealing with Evolving Issues

Brill said she is concerned about “non-consumer-facing companies that are creating profiles about consumers--I worry about how those profiles are going to be used.” Consumer-facing companies have market-based incentives to be responsive to pressures from consumers and consumer advocates, “but these other entities don't face the same market pressures,” Brill said.

The wave and pace of technological development could impact how law firms advise their clients in this area, Steven B. Roosa, a partner at Holland and Knight, New York, told Bloomberg BNA. Roosa said that Holland & Knight established a computer research lab that enables it to conduct website, mobile app and product communication testing. He said the firm's lab was created in response to new tools at the FTC's disposal.

One of the most significant developments in the last three years with respect to FTC enforcement has been the rise of the “independent researcher,” Roosa said. “There is a group of extremely skilled researchers who are doing in-depth reviews of company websites, especially with respect to privacy representations, and they love to 'out' companies not living up to their privacy promises,” Roosa said.

The FTC at times contracts with such researchers, he added, to supplement their own sophisticated in-house technical skill level.

Roosa said what the firm's lab finds in client's websites and mobile applications is generally a disconnect between the persons responsible for managing the sites and those who maintain them, leading to noncompliance issues.

The firm's computer lab has tested hundreds of websites and apps and is now starting to test medical devices and even network-aware toys from the consumer's point of view, Cwalina said. For example, he said, a test may uncover that a client's website is working with third parties that are engaged in online behavioral advertising (OBA) but not adhering to the voluntary OBA standards of the Digital Advertising Alliance. That is something that the client would want to know, he said.

The lab, Cwalina said, helps answer clients' most important question, “What should we be worried about?”

FTC, Other Governments Looking Ahead

In all, 29 organizations submitted comments in preparation for an FTC Internet of things workshop to be held Nov. 19.

Among them was a comment from AAA suggesting addition of a vehicle technology session, at which the balance between consumers' demand for connectivity and the safety and privacy of motorists could be discussed. The agency's recently released workshop agenda included a session on privacy and security issues arising from “connected cars.”

The Consumer Electronics Association, in its comments, said the Internet of things will play a critical role in future job creation and economic growth. The government should refrain from creating regulations here until we fully understand the privacy and security risks that are implicated in this developing area, it said. “[C]onsumers will recognize that the sweeping benefits of the connected world are not possible without the collection of information and the sharing of information among devices.”

The Center for Digital Democracy, an advocacy group, urged the FTC to develop privacy safeguards quickly. “The combined impact of the mobile marketing and real time data revolution and the Internet of Things places consumer privacy at greater risk than ever before,” CDD wrote.

Meanwhile, the European Commission requested public comments in April 2012, with a view toward developing a potential regulatory framework to govern the Internet of things, but so far has not taken action on the idea. It did publish conclusions from public consultations on the subject, however.

The International Telecommunication Union, the United Nation's telecommunication agency, issued a report on the Internet of things in 2005. In the following years it convened a number of meetings aimed at developing global technical standards for the Internet of things; the ninth such meeting will take place in Geneva in late February.

This is the third story in a three-part series.  

To contact the reporter on this story: David McAuley in Washington at dmcauley@bna.com

To contact the editor responsible for this story: Bob Emeritz at bemeritz@bna.com

The FTC has scheduled a public Internet of things workshop on Nov. 19 to help it consider the consumer privacy and security issues posed by the growing connectivity of devices. For more information, visit http://www.ftc.gov/bcp/workshops/internet-of-things/.