FTC Says IoT Focus Should Be on Security, Privacy

In its report, the regulators say tech vendors and device makers must ensure that their systems and the data they collect are safe.

Download the authoritative guide: The Ultimate Guide to IT Security Vendors

IT security

Federal regulators say that while the growing Internet of things is already benefiting consumers in many ways, technology vendors and businesses building the connected devices must keep security and privacy at the forefront of their efforts.

In a report issued Jan. 27, the Federal Trade Commission laid out steps that vendors and businesses should take to ensure that as the Internet of things (IoT) grows by tens of billions of devices over the next few years, and that end users can be sure that the devices and systems they're using and the data those systems are collecting are safe.

"The only way for the Internet of things to reach its full potential for innovation is with the trust of American consumers," FTC Chairwoman Edith Ramirez said in a statement. "We believe that by adopting the best practices we've laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of things to be fully realized."

The bulk of the FTC's report is based on input from attendees—including technology experts, consumer advocates and academics—at the commission's IoT workshop in November 2013, as well as public comments submitted to the agency. Security was a key topic during the workshop, according to FTC officials.

Among the FTC's recommendations are ensuring that security is built into the devices from the start, rather than tacking it on during the design process, and making sure that employees are trained about the importance of security. In addition, outside service providers also should be able to meet minimum security requirements, and companies should ensure that unauthorized people can't access consumers' devices or data that is stored on the network, and that they have a comprehensive strategy for responding to a security situation.

The commission also recommended "data minimization," the practice of limiting the amount of consumer data collected and the amount of time that data is held.

The IoT is expected to grow rapidly over the next few years, and more devices and systems—from smartphones and tablets to wearable devices, home appliances, cars, home security systems and industrial systems—connect to the Internet and each other, exchanging massive amounts of data. Cisco Systems estimates that there were 25 billion connected devices worldwide last year, and that number will double by 2020.

Security and privacy have been ongoing concerns as the Internet of things has grown. The large number of connected devices increases the attack surface for hackers and other cyber-criminals, and many of these devices are not built with security in mind. In addition, the devices and systems that make up the IoT span a broad range of uses, from baby clothing to highly sophisticated security systems, and security needs.

Tech vendors are looking at ways to increase security for the IoT. For example, Cisco last year sponsored a $300,000 contest to find the best IoT security solutions.

The commissioners are putting much of the responsibility now on the tech vendors and business community, both in developing security and privacy measures and communicating with consumers about security issues and about how their data is—and should—be used.

The FTC's report also said the agency agreed with others that it's too early in the development of the IoT for specific legislation due to how quickly it's evolving. However, the commission is recommending laws regarding data security and breach notifications.