Who's in Charge of Regulating the Internet of Things?

The “internet of things” refers to a group of technology so vast the term is beginning to lose meaning.

The internet of things hints at a vision of a ubiquitous network of electronics: refrigerators pinging their owners’ smartphones if they’ve run out of eggs, wearable devices that can detect the tell-tale vibrations of nuclear testing, and cars slowing down based on proximity to other cars. The future of the internet of things is a rich web of sensors constantly amassing more data.

Increasing interconnectivity might help consumers—who doesn’t want their washer-dryer to text them when their clothes are done?—but could also create new risks. The most granular data about individual consumers, down to their thermostat settings, might be available to hackers who can infiltrate the wireless networks that connect hundreds of devices, or even the devices themselves.

As the cyber and physical worlds become intertwined, intruders could also control tangible objects—remotely turning off someone’s lights, or worse, disabling the power grid.  

So, who governs the internet of things? Who ensures connected and self-driving cars don’t put their passengers in danger, that security cameras don’t relay video feeds of their users to third parties, or that data collected from billions of consumer devices can be used without compromising personal information?

For now, it’s still not clear.

Today, several agencies, including the Food and Drug Administration, the Federal Communications Commission, the Federal Trade Commission and the National Highway Traffic Security Administration have authority over some aspects of the internet of things.

Experts tell Nextgov the regulatory framework isn’t well defined and that agencies will likely need to work together as cases arise that expose the potential downsides of widespread connectivity.

As more IoT-related cases begin to test the regulatory framework, “the main thing that connects them is they’re going to have internet connectivity of some sort,” said Lee Tien, senior staff attorney at the Electronic Frontier Foundation. “Regulating a Fitbit is very different from regulating an automobile or regulating an implantable medical device like a defibrillator.”

Here’s a look at some of the discussions federal groups are having about regulating the internet of things.

What Is the ‘Internet of Things’?

Though they might be talking about the same general concept of connectivity, federal agencies don’t have an exact definition for the “internet of things.”

In the past, for one, FTC has defined it as “devices or sensors,” not including computers, smartphones and tablets, “that connect, store or transmit information with or between each other via the internet.”

The National Institute of Standards and Technology recently attempted to create a definitive lexicon for the concept. In its new outline, NIST distinguishes between a network of internet-enabled objects—an “internet of things”—and a group of objects and devices connected to each other, but not necessarily the internet: a “network of things.”

The intent, NIST wrote, is to give technologists a vocabulary that guarantees they’re talking about the same elements when discussing parts of the internet of things.   

NIST described the building blocks of such a connected network, which includes sensors, aggregators, communication channels, external systems and a decision trigger. For instance, a motion-sensing light might detect no one is in the room, transmit that information through some communications channel to an aggregator. The aggregator collects data from sensors and sends it to an external site, like a laptop, which relays it to a decision trigger that turns the light off.

In April, the Commerce Department began collecting public comment on the internet of things and what role the government should play.

“With respect to current or planned laws, regulations and/or policies,” the agency asked, “[a]re there examples that … foster IoT development and deployment, while also providing an appropriate level of protection to workers, consumers, patients and/or other users” of the internet of things? “Are there examples that … unnecessarily inhibit IoT?"

Commerce’s National Telecommunications and Information Administration would not discuss findings with Nextgov but eventually plans to issue a report in the fall identifying important policy issues

A Patchwork Project: What Might a Regulated Internet of Things Look Like?

Two FTC reports outline some of the government's concerns, including facilitating attacks on other systems and unauthorized access and misuse of personal information. For example, companies could harvest, and later use, the data collected from the internet of things in ways the consumer did not authorize.

Early conversations about regulations are primarily focused on keeping consumer data private, said Nyla Beth Gawel, a principal at Booz Allen Hamilton’s IoT business.

For hints as to what the government’s biggest concerns are, Gawel told Nextgov she looks to FTC case law and requests for comment on potential internet of things policy issues from NTIA. (Booz Allen’s customers include federal agencies trying to implement their own internet of things solutions.)

“Because of the huge amount of personal data that is being gathered, including data that, if one or two pieces are taken, might be technically anonymous ... it’s very easy to roll that up into a very detailed, very personalized picture of individuals,” Rick Parrish, an analyst with Forrester, told Nextgov.

Parrish said he also hears government leaders pushing for regulations protecting people’s physical safety—“parts of people’s cars and homes and toasters and everything.”

Asked which internet of things sub-sectors government leaders are most concerned about, EFF’s Tien said he thought medical devices and connected cars were likely to be the government’s first priorities for increased regulation, as those devices have a direct impact on people’s lives.

But “government’s not really trying to push any specific standards, because [the internet of things] is really market vertical,” Gawel said. “What I’m hearing from leaders is, ‘How do we smartly use the existing standards bodies?’”

There is also not a strong push to create a new regulatory body that would focus on the internet of things, Parrish said.

Parrish predicted the regulation of the internet of things could loosely be compared to that of airplanes. The Federal Aviation Administration handles flight safety, the Transportation Security Administration screens passengers, and state and local law enforcement groups also step in when needed.

“They all sort of triangulate around a single industry,” he said.

The bigger challenge is getting agencies to coordinate their regulatory efforts, Parrish said.

The Expectation of Privacy: Industry vs. Consumers

Tech companies and entrepreneurship advocates have warned Congress to avoid strict regulation of the internet of things.

Policymakers should “send a clear green light to entrepreneurs letting them know that our nation’s default policy position remains ‘innovation allowed,’” Adam Thierer, a research fellow at George Mason University’s Mercatus Center, testified during a Senate hearing on the internet of things last year.

And policy interventions shouldn’t be based on “hypothetical worst-case scenarios, or else best-case scenarios will never come about,” he said.

But consumer privacy advocates, including Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology, have urged Congress to create a comprehensive law about collecting personal information.

During that hearing last year, Brookman pointed to Samsung’s SmartTV, which was found to have been collecting potentially sensitive information from viewers speaking close enough to the device for a microphone to detect their conversations.

“Companies should be required to offer consumers reasonable transparency and control over how their data is collected,” he said.

Morgan Reed, executive director of the Association for Competitive Technology, which represents app makers, urged Congress to step in on data privacy, during testimony for a House IoT hearing held last summer.

"The problem comes when I have to tell a customer, 'I don't know' when they ask which of their data could be passed along to the government,” he said then.

During that hearing, Rep. Ted Poe, R-Texas, suggested updating the Electronic Communications Privacy Act, under which cloud-based information is considered private for six months.

"But six months and one day, the government can have it and there's no expectation of privacy,” according to Poe.

Congress must “set the expectation of privacy for individuals that have shared their information with different entities," Poe said.

Regulating Lightly: The Discussion in Congress

Not all lawmakers support strict regulation of the internet of things. Congress has issued two pieces of legislation promoting connected technology as a driver of economic activity in the U.S.: the Developing Innovation and Growing the Internet of Things, or DIGIT, Act, and a resolution calling for a national strategy for the internet of things.

“We should let consumers and entrepreneurs decide where [the internet of things] goes, rather than setting it on a Washington, D.C.-directed path,” Sen. John Thune, R-S.D., said during the Senate hearing on the topic last February. “Let’s not stifle the internet of things before we and consumers have a chance to understand its real promise and implications.”

Broadly, lawmakers have promoted the internet of things, EFF’s Tien told Nextgov.

“It’s one thing if something moves along unregulated, but you’re not being pushed by federal PR,” he said. “But here, they’re pushing it, and at the same time, it’s not particularly well regulated.”

The DIGIT Act

Sens. Deb Fischer, R-Neb., Kelly Ayotte, R-N.H., Cory Booker, D-N.J., and Brian Schatz, D-Hawaii, introduced the DIGIT Act in March, which directs FCC to produce a report on the internet of things’ potential spectrum needs and creates a working group led by the Commerce secretary that would study the internet of things.

“[P]olicies governing the internet of things should aim to maximize the potential and development ... the benefit of stakeholders including businesses, governments and consumers,” that bill says. The Senate Commerce Committee approved that legislation in April.

National Strategy on the Internet of Things

Last year, the Senate passed a resolution calling for a national strategy on the internet of things, and some critics have asked whether a top-down strategy is necessary to guide tech companies into the market.

It could be critical, says Daniel Castro, director of the Center for Data Innovation, a part of Washington think tank the Information Technology Innovation Foundation. CDI has published a report arguing the United States should have a stronger strategy on the topic.

Policies that support technological development and avoid “the impulse to regulate or if needed, [regulate] with a light tough” have propelled other systems, such as the internet or global positioning systems, into the mainstream, the report says.

“[I]f poorly designed, government regulations can make deploying IoT technologies more expensive and less valuable,” CDI says. For one, suggestions that FTC should require that devices collect the minimum amount of data “would be damaging as there may be one primary reason to collect data, but innumerable other ways to use the same data beneficially beyond its initial purpose.”

The internet of things national strategy could send “a clear message to legislators and regulators that this technology is important and that overregulation or poorly designed regulation would limit its growth.”

How the Federal Trade Commission Regulates the Internet of Things

In February, Taiwan-based computer hardware manufacturer ASUSTeK Computer settled charges from FTC that its routers had major security flaws that could expose users’ sensitive information.  

“ASUS could have prevented many problems if it had followed well-known, secure software design, coding and testing practices,” according to a blog post written by FTC attorney Lesley Fair. When security researchers tried to alert the company, ASUS’ response took months.

The ASUS case is one of a handful that have highlighted the risks the internet of things could pose to consumers. Another dealt with a security camera company whose video feeds were accessible to outsiders with just an IP address. Both are instructive for businesses trying to enter the internet of things market.

“Yes, you want to get your product to market ASAP, but take the time to design security in at the outset,” the blog post said. “That’s a particularly important consideration in the internet of things where the insecure design of one product can affect multiple connected devices.”

FTC has recommended Congress issue “strong, flexible and technology-neutral federal legislation” that would help it enforce data security and notify consumers of data breaches, according to a report published in 2015. Data security legislation could help “protect against unauthorized access to both personal information and device functionality itself.”

The internet of things also requires “baseline privacy standards,” that report said. FTC, however, can’t mandate privacy disclosures “absent a specific showing of deception or unfairness.”

More broadly, though, FTC has concluded that “while the internet of things has several unique practical challenges in privacy and data security … the legal framework that surrounds it is for the most part the same as the legal framework that applies to other types technology,” FTC Attorney Adviser Neil Chilson said.

But IoT manufacturers do face a unique challenge. “[A] lot of these devices are somewhat disposable and updating their security may [be] economical for a company, may not … but the device may still be out there in the wild, consumers may still be using it,” Chilson said.

Chilson described FTC’s approach to internet of things regulation as “post hoc.” In cases like that, “we wouldn’t be setting a role about how people should update their devices,” Chilson said. “We would bring a case against [companies] who failed to do that in a reasonable manner.”

Other companies could review FTC case law for guidance about “where somebody else got in trouble and what was considered not reasonable,” he said.

How FCC Looks at Internet of Things Spectrum

In July, FCC voted to open up certain new bands of spectrum—radio frequency that allow devices to communicate with each other—for licensed and unlicensed use.

The new bands could support parts of the internet of things such as "wearables, fitness and health care devices, autonomous driving cars, and home and office automation,” according to FCC.

Broadly, FCC has two main goals with the internet of things, a spokesperson told Nextgov: Making “ample suitable spectrum” available for the devices and service providers, and also ensuring “competitive access” for the data services that work alongside the internet of things.

Connected Cars

One of the most potentially problematic aspects of the internet of things is cars. A report last year in Wired demonstrated hackers could wirelessly access cars—stopping the accelerator or disabling the brakes— by taking control through the entertainment system.

Many cars manufactured in the past few years can get on wireless networks, often for the purposes of navigation or sharing information with other cars about where they are, but that same network can make it available to intruders.

From a regulatory perspective, self-driving cars may be even more problematic. A recent fatal crash involving a Tesla on auto-pilot showed that potential technical failures could cost human life, sparking debate about whether the tragedy was Tesla’s responsibility to prevent, or the driver’s.

Congress has been keenly aware of these risks. In November, Rep. Ted Lieu, D-Calif., introduced the Security and Privacy in Your Car, or SPY CAR, Act, which would require the National Highway Safety Transportation Commission to do a 1-year study on regulatory systems for car software cybersecurity.

Though “rushing to regulation” isn’t the answer, Lieu said during a House oversight hearing last year, “neither is a lack of accountability and standards.”

Sens. Richard Blumenthal, D-Conn., and Ed Markey, D-Mass., have introduced similar legislation.

Looking Into the Future: How Sustainable Is the Patchwork Approach?