Internet of Things (IoT)

Background

"The Internet of Things" (IoT) refers to the capability of everyday devices to connect to other devices and people through the existing Internet infrastructure. Devices connect and communicate in many ways. Examples of this are smartphones that interact with other smartphones, vehicle-to-vehicle communication, connected video cameras, and connected medical devices. They are able to communicate with consumers, collect and transmit data to companies, and compile large amounts of data for third parties.

This increased connectivity raises a myriad of consumer privacy and data security issues. Government agencies, like the Federal Trade Commission, are concerned with issues such as data security, mobile privacy, and big data. The development of the IoT means that companies must preserve privacy. Among other things, this involves adopting privacy and data security best practices, only collecting consumer information with express consumer consent, and providing consumers with access to their data.

A brief history of the IoT gives background for those who are looking for the base of this shift. Professors Jerry Kang and Dana Cuff published a case study about this kind of "pervasive computing" and "four basic design principles" including privacy, transparency, open access, and publicity.

Top News

  • EPIC Urges European Commission to Regulate Connected Toys: In comments to the European Commission, EPIC highlighted the safety and security risks of IoT toys and wrote "There should be 'smart' regulations for 'smart' toys." The European Commission sought public comment on the EU Toy Directive, which establishes toy safety guidelines to protect children's health and safety but ignores connected toys. EPIC has repeatedly demonstrated the risks of IoT and smart toys before Congress, the Federal Trade Commission, and the Consumer Product Safety Commission in testimony, agency comments, petitions, and investigative complaints. (Dec. 11, 2018)
  • EPIC Urges Department of Transportation to Improve Framework on Connected Car Safety: In detailed comments to the Department of Transportation, EPIC urged the agency to establish national privacy and safety standards for connected cars. The agency requested comment on its revised framework that establishes "voluntary guidance" for the development of autonomous vehicles. "A connected car is the ultimate Internet of Things device," EPIC explained, highlighting the risks of autonomous vehicles. EPIC has diligently advocated for stronger regulation of IoT. EPIC has called attention to the privacy and security risks of connected cars in comments to NHTSA, complaints to the CFPB, congressional testimony, FTC workshops, petitions to NHTSA and an amicus brief to the Ninth Circuit. (Dec. 10, 2018)

  • EPIC Urges European Commission to Address Security Risks of Connected Cars (Dec. 5, 2018)
    In comments to the European Commission, EPIC identified several key privacy and security concerns related to the development of connected cars. EPIC emphasized the need for comprehensive regulation to ensure the safety of connected vehicles and encouraged the Commission to require developers to build in safety measures, and not place new burdens on drivers. "Safety features should be under the hood, not on the dash board," EPIC wrote. EPIC has diligently advocated for stronger regulation of the Internet of Things, including connected vehicles. EPIC has highlighted the risks of connected cars in testimony before Congress, at the Federal Trade Commission, in comments to federal agencies, and in amicus briefs.
  • California Bans Anonymous Bots, Regulates Internet of Things (Oct. 2, 2018)
    California Governor Jerry Brown recently signed two modern privacy laws, including a first in the nation law governing the security of the Internet of Things. SB327 sets baseline security standards for IoT devices. EPIC recently submitted comments to the Consumer Product Safety Commission recommending similar action. Governor Brown also signed a bill banning anonymous bots. The law makes it illegal to use a bot, or automated account, to mislead California residents or communicate without disclosing the identity of the actual operator. EPIC President Marc Rotenberg had earlier proposed that Asimov's Laws of Robotics be updated to require that robots reveal the basis of their decisions (Algorithmic Transparency) and that robots reveal their actual identity.
  • EPIC Urges Safety Commission to Regulate Privacy and Security of IoT Device (Jun. 15, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers.
  • EPIC to Senate Commerce: Work with NTIA to Update U.S. Privacy Laws (Jun. 12, 2018)
    EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • Amazon Echo Secretly Recorded And Disclosed User's Private Conversation (May. 24, 2018)
    "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously recorded users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.
  • EPIC Urges Congress to Regulate the Internet of Things (May. 22, 2018)
    In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. Last week, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars."
  • EPIC Testifies Before Safety Commission on IoT Privacy Hazards (May. 17, 2018)
    EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations.
  • Safety Groups Urge Congress to Regulate "Autonomous Vehicles" (May. 6, 2018)
    A coalition of consumer safety groups wrote to senators asking them to delay passing the AV START Act (S. 1885) until the National Transportation Safety Board finished its investigation of two recent crashes involving autonomous vehicles. The groups said: "we are very concerned that provisions in the bill put others sharing the road with AVs at unnecessary and unacceptable risk." EPIC has called for national safety standards for connected cars in comments to NHTSA. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data.
  • EPIC Advises Safety Commission on Dangers of IoT (May. 2, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues.
  • Safety Commission Responds to EPIC's Google Home Mini Complaint (Apr. 2, 2018)
    The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers.
  • EPIC to Congress: Examine "Connected Devices," Safeguard Consumer Privacy (Mar. 6, 2018)
    EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Warns Congress of Risks of "Internet of Things" (Jan. 18, 2018)
    In advance of a hearing on Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars."
  • EPIC, Coalition Urge Action on Toys that Spy (Dec. 19, 2017)
    EPIC and a coalition of consumer privacy groups have asked the Federal Trade Commission to crack down on companies that sell internet-connected toys and smartwatches. The statement highlights an FTC complaint concerning My Friend Cayla and I-Que Intelligent Robot, toys that recorded and analyzed children's conversations filed more than a year ago. Many retailers worldwide have pulled these toys from their shelves, but the FTC has yet to take action on the complaint. "Connected toys raise serious privacy concerns," said EPIC President Marc Rotenberg. "Kids should play with their toys and their friends, and not with surveillance devices dressed as dolls." EPIC has backed many efforts to limit the risks of internet-connected toys. Recently, EPIC joined consumer groups in asking Mattel to cancel plans to sell Aristotle, an "always on" device that records the private conversations of young children. EPIC also supported a coalition letter asking the FTC to investigate smartwatches that track the location of children. The Norwegian Consumer Council has uncovered similar problems with Cayla and i-Que, and recently released a report on toys that track children.
  • Consumer Groups Ask Safety Commission to Recall Google Home (Oct. 13, 2017)
    EPIC and a coalition of leading consumer groups have asked the Consumer Product Safety Commission to recall the Google Home Mini "smart speaker." The touchpad on the Google device is permanently set to "on" so that it records all conversations without a consumer's knowledge or consent. The consumer groups said that "as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond." The groups also urged the Safety Commission to enforce the Duty to Report to CPSC against manufacturers of "IoT" devices. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation and toy stores across Europe removed the doll from their shelves.
  • Mattel Cancels "Aristotle," an Internet Device that Targeted Children (Oct. 5, 2017)
    Mattel will scrap its plans to sell Aristotle, an Amazon Echo-type device that collects and stores data from young children. The Campaign for a Commercial-Free Childhood sent a letter and 15,000 petition signatures to the toymaker, warning of privacy and childhood development concerns. CFCC said that "young children shouldn't be encouraged to form bonds and friendships with data-collecting devices." Senator Markey (D-MA) and Representative Barton (R-TX) also chimed in, demanding to know how Mattel would protect families' privacy. EPIC backed the CFCC campaign and urged the FTC in 2015 to regulate "always-on" Internet devices. A pending EPIC complaint at the FTC concerns the secret scoring of young athletes.
  • Pew Survey Explores the Future of Online Trust (Aug. 14, 2017)
    The Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things (Aug. 1, 2017)
    A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), have introduced legislation to improve security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier, "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things."
  • EPIC Recommends National Safety Standard for "Self-Driving" Vehicles (Jun. 28, 2017)
    In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participated in numerous NHTSA rule makings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with Bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic."
  • FTC Updates Guidance on Children's Privacy Law, Includes Connected Toys (Jun. 27, 2017)
    The Federal Trade Commission has updated its guidance for businesses on complying with the Children's Online Privacy Protection Act. The new guidance clarifies that connected toys, Internet of Things devices, and other products intended for children must comply with the Act. "When companies surreptitiously collect and share children's information, the risk of harm is very real," FTC acting Chair Maureen Ohlhausen recently wrote. An EPIC-led coalition filed a complaint with the FTC in 2016 alleging that Internet-connected dolls violate U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. The FTC acknowledged EPIC's complaint but has yet to act on it.
  • EPIC Recommendations for Tech Week Meeting: Protect U.S. Consumers (Jun. 20, 2017)
    In advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States."
  • EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things (Jun. 13, 2017)
    EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC to Congress: Data Protection Needed for Financial Technologies (Jun. 9, 2017)
    EPIC submitted a statement to a House Committee hearing on financial technologies on the risks with new financial services. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments.
  • Pew Survey Explores Internet of Things (Jun. 6, 2017)
    The Pew Research Center has released a report surveying experts about the security implications of the Internet of Things. The survey found a broad consensus that growth in the IoT will bring with it an increased risk of real-world physical harm. "The essential problem is that it will be impractical for people to disconnect," said EPIC President Marc Rotenberg in the survey. "Cars and homes will become increasingly dependent on internet connectivity. The likely consequence will be more catastrophic events." The ACM recently released a Statement of IoT Privacy and Security, which lists principles for protecting privacy and security in IoT devices. EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Recommends Privacy Safeguards for Vehicle Networks (Apr. 14, 2017)
    In comments to the National Highway Traffic Safety Administration, EPIC recommended stronger privacy protections for vehicle-to-vehicle communications. EPIC urged the agency to allow consumers to turn off pre-installed V2V communications and to require automobile manufacturers to be transparent about the collection of personal data. EPIC also urged the agency to establish basic cybersecurity safeguards and require encryption for all vehicle networks and ensure data minimization techniques. EPIC has previously submitted comments to NHTSA on connected cars and has submitted several statements to Congress.
  • EPIC Seeks Information on Sessions-Jourova Encryption Discussion (Apr. 3, 2017)
    EPIC has filed an urgent Freedom of Information Act request for documents concerning a recent meeting between Attorney General Jeff Sessions and EU Commissioner Věra Jourová. The two reportedly discussed "a proposal [on] how to 'solve this problem'" of encryption. EPIC said in the FOIA request that "strong encryption is the cornerstone of the modern internet economy" and that encryption "is critical to preserving human rights and information security around the world." A proposal on encryption policy may be taken up at a June 2017 meeting between the United States and the European Union. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. In the FOIA request, EPIC also noted the growing risk to users of Internet-connected devices.
  • EPIC Urges Senate Commerce Committee to Back Algorithmic Transparency, Safeguards for Internet of Things (Mar. 22, 2017)
    EPIC has sent a letter to the Senate Commerce Committee concerning "The Promises and Perils of Emerging Technologies for Cybersecurity." EPIC urged the Committee to support "Algorithmic Transparency," an essential strategy to make accountable automated decisions. EPIC also pointed out the "significant privacy and security risks" of the Internet of Things. EPIC has been at the forefront of policy work on the Internet of Things and Artificial Intelligence, opposing government use of "risk-based" profiling, and recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety (Feb. 2, 2017)
    EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • Trump Order Threatens Consumer Protection, Public Safety (Jan. 31, 2017)
    The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.
  • Aspen Institute Report Explores Artificial Intelligence (Jan. 30, 2017)
    The Aspen Institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA.
  • EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills (Jan. 24, 2017)
    EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.
  • EPIC Urges Senate Committee to Press Transportation Nominee on Drones, Connected Cars (Jan. 12, 2017)
    EPIC has sent a statement to the Senate Commerce Committee, highlighting two significant privacy issues: drones and autonomous vehicles. The Senate Committee met this week to consider the nomination of Elaine Chao for Secretary of Transportation. EPIC sued the FAA, an agency subject to the Committee's oversight, for its failure to establish drone privacy rules, as required by Congress. EPIC also testified last year before the Committee on the risks of connected cars. EPIC has recently submitted comments on federal automated vehicles policy and filed an amicus brief in federal appeals court on the risks to consumers of connected vehicles.
  • FTC Sues D-Link Over Poor Security in Internet Routers and Cameras (Jan. 12, 2017)
    The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices.
  • Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns (Dec. 9, 2016)
    The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access to port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles.
  • EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles (Nov. 23, 2016)
    In comments to the National Highway Traffic Safety Administration, EPIC has backed strong privacy and safety standards. Responding to the "Federal Automated Vehicles Policy," EPIC said self-regulation would not be enough to protect drivers in the United States. EPIC urged the safety agency to mandate the Consumer Privacy Bill of Rights, establish new oversight authority, and protect state privacy rules for autonomous vehicles. EPIC is on the front lines of vehicle privacy as well as efforts to regulate the "Internet of Things." EPIC also defends the right of states to develop strong privacy laws.
  • House Members Urge FTC to Examine Internet-of-Things (Nov. 4, 2016)
    In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices."
  • EPIC Proposes Privacy, Security Protections for "Internet of Things" (Jun. 4, 2016)
    EPIC has recommended new safeguards for the “Internet of Things.” EPIC proposed laws requiring companies to adopt Privacy Enhancing Technologies, promote data minimization, and ensure security for IoT devices. EPIC also recommended a prohibition on tracking, profiling, and monitoring of consumers using IoT services. As EPIC explained, “Protecting consumer privacy will become increasingly difficult as the Internet of Things becomes increasingly prevalent.” EPIC has worked extensively on the risks of the Internet of Things, including connected cars and “smart homes.” An EPIC complaint concerning “always on” devices, such as “smart TVs,” is pending at the Federal Trade Commission.
  • Senators Introduce Bill to Block Broad Remote Hacking Rules (May. 19, 2016)
    Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016.  The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court. The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. EPIC criticized the Rule 41 change in a statement last year. Unless Congress takes action to block the Rule 41 amendments by December 1, the government’s surveillance authority will be expanded significantly.
  • EPIC to Testify on Car Privacy and Data Security (Nov. 17, 2015)
    EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform Committee on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers.
  • New OECD Report Finds Increased Privacy Concern, Lagging National Policies (Jul. 28, 2015)
    The OECD Digital Economy Outlook 2015 explores recent developments in the digital economy. The OECD report finds that Internet "users are increasingly concerned, 64% of respondents are more concerned about privacy than they were a year ago" even as few countries include online privacy in national digital strategies. The OECD also warns that the "Internet of Things" will lead to the rise of autonomous machines. Civil society groups are planning to report to the OECD at the 2016 Ministerial Meeting on the Digital Economy.
  • Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking (Jul. 21, 2015)
    Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
  • EPIC Urges Investigation of "Always On" Consumer Devices (Jul. 9, 2015)
    EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on 'Always-On' Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumers' homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether "always on" devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice.
  • Senator Markey Report Warns of Risks with "Connected Cars" (Feb. 10, 2015)
    A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and said also that "cars should not spy on drivers."
  • FTC Chair Warns About Risks of Connected Devices (Jan. 7, 2015)
    In a speech at the CES conference this week, FTC Chair Edith Ramirez warned of the privacy risks of connected home devices. "In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored," Ramirez said. EPIC has written extensively on interconnected devices, known as the "Internet of Things." In comments to the FTC, EPIC described several risks, including the hidden collection of sensitive data. EPIC recommended that companies adopt Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: FTC and EPIC: Big Data.
  • EPIC Urges Department of Transportation to Protect Driver Privacy (Oct. 21, 2014)
    EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things.
  • Data Protection Commissioners Urge Limits on "Big Data" (Oct. 17, 2014)
    The International Data Protection Commissioners have adopted a resolution on Big Data. The resolution endorses several privacy safeguards, including purpose specification, data minimization, individual data access, anonymization, and meaningful consent when personal data is used for big data analysis. The data protection commissioners also passed a resolution supporting the UN High Commissioner's report on Privacy in the Digital Age and the Mauritius Declaration on the Internet of Things. Earlier this year, EPIC, joined by 24 organizations, petitioned the White House to accept public comments on its review of Big Data and the Future of Privacy. EPIC also submitted extensive comments detailing the privacy risks of big data and calling for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC: Big Data and EPIC: Internet of Things.
  • Department of Transportation Seeks Public Comment on Connected Cars (Aug. 21, 2014)
    The National Highway Traffic Safety Administration, at the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." The agency plans to mandate vehicle-to-vehicle technology. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. Last year EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Comments on the Privacy and Security Implications of the Internet of Things.
  • Senator Schumer Calls On Regulators to Make Fitness Data Private (Aug. 14, 2014)
    Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to be tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools.
  • EPIC Submits Comments on the "Internet of Things" (Jun. 3, 2013)
    EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to be tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: Federal Trade Commission.

IoT Technical Capabilities

Smartphone Connectivity

Smartphones are able to connect to the Internet, household appliances, personal computers, and personal vehicles, often controlling these items remotely.

Vehicle-to-Vehicle Communication

Vehicle-to-Vehicle (V2V) Communication allows the exchange of data between nearby vehicles. The Department of Transportation states that V2V communication will lead to "significant safety improvements ... that can assist drivers in preventing 76 percent of the crashes on the roadway."

Smart Grid

The term "Smart Grid" encompasses a host of inter-related technologies rapidly moving into public use to reduce or better manage electricity consumption. Smart grid systems may be designed to allow electricity service providers, users, or third party electricity usage management service providers to monitor and control electricity use. The privacy implications of smart grid technology deployment center on the collection, retention, sharing, or reuse of electricity consumption information on individuals, homes, or offices.

Event Data Recorders

Automobiles are integrating computing technology that enhances the ability of others to collect location and operation data in near real time. In the data-driven economy, this data is of value.

GPS Connectivity

GPS capabilities in vehicles mean that the location of the vehicle is recorded at all times, leading to monitoring of cars and collection of all location data.

Smarthome Connectivity

Smarthome connectivity is when one's appliances, such as an oven, security system, or lights, are connected to one's smartphone through the Internet. The owner of these smarthome devices is able to control them remotely through his or her smartphone.

Connected Health and Fitness

Medical and fitness devices can monitor one's health and track changes and physical activity. These devices can be connected to a person's smartphone or laptop for data aggregation and tracking.

Privacy Issues

Protecting consumer privacy becomes increasingly difficult as the IoT becomes more prevalent. More devices are connected to different types of devices and this increase in connectivity and data collection results in less control. Both control of data and control of the very devices that are connected are at stake.

Control can be lost if someone hacks into the smartphone or computer acting as a remote for the other devices. In the case of computers and smartphones, this hacking can be done remotely and often undetected. Smartphones, just like computers, carry an enormous amount of personal information about their owners. They often link to bank accounts, email accounts, and in some cases household appliances. Stolen data can result in serious problems. Vehicles contain many computers that control their function. Initially, these computers could not be hacked into. With the increased connectivity of the IoT, however, vehicles are now at risk due to being connected to the Internet.

In another sense, control can be lost as more and more companies collect data about users. This data often paints a detailed picture of individual users through the collection of activities online. Everything you search, all of your activities online, are being tracked by companies that use that data. These companies often use the data to improve the user's experience, but they also use this data to sell users products or sell to other companies who sell users products.

Innovation in this realm means that companies must alter the privacy policies that are in place as well as how they interact with these devices. Companies will need to take another look at the policies that they have in place to ensure that consumers are offered opportunities to access and control their own data. Consumers will become increasingly aware of the privacy implications of this level of connectivity through interaction with the IoT and exposure to the policies that companies provide to them.

Frank Pasquale, law professor and EPIC advisory board member, discusses privacy concerns related to the IoT in a May 2014 Pew Research Report. Pasquale states that the expansion of the IoT will result in a world that is more "prison-like" with a "small class of 'watchers' and a much larger class of the experimented upon, the watched." In another article, he reinforces the idea that the IoT "will be a tool for other people to keep tabs on what the populace is doing."

EPIC President, Marc Rotenberg, explains in the Pew Research Report that the problem with the IoT is that "users are just another category of things," and states that this "is worth thinking about more deeply about in the future."

Security Issues

Because IoT devices are connected to the Internet, they are vulnerable to the same kinds of cyber-attacks that can afflict consumer, commercial, industrial, and governmental computer systems. In September 2016, weak security in IoT devices was exploited on a massive scale by the “Mirai” botnet, which gained control of hundreds of thousands of such devices, and subsequently used them to launch massive distributed denial of service attacks, capable of effectively shutting down targeted websites. Because IoT devices rely on connectivity to function, they create a common attack vector for hackers to gain access to an entire network. Many IoT devices are built using very similar underlying hardware and software, and are frequently not designed with cybersecurity in mind, which increases the risks they pose.

Security flaws in most computer systems are patched via regular updates. However, IoT devices may not be designed with the ability to easily patch their software, meaning that security flaws may go unaddressed for many years. In the case of IoT devices with particularly long shelf-lives, there is also a risk that the manufacturer will discontinue support or go out of business.

There are also unique security risks posed by IoT devices’ use of cloud services. Storing data on remote servers necessarily increases the possibility that the data will be compromised. Splitting control over the device and the data reduces the ability of any one provider to limit access, and consistent security becomes dependent on harmonization of data security practices among the various parties responsible for its collection, transmission, and storage. The most promising response to the increasing complexity of these systems would be a widespread adoption of a single, consistent set of standards. The NIST Cybersecurity Framework, which is one of the most important standards at the federal level, was recently updated in January 2017.

Depending on the functions of various IoT devices, weak cybersecurity can lead to serious consequences, including physical damage and injury. Perhaps the most visceral example is the hacking of an automobile by a bad actor, which could lead to vehicular homicide. Researchers have already demonstrated the ability to access and control vital functions of a car, including its brakes, by compromising its connected features. Another category of IoT devices that could be hacked with horrific consequences is personal medical devices, such as defibrillators, pacemakers, and insulin pumps; hacking of any of these devices could lead to physical injury or death. Other vulnerable devices include IoT cameras, which can surreptitiously record audio and video, HVAC systems that control heating and cooling levels, and alarm systems that can provide access to users’ homes and other secure areas.

Resources

EPIC's Interest

EPIC has a long history of protecting consumer privacy.

In 1995, EPIC sent a letter to the Federal Trade Commission (FTC) urging it to support online privacy. This was one of EPIC's earliest involvements in working with the FTC to ensure the protection of consumer privacy, especially online.

In May 2001, EPIC sent a request to the new FTC chairman, Timothy Muris, urging the FTC to devote time and attention to privacy issues. This letter led to Muris agreeing to meet with the Privacy Coalition on July 17, 2001 to discuss recommendations for further FTC action on privacy issues. This meeting led to the FTC announcing a new privacy agenda that called for a 50% increase in privacy resources, improved privacy complaint handling, more protection for consumers, and increased enforcement of privacy policies and existing laws such as the Fair Credit Reporting Act (FCRA) and the Children's Online Privacy Protection Act (COPPA). While this shift in focus was welcomed, Chairman Muris concluded it was "too soon" to recommend broad-based online privacy legislation.

In 2007, EPIC recommended better notification and strong privacy safeguards for security breach investigations in comments to the FTC. The request urged the FTC to limit the disclosure of personal information related to security breach investigations.

On June 1, 2013, EPIC submitted comments to the FTC regarding the privacy and security implications of the Internet of Things.

In 2014, EPIC President, Marc Rotenberg, presented at the Aspen Institute Communication and Society Program on "Developing Policies for the Internet of Things."

In November 2015, EPIC Associate Director Khaliah Barnes testified at a hearing on "The Internet of Cars" before the House Oversight and Government Reform Committee.

EPIC's Recommendations

EPIC submitted several recommendations in a comment to the Federal Trade Commission ("FTC" or "the Commission") regarding the Internet of Things. Overall, the recommendations focused on promoting transparency from those operating or owning Internet-connected systems and devices, as well as encouraging the FTC to enforce Fair Information Practices and require that companies adopt Privacy Enhancing Techniques.

The comment focused on a number of privacy and security risks associated with the Internet of Things. A major point was that data collected from the Internet of Things may reveal sensitive behavior patterns that consumers wish to keep private. Next, the comment highlighted the fact that data collected could be used for secondary purposes that lack consumer consent. The Internet of Things has the potential to increase the power imbalance between consumers and companies, as well as the potential to threaten users' security both on and offline. These considerations produced the following recommendations:

  • First, EPIC recommended that the Commission enforce Fair Information Practices.
  • Second, EPIC recommended that the FTC require companies to adopt Privacy Enhancing Techniques.
  • Third, EPIC recommended that the FTC require companies to respect a consumer's choice not to be tracked, profiled, or monitored.
  • Fourth, EPIC recommended that the FTC require companies to minimize data collection.
  • Finally, EPIC recommended that the FTC ensure transparency in both design and operation of Internet-connected devices.

Additional Resources
