IoT Device Makers Want E-Privacy Reform


By Joseph Wright

July 29 — Reforming federal electronic privacy law would help the nascent Internet of Things industry by providing greater certainty that it could pass on to its customers, industry representatives told a Congressional panel July 29.

“The problem comes when I have to tell a customer ‘I don't know’ about the answer to the question of when I have to hand over information,” Morgan Reed, executive director of ACT - The App Association, said.

Reed said that provisions of the current Electronic Communications Privacy Act, 18 U.S.C. § 2510, et seq., that allow the government broad access to older data stored in the cloud also affect U.S. companies' ability to protect consumers' data from foreign governments.

“If the United States government says we have access to any cloud data at any time on any person in any way we darn well please, regardless of where the data is stored or who it's on, we have to expect that Russia will want the same privileges from our companies, that China will want the same privileges from our companies,” Reed said. What is needed, he said, is stronger legal protection for such data so that it cannot simply be handed over.

Reed and others testified at a House Judiciary Committee panel hearing on the Internet of Things.

Shut the Back Door

Reed and other witnesses said that end-to-end encryption provides the best guarantee for the security of IoT devices and the best way to avoid incidents such as the recent hacking of a Jeep on a Missouri highway in a controlled experiment. In response to questioning from Rep. Suzan DelBene (D-Wash.), the witnesses all agreed that mandating law enforcement “backdoors” to that encryption was the wrong approach.

Calling backdoors a “Pandora's box,” Dean C. Garfield, president and chief executive officer of the Information Technology Industry Council, said providing a backdoor for law enforcement necessarily gives bad actors another entryway into consumers' data as well.

“I think the impact would be quite negative, both here and internationally, for a host of reasons,” Garfield said. “Security is a part of advancing privacy, and if you create any kind of door, it won't only be used by those you intend it to be used by.” Garfield suggested, based on his own experience, that law enforcement agencies should deploy technology to solve their problems rather than fighting technology.

Reed said such an approach would be “anathema” to telling customers that their data is secure. “We know the answer, and that is that end-to-end encryption with as few openings as possible is the best solution we can provide to all citizens in every country,” he said.

Gary Shapiro, president and CEO of the Consumer Electronics Association, said that although he sympathized with the difficult job of law enforcement, companies will “step up and help government” when crises such as the 2013 Boston Marathon bombing happen and law enforcement needs data from companies in order to act quickly.

Federal Bureau of Investigation Director James Comey has been an outspoken advocate of building backdoors for law enforcement into encrypted devices.

Sector-by-Sector Approach

Garfield echoed other witnesses in requesting a light-touch approach to regulation, one that allows for the development of industry best practices as the pace of innovation outstrips that of regulation and that allows markets to punish bad actors. To the extent the IoT industry requires regulation and enforcement, he said, a sector-by-sector approach is appropriate.

“We're talking about the Internet of Things as if it's a single thing, but it's not,” Garfield said. He said that sensors transmitting data about windshield wiper usage, which could tell others about rainfall, could require much less privacy protection than, for example, smart watches providing biometric health monitoring of an individual.

Citing a recent study, Reed said that the medical wearables industry is currently being held back by outdated privacy rules: only 15 percent of doctors are recommending wearable monitoring devices for patients even though 50 percent of doctors think such devices would be helpful. The gap was explained by privacy concerns, both from patients and from the doctors who would be charged with keeping patient data private.

The health technology industry is working on a series of best practices to address those concerns. “We believe the FTC will be a good enforcement mechanism for such best practices,” Reed said.

Rep. Jerrold Nadler (D-N.Y.) asked whether Congress should be setting clear rules, at least on notice to consumers about potentially giving up aspects of privacy. Shapiro agreed that clear and conspicuous notice makes sense but said it is already within the ambit of the Federal Trade Commission and can also be addressed through private civil lawsuits. The FTC's case-by-case approach, he said, “is a good approach, because this is a quickly evolving area.”

If Congress does choose to regulate, Nadler asked whether IoT services should be treated differently from other data collectors and companies connected to the Internet. Shapiro said that IoT provides a wide variety of capabilities in many different areas and should not be regulated in a generic way. “If you're going to legislate, it should be very specific, narrow and address a real problem,” Shapiro said.

To contact the reporter on this story: Joseph Wright in Washington at

To contact the editor responsible for this story: Thomas O'Toole at