The IoT needs PByD: FTC Looking at Privacy and Security in the Age of Smart Homes

The Internet of Things is the phrase used to describe technology that talks to technology: connected sensors and embedded devices. Think of smart homes (your refrigerator knows what to restock and when; your HVAC adjusts to your schedule) and personal tech (your heart monitor talks to your health care provider). The FTC recently convened a workshop to address the privacy and security considerations surrounding such applications; see:

http://www.ftc.gov/bcp/workshops/internet-of-things/FINALAGENDA-11-13-13.pdf

In conjunction with the event, the Future of Privacy Forum released “a whitepaper arguing for a new privacy paradigm in the new highly connected world.”

http://www.futureofprivacy.org/2013/11/19/fpf-releases-a-new-privacy-paradigm-for-the-internet-of-things/

The whitepaper authors argue that the notice-and-consent model of the usual customer/consumer privacy paradigm may be neither relevant nor sufficient in a world where the uses of data cannot be known until after the data has been collected and employed. The argument therefore shifts to Privacy By Design strategies for tackling these thorny issues: anonymization of data; transparency; codes of conduct; and accountability/accessibility.

See the IAPP summary of the workshop issues at: https://www.privacyassociation.org/publications/is_notice_and_consent_possible_with_the_internet_of_things

If we don’t get a handle on this now, that wristband I’m wearing may soon force me to add another mile to my jog because it knows what I had for lunch! Let’s move, indeed!

And in more IoT news, along comes the worm:

http://allthingsd.com/20131130/a-new-worm-proves-that-the-internet-of-things-is-vulnerable-to-attack/#!

My new excuse: the bathroom scale’s been hacked!

UPDATE:

Google has acquired Nest, the maker of “connected” thermostats and smoke detectors. According to a statement one of Nest’s founders gave to TechCrunch, Nest will only use customer information for “providing and improving Nest’s products and services,” indicating it will not be used for Google’s larger advertising schemes. Of course, the commentators are lining up to speculate about what Google will do with all that data collected straight from a consumer’s home, much as they have about the connectivity consumers have been using in their cars. And now Detroit is increasing that connectivity with cars that can connect to the Internet independently, running custom apps on their own.

See info on Google’s acquisition of Nest: http://www.engadget.com/2014/01/13/google-acquires-nest/

And, GM’s 2015 roll-out of more connected cars: http://business.time.com/2014/01/07/your-car-is-about-to-get-smarter-than-you-are/

Fun from tomfishburne.com:


And then along came Fridge Spam:

“More than 750,000 Phishing and SPAM Emails Launched from ‘Thingbots’ Including Televisions, Fridge”

“The attack is believed to be one of the first to exploit lax security on devices that are part of the ‘internet of things.’”

See the press release from Proofpoint: http://www.proofpoint.com/about-us/press-releases/01162014.php

And, BBC update:

http://www.bbc.co.uk/news/technology-25780908#!


DNTK – Do Not Track Kids – Proposed Legislation

No real eraser button?

Senator Ed Markey (D-Mass.) has introduced a bill to amend the Children’s Online Privacy Protection Act of 1998 to “extend, enhance, and revise the provisions relating to the collection, use and disclosure of personal information of children, to establish certain other protections for personal information of children and minors, and for other purposes.” In the Findings included in the bill, the proponents note that a Wall Street Journal study (2010) found that websites directed to children and teens were more likely to use cookies and other tracking tools than sites directed to a general audience. The legislation would prohibit “operators” (including mobile apps) from collecting personal information, including location data, from children fifteen and younger without that person’s permission (parental or guardian permission is already required under COPPA for children 12 and under).

A Republican sponsor, Rep. Joe Barton (R-Tex.), says that “It is important that our teenagers receive protections. They are prone to mistakes; we need to make sure those mistakes aren’t exploited online.”

http://www.markey.senate.gov/documents/2013-11-14_Markey_DNTK.pd

Meanwhile, California has also just passed the online “eraser” law. California SB 568 requires “the operator of an Internet Web site, online service, online application, or mobile application to permit a minor who is a registered user of the operator’s Internet Web site, online service, online application, or mobile application, to remove, or to request and obtain removal of, content or information posted”. The law takes effect on January 1, 2015. It also prohibits websites from marketing products such as e-cigarettes and tattoos to minors.

Despite the DNTK proposal, state legislatures and attorneys general continue to take the lead in privacy legislation and enforcement. See http://www.nytimes.com/2013/10/31/technology/no-us-action-so-states-move-on-privacy-law.html

See also, State AGs Chuckle at Idea of Federal Breach Law: https://www.privacyassociation.org/publications/amidst_u.s._govt_shutdown_state_ags_chuckle_at_idea_of_federal_breach_law


And, in other California news, the state has also enacted AB 370, its own “Do Not Track” law. The legislation requires owners of commercial websites and online services (again, “operators”) to conspicuously post a privacy policy, which must disclose the categories of personally identifiable information the operator collects and with whom the operator shares it. The law also addresses Do-Not-Track (“DNT”) signals sent from browsers: it requires operators of websites and online services to notify users how they respond to DNT signals.

“Operators” include website operators and, per the California AG, software operators and mobile apps that collect and transmit PII online. The law does not prohibit commercial websites or online services from tracking and gathering personal information from their users; it addresses only notice policies and procedures. In that regard it does not require an “opt-in” on the operator’s website or app, which would require a consumer/customer to affirmatively allow the operator to share PII. It is an update to CalOPPA (the “California Online Privacy Protection Act of 2003”).

http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201320140AB370

And see also: the FTC has denied an application by AssertID, Inc. seeking approval of a proposed verifiable parental consent method under COPPA.

In a letter to AssertID, the Commission noted that the company’s proposal failed to provide sufficient evidence that its method would meet the requirements set out under the rule. Specifically, the Commission found that there was not yet adequate research or market testing to show the effectiveness of AssertID’s “social-graph verification” method.