This week the Federal Trade Commission published a report focused on privacy and security issues related to the massive Internet of Things (IoT) trend, which includes the growing number of connected health devices. The report summarizes the discussions that took place at an FTC-hosted workshop in November 2013, and it also includes recommendations for the industry from FTC's staff, which they put together based on the workshop's discussion.
The workshop's health panel included five people: Scott Peppet, a professor at the University of Colorado Law School; Stan Crosley, director of the Indiana University Center for Law, Ethics, and Applied Research in Health Information, and counsel to Drinker, Biddle, and Reath; Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology; Jay Radcliffe, a senior security analyst for InGuardians; and Anand Iyer, president and COO at WellDoc. A full transcript of the entire workshop can be found here (PDF) -- the health-related discussion starts on page 164.
Notably, one FTC Commissioner -- Jeffrey Wright -- filed a dissenting opinion and argued that the FTC should not have published recommendations for IoT companies based on one workshop and public comments.
"If the purpose of the workshop is to examine dry cleaning methods or to evaluate appliance labeling, the limited purpose of the workshop and the ability to get all relevant viewpoints on the public record may indeed allow the Commission a relatively reasonable basis for making narrowly tailored recommendations for a well-defined question or issue. But the Commission must exercise far greater restraint when examining an issue as far ranging as the 'Internet of Things' – a nascent concept about which the only apparent consensus is that predicting its technological evolution and ultimate impact upon consumers is difficult. A record that consists of a one-day workshop, its accompanying public comments, and the staff’s impressions of those proceedings, however well-intended, is neither likely to result in a representative sample of viewpoints nor to generate information sufficient to support legislative or policy recommendations," Wright wrote.
He goes on to argue the FTC should have researched a rigorous cost-benefit analysis prior to offering its recommendations -- and not just acknowledge in passing that the FTC recommendations would carry potential costs and benefits.
The report notes that, in general, IoT brings up a number of security risks for consumers.
"IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption."
Some of the FTC staff's recommendations include a push for Congressional action related to general data security regulation -- not specific to IoT -- and a broad-based approach to privacy legislation: "Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices," the write.
While it is pushing for a broad-based law, the agency specifically cited health-related data and that HIPAA doesn't cover all health-related data.
"Workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor’s office or insurance company," the wrote. "Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses."