Who's in Charge of Regulating the Internet of Things?


It's complicated.

The “internet of things” refers to a group of technologies so vast the term is beginning to lose meaning.

The internet of things hints at a vision of a ubiquitous network of electronics: refrigerators pinging their owners’ smartphones if they’ve run out of eggs, wearable devices that can detect the tell-tale vibrations of nuclear testing, and cars slowing down based on proximity to other cars. The future of the internet of things is a rich web of sensors constantly amassing more data.

Increasing interconnectivity might help consumers—who doesn’t want their washer-dryer to text them when their clothes are done?—but could also create new risks. The most granular data about individual consumers, down to their thermostat settings, might be available to hackers who can infiltrate the wireless networks that connect hundreds of devices, or even the devices themselves.

As the cyber and physical worlds become intertwined, intruders could also control tangible objects—remotely turning off someone’s lights, or worse, disabling the power grid.  

So, who governs the internet of things? Who ensures connected and self-driving cars don’t put their passengers in danger, that security cameras don’t relay video feeds of their users to third parties, or that data collected from billions of consumer devices can be used without compromising personal information?

For now, it’s still not clear.

Today, several agencies, including the Food and Drug Administration, the Federal Communications Commission, the Federal Trade Commission and the National Highway Traffic Security Administration, have authority over some aspects of the internet of things.

Experts tell Nextgov the regulatory framework isn’t well defined and that agencies will likely need to work together as cases arise that expose the potential downsides of widespread connectivity.

As more IoT-related cases begin to test the regulatory framework, “the main thing that connects them is they’re going to have internet connectivity of some sort,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. “Regulating a Fitbit is very different from regulating an automobile or regulating an implantable medical device like a defibrillator.”

Here’s a look at some of the discussions federal groups are having about regulating the internet of things.

What Is the ‘Internet of Things’?

Though they might be talking about the same general concept of connectivity, federal agencies don’t have an exact definition for the “internet of things.”

In the past, for one, FTC has defined it as “devices or sensors,” not including computers, smartphones and tablets, “that connect, store or transmit information with or between each other via the internet.”

The National Institute of Standards and Technology recently attempted to create a definitive lexicon for the concept. In its new outline, NIST distinguishes between a network of internet-enabled objects—an “internet of things”—and a group of objects and devices connected to each other, but not necessarily the internet: a “network of things.”

The intent, NIST wrote, is to give technologists a vocabulary that guarantees they’re talking about the same elements when discussing parts of the internet of things.   

NIST described the building blocks of such a connected network, which include sensors, aggregators, communication channels, external systems and a decision trigger. For instance, a motion-sensing light might detect no one is in the room and transmit that information through some communications channel to an aggregator. The aggregator collects data from sensors and sends it to an external site, like a laptop, which relays it to a decision trigger that turns the light off.

In April, the Commerce Department began collecting public comment on the internet of things and what role the government should play.

“With respect to current or planned laws, regulations and/or policies,” the agency asked, “[a]re there examples that … foster IoT development and deployment, while also providing an appropriate level of protection to workers, consumers, patients and/or other users” of the internet of things? “Are there examples that … unnecessarily inhibit IoT?”

Commerce’s National Telecommunications and Information Administration would not discuss findings with Nextgov but eventually plans to issue a report in the fall identifying important policy issues.

A Patchwork Project: What Might a Regulated Internet of Things Look Like?

Two FTC reports outline some of the government's concerns, including facilitating attacks on other systems and unauthorized access and misuse of personal information. For example, companies could harvest, and later use, the data collected from the internet of things in ways the consumer did not authorize.

Early conversations about regulations are primarily focused on keeping consumer data private, said Nyla Beth Gawel, a principal at Booz Allen Hamilton’s IoT business.

For hints as to what the government’s biggest concerns are, Gawel told Nextgov she looks to FTC case law and requests for comment on potential internet of things policy issues from NTIA. (Booz Allen’s customers include federal agencies trying to implement their own internet of things solutions.)

“Because of the huge amount of personal data that is being gathered, including data that, if one or two pieces are taken, might be technically anonymous ... it’s very easy to roll that up into a very detailed, very personalized picture of individuals,” Rick Parrish, an analyst with Forrester, told Nextgov.

Parrish said he also hears government leaders pushing for regulations protecting people’s physical safety—“parts of people’s cars and homes and toasters and everything.”

Asked which internet of things sub-sectors government leaders are most concerned about, EFF’s Tien said he thought medical devices and connected cars were likely to be the government’s first priorities for increased regulation, as those devices have a direct impact on people’s lives.

But “government’s not really trying to push any specific standards, because [the internet of things] is really market vertical,” Gawel said. “What I’m hearing from leaders is, ‘How do we smartly use the existing standards bodies?’”

There is also not a strong push to create a new regulatory body that would focus on the internet of things, Parrish said.

Parrish predicted the regulation of the internet of things could loosely be compared to that of airplanes. The Federal Aviation Administration handles flight safety, the Transportation Security Administration screens passengers, and state and local law enforcement groups also step in when needed.

“They all sort of triangulate around a single industry,” he said.

The bigger challenge is getting agencies to coordinate their regulatory efforts, Parrish said.


The Expectation of Privacy: Industry vs. Consumers

Tech companies and entrepreneurship advocates have warned Congress to avoid strict regulation of the internet of things.

Policymakers should “send a clear green light to entrepreneurs letting them know that our nation’s default policy position remains ‘innovation allowed,’” Adam Thierer, a research fellow at George Mason University’s Mercatus Center, testified during a Senate hearing on the internet of things last year.

And policy interventions shouldn’t be based on “hypothetical worst-case scenarios, or else best-case scenarios will never come about,” he said.

But consumer privacy advocates, including Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology, have urged Congress to create a comprehensive law about collecting personal information.

During that hearing last year, Brookman pointed to Samsung’s SmartTV, which was found to have been collecting potentially sensitive information from viewers speaking close enough to the device for a microphone to detect their conversations.

“Companies should be required to offer consumers reasonable transparency and control over how their data is collected,” he said.

Morgan Reed, executive director of the Association for Competitive Technology, which represents app makers, urged Congress to step in on data privacy, during testimony for a House IoT hearing held last summer.

"The problem comes when I have to tell a customer, 'I don't know' when they ask which of their data could be passed along to the government,” he said then.

During that hearing, Rep. Ted Poe, R-Texas, suggested updating the Electronic Communications Privacy Act, under which cloud-based information is considered private for six months.

"But six months and one day, the government can have it and there's no expectation of privacy,” according to Poe.

Congress must “set the expectation of privacy for individuals that have shared their information with different entities," Poe said.

Regulating Lightly: The Discussion in Congress


Not all lawmakers support strict regulation of the internet of things. Congress has issued two pieces of legislation promoting connected technology as a driver of economic activity in the U.S.: the Developing Innovation and Growing the Internet of Things, or DIGIT, Act, and a resolution calling for a national strategy for the internet of things.

“We should let consumers and entrepreneurs decide where [the internet of things] goes, rather than setting it on a Washington, D.C.-directed path,” Sen. John Thune, R-S.D., said during the Senate hearing on the topic last February. “Let’s not stifle the internet of things before we and consumers have a chance to understand its real promise and implications.”

Broadly, lawmakers have promoted the internet of things, EFF’s Tien told Nextgov.

“It’s one thing if something moves along unregulated, but you’re not being pushed by federal PR,” he said. “But here, they’re pushing it, and at the same time, it’s not particularly well regulated.”

The DIGIT Act

Sens. Deb Fischer, R-Neb., Kelly Ayotte, R-N.H., Cory Booker, D-N.J., and Brian Schatz, D-Hawaii, introduced the DIGIT Act in March, which directs FCC to produce a report on the internet of things’ potential spectrum needs and creates a working group led by the Commerce secretary that would study the internet of things.

“[P]olicies governing the internet of things should aim to maximize the potential and development ... the benefit of stakeholders including businesses, governments and consumers,” that bill says. The Senate Commerce Committee approved that legislation in April.

National Strategy on the Internet of Things

Last year, the Senate passed a resolution calling for a national strategy on the internet of things, and some critics have asked whether a top-down strategy is necessary to guide tech companies into the market.

It could be critical, says Daniel Castro, director of the Center for Data Innovation, a part of Washington think tank the Information Technology Innovation Foundation. CDI has published a report arguing the United States should have a stronger strategy on the topic.

Policies that support technological development and avoid “the impulse to regulate or if needed, [regulate] with a light touch” have propelled other systems, such as the internet or global positioning systems, into the mainstream, the report says.

“[I]f poorly designed, government regulations can make deploying IoT technologies more expensive and less valuable,” CDI says. For one, suggestions that FTC should require that devices collect the minimum amount of data “would be damaging as there may be one primary reason to collect data, but innumerable other ways to use the same data beneficially beyond its initial purpose.”

The internet of things national strategy could send “a clear message to legislators and regulators that this technology is important and that overregulation or poorly designed regulation would limit its growth.”

How the Federal Trade Commission Regulates the Internet of Things

In February, Taiwan-based computer hardware manufacturer ASUSTeK Computer settled charges from FTC that its routers had major security flaws that could expose users’ sensitive information.  

“ASUS could have prevented many problems if it had followed well-known, secure software design, coding and testing practices,” according to a blog post written by FTC attorney Lesley Fair. When security researchers tried to alert the company, ASUS’ response took months.

The ASUS case is one of a handful that have highlighted the risks the internet of things could pose to consumers. Another dealt with a security camera company whose video feeds were accessible to outsiders with just an IP address. Both are instructive for businesses trying to enter the internet of things market.

“Yes, you want to get your product to market ASAP, but take the time to design security in at the outset,” the blog post said. “That’s a particularly important consideration in the internet of things where the insecure design of one product can affect multiple connected devices.”

FTC has recommended Congress issue “strong, flexible and technology-neutral federal legislation” that would help it enforce data security and notify consumers of data breaches, according to a report published in 2015. Data security legislation could help “protect against unauthorized access to both personal information and device functionality itself.”

The internet of things also requires “baseline privacy standards,” that report said. FTC, however, can’t mandate privacy disclosures “absent a specific showing of deception or unfairness.”

More broadly, though, FTC has concluded that “while the internet of things has several unique practical challenges in privacy and data security … the legal framework that surrounds it is for the most part the same as the legal framework that applies to other types of technology,” FTC Attorney Adviser Neil Chilson said.

But IoT manufacturers do face a unique challenge. “[A] lot of these devices are somewhat disposable and updating their security may [be] economical for a company, may not … but the device may still be out there in the wild, consumers may still be using it,” Chilson said.

Chilson described FTC’s approach to internet of things regulation as “post hoc.” In cases like that, “we wouldn’t be setting a rule about how people should update their devices,” Chilson said. “We would bring a case against [companies] who failed to do that in a reasonable manner.”

Other companies could review FTC case law for guidance about “where somebody else got in trouble and what was considered not reasonable,” he said.

How FCC Looks at Internet of Things Spectrum

In July, FCC voted to open up certain new bands of spectrum—radio frequencies that allow devices to communicate with each other—for licensed and unlicensed use.

The new bands could support parts of the internet of things such as "wearables, fitness and health care devices, autonomous driving cars, and home and office automation,” according to FCC.

Broadly, FCC has two main goals with the internet of things, a spokesperson told Nextgov: Making “ample suitable spectrum” available for the devices and service providers, and also ensuring “competitive access” for the data services that work alongside the internet of things.

Connected Cars

One of the most potentially problematic aspects of the internet of things is cars. A report last year in Wired demonstrated hackers could wirelessly access cars—stopping the accelerator or disabling the brakes—by taking control through the entertainment system.

Many cars manufactured in the past few years can get on wireless networks, often for the purposes of navigation or sharing information with other cars about where they are, but that same network connection can make the cars accessible to intruders.

From a regulatory perspective, self-driving cars may be even more problematic. A recent fatal crash involving a Tesla on auto-pilot showed that potential technical failures could cost human life, sparking debate about whether the tragedy was Tesla’s responsibility to prevent, or the driver’s.

Congress has been keenly aware of these risks. In November, Rep. Ted Lieu, D-Calif., introduced the Security and Privacy in Your Car, or SPY CAR, Act, which would require the National Highway Safety Transportation Commission to do a 1-year study on regulatory systems for car software cybersecurity.

Though “rushing to regulation” isn’t the answer, Lieu said during a House oversight hearing last year, “neither is a lack of accountability and standards.”

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have introduced similar legislation.


Looking Into the Future: How Sustainable Is the Patchwork Approach?


A 2014 draft report from the National Security Telecommunications Advisory Committee concluded the world had “only three years—and certainly no more than five—to influence how IoT is adopted,” preventing new attacks and the ability to remotely “cause physical destruction.”

“There is a small—and rapidly closing—window to ensure that IoT is adopted in a way that maximizes security and minimizes risk,” the draft report said. “If the country fails to do so, it will be coping with the consequences for generations.”

But two years later, regulation is in its very early stages, Forrester’s Parrish told Nextgov.

“There are more and more people saying, ‘we can’t keep trying to shoehorn new technology into old regulatory structures; we need something new,'" he said.

“It’s easy to imagine conflicted regulations coming out and covering the same set of facts, simply because you have same set of agencies working with different priorities,” Mark Radcliffe, partner and co-chair of the IoT sector practice at DLA Piper, told Nextgov.

How the Government is Trying to Secure the Internet of Things

The federal government is doing its own research on securing the internet of things.

In one case, NIST awarded tech company Galois $1.86 million for a system it claims could protect users’ data collected by the internet of things by encrypting it, and not by forcing them to remember complex passwords.  

Last year, NIST released a Draft Framework for Cyber-Physical Systems, which intends to help manufacturers build products with user safety in mind.

NIST is also researching a new type of cryptography specifically for objects with basic RFID tags or sensors, which can’t support the same kind of protection used for servers and desktop computers, which often have larger power supplies. This so-called lightweight cryptography would help protect devices with lower resources—a minimal power supply or a shorter time to decide whether a command they receive is authentic.

The Pentagon’s Defense Advanced Research Projects Agency awarded a contract for technology that could detect whether malware is installed on a device based on the device’s emissions, whether they’re electromagnetic, acoustic, thermal or fluctuations in power. The first phase of that contract is worth $36 million.

Encouraging Consumers to Keep Up With Security Patches

The National Telecommunications and Information Administration is planning to help consumers understand security upgrades for internet of things products.

After a recent request for comment about cybersecurity, “how to address potential security vulnerabilities in IoT devices or applications through patching and security upgrades” was of “particular concern,” Angela Simpson, deputy assistant secretary for communications and information, wrote in a blog post.

Consumers need a common set of definitions about upgrades to “know what they are getting,” Simpson wrote.  

NTIA is unveiling a new “multistakeholder process” in which various technology groups can come up with guidelines for security upgrades. That might result in “a set of common, shared terms or definitions” that would describe security upgrades more clearly.

NTIA is also researching how to get companies to adopt a new internet protocol that would be able to support the number of devices expected to comprise the internet of things in the next several years. IPv4, the older version, can support just about 4.3 billion IP addresses; the newer system, IPv6, could support about "undecillion"—"340 followed by 36 digits," according to NTIA.

How Do Other Parts of the World Approach the Internet of Things?

The Singaporean government set aside about $1.6 billion for public-sector technology contracts in 2015, and has been testing so-called Smart Nation technology including cameras detecting when people smoke in smoke-free zones, the Wall Street Journal reported. Intel, which created its own internet of things division in 2013, recently opened a new facility dedicated to the technology, in Dubai—parts of the lab are dedicated to “Smart City” technology including pre-paid transportation cards.

Globally, these areas are among the most enthusiastic adopters of connected technology for the public infrastructure, Booz Allen's Gawel told Nextgov. Parts of Europe are also embracing the technology, CDI's Castro says. Barcelona, for instance, was ranked the top smart city in the world by Juniper Research last year.  

Castro, a proponent of “regulating with a light touch,” advocated for a government that invests heavily in the internet of things, but doesn’t attempt to limit the information that can be collected. Regulations in Europe, for instance, require businesses to explain why they’re using consumer data and obtain consent first, which could limit businesses from exploring new ways to use that information, he argued.
