Preserving Privacy Without Harming Innovation Key Question at IoT Hearing

“No one is talking about overregulating,” said ranking member Bill Nelson, D-Fla., in opening remarks. “The promise of the Internet of Things must be balanced with real concerns over privacy,” because it’s one thing for a refrigerator to tell a consumer he or she needs to buy more milk, but it’s another for a refrigerator to tell a store the same thing for marketing purposes, he said. Another concern for Nelson is the vulnerability to hackers, because he said that hacking into the devices, which include insulin pumps and pacemakers, threatens U.S. cybersecurity and people's physical safety.

While consumer confidence is “paramount” to the success of the IoT, government “must not overregulate and stifle innovation,” said Mike Abbott, general partner at Kleiner Perkins, a venture capital firm that has more than $300 million in IoT investments. “My bet is that these technologies will likewise become unobtrusive, another chapter in how entrepreneurs and their innovations can help improve the quality of life for new generations, in this country and around the world.” Due to the rapid changes in the IoT sector, Adam Thierer, senior research fellow at Mercatus Center at George Mason University, recommended the government adopt a “flexible policy regime,” similar to what policymakers created in the mid-1990s related to the Internet. One-size-fits-all regulation “will limit innovative opportunities,” Thierer said. “Long-term privacy and security protection requires a multifaceted approach,” and the FTC will continue to play an “important backstop role” to police “unfair and deceptive” practices, Thierer said.

“Connected devices and data fundamentally change how people and industries work and agriculture has not escaped that,” said Lance Donny, CEO of OnFarm, a company focused on solving the interoperability and use of devices and data in agriculture. “Data is everywhere. It drives decisions and enables farmers that adopt it to be globally competitive.” The “flood of data” is overwhelming to farmers, Donny said. “Analytics or ‘big data’ software that create order and provide insights is the key to delivering the promise of the Internet of Things,” he said. “Industry is in the best position to develop the technological standards and solutions to address global IoT ecosystem opportunities and challenges,” said Doug Davis, vice president of Intel’s worldwide IoT Group. “Government should encourage industry to collaborate in open participation global standardization efforts to develop technological best practices and standards.”

If IoT devices are going to be used to improve Americans' lives, “these sensor- and Internet-enabled devices must be purposefully designed with consumer privacy and empowerment in mind,” said Justin Brookman, Center for Democracy & Technology director-consumer privacy. He rhetorically questioned the value of a smart toaster and posed the question, “Even if there are incremental advantages to some connected devices, might the downsides in some cases outweigh the benefits?” Security vulnerabilities have been documented by academics for years, Brookman said, because computer chips used in the devices are often cheaply produced, rarely updated or patched, and are highly susceptible to hacks.

Given that data brokers earn more than $600 billion in annual revenue, Sen. Joe Manchin, D-W.Va., said he understood why many companies don’t want any kind of privacy law. “It’s a big moneymaker,” he said. “If you’re smart enough to create an algorithm to send information around the world, you should be able to create an algorithm to protect consumer privacy and security,” said Sen. Ed Markey, D-Mass. If a device is found to be fundamentally insecure, “class-action lawsuits will fly,” Thierer said. Sen. Richard Blumenthal, D-Conn., asked Thierer what law would allow consumers to proceed with a lawsuit and how consumers would know their privacy had been violated. Thierer said consumers would be protected under current consumer protection laws and general torts. Markey and Blumenthal at the hearing introduced legislation to protect drivers' privacy and security in IoT devices in automobiles (see 1502110043">1502110043).

Sen. Kelly Ayotte, R-N.H., asked whether the FTC definition of fair and deceptive practices was clear enough for businesses. Thierer said the definition has been flexible throughout history, later saying some companies are challenging the agency’s authority. The FTC and other federal agencies have done a lot to educate and protect consumers, Thierer said in response to a question from Sen. Steve Daines, R-Mont. Sen. Cory Booker, D-N.J., used the bulk of his time asking his colleagues to encourage innovation, not restrict it. However, there are a lot of legitimate fears, Booker said.

Harms should be addressed as they develop instead of pre-emptively figuring out every problem before technology can go forward, Thierer said, recommending to Sen. Deb Fischer, R-Neb., that the government create a vision instead of a plan to regulate the IoT. Encryption will help protect consumers’ privacy but is not a “panacea,” Abbott responded to a question by Sen. Brian Schatz, D-Hawaii. Davis agreed. Blumenthal said a majority of IoT devices have no encryption. Given that there's a spectrum of information collected, from thermostats to medical devices, Abbott said he didn’t think it was appropriate to have a single security policy or data sharing policy. Brookman sought broader data breach legislation that would require consumers to be notified, even if their financial information weren't affected. “If my pictures or email was hacked, I would want to know about it,” he said.