Cybersecurity and the Internet of Things (IoT)
ABA Homeland Security Law Institute 2016
Washington, D.C. — August 25, 2016
Lucy L. Thomson, Esq. CISSP ∗

I. Sensitive Data and Critical Infrastructures at Risk

Devices designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructure and U.S. Government systems. Broader adoption of IoT devices and AI [artificial intelligence]—in settings such as public utilities and health care—will only exacerbate these potential effects.
Statement for the Record, Worldwide Threat Assessment of the US Intelligence Community (2016) 1

In the simplest terms, the Internet of Things (IoT) consists of a wide variety of devices/things, sensors, and hardware/firmware. IoT devices have a computer chip, software, and an Internet connection. A “thing” can be a car or a refrigerator, or it can encompass an entire house or a “smart city.” As many objects in the environment become connected to the Internet and to each other, IoT devices and their implementations are creating numerous vulnerabilities that can lead to cyber attacks and compromise the security, privacy, and safety of individuals, homes, vehicles, businesses, and industrial control systems (ICS). By 2020, it is predicted that there will be more than 26 billion devices connected to the Internet.

Despite the risks, the promises and benefits of IoT are enormous. A McKinsey Global Institute analysis predicted that IoT may improve performance and create value in a number of important areas.2 The largest source of potential impact is improving operating efficiency. Referred to as operations optimization, this category includes:

Inventory management: Tracking inventory and supplies in retail environments, factories, warehouses, and hospitals.
Condition-based maintenance: Deploying sensor data to determine when maintenance is needed, reducing breakdowns and costs.
Human productivity: Using IoT to teach skills, redesign work, and manage performance.
Other optimizations: Remotely monitoring and tracking equipment, as well as automatically adjusting machinery based on IoT data.

Health management involves improving health and wellness using IoT monitoring data. Sales enablement exploits IoT usage data to generate new sales, and safety and security uses IoT sensors to mitigate safety and security risks.

Other areas of potential impact include:

Energy management: Using IoT sensors and smart meters to better manage energy.
Environmental management: Improving stewardship of the environment using IoT technology, such as using sensor data to reduce air pollution.
Product development: Employing IoT usage data for research and development.
Autonomous vehicles: Adopting fully or partially self-driving cars, trucks, and public transportation vehicles.

Lucy Thomson is principal of Livingston PLLC, a Washington, D.C. law firm that advises government and private sector clients on legal and technology issues related to cybersecurity, global data privacy, and compliance and risk management. She was 2012-13 Chair of the ABA Section of Science & Technology Law and is a member of the Cybersecurity Legal Task Force. She is the editor of the ABA Data Breach and Encryption Handbook (2011) that provides a roadmap through the security failures that lead to massive data breaches and demystifies encryption, and a contributing author to the ABA Cybersecurity Handbook. A career federal criminal prosecutor at the U.S. Department of Justice and a former senior engineer at CSC, a global technology company, she was appointed Consumer Privacy Ombudsman in 20 federal bankruptcy cases and has overseen the disposition of 240 million electronic records. She received a Master’s degree from Rensselaer Polytechnic Institute (RPI) in 2001, earned the CISSP and CIPP/US/G certifications, and holds a J.D. degree from the Georgetown University Law Center.

∗ Portions of this article were published in ABA The SciTech Lawyer, 12 SCITECH LAW, no. 3, Spring 2016, at 32-35.

1 James R. Clapper, Director of National Intelligence, February 9, 2016, available at http://www.dni.gov/files/documents/SASC_Unclassified_2016_ATA_SFR_FINAL.pdf. “’Smart’ devices incorporated into the electric grid, vehicles – including autonomous vehicles – and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services. In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”

2 James Manyika et al., MCKINSEY GLOBAL INST., THE INTERNET OF THINGS: MAPPING THE VALUE BEYOND THE HYPE 111 (2015).

Lucy L. Thomson © 2016 All Rights Reserved

Global Threats

IoT devices and their implementations create numerous weaknesses that can compromise the security of individuals, homes, businesses, and ICS. With little security and with documented vulnerabilities in devices ranging from home appliances, medical devices, and toys to drones and ICS, IoT is greatly increasing the risk of cyber attacks and the compromise of privacy in our homes, offices, vehicles and in many critical infrastructure sectors.

In its 2015 strategic assessment of global threats, the Worldwide Threat Assessment concluded that while the likelihood of a catastrophic attack from any particular actor that debilitates the entire U.S. infrastructure is remote at this time, “[w]e foresee an ongoing series of low-to-moderate level cyber attacks from a variety of sources over time, which will impose cumulative costs on U.S.
economic competitiveness and national security.” 3

With the recent high-profile cyber attacks on the electric grid in western Ukraine that shut down electricity to 80,000 customers, and on Sony Pictures that disabled its financial and IT systems, among other widespread damage, executives and security experts are becoming alert to the significant risks cyber attacks pose not only to data but also to physical assets. In its assessment of the Sony breach, the Federal Bureau of Investigation (FBI) said: “We are deeply concerned about the destructive nature of this attack on a private sector entity and the ordinary citizens who worked there. Further, North Korea’s attack on [Sony] reaffirms that cyber threats pose one of the gravest national security dangers to the United States.”4

3 Worldwide Threats: Hearing before the S. Comm. on Armed Servs. 114th Congr. (Feb. 26, 2015) (Statement of James R. Clapper, Director of National Intelligence), available at http://www.dni.gov/files/documents/Unclassified_2015_ATA_SFR_-_SASC_FINAL.pdf

Previously criminals launched cyber attacks primarily for financial gain; now nation states (including North Korea, Russia, Iran, and China) and organized criminal groups are attempting to damage, disrupt, or modify infected ICS and networks. The U.S. obtained indictments against seven Iranian hackers for launching a massive coordinated campaign of denial of service attacks (DDoS) against 46 of the nation’s largest financial institutions.
One of the hackers gained unauthorized remote access in 2013 to the supervisory control and data acquisition (SCADA) systems of the Bowman Dam located in Rye, New York, allowing him to obtain information about water levels and the status of the sluice gate, which is responsible for controlling water levels and flow rates.5 Justice Department officials assessed the situation by stating: “The infiltration of the Bowman Avenue dam represents a frightening new frontier in cybercrime…. We now live in a world where devastating attacks on our financial system, our infrastructure, and our way of life can be launched from anywhere in the world, with a click of a mouse.”6

Cyber attacks on organizations generally, and on critical infrastructure in particular, can have catastrophic effects on safety and public health, disrupting or cutting off essential services (e.g., health care and emergency services, food, transportation, energy and power, and water supply and waste management, to highlight just a few).

The FBI considers the most significant cyber threats as “those with high intent and high capability to inflict damage or death in the U.S., to illicitly acquire assets, or to illegally obtain sensitive or classified U.S. military, intelligence, or economic information.”7 In an analysis of the threats, the FBI observed that while cyber criminal threats to the U.S. result in significant economic losses, the threat against financial institutions is only part of the problem. Emphasizing the potential for physical harm, the FBI stated: “Also of serious concern are threats to critical infrastructure, the theft of intellectual property, and supply chain issues.”

Risk Factors – ICS and IoT Vulnerabilities

While everyone is familiar with the massive data breaches that have made headline news, less attention has been focused on cyber attacks that caused physical damage and bodily injury. Vulnerabilities in IoT devices create new attack vectors (i.e., entry points) for hackers.
They increase the “surface area,” and interoperability expands the potential scope of breaches and the damage they can cause.

4 FBI National Press Office, Update on Sony Investigation, December 19, 2014, available at https://www.fbi.gov/news/pressrel/press-releases/update-on-sony-investigation.

5 See U.S. v. Fathi, Firoozi, et al., No. 16-cr-48 (S.D. N.Y. Mar. 24, 2016).

6 Press Release, DOJ, Manhattan U.S. Attorney Announces Charges against Seven Iranians for Conducting Coordinated Campaign of Cyber Attacks against U.S. Financial Sector on Behalf of Islamic Revolutionary Guard Corps-Sponsored Entities (Mar. 24, 2016), available at http://www.justice.gov/usao-sdny/pr/manhattan-us-attorney-announces-charges-against-seven-iranians-conducting-coordinated.

7 Gordon M. Snow, Assistant Director, FBI Cyber Division, Statement Before the Senate Judiciary Committee, Subcommittee on Crime and Terrorism (April 12, 2011), available at https://www.fbi.gov/news/testimony/cybersecurity-responding-to-the-threat-of-cyber-crime-and-terrorism.

The convergence of information technology and physical operations creates security risks to the operations of major critical infrastructure systems. The U.S. critical infrastructure8 is often referred to as a “system of systems” because of the interdependencies that exist between its various industrial sectors, both physically and through a host of information and communications technologies. An incident in one infrastructure can affect other infrastructures through cascading and escalating failures.

IoT architecture represents the cyber-physical convergence that is seen in major ICS. Control systems are vulnerable to cyber attack from inside and outside the control system network.9 Internet-based technologies were introduced into ICS designs in the late 1990s, exposing them to new types of threats.
Now ICS include protocols and technologies with: known vulnerabilities; open standards that are published widely, providing a roadmap into systems; and insecure and rogue ICS connections (e.g., modems) that hackers can use to bypass security controls, creating significant risk.

Many low-power IoT devices are inherently insecure. Because low cost and speed to market are often priorities, security is not built into the IoT design and it may be minimal. Vulnerabilities are not eliminated and software is not updated regularly. When these devices hit the market, they do not have the ability to respond to the complex evolving threat landscape. Home security systems and household appliances, for example, whose device lifecycle is much longer (>10 years) than the software on the devices (~two years) may introduce risk for years to come when vendors fail to provide patching or support the software in the future.

IoT devices are being used in ways they were not designed for, particularly medical devices that were originally intended to be stand-alone. With minimal or no security and now connected to hospital networks, they are creating insecurities throughout the entire healthcare computing environment. The FDA has documented the risks and issued security guidance to address these problems.10

Each critical sector has varying levels of potential risk and impact. IoT security breaches may pose life-and-death risks, the inappropriate use of personal data, or theft and fraud. A hacker attack on a smart grid system could potentially turn off power to millions of households and businesses, creating massive economic harm and threats to health and safety.
Other potential consequences of an ICS incident can range from disruption of operations and services (damaging equipment, reduction or loss of production at one site or multiple sites simultaneously) to catastrophic – jeopardizing national security or public safety (terrorist attack; release, diversion, or theft of hazardous materials; product contamination; or environmental damage).11

8 The private sector owns and operates the vast majority of the nation’s critical infrastructure and key resources – approximately 85-90 percent. Homeland Security Presidential Directive 7 designated 16 government and private industry sectors as critical infrastructure, see http://www.dhs.gov/homeland-security-presidential-directive-7.

9 Overview of Cyber Vulnerabilities, ICS-CERT, available at https://ics-cert.us-cert.gov/content/overview-cyber-vulnerabilities#under.

10 Cybersecurity, FDA, available at http://www.fda.gov/MedicalDevices/DigitalHealth/ucm373213.htm. The FDA is collaborating with the National Health Information Sharing and Analysis Center (NH-ISAC) to disseminate cybersecurity information and coordinate incident response.

11 NAT’L INST. OF STANDARDS & TECH., NIST SPECIAL PUB. 800-82 REV. 2, GUIDE TO INDUSTRIAL CONTROL SYSTEMS (ICS) SECURITY § 4.1.2, at 4-3 (2015).

II. Types of Incidents Involving IoT Devices and ICS

Many cyber attacks on IoT devices are the result of insecure wireless connections that can be hijacked and used by hackers to install malware, gain control of the device or system, and steal personal data or corporate information or cause widespread damage to physical systems. The devices are poorly protected and consumers have virtually no way to detect or fix infections when they do occur. Televisions and refrigerators are not the only concern.
Any appliance that connects to the Internet – a cable box, thermostat, smart water meter, dishwasher, clothes dryer, coffee maker, toaster, oven, garage door opener, security alarm, door lock, or medical device – can be compromised.

Toys that connect to the Internet can be compromised through their WiFi connections. A hacker can insert malware into Mattel’s Talking Barbie via WiFi and override its push button connection and encryption. Compromise of the doll’s system information will violate privacy and enable a hacker to steal account information and stored audio files, and obtain direct access to the doll’s microphone.

Thermostats present a problem common to all IoT devices – the inability to patch them over their long lifetime. It is very difficult to detect compromise of a thermostat, and often it will stay compromised until it is replaced.

Samsung’s “smart-fridge” technology connects the appliance via Wi-Fi to various apps, and integrates users’ Gmail Calendar with the refrigerator’s display. Hackers can compromise unpatched software and potentially gain access to sensitive contacts and e-mail.

Security flaws are pervasive in the healthcare industry.12 Medical devices (dialysis machines, insulin pumps, pacemakers, and ICU climate controls) that lack appropriate security can potentially impact their safety and effectiveness. Among the dangers, they can disrupt the accurate delivery of medicine to patients, alter medicine dispensary inventory to produce the incorrect medicine, or deliver the wrong dosage to patients. The FDA has issued two safety communications documenting the vulnerabilities of Hospira Infusion Pump Systems.13

Vehicles are vulnerable because Internet-connected computers in the entertainment systems are not properly isolated from the dashboard functions and driving systems (steering, brakes, and transmission). The vehicles’ onboard diagnostic port can be used to hack into a car, and an attacker can gain wireless control remotely via the Internet.
A number of incidents have been reported in which hackers have disabled driving systems, including killing the engine or abruptly engaging the brakes, putting passengers, other cars, and pedestrians at risk of serious damage, injury or death.

Similarly, hackers have taken control of unmanned aerial vehicles by inserting malware into the software controls, stopping their motors, killing the autopilot, and taking over the video camera.

Critical infrastructure owners and operators continue to experience increasingly sophisticated cyber intrusions that provide malicious actors the ability to disrupt the delivery of essential services, cause physical damage to critical infrastructure assets, and potentially produce severe cascading effects.14 Incidents involving critical infrastructures have been collected over the years and can be found in the Repository of Security Incidents (RISI), available at http://www.risidata.com/.

12 Independent Security Evaluators (ISE), Securing Hospitals (2016), available at https://securityevaluators.com/hospitalhack/securing_hospitals.pdf.

13 Ibid, FDA Cybersecurity.

In fiscal year 2015, the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT)15 responded to 295 cyber incidents impacting U.S. critical infrastructures. Reported incidents in the Critical Manufacturing Sector nearly doubled from last year, overtaking Energy as the leading sector.16

[Figure: FY 2015 Incidents Reported to ICS-CERT by Sector (295 total)17. Source: ICS-CERT Monitor, November/December 2015]

Of the various techniques used in the intrusion attempts, spear-phishing represented the “infection vector” in 37 percent of the total incidents.
While sophisticated intrusions against asset owners persist, ICS-CERT reported that it responded to a significant number of incidents enabled by insufficiently architected networks, such as ICS networks being directly connected to the Internet or to corporate networks where a spear-phishing attack can enable unauthorized access.

14 Ibid, DHS 2014 Quadrennial Review, page 23.

15 ICS-CERT collaborates with international and private sector Computer Emergency Response Teams (CERT) to share control systems-related security incidents and mitigation measures.

16 ICS-CERT Fiscal Year 2015: Final Incident Response Statistics, ICS-CERT Monitor, Nov./Dec. 2015 at 4, available at http://ics-cert.us-cert.gov/sites/default/files/Monitors/ICS-CERT_Monitor_Nov-Dec2015_S508C.pdf.

17 Ibid, page 7.

FBI data show that ransomware18 is currently one of the most serious global cyber threats to the computer systems that control ICS and IoT in all industry sectors.19

[Figure: FY 2015 Mid-Year: Attempted Infection Vector. Source: ICS-CERT Monitor, November/December 2015]

Attack methodologies used to both steal data and cause damage to ICS and IoT devices are remarkably similar. Thus, the indictment of a Russian national charged in the largest known data breach prosecution is instructive; the case provides details of attack methodology used by hackers in several of the major data breaches and will also shed light on how an ICS attack may unfold.20

III. Addressing IoT/ICS Security Challenges

Security is only as strong as its weakest link.
Failed security has resulted in thousands of data breaches that have led to the loss or compromise of millions of personally identifiable records, as well as the theft of classified information, valuable intellectual property and trade secrets, and the compromise of critical infrastructure.21 In many cases, data breaches or other types of cyber incidents could have been prevented or detected early and the risks of the incident mitigated if the organization had undertaken proper security planning and implemented appropriate security safeguards.

18 A type of malware (or malicious software) that blocks access to a computer system or files until a monetary amount is paid.

19 FBI Alert, Criminals Continue to Defraud and Extort Funds from Victims Using CryptoWall Ransomware Schemes, Alert No. 1-0623150PSA (June 23, 2015), available at http://www.ic3.gov/media/2015/150623.aspx. Recent IC3 reporting identifies CryptoWall as the most current and significant ransomware threat targeting U.S. individuals and businesses.

20 United States v. Drinkman, et al., No. 09-626 (JBS) (S-2) (D. N.J. Feb. 18, 2015) available at http://www.justice.gov/sites/default/files/opa/press-releases/attachments/2015/02/18/drinkman_vladimir_et_al_indictment_comp.pdf (second superseding indictment); http://www.justice.gov/opa/pr/russian-national-charged-largest-known-data-breach-prosecution-extradited-united-states (Feb. 17, 2015).

21 White House, Cyberspace Policy Review, pages 1-2, 17, available at http://www.whitehouse.gov/assets/documents/Cyberspace_Policy_Review_final.pdf. See, Ibid, Lucy Thomson, Data Breach and Encryption Handbook, chapter 5, pages 57-85.

IoT presents daunting security challenges that must be addressed in the coming years.
In light of the massive data breaches and well-documented ICS vulnerabilities, consensus is developing around the need for all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program.22 The many accepted frameworks and standards can serve as a reference for developing, implementing, and maintaining an appropriately-tailored cybersecurity program.

Conducting a risk assessment is essential for organizations to determine how much risk is being introduced and what can be done to mitigate it.23 Risk assessments are the basis for the selection of appropriate security controls and the development of remediation plans so that risks and vulnerabilities are reduced to a reasonable and appropriate level. The NIST Framework for Improving Critical Infrastructure Cybersecurity provides an excellent roadmap for organizations to use in assessing security risks and a framework for determining the maturity of their cybersecurity program.24

Implementing technology and using IoT devices with known vulnerabilities is not “reasonable security.” Many IoT breaches and ICS incidents involve exploitation of devices with little or no security, known vulnerabilities, and violations of well-accepted security practices. With the publication of assessments of the threats, risks, and vulnerabilities of IoT, big data, cloud computing, and ICS, as well as best practices for addressing cyber risks, standards of care are beginning to emerge. At a minimum, company and government executives should follow these principles:

To properly support an organization’s risk management framework, security must be incorporated into the architecture and design of the organization’s information systems and supporting information technology (IT) assets.
An organization should employ a defense-in-depth strategy.
Do not implement devices, software, or systems with known vulnerabilities.
Work and contract with vendors and business partners who provide products and services with appropriate security.

22 The American Bar Association adopted the following Resolution in 2014: The American Bar Association encourages all private and public sector organizations to develop, implement, and maintain an appropriate cybersecurity program that complies with applicable ethical and legal obligations, and is tailored to the nature and scope of the organization, and the data and systems to be protected.

23 See Lucy L. Thomson and Dr. Robert Thibadeau, Security Challenges of the Big Data Ecosystem Require a Laser-Like Focus on Risk, 12 SCITECH LAW, no. 2, Winter 2016, at 6.

24 NIST, FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY (2014), available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214-final.pdf.

Statement for the Record
Worldwide Threat Assessment of the US Intelligence Community
Senate Armed Services Committee
James R. Clapper
Director of National Intelligence
February 9, 2016

INTRODUCTION

Chairman McCain, Vice Chairman Reed, Members of the Committee, thank you for the invitation to offer the United States Intelligence Community’s 2016 assessment of threats to US national security. My statement reflects the collective insights of the Intelligence Community’s extraordinary men and women, whom I am privileged and honored to lead. We in the Intelligence Community are committed every day to provide the nuanced, multidisciplinary intelligence that policymakers, warfighters, and domestic law enforcement personnel need to protect American lives and America’s interests anywhere in the world.

The order of the topics presented in this statement does not necessarily indicate the relative importance or magnitude of the threat in the view of the Intelligence Community.
Information available as of February 3, 2016 was used in the preparation of this assessment.

TABLE OF CONTENTS

GLOBAL THREATS
  Cyber and Technology
  Terrorism
  Weapons of Mass Destruction and Proliferation
  Space and Counterspace
  Counterintelligence
  Transnational Organized Crime
  Economics and Natural Resources
  Human Security

REGIONAL THREATS
  East Asia
    China
    Southeast Asia
    North Korea
  Russia and Eurasia
    Russia
    Ukraine, Belarus, and Moldova
    The Caucasus and Central Asia
  Europe
    Key Partners
    The Balkans
    Turkey
  Middle East and North Africa
    Iraq
    Syria
    Libya
    Yemen
    Iran
    Lebanon
    Egypt
    Tunisia
  South Asia
    Afghanistan
    Bangladesh
    Pakistan and India
  Sub-Saharan Africa
    Central Africa
    Somalia
    South Sudan
    Sudan
    Nigeria
  Latin America and Caribbean
    Central America
    Cuba
    Venezuela
    Brazil

GLOBAL THREATS

CYBER AND TECHNOLOGY

Strategic Outlook

The consequences of innovation and increased reliance on information technology in the next few years on both our society’s way of life in general and how we in the Intelligence Community specifically perform our mission will probably be far greater in scope and impact than ever. Devices, designed and fielded with minimal security requirements and testing, and an ever-increasing complexity of networks could lead to widespread vulnerabilities in civilian infrastructures and US Government systems. These developments will pose challenges to our cyber defenses and operational tradecraft but also create new opportunities for our own intelligence collectors.

Internet of Things (IoT). “Smart” devices incorporated into the electric grid, vehicles—including autonomous vehicles—and household appliances are improving efficiency, energy conservation, and convenience. However, security industry analysts have demonstrated that many of these new systems can threaten data privacy, data integrity, or continuity of services.
In the future, intelligence services might use the IoT for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.

Artificial Intelligence (AI). AI ranges from “Narrow AI” systems, which seek to execute specialized tasks, such as speech recognition, to “General AI” systems—perhaps still decades away—which aim to replicate many aspects of human cognition. Implications of broader AI deployment include increased vulnerability to cyberattack, difficulty in ascertaining attribution, facilitation of advances in foreign weapon and intelligence systems, the risk of accidents and related liability issues, and unemployment. Although the United States leads AI research globally, foreign state research in AI is growing.

The increased reliance on AI for autonomous decisionmaking is creating new vulnerabilities to cyberattacks and influence operations. As we have already seen, false data and unanticipated algorithm behaviors have caused significant fluctuations in the stock market because of the reliance on automated trading of financial instruments. Efficiency and performance benefits can be derived from increased reliance on AI systems in both civilian industries and national security, as well as potential gains to cybersecurity from automated computer network defense. However, AI systems are susceptible to a range of disruptive and deceptive tactics that might be difficult to anticipate or quickly understand. Efforts to mislead or compromise automated systems might create or enable further opportunities to disrupt or damage critical infrastructure or national security networks.

Foreign Data Science. This field is becoming increasingly mature. Foreign countries are openly purchasing access to published US research through aggregated publication indices, and they are collecting social media and patent data to develop their own indices.

Augmented Reality (AR) and Virtual Reality (VR).
AR and VR systems with three-dimensional imagery and audio, user-friendly software, and low price points are already on the market; their adoption will probably accelerate in 2016. AR provides users with additional communications scenarios (e.g. by using virtual avatars) as well as acquisition of new data (e.g. from facial recognition) overlaid onto reality. VR gives users experiences in man-made environments wholly separate from reality.

Protecting Information Resources

Integrity. Future cyber operations will almost certainly include an increased emphasis on changing or manipulating data to compromise its integrity (i.e., accuracy and reliability) to affect decisionmaking, reduce trust in systems, or cause adverse physical effects. Broader adoption of IoT devices and AI—in settings such as public utilities and health care—will only exacerbate these potential effects. Russian cyber actors, who post disinformation on commercial websites, might seek to alter online media as a means to influence public discourse and create confusion. Chinese military doctrine outlines the use of cyber deception operations to conceal intentions, modify stored data, transmit false data, manipulate the flow of information, or influence public sentiments—all to induce errors and miscalculation in decisionmaking.

Infrastructure. Countries are becoming increasingly aware of both their own weaknesses and the asymmetric offensive opportunities presented by systemic and persistent vulnerabilities in key infrastructure sectors including health care, energy, finance, telecommunications, transportation, and water. For example, the US health care sector is rapidly evolving in ways never before imagined, and the cross-networking of personal data devices, electronic health records, medical devices, and hospital networks might play unanticipated roles in patient outcomes.
Such risks are only heightened by large-scale theft of health care data and the internationalization of critical US supply chains and service infrastructure. A major US network equipment manufacturer acknowledged last December that someone repeatedly gained access to its network to change source code in order to make its products’ default encryption breakable. The intruders also introduced a default password to enable undetected access to some target networks worldwide.

Interoperability. Most governments are exploring ways to exert sovereign control over information accessible to and used by their citizens and are placing additional legal requirements on companies as they seek to balance security, privacy, and economic concerns. We assess that many countries will implement new laws and technologies to censor information, decrease online anonymity, and localize data within their national borders. Although these regulations will restrict freedoms online and increase the operating costs for US companies abroad, they will probably not introduce obstacles that threaten the functionality of the Internet.

Identity. Advances in the capabilities of many countries to exploit large data sets almost certainly increase the intelligence value of collecting bulk data and have probably contributed to increased targeting of personally identifiable information. Commercial vendors, who aggregate the bulk of digitized information about persons, will increasingly collect, analyze, and sell it to both foreign and domestic customers. We assess that countries are exploiting personal data to inform a variety of counterintelligence operations.

Accountability. Information security professionals will continue to make progress in attributing cyber operations and tying events to previously identified infrastructure or tools that might enable rapid attribution in some cases.
However, improving offensive tradecraft, the use of proxies, and the creation of cover organizations will hinder timely, high-confidence attribution of responsibility for state-sponsored cyber operations.

Restraint. Many actors remain undeterred from conducting reconnaissance, espionage, and even attacks in cyberspace because of the relatively low costs of entry, the perceived payoff, and the lack of significant consequences. Moscow and Beijing, among others, view offensive cyber capabilities as an important geostrategic tool and will almost certainly continue developing them while simultaneously discussing normative frameworks to restrict such use. Diplomatic efforts in the past three years have created the foundation for establishing limits on cyber operations, and the norms articulated in a 2015 report of the UN Group of Governmental Experts suggest that countries are more likely to commit to limitations on what cyber operations can target than to support bans on the development of offensive capabilities or on specific means of cyber intervention. For example, in 2015, following a US-Chinese bilateral agreement, G-20 leaders agreed that no country should conduct or sponsor cyber espionage for the purpose of commercial gain.

Leading Threat Actors

Russia. Russia is assuming a more assertive cyber posture based on its willingness to target critical infrastructure systems and conduct espionage operations even when detected and under increased public scrutiny. Russian cyber operations are likely to target US interests to support several strategic objectives: intelligence gathering to support Russian decisionmaking in the Ukraine and Syrian crises, influence operations to support military and political objectives, and continuing preparation of the cyber environment for future contingencies.

China. China continues to have success in cyber espionage against the US Government, our allies, and US companies.
Beijing also selectively uses cyberattacks against targets it believes threaten Chinese domestic stability or regime legitimacy. We will monitor compliance with China’s September 2015 commitment to refrain from conducting or knowingly supporting cyber-enabled theft of intellectual property with the intent of providing competitive advantage to companies or commercial sectors. Private-sector security experts have identified limited ongoing cyber activity from China but have not verified state sponsorship or the use of exfiltrated data for commercial gain.

Iran. Iran used cyber espionage, propaganda, and attacks in 2015 to support its security priorities, influence events, and counter threats—including against US allies in the region.

North Korea. North Korea probably remains capable and willing to launch disruptive or destructive cyberattacks to support its political objectives. South Korean officials have concluded that North Korea was probably responsible for the compromise and disclosure of data from a South Korean nuclear plant.

Nonstate Actors. Terrorists continue to use the Internet to organize, recruit, spread propaganda, collect intelligence, raise funds, and coordinate operations. In a new tactic, ISIL actors targeted and released sensitive information about US military personnel in 2015 in an effort to spur “lone-wolf” attacks. Criminals develop and use sophisticated cyber tools for a variety of purposes such as theft, extortion, and facilitation of other criminal activities such as drug trafficking. “Ransomware” designed to block user access to their own data, sometimes by encrypting it, is becoming a particularly effective and popular tool for extortion for which few options for recovery are available. Criminal tools and malware are increasingly being discovered on state and local government networks.

TERRORISM

The United States and its allies are facing a challenging threat environment in 2016.
Sunni violent extremism has been on an upward trajectory since the late 1970s and has more groups, members, and safe havens than at any other point in history. At the same time, Shia violent extremists will probably deepen sectarian tensions in response to real and perceived threats from Sunni violent extremists and to advance Iranian influence. The Islamic State of Iraq and the Levant (ISIL) has become the preeminent terrorist threat because of its self-described caliphate in Syria and Iraq, its branches and emerging branches in other countries, and its increasing ability to direct and inspire attacks against a wide range of targets around the world. ISIL’s narrative supports jihadist recruiting, attracts others to travel to Iraq and Syria, draws individuals and groups to declare allegiance to ISIL, and justifies attacks across the globe. The ISIL-directed November 2015 attacks in Paris and ISIL-Sinai’s claim of responsibility for the late October downing of a Russian airliner in the Sinai underscore these dynamics. Al-Qa'ida's affiliates have proven resilient and are positioned to make gains in 2016, despite counterterrorism pressure that has largely degraded the network's leadership in Afghanistan and Pakistan. They will continue to pose a threat to local, regional, and even possibly global interests as demonstrated by the January 2015 attack on French satirical newspaper Charlie Hebdo by individuals linked to al-Qa’ida in the Arabian Peninsula (AQAP). Other Sunni terrorist groups retain the ability to attract recruits and resources. The United States will almost certainly remain at least a rhetorically important enemy for most violent extremists in part due to past and ongoing US military, political, and economic engagement overseas. Sunni violent extremists will probably continually plot against US interests overseas. A smaller number will attempt to overcome the logistical challenges associated with conducting attacks on the US homeland. 
The July 2015 attack against military facilities in Chattanooga and December 2015 attack in San Bernardino demonstrate the threat that homegrown violent extremists (HVEs) also pose to the homeland. In 2014, the FBI arrested approximately one dozen US-based ISIL supporters. In 2015, that number increased to approximately five dozen arrests. These individuals were arrested for a variety of reasons, predominantly for attempting to provide material support to ISIL. US-based HVEs will probably continue to pose the most significant Sunni terrorist threat to the US homeland in 2016. The perceived success of attacks by HVEs in Europe and North America, such as those in Chattanooga and San Bernardino, might motivate others to replicate opportunistic attacks with little or no warning, diminishing our ability to detect terrorist operational planning and readiness. ISIL involvement in homeland attack activity will probably continue to involve those who draw inspiration from the group’s highly sophisticated media without direct guidance from ISIL leadership and individuals in the United States or abroad who receive direct guidance and specific direction from ISIL members or leaders. ISIL’s global appeal continues to inspire individuals in countries outside Iraq and Syria to travel to join the group. More than 36,500 foreign fighters—including at least 6,600 from Western countries—have traveled to Syria from more than 100 countries since the conflict began in 2012. Foreign fighters who have trained in Iraq and Syria might potentially leverage skills and experience to plan and execute attacks in the West. Involvement of returned foreign fighters in terrorist plotting increases the effectiveness and lethality of terrorist attacks, according to academic studies. A prominent example is the November 2015 attacks in Paris in which the plotters included European foreign fighters returning from Syria.
ISIL’s branches continue to build a strong global network that aims to advance the group’s goals and often works to exacerbate existing sectarian tensions in their localities. Some of these branches will also plan to strike at Western targets, such as the downing of a Russian airliner in October by ISIL’s self-proclaimed province in Egypt. In Libya, the group is entrenched in Surt and along the coastal areas, has varying degrees of presence across the country, and is well positioned to expand territory under its control in 2016. ISIL will seek to influence previously established groups, such as Boko Haram in Nigeria, to emphasize the group’s ISIL identity and fulfill its religious obligations to the ISIL “caliphate.” Other terrorists and insurgent groups will continue to exploit weak governance, insecurity, and economic and political fragility in an effort to expand their areas of influence and provide safe havens for violent extremists, particularly in conflict zones. Sunni violent extremist groups are increasingly joining or initiating insurgencies to advance their local and transnational objectives. Many of these groups are increasingly capable of conducting effective insurgent campaigns, given their membership growth and accumulation of large financial and materiel caches. This trend increasingly blurs the lines between insurgent and terrorist groups as both aid local fighters, leverage safe havens, and pursue attacks against US and other Western interests. No single paradigm explains how terrorists become involved in insurgencies. Some groups like ISIL in Syria and al-Qa’ida in the Islamic Maghreb (AQIM) in Mali have worked with local militants to incite insurgencies. Others, like Boko Haram, are the sole instigators and represent the primary threat to their respective homeland’s security. Still others, including al-Shabaab, are the primary beneficiaries of an insurgency started by others.
Finally, other groups, such as core al-Qa‘ida, have taken advantage of the relative safe haven in areas controlled by insurgent groups to build capabilities and alliances without taking on a primary leadership role in the local conflict. Although al-Qa‘ida’s presence in Afghanistan and Pakistan has been significantly degraded, it aspires to attack the US and its allies. In Yemen, the proven capability of AQAP to advance external plots during periods of instability suggests that leadership losses and challenges from the Iranian-backed Huthi insurgency will not deter its efforts to strike the West. Amid this conflict, AQAP has made territorial gains in Yemen including the seizure of military bases in the country’s largest province. Al-Qa’ida nodes in Syria, Pakistan, Afghanistan, and Turkey are also dedicating resources to planning attacks. Al-Shabaab, al-Qa’ida's affiliate in East Africa, continues its violent insurgency in southern and central Somalia despite losses of territory and influence and conflict among senior leaders. Iran—the foremost state sponsor of terrorism—continues to exert its influence in regional crises in the Middle East through the Islamic Revolutionary Guard Corps—Qods Force (IRGC-QF), its terrorist partner Lebanese Hizballah, and proxy groups. It also provides military and economic aid to its allies in the region. Iran and Hizballah remain a continuing terrorist threat to US interests and partners worldwide. Terrorists will almost certainly continue to benefit in 2016 from a new generation of recruits proficient in information technology, social media, and online research. Some terrorists will look to use these technologies to increase the speed of their communications, the availability of their propaganda, and ability to collaborate with new partners. They will easily take advantage of widely available, free encryption technology, mobile-messaging applications, the dark web, and virtual environments to pursue their objectives.
Long-term economic, political, and social problems, as well as technological changes, will contribute to the terrorist threat worldwide. A record-setting 60 million internally displaced persons (IDPs) and refugees as of 2014—one half of whom are children, according to the United Nations—will stress the capacity of host nations already dealing with problems relating to assimilation and possibly make displaced populations targets for recruitment by violent extremists. Among Sunni violent extremist groups, ISIL is probably most proficient at harnessing social media to disseminate propaganda and solicit recruits among a broad audience. It is likely to continue these activities in 2016 by using videos, photos, and other propaganda glorifying life under ISIL rule and promoting the group’s military successes. In addition, violent extremist supporters will probably continue to publicize their use of encrypted messaging applications on social media to let aspiring violent extremists know that secure avenues are available by which they can communicate. The acute and enduring nature of demographic, economic, political, social, and technological factors contributes to the motivation of individuals and groups and their participation in violent extremist activities. These factors ensure that terrorism will remain one of several primary national security challenges for the United States in 2016.

WEAPONS OF MASS DESTRUCTION AND PROLIFERATION

Nation-state efforts to develop or acquire weapons of mass destruction (WMD), their delivery systems, or their underlying technologies constitute a major threat to the security of the United States, its deployed troops, and allies. Use of chemical weapons in Syria by both state and nonstate actors demonstrates that the threat of WMD is real. Biological and chemical materials and technologies, almost always dual use, move easily in the globalized economy, as do personnel with the scientific expertise to design and use them.
The latest discoveries in the life sciences also diffuse rapidly around the globe.

North Korea Developing WMD-Applicable Capabilities

North Korea’s nuclear weapons and missile programs will continue to pose a serious threat to US interests and to the security environment in East Asia in 2016. North Korea’s export of ballistic missiles and associated materials to several countries, including Iran and Syria, and its assistance to Syria’s construction of a nuclear reactor, destroyed in 2007, illustrate its willingness to proliferate dangerous technologies. We judge that North Korea conducted a nuclear test on 6 January 2016 that it claimed was a successful test of a “hydrogen bomb.” Although we are continuing to evaluate this event, the low yield of the test is not consistent with a successful test of a thermonuclear device. In 2013, following North Korea’s third nuclear test, Pyongyang announced its intention to “refurbish and restart” its nuclear facilities, to include the uranium enrichment facility at Yongbyon and its graphite-moderated plutonium production reactor, which was shut down in 2007. We assess that North Korea has followed through on its announcement by expanding its Yongbyon enrichment facility and restarting the plutonium production reactor. We further assess that North Korea has been operating the reactor long enough so that it could begin to recover plutonium from the reactor’s spent fuel within a matter of weeks to months. North Korea has also expanded the size and sophistication of its ballistic missile forces—from close-range ballistic missiles to intercontinental ballistic missiles (ICBMs)—and continues to conduct test launches. In May 2015, North Korea claimed that it successfully tested a ballistic missile from a submarine. Pyongyang is also committed to developing a long-range, nuclear-armed missile that is capable of posing a direct threat to the United States; it has publicly displayed its KN08 road-mobile ICBM on multiple occasions.
We assess that North Korea has already taken initial steps toward fielding this system, although the system has not been flight-tested. Although North Korea issues official statements that include its justification for building nuclear weapons and threats to use them as a defensive or retaliatory measure, we do not know the details of Pyongyang’s nuclear doctrine or employment concepts. We have long assessed that Pyongyang’s nuclear capabilities are intended for deterrence, international prestige, and coercive diplomacy.

China Modernizing Nuclear Forces

The Chinese People’s Liberation Army (PLA) has established a Rocket Force—replacing the longstanding Second Artillery Corps—and continues to modernize its nuclear missile force by adding more survivable road-mobile systems and enhancing its silo-based systems. This new generation of missiles is intended to ensure the viability of China’s strategic deterrent by providing a second-strike capability. In addition, the PLA Navy continues to develop the JL-2 submarine-launched ballistic missile (SLBM) and might produce additional JIN-class nuclear-powered ballistic missile submarines. The JIN-class submarines—armed with JL-2 SLBMs—will give the PLA Navy its first long-range, sea-based nuclear capability.

Russian Cruise Missile Violates the INF Treaty

Russia has developed a ground-launched cruise missile that the United States has declared is in violation of the Intermediate-Range Nuclear Forces (INF) Treaty. Russia has denied it is violating the INF Treaty.
In 2013, a senior Russian administration official stated publicly that the world had changed since the INF Treaty was signed in 1987 and noted that Russia was “developing appropriate weapons systems” in light of the proliferation of intermediate- and shorter-range ballistic missile technologies around the world, and Russian officials have made statements in the past regarding the unfairness of a Treaty that prohibits Russia, but not some of its neighbors, from developing and processing ground-launched missiles with ranges between 500 and 5,500 kilometers.

Chemical Weapons in Syria and Iraq

We assess that Syria has not declared all the elements of its chemical weapons program to the Chemical Weapons Convention (CWC). Despite the creation of a specialized team and months of work by the Organization for the Prohibition of Chemical Weapons (OPCW) to address gaps and inconsistencies in Syria’s declaration, numerous issues remain unresolved. Moreover, we continue to judge that the Syrian regime has used chemicals as a means of warfare since accession to the CWC in 2013. The OPCW Fact-Finding Mission has concluded that chlorine had been used on Syrian opposition forces in multiple incidents in 2014 and 2015. Helicopters—which only the Syrian regime possesses—were used in several of these attacks. We assess that nonstate actors in the region are also using chemicals as a means of warfare. The OPCW investigation into an alleged ISIL attack in Syria in August led it to conclude that at least two people were exposed to sulfur mustard. We continue to track numerous allegations of ISIL’s use of chemicals in attacks in Iraq and Syria, suggesting that attacks might be widespread.

Iran Adhering to Deal To Preserve Capabilities and Gain Sanctions Relief

Iran probably views the Joint Comprehensive Plan of Action (JCPOA) as a means to remove sanctions while preserving some of its nuclear capabilities, as well as the option to eventually expand its nuclear infrastructure.
We continue to assess that Iran’s overarching strategic goals of enhancing its security, prestige, and regional influence have led it to pursue capabilities to meet its nuclear energy and technology goals and give it the ability to build missile-deliverable nuclear weapons, if it chooses to do so. Its pursuit of these goals will dictate its level of adherence to the JCPOA over time. We do not know whether Iran will eventually decide to build nuclear weapons. We also continue to assess that Iran does not face any insurmountable technical barriers to producing a nuclear weapon, making Iran’s political will the central issue. Iran’s implementation of the JCPOA, however, has extended the amount of time Iran would need to produce fissile material for a nuclear weapon from a few months to about a year. The JCPOA has also enhanced the transparency of Iran’s nuclear activities, mainly through improved access by the International Atomic Energy Agency (IAEA) and investigative authorities under the Additional Protocol to its Comprehensive Safeguard Agreement. As a result, the international community is well postured to quickly detect changes to Iran’s declared nuclear facilities designed to shorten the time Iran would need to produce fissile material. Further, the JCPOA provides tools for the IAEA to investigate possible breaches of prohibitions on specific R&D activities that could contribute to the development of a nuclear weapon. We judge that Tehran would choose ballistic missiles as its preferred method of delivering nuclear weapons, if it builds them. Iran’s ballistic missiles are inherently capable of delivering WMD, and Tehran already has the largest inventory of ballistic missiles in the Middle East. Iran’s progress on space launch vehicles—along with its desire to deter the United States and its allies—provides Tehran with the means and motivation to develop longer-range missiles, including ICBMs. 
Genome Editing

Research in genome editing conducted by countries with different regulatory or ethical standards than those of Western countries probably increases the risk of the creation of potentially harmful biological agents or products. Given the broad distribution, low cost, and accelerated pace of development of this dual-use technology, its deliberate or unintentional misuse might lead to far-reaching economic and national security implications. Advances in genome editing in 2015 have compelled groups of high-profile US and European biologists to question unregulated editing of the human germline (cells that are relevant for reproduction), which might create inheritable genetic changes. Nevertheless, researchers will probably continue to encounter challenges to achieve the desired outcome of their genome modifications, in part because of the technical limitations that are inherent in available genome editing systems.

SPACE AND COUNTERSPACE

Space

Global Trends. Changes in the space sector will evolve more quickly in the next few years as innovation becomes more ubiquitous, driven primarily by increased availability of technology and growing private company investment. The number of space actors is proliferating, with 80 countries participating in space activities and more expected in the next few years. New entrants from the private space sector—leveraging lowering costs in aerospace technology and innovations in other technology sectors, such as big data analytics, social media, automation, and additive manufacturing—will increase global access to space-enabled applications, such as imaging, maritime automatic identification system (AIS), weather, Internet, and communications.

Military and Intelligence.
Foreign governments will expand their use of space services—to include reconnaissance, communications, and position, navigation, and timing (PNT)—for military and intelligence purposes, beginning to rival the advantages space-enabled services provide the United States. Russia and China continue to improve the capabilities of their military and intelligence satellites and grow more sophisticated in their operations. Russian military officials publicly tout their use of imaging and electronic-reconnaissance satellites to support military operations in Syria—revealing some of their sophisticated military uses of space services.

Counterspace

Threats to our use of military, civil, and commercial space systems will increase in the next few years as Russia and China progress in developing counterspace weapon systems to deny, degrade, or disrupt US space systems. Foreign military leaders understand the unique advantages that space-based systems provide to the United States. Russian senior leadership probably views countering the US space advantage as a critical component of warfighting. Its 2014 Military Doctrine highlights at least three space-enabled capabilities—“global strike,” the “intention to station weapons in space,” and “strategic non-nuclear precision weapons”—as main external military threats to the Russian Federation. Russia and China are also employing more sophisticated satellite operations and are probably testing dual-use technologies in space that could be applied to counterspace missions.

Deny and Disrupt. We already face a global threat from electronic warfare systems capable of jamming satellite communications systems and global navigation space systems. We assess that this technology will continue to proliferate to new actors and that our more advanced adversaries will continue to develop more sophisticated systems in the next few years.
Russian defense officials acknowledge that they have deployed radar-imagery jammers and are developing laser weapons designed to blind US intelligence and ballistic missile defense satellites.

Destroy. Russia and China continue to pursue weapons systems capable of destroying satellites on orbit, placing US satellites at greater risk in the next few years. China has probably made progress on the antisatellite missile system that it tested in July 2014. The Russian Duma officially recommended in 2013 that Russia resume research and development of an airborne antisatellite missile to “be able to intercept absolutely everything that flies from space.”

COUNTERINTELLIGENCE

The United States will continue to face a complex foreign intelligence threat environment in 2016. We assess that the leading state intelligence threats to US interests will continue to be Russia and China, based on their capabilities, intent, and broad operational scope. Other states in South Asia, the Near East, East Asia, and Latin America will pose local and regional intelligence threats to US interests. For example, Iranian and Cuban intelligence and security services continue to view the United States as a primary threat. Penetrating and influencing the US national decisionmaking apparatus and Intelligence Community will remain primary objectives for numerous foreign intelligence entities. Additionally, the targeting of national security information and proprietary information from US companies and research institutions involved with defense, energy, finance, dual-use technology, and other sensitive areas will remain a persistent threat to US interests. Insiders who disclose sensitive US Government information without authorization will remain a significant threat in 2016. The sophistication and availability of information technology that can be used for nefarious purposes exacerbate this threat both in terms of speed and scope of impact.
Nonstate entities, including international terrorist groups and transnational organized crime organizations, will continue to employ and potentially improve their intelligence capabilities, which include human, cyber, and technical means. Like state intelligence services, these nonstate entities recruit human sources and conduct physical and technical surveillance to facilitate their activities and avoid detection and capture.

TRANSNATIONAL ORGANIZED CRIME

Some US Drug Threats Are Growing

Transnational drug trafficking poses a strong and in many cases growing threat to the United States at home and to US security interests abroad. Supplies of some foreign-produced drugs in the United States are rising, and some criminals who market them are growing more sophisticated.

• Mexican drug traffickers, capitalizing on the strong US demand for heroin, have increased heroin production significantly since 2007. US border seizures nearly doubled between 2010 and 2014. Some Mexican trafficking groups—which collectively supply most of the heroin consumed in the United States—have mastered production of the white heroin preferred in eastern US cities and have been boosting overall drug potency by adding fentanyl. Fentanyl, which is 30 to 50 times more potent than heroin, is sometimes used as an adulterant and mixed with lower-grade heroin to increase its effects or mixed with diluents and sold as “synthetic heroin” with or without the buyers’ knowledge.

• Mexican traffickers have probably increased their production of the stimulant methamphetamine for the US market. US border seizures of the drug rose by nearly half between 2013 and 2014.

• Traffickers in the Andean countries have increased their manufacture of cocaine. Producers in Colombia—from which most US cocaine originates—increased output by nearly a third in 2014 over the prior year. Cocaine output will probably rise again in 2016 as previously planted coca crops fully mature.
• US availability of some new psychoactive substances—so-called “designer drugs” typically produced in Asia—has been increasing; UN scientists have identified more than 500 unique substances.

Transnational Organized Crime Groups Target Vulnerable States

Transnational organized crime groups will pose a persistent and at times sophisticated threat to the wealth, health, and security of people around the globe. Criminal groups’ untaxed and unregulated enterprises drain state resources, crowd out legitimate commerce, increase official corruption, and impede economic competitiveness and fair trade. On occasion, transnational organized crime groups threaten countries’ security, spur increases in social violence, or otherwise reduce governability.

• Profit-minded criminals generally do not seek the reins of political power but rather to suborn, co-opt, or bully government officials in order to create environments in which criminal enterprise can thrive.

• Foreign-based transnational criminals are increasingly using online information systems to breach sovereign borders virtually, without the need to send criminal operatives abroad to advance illicit businesses.

• Organized crime and rebel groups in Africa and elsewhere are likely to increase their involvement in wildlife trafficking to fund political activities, enhance political influence, and purchase weapons. Illicit trade in wildlife, timber, and marine resources endangers the environment, threatens good governance and border security in fragile regions, and destabilizes communities whose economic well-being depends on wildlife for biodiversity and ecotourism. Increased demand for ivory and rhino horn in East Asia has triggered unprecedented increases in poaching in Sub-Saharan Africa.

Human trafficking exploits and abuses individuals and challenges international security. Human traffickers leverage corrupt officials, porous borders, and lax enforcement to orchestrate their illicit trade.
This exploitation of human lives for profit continues to occur in every country in the world—undermining the rule of law and corroding legitimate institutions of government and commerce. Trafficking in persons has become a lucrative source of revenue for transnational organized crime groups and terrorist organizations and is estimated to produce tens of billions of dollars annually. For example, terrorist or armed groups—such as ISIL, the Lord's Resistance Army, and Boko Haram—engage in kidnapping for the purpose of sexual slavery, sexual exploitation, and forced labor. These activities might also contribute to the funding and sustainment of such groups. We assess that the ongoing global migration crises—a post-WWII record 60 million refugees and internally displaced persons—will fuel an increase in the global volume of human trafficking victims as men, women, and children undertake risky migration ventures and fall prey to sex trafficking, forced labor, debt bondage and other trafficking crimes. This continuing rise in global displacement and dangerous migration, both forced and opportunistic movements within countries and across national borders, will probably allow criminal groups and terrorist organizations to exploit vulnerable populations.

ECONOMICS AND NATURAL RESOURCES

Global economic growth will probably remain subdued, in part because of the deceleration of China’s economy. During 2015, preliminary figures indicate that worldwide GDP growth slipped to 3.1 percent, down from 3.4 percent the previous year, although advanced economies as a group enjoyed their strongest GDP growth since 2010 at nearly 2 percent. However, developing economies, which were already dealing with broad and sharp commodity-price declines that began in 2014, saw the first net capital outflows to developed countries since the late 1980s. GDP growth for these economies was 4 percent in 2015, the lowest since 2009.
The International Monetary Fund (IMF) is forecasting a slight growth upturn in 2016 but downgraded its forecast in January for both developed and developing economies. Adverse shocks such as financial instability in emerging markets, a steeper-than-expected slowdown in China’s growth, or renewed uncertainty about Greece’s economic situation, might prevent the predicted gradual increase in global growth.

Macroeconomic Stability

Continued solid performance by the United States and the resumption of growth for many European states, even as the region continues to wrestle with the Greek debt crisis, will probably help boost growth rates for developed economies. However, increasing signs of a sustained deceleration of Chinese economic growth—particularly in sectors that are the most raw-material intensive—contributed to a continued decline in energy and commodity prices worldwide in 2015. Emerging markets and developing countries’ difficulties were compounded by the declines in foreign investment inflows and increases in resident capital outflows. The prospect of higher growth and interest rates in the United States is spurring net capital outflows from these countries, estimated to be more than $700 billion in 2015, compared to an average yearly inflow of more than $400 billion from 2009 to 2014. The global slowdown in trade is also contributing to a more difficult economic environment for many developing economies and might worsen if efforts to advance trade liberalization through the World Trade Organization (WTO) and regional trade deals stall.

Energy and Commodities

Weak energy and commodity prices have been particularly hard on key exporters in Latin America; Argentina and Brazil experienced negative growth and their weakened currencies contributed to domestic inflation.
A steeply declining economy in Venezuela—the result of the oil-price decline and years of poor economic policy and profligate government spending—will leave Caracas struggling to avoid default in 2016. Similarly, in Africa, declining oil revenues and past mismanagement have contributed to Angolan and Nigerian fiscal problems, currency strains, and deteriorating external balances. Falling prices have also forced commodity-dependent exporters, such as Ghana, Liberia, and Zambia, to make sharp budget cuts to contain deficits. Persian Gulf oil exporters, which generally have more substantial financial reserves, have nonetheless seen a sharp increase in budget deficits.

Declining energy prices and substantial increases in North American production have also discouraged initiatives to develop new resources and expand existing projects—including in Brazil, Canada, Iraq, and Saudi Arabia. They typically take years to complete, potentially setting the stage for shortfalls in coming years when demand recovers.

Arctic

Diminishing sea ice is creating increased economic opportunities in the region and simultaneously raising Arctic nations’ concerns about safety and the environment. Harsh weather and longer-term economic stakes have encouraged cooperation among the countries bordering the Arctic. As polar ice recedes and resource extraction technology improves, however, economic and security concerns will raise the risk of increased competition between Arctic and non-Arctic nations over access to sea routes and resources. Sustained low oil prices would reduce the attractiveness of potential Arctic energy resources.

Russia will almost certainly continue to bolster its military presence along its northern coastline to improve its perimeter defense and control over its exclusive economic zone (EEZ). It will also almost certainly continue to seek international support for its extended continental shelf claim and its right to manage ship traffic within its EEZ.
Moscow might become more willing to disavow established international processes or organizations concerning Arctic governance and act unilaterally to protect these interests if Russian-Western relations deteriorate further.

HUMAN SECURITY

Environmental Risks and Climate Change

Extreme weather, climate change, environmental degradation, related rising demand for food and water, poor policy responses, and inadequate critical infrastructure will probably exacerbate—and potentially spark—political instability, adverse health conditions, and humanitarian crises in 2016. Several of these developments, especially those in the Middle East, suggest that environmental degradation might become a more common source for interstate tensions. We assess that almost all of the 194 countries that adopted the global climate agreement at the UN climate conference in Paris in December 2015 view it as an ambitious and long-lasting framework.

• The UN World Meteorological Organization (WMO) report attributes extreme weather events in the tropics and sub-tropical zones in 2015 to both climate change and an exceptionally strong El Niño that will probably persist through spring 2016. An increase in extreme weather events is likely to occur throughout this period, based on WMO reporting. Human activities, such as the generation of greenhouse gas emissions and land use, have contributed to extreme weather events including more frequent and severe tropical cyclones, heavy rainfall, droughts, and heat waves, according to a November 2015 academic report with contributions from scientists at the National Oceanic and Atmospheric Administration (NOAA). Scientists have more robust evidence to identify the influence of human activity on temperature extremes than on precipitation extremes.
• The Paris climate change agreement establishes a political expectation for the first time that all countries will address climate change.
The response to the deal has been largely positive among government officials and nongovernmental groups, probably because the agreement acknowledges the need for universal action to combat climate change along with the development needs of lower-income countries. However, an independent team of climate analysts and the Executive Secretary of the UN climate forum have stated that countries’ existing national plans to address climate change will only limit temperature rise to 2.7 degrees Celsius by 2100.

Health

Infectious diseases and vulnerabilities in the global supply chain for medical countermeasures will continue to pose a danger to US national security in 2016. Land-use changes will increase animal-to-human interactions and globalization will raise the potential for rapid cross-regional spread of disease, while the international community remains ill prepared to collectively coordinate and respond to disease threats. Influenza viruses, coronaviruses such as the one causing Middle Eastern Respiratory Syndrome (MERS), and hemorrhagic fever viruses such as Ebola are examples of infectious disease agents that are passed from animals to humans and can quickly pose regional or global threats.

Zika virus, an emerging infectious disease threat first detected in the Western Hemisphere in 2014, is projected to cause up to 4 million cases in 2016; it will probably spread to virtually every country in the hemisphere. Although the virus is predominantly a mild illness, and no vaccine or treatment is available, the Zika virus might be linked to devastating birth defects in children whose mothers were infected during pregnancy. Many developed and developing nations remain unable to implement coordinated plans of action to prevent infectious disease outbreaks, strengthen global disease surveillance and response, rapidly share information, develop diagnostic tools and countermeasures, or maintain the safe transit of personnel and materials.
• Human encroachment into animal habitats, including clearing land for farm use and urbanization, is recognized as a contributing factor in the emergence of new infectious diseases. The populations of Asia and Africa are urbanizing and growing faster than those of any other region, according to the UN. Emerging diseases against which humans have no preexisting immunity or effective therapies pose significant risks of becoming pandemics.

Atrocities and Instability

Risks of atrocities, large-scale violence, and regime-threatening instability will remain elevated in 2016. A vicious cycle of conflict resulting from weak governance, the rise of violent non-state actors, insufficient international capacity to respond to these complex challenges, and an increase in global migration all contribute to global security risks. Weak global growth, particularly resulting from the cascading effect of slower Chinese growth that will hurt commodity exporters, will also exacerbate risk.

• Regional spillover will probably spread. For example, the long-term impact of civil war in Syria is reinforcing sectarian differences in Iraq, and the flight of Syrians to Turkey, Jordan, and Lebanon, and then onward to Europe is sowing regional tensions and straining national governments.
• As of 2015, the central governments of seven states are unable to project authority and provide goods and services throughout at least 50 percent of their respective territory; this number is the largest at any point in the past 60 years.
• The risk of waning support for universal human rights norms is increasing as authoritarian regimes push back against human rights in practice and in principle.

Global Displacement

Europe will almost certainly continue to face record levels of arriving refugees and other migrants in 2016 unless the drivers causing this historic movement toward the continent change significantly in 2016, which we judge is unlikely.
Migration and displacement will also probably be an issue within Asia and Africa as well as the Americas. In total, about 60 million people are displaced worldwide, according to the UN High Commissioner for Refugees (UNHCR). These 60 million consist of approximately 20 million refugees, 38 million internally displaced persons (IDPs), and approximately 2 million stateless persons, also according to UNHCR statistics.

• Wars, weak border controls, and relatively easy and affordable access to routes and information are driving this historic increase in mobility and displacement.

The growing scope and scale of human displacement will probably continue to strain the response capacity of the international community and drive a record level of humanitarian requests. At the same time, host and transit countries will struggle to develop effective responses and, in some cases, manage domestic fears of terrorists exploiting migrant flows after the Paris attacks in November 2015.

• In 2015, the UN received less than half of its requested funding for global assistance, suggesting that the UN’s 2016 request is also likely to be underfunded.

REGIONAL THREATS

Emerging trends suggest that geopolitical competition among the major powers is increasing in ways that challenge international norms and institutions. Russia, in particular, but also China seek greater influence over their respective neighboring regions and want the United States to refrain from actions they perceive as interfering with their interests—which will perpetuate the ongoing geopolitical and security competition around the peripheries of Russia and China, to include the major sea lanes.
They will almost certainly eschew direct military conflict with the United States in favor of contests at lower levels of competition—to include the use of diplomatic and economic coercion, propaganda, cyber intrusions, proxies, and other indirect applications of military power—that intentionally blur the distinction between peace and wartime operations.

Although major power competition is increasing, the geopolitical environment continues to offer opportunities for US cooperation. In addition, despite the prospect for increased competition, the major powers, including Russia and China, will have incentives to continue to cooperate with the United States on issues of shared interest that cannot be solved unilaterally. A future international environment defined by a mix of competition and cooperation among major powers, however, will probably encourage ad-hoc approaches to global challenges that undermine existing international institutions.

EAST ASIA

China

China will continue to pursue an active foreign policy—especially within the Asia Pacific—highlighted by a firm stance on competing territorial claims in the East and South China Seas, relations with Taiwan, and its pursuit of economic engagement across East Asia. Regional tension will continue as China pursues construction at its expanded outposts in the South China Sea and because competing claimants might pursue actions that others perceive as infringing on their sovereignty. Despite the meeting between China’s and Taiwan’s Presidents in November 2015, Chinese leaders will deal with a new president from a different party in Taiwan following elections in January. China will also pursue efforts aimed at fulfilling its “One Belt, One Road” initiative to expand China’s economic role and outreach across Asia.

China will continue to incrementally increase its global presence.
Mileposts have included symbolic and substantive developments, such as the IMF’s decision in November 2016 to incorporate the renminbi into its Special Drawing Rights currency basket and China’s opening of the Asian Infrastructure Investment Bank in early 2016. China will increasingly be a factor in global responses to emerging problems, as illustrated by China’s participation in UN peacekeeping operations, WHO’s Ebola response, and infrastructure construction in Africa and Pakistan.

Amid new economic challenges, Chinese leaders are pursuing an ambitious agenda of economic, legal, and military reforms aimed at bolstering the country’s long-term economic growth potential, improving government efficiency and accountability, and strengthening the control of the Communist Party. The scope and scale of the reform agenda—coupled with an ongoing anti-corruption campaign—might increase the potential for internal friction within China’s ruling Communist Party. Additionally, China’s leaders, who have declared slower economic growth to be the “new normal,” will nonetheless face pressure to stabilize growth at levels that still support strong job creation.

Southeast Asia

Regional integration via the Association of Southeast Asian Nations (ASEAN) made gains in 2015 with the establishment of the ASEAN Community. However, ASEAN cohesion on economic and security issues will continue to face challenges stemming from differing development levels among ASEAN members and their varying threat perceptions of China’s regional ambitions and assertiveness in the South China Sea.

Democracy in many Southeast Asian nations remains fragile. Elites—rather than the populace—retain a significant level of control and often shape governance reforms to benefit their individual interests rather than to promote democratic values.
Corruption and cronyism continue to be rampant in the region, and the rising threat of ISIL might provide some governments with a new rationale to not only address the terrorist threat but also curb opposition movements, like some leaders in the region did in the post 9/11 environment. The new National League for Democracy-led government in Burma is poised to continue the country’s democratic transition process, but given its lack of governing experience, the learning curve will be steep. The Burmese constitution also ensures that the military will retain a significant level of power in the government, hampering the NLD to put its own stamp on the ongoing peace process. In Thailand, the military-led regime is positioned to remain in power through 2017.

North Korea

Since taking the helm of North Korea in December 2011, Kim Jong Un has further solidified his position as the unitary leader and final decision authority through purges, executions, and leadership shuffles. Kim and the regime have publicly emphasized—and codified—North Korea’s focus on advancing its nuclear weapons program, developing the country’s troubled economy, and improving the livelihood of the North Korean people, while maintaining the tenets of a command economy. Despite efforts at diplomatic outreach, Kim continues to challenge the international community with provocative and threatening behavior in pursuit of his goals, as prominently demonstrated in the November 2014 cyberattack on Sony, the August 2015 inter-Korean confrontation spurred by the North’s placement of landmines that injured two South Korean soldiers, and the fourth nuclear test in January 2016.

RUSSIA AND EURASIA

Russia

Moscow’s more assertive foreign policy approach, evident in Ukraine and Syria, will have far-reaching effects on Russia’s domestic politics, economic development, and military modernization efforts.
President Vladimir Putin has sustained his popular approval at or near record highs for nearly two years after illegally annexing Crimea. Nevertheless, the Kremlin’s fears of mass demonstration remain high, and the government will continue to rely on repressive tactics to defuse what it sees as potential catalysts for protests in Russia. The Kremlin’s fear of instability and its efforts to contain it will probably be especially acute before the September 2016 Duma election.

The Russian economy will continue to shrink as a result of longstanding structural problems—made worse by low energy prices and economic sanctions—and entered into recession in 2015. A consensus forecast projects that GDP will contract by 3.8 percent in 2015 and will probably decline between 2-3 percent in 2016 if oil prices remain around $40 per barrel or only 0.6 percent if oil returns to $50 per barrel. Real wages declined throughout most of 2015 and the poverty rate and inflation have also worsened.

We assess that Putin will continue to try to use the Syrian conflict and calls for cooperation against ISIL to promote Russia’s Great Power status and end its international isolation. Moscow’s growing concern about ISIL and other extremists has led to direct intervention on the side of Bashar al-Asad’s regime and efforts to achieve a political resolution to the Syrian conflict on Russia’s terms. Since the terrorist attacks in Paris and over the Sinai, Russia has redoubled its calls for a broader anti-terrorism coalition. Meanwhile, growing Turkish-Russian tensions since Turkey’s shootdown of a Russian jet in November 2015 raise the specter of miscalculation and escalation.

Despite Russia’s economic slowdown, the Kremlin remains intent on pursuing an assertive foreign policy in 2016. Russia’s willingness to covertly use military and paramilitary forces in a neighboring state continues to cause anxieties in states along Russia’s periphery, to include NATO allies.
Levels of violence in eastern Ukraine have decreased, but Moscow’s objectives in Ukraine—maintaining long-term influence over Kyiv and frustrating Ukraine’s attempts to integrate into Western institutions—will probably remain unchanged in 2016.

Since the crisis began in Ukraine in 2014, Moscow has redoubled its efforts to reinforce its influence in Eurasia. Events in Ukraine raised Moscow’s perceived stakes for increasing its presence in the region to prevent future regime change in the former Soviet republics and for accelerating a shift to a multipolar world in which Russia is the uncontested regional hegemon in Eurasia. Moscow will therefore continue to push for greater regional integration, raising pressure on neighboring states to follow the example of Armenia, Belarus, Kazakhstan, and Kyrgyzstan and join the Moscow-led Eurasian Economic Union.

Moscow’s military foray into Syria marks its first use of significant expeditionary combat power outside the post-Soviet space in decades. Its intervention underscores both the ongoing and substantial improvements in Russian military capabilities and the Kremlin’s confidence in using them as a tool to advance foreign policy goals. Despite its economic difficulties, Moscow remains committed to modernizing its military.

Russia continues to take information warfare to a new level, working to fan anti-US and anti-Western sentiment both within Russia and globally. Moscow will continue to publish false and misleading information in an effort to discredit the West, confuse or distort events that threaten Russia’s image, undercut consensus on Russia, and defend Russia’s role as a responsible and indispensable global power.

Ukraine, Belarus, and Moldova

The implementation timeline for the Minsk agreements has been extended through 2016, although opposition from Ukraine, Russia, and the separatists on key remaining Minsk obligations might make progress slow and difficult in 2016.
Sustained violence along the Line of Contact delineating the separatist-held areas will probably continue to complicate a political settlement, and the potential for escalation remains.

Ukraine has made progress in its reform efforts and its moves to bolster ties to Western institutions. Ukraine will continue to face serious challenges, however, including sustaining progress on key reforms and passing constitutional amendments—required under the Minsk agreements to devolve political power and fiscal authority to the regions.

Belarus continues its geopolitical balancing act, attempting to curry favor with the West without antagonizing Russia. President Lukashenko released several high-profile political prisoners in August 2015 and secured reelection to a fifth term in October 2015 without cracking down on the opposition as he has in previous elections. These developments prompted the EU and the United States to implement temporary sanctions relief, providing a boost to a Belarusian economy.

Moldova faces a turbulent year in 2016. Popular discontent over government corruption and misrule continues to reverberate after a banking scandal sparked large public protests, and political infighting brought down a government coalition of pro-European parties in October 2015. Continued unrest is likely. The breakaway pro-Russian region is also struggling economically and will remain dependent on Russian support.

The Caucasus and Central Asia

Even as Georgia progresses with reforms, Georgian politics will almost certainly be volatile as political competition increases. Economic challenges are also likely to become a key political vulnerability for the government before the 2016 elections. Rising frustration among Georgia’s elites and the public with the slow pace of Western integration and increasingly effective Russian propaganda raise the prospect that Tbilisi might slow or suspend efforts toward greater Euro-Atlantic integration.
Tensions with Russia will remain high, and we assess that Moscow will raise the pressure on Tbilisi to abandon closer EU and NATO ties.

Tensions between Armenia and Azerbaijan over the separatist region of Nagorno-Karabakh remained high in 2015. Baku’s sustained military buildup coupled with declining economic conditions in Azerbaijan are raising the potential that the conflict will escalate in 2016. Azerbaijan’s aversion to publicly relinquishing its claim to Nagorno-Karabakh proper and Armenia’s reluctance to give up territory it controls will continue to complicate a peaceful resolution.

Central Asian states remain concerned about the rising threat of extremism to the stability of their countries, particularly in light of a reduced Coalition presence in Afghanistan. Russia shares these concerns and is likely to use the threat of instability in Afghanistan to increase its involvement in Central Asian security affairs. However, economic challenges stemming from official mismanagement, low commodity prices, declining trade and remittances associated with Russia’s weakening economy, and ethnic tensions and political repression, are likely to present the most significant instability threat to these countries.

EUROPE

Key Partners

European governments will face continued political, economic, and security challenges deriving from mass migration to Europe, terrorist threats, a more assertive Russia, and slow economic recovery. Differences among national leaders over how best to confront the challenges are eroding support for deeper EU integration and will bolster backing for populist leaders who favor national prerogatives over EU-wide remedial strategies.

The European Commission expects 1.5 million migrants to arrive in Europe in 2016—an influx that is prompting European officials to focus on improving border security, particularly at the Schengen Zone’s external borders, and putting the free movement of people within the EU at risk.
Several European governments are using military forces in domestic security roles. The European Commission has warned against drawing a link between terrorists and refugees, but populist and far-right leaders throughout Europe are preying on voters’ security fears by highlighting the potential dangers of accepting migrants fleeing war and poverty. Some EU leaders are citing the November 2015 terrorist attacks in Paris to justify erecting fences to stem the flow of people.

European countries will remain active and steadfast allies on the range of national security threats that face both the United States and Europe—from energy and climate change to countering violent extremism and promoting democracy. Although the majority of NATO allies have successfully halted further declines in defense spending, European military modernization efforts will take several years before marked improvement begins to show. Europe also continues to insist on full implementation of the Minsk agreement to stop violence in Ukraine. However, European governments differ on the proper extent of engagement with Moscow.

Europe’s economic growth, which the EU projects will be moderate, could falter if emerging market economies slow further, which would decrease the demand for European exports. The EU continues to struggle to shake off the extended effects of its economic recession, with lingering worries over high unemployment, weak demand, and lagging productivity. Greece also remains a concern for the EU. The agreement between Greece and its creditors is an important step forward for restoring trust among the parties and creating the conditions for a path forward for Greece within the Eurozone. Developing the details of the agreement and its full implementation remain challenges.

The Balkans

Ethnic nationalism and weak institutions in the Balkans remain enduring threats to stability.
Twenty years after the end of the Bosnian War and the signing of the Dayton Agreement, Bosnia and Herzegovina remains culturally and administratively divided, weighed down by a barely functional and inefficient bureaucracy. The country, one of Europe's poorest, has endured negative GDP growth since the 2008 international financial crisis and is reliant on the support of international institutions including the IMF. Youth unemployment, estimated at 60 percent, is the world's highest.

Kosovo has made progress toward full, multiethnic democracy, although tensions between Kosovo Albanians and Kosovo Serbs remain. In Macedonia, an ongoing political crisis and concerns about radicalization among ethnic Albanian Muslims threaten to aggravate already-tense relations between ethnic majority Macedonians and the country’s minority Albanians, fifteen years after a violent interethnic conflict between the two groups ended. Social tensions in the region might also be exacerbated if the Western Balkans becomes an unwilling host to significant migrant populations.

Turkey

Turkey remains a partner in countering ISIL and minimizing foreign fighter flows. Ankara will continue to see the Kurdistan Workers’ Party (PKK) as its number one security threat and will maintain military and political pressure on the PKK, as well as on the Democratic Union Party (PYD) and its armed affiliate People’s Protection Units (YPG), which Turkey equates with the PKK. Turkey is extremely concerned about the increasing influence of the PYD and the YPG along its borders, seeing them as a threat to its territorial security and its efforts to control Kurdish separatism within its borders.

Turkey is concerned about Russia’s involvement in the region in support of Asad, the removal of whom Turkey sees as essential to any peace settlement. Turkey is also wary of increased Russian cooperation with the Kurds and greater Russian influence in the region that could counter Turkey’s leadership role.
The Russian-Iranian partnership and Iran’s attempts to expand Shiite influence in the region are also security concerns for Turkey.

The refugee flow puts significant strain on Turkey’s economy, which has amounted to $9 billion according to a statement by Turkish President Recep Tayyip Erdogan. Refugees have also created infrastructure and social strains, particularly regarding access to education and employment. Turkey tightened its borders in 2015 and is working to stanch the flow of migrants to Europe and address refugee needs.

MIDDLE EAST AND NORTH AFRICA

Iraq

In Iraq, anti-ISIL forces will probably make incremental battlefield gains through spring 2016. Shia militias and Kurdish forces in northern Iraq have recaptured Bayji and Sinjar, respectively, from the Islamic State of Iraq and the Levant (ISIL). In western Iraq, the Iraqi Security Forces (ISF) have retaken most of the greater Ramadi area from ISIL and will probably clear ISIL fighters from the city’s urban core in the coming month.

ISIL’s governance of areas it controls is probably faltering as airstrikes take a toll on the group’s sources of income, hurting ISIL’s ability to provide services, and causing economic opportunities for the population to dwindle. Even so, the Iraqi Sunni population remains fearful of the Shia-dominated government in Baghdad. This fear has been heightened as Iranian-backed Shia militias play a lead role in retaking Sunni-majority areas, suggesting Iraq’s Sunnis will remain willing to endure some deprivation under ISIL rule.

Prime Minister Haydar al-Abadi will probably continue to struggle to advance his reforms—which aim to combat corruption and streamline government—because of resistance from Iraqi elites who view the reforms as threatening to their entrenched political interests.
Meanwhile, the drop in oil prices is placing strain on both Baghdad’s and Irbil’s budgets, constraining their ability to finance counter-ISIL operations and limiting options to address potential economically driven unrest.

Syria

We assess that foreign support will allow Damascus to make gains in some key areas against the opposition and avoid further losses, but it will be unable to fundamentally alter the battlespace. Increased Russian involvement, particularly airstrikes, will probably help the regime regain key terrain in high priority areas in western Syria, such as Aleppo and near the coast, where it suffered losses to the opposition in summer 2015. ISIL is under threat on several fronts in Syria and Iraq from increased Coalition and government operations.

Manpower shortages will continue to undermine the Syrian regime’s ability to accomplish strategic battlefield objectives. The regime still lacks the personnel needed to capture and hold key areas and strategically defeat the opposition or ISIL. Damascus increasingly relies on militias, reservists, and foreign supporters—such as Iran and Lebanese Hizballah—to generate manpower, according to press reporting.

The Syrian regime and most of the opposition are participating in UN-mediated talks that started in early February in Geneva. Both sides probably have low expectations for the negotiations, with the opposition calling for ceasefires and humanitarian assistance as a precondition. The negotiations, without a ceasefire agreement, will not alter the battlefield situation.

The humanitarian situation in Syria continues to deteriorate. In December 2015 and January 2016, the number of Syrian refugees registered or in the process of registering in the Middle East and North Africa rose by nearly 102,000 from 4.3 million to 4.4 million, according to UN data. The refugees are putting significant strain on countries surrounding Syria as well as on Europe.
Turkey hosts more than 2.2 million refugees; Lebanon has about 1.1 million; Jordan has more than 630,000; Iraq has 245,000. Approximately 500,000 have fled to Europe, according to the UN. The more than 4 million refugees and 6.5 million estimated internally displaced persons (IDPs) account for 49 percent of Syria’s preconflict population.

• Estimates of fatalities in Syria since the start of the civil war vary, but most observers calculate that at least 250,000 men, women, and children on all sides of the conflict have lost their lives since 2011.
• On 22 December, the UN Security Council unanimously adopted resolution 2258, which renews the UN’s authority to utilize cross-border deliveries for humanitarian assistance to Syria through 10 January 2017. Since July 2014, the UN has provided food to 2.4 million people, water and sanitation to 1.3 million people, and medical supplies to 4.1 million people through its cross-border deliveries.
• Separately, the Syrian Government began requiring in mid-November that aid agencies get humanitarian assistance notarized by the Syrian embassies in the country of product origin. This requirement previously applied only to commercial goods and might delay future UN food deliveries within Syria, according to the UN.

Libya

We assess that insecurity and conflict in Libya will persist in 2016, posing a continuing threat to regional stability. The country has been locked in civil war between two rival governments and affiliated armed groups. The 17 December signing of a UN-brokered agreement to form a Government of National Accord (GNA) resulted from a year-long political dialogue that sought to end the ongoing civil war and reconcile Libya’s rival governments. However, the GNA will face a number of obstacles in establishing its authority and security across the country. The GNA still faces the difficult task of forming a capable, centralized security force.
It will also be challenged to confront terrorist groups such as ISIL, which has exploited the conflict and political instability in the country to expand its presence.

• The rival governments—the internationally recognized Tobruk-based House of Representatives (House) and the Tripoli-based General National Congress (GNC)—have participated in UN-brokered peace talks since fall 2014. Reaction to the deal and the proposed GNA has been mixed, and hardliners on both sides have opposed the agreement.
• On 25 January, the House voted to approve the UN-brokered deal with conditions but rejected a controversial article granting the GNA’s Presidency Council interim control of the military. The House also rejected the GNA’s proposed cabinet and demanded a smaller ministerial slate.
• Libya’s economy has deteriorated because of the conflict. Oil exports—the primary source of government revenue—have fallen significantly from the pre-revolution level of 1.6 billion barrels per day. Libya’s oil sector also faces continued threats from terrorist groups; ISIL attacked oil production and export facilities in February 2015, September 2015, and January 2016.

Meanwhile, extremists and terrorists have exploited the security vacuum to plan and launch attacks in Libya and throughout the region. The permissive security environment has enabled ISIL to establish one of its most developed branches outside of Syria and Iraq. As of late 2015, ISIL’s branch in Libya maintained a presence in Surt, Benghazi, Tripoli, Ajdabiya, and other areas of the country, according to press reports. Members of ISIL in Libya continue to stage attacks throughout the country.

Yemen

The Yemen conflict will probably remain in a strategic stalemate through mid-2016. Negotiations between the Saudi-led coalition and the Huthi-aligned forces remain stalled, but neither side is able to achieve decisive results through military force.
Huthi-aligned forces almost certainly remain committed to fighting following battlefield setbacks in the Aden and Marib Governorates in 2015 and probably intend to retake lost territory in those areas. Nonetheless, regional stakeholders on both sides of Yemen’s conflict, including Iran, which continues to back the Huthis, are signaling willingness to participate in peace talks. Even a cease-fire of a few days or weeks would facilitate the entry and distribution of commercial and humanitarian goods inside Yemen, where at least 21 million people—80 percent of the population—require assistance, according to the UN. AQAP and ISIL’s affiliates in Yemen have exploited the conflict and the collapse of government authority to gain new recruits and allies and expand their territorial control. In December, AQAP seized the southern city of Zinjibar, adding to its capture of the coastal city of Mukalla to the east.

Iran

Since January, Tehran met the demands for implementation of the Joint Comprehensive Plan of Action (JCPOA), exchanged detainees, and released 10 US sailors. Despite these developments, the Islamic Republic of Iran presents an enduring threat to US national interests because of its support to regional terrorist and militant groups and the Asad regime, as well as its development of advanced military capabilities. Tehran views itself as leading the “axis of resistance”—which includes the Asad regime and subnational groups aligned with Iran, especially Lebanese Hizballah and Iraqi Shia militants. Their intent is to thwart US, Saudi, and Israeli influence, bolster its allies, and fight ISIL’s expansion. Tehran might even use American citizens detained when entering Iranian territories as bargaining pieces to achieve financial or political concessions in line with their strategic intentions. Iran’s involvement in the Syrian, Iraqi, and Yemeni conflicts deepened in 2015.
In Syria, Iran more openly acknowledged the deaths of Iranian “martyrs,” increased Iranian troop levels, and took more of a frontline role against “terrorists.” In Iraq, Iranian combat forces employed rockets, artillery, and drones against ISIL. Iran also supported Huthi rebels in Yemen by attempting to ship lethal aid to the Huthis. Tehran will almost certainly remain active throughout the Persian Gulf and broader Middle East in 2016 to support its regional partners and extend its regional influence. Iranian officials believe that engaging adversaries away from its borders will help prevent instability from spilling into Iran and reduce ISIL’s threat to Iran and its regional partners. Iran has also increased cooperation with Russia in the region. Supreme Leader Khamenei continues to view the United States as a major threat to Iran, and we assess that his views will not change, despite implementation of the JCPOA deal. In October 2015, Khamenei publicly claimed the United States was using the JCPOA to “infiltrate and penetrate” Iran. His statement prompted the Iranian hardliner-dominated security services to crack down on journalists and businessmen with suspected ties to the West. The crackdown was intended by hardliners to demonstrate to President Ruhani and to Washington that a broader opening to the West following JCPOA would not be tolerated. Iran released several US citizens in January 2016 who were being held in Iran; however, it might attempt to use any additional US citizens as bargaining chips for US concessions. Iran’s military and security services are keen to demonstrate that their regional power ambitions have not been altered by the JCPOA deal. 
One week prior to JCPOA Adoption Day, Iran publicized the launch of its new “long-range” and more accurate ballistic missile called the “Emad.” Iran also publicizes development of its domestically produced weapons systems, submarines and surface combatants, artillery, and UAVs to deter potential adversaries and strengthen its regional influence and prestige. Iran’s involvement in the Syrian and Iraqi conflicts has enabled its forces to gain valuable on-the-ground experience in counterinsurgency operations.

Lebanon

Lebanon will continue to struggle with the fallout from the civil war in neighboring Syria and faces a range of interlocking political, security, humanitarian, and economic challenges. The spillover from the Syrian conflict has had negative consequences on almost all aspects of life in Lebanon, from rising sectarianism to major strains on infrastructure and public services, further straining the country’s delicate political balance.

• Lebanon's most immediate security threat is from Syrian-based extremists on its northeastern border. The Lebanese army has carried out multiple operations against Nusrah Front and ISIL to secure the border and prevent the flow of terrorists into the country. Beirut also faces threats from Sunni extremists in the country who are retaliating against Lebanese Hizballah’s military involvement in the Syrian civil war.
• The influx of about 1.1 million Sunni Syrian refugees to Lebanon has altered the country’s sectarian demographics and is badly straining public services and burdening the economy. The Lebanese economy will probably remain stagnant throughout 2016, as protracted regional instability and political gridlock at home continue to erode the country’s competitiveness.

Egypt

Egypt faces a persistent threat of terrorist and militant activity directed primarily at state security forces in both the Sinai Peninsula and in mainland Egypt.
The security services have initiated a counterterrorism campaign to disrupt and detain Sinai-based militants; however, terrorist groups still retain the ability to conduct attacks.

• ISIL’s branch in Sinai (ISIL-Sinai) has conducted dozens of lethal attacks on military and security personnel, some of which suggest sophisticated and coordinated attack planning, according to press reports.
• ISIL-Sinai claimed responsibility for the downing of a Russian aircraft in the Sinai in October 2015, which, if true, would demonstrate the expanding threat from ISIL and its regional branches.
• The continued threat of terrorism places further strain on Egypt’s economy by harming Egypt’s tourism industry, a key source of revenue. The country is also grappling with high poverty and unemployment rates.

Tunisia

Tunisia’s first post-transitional democratic government since the 2011 Arab Spring revolution is marking its first year in office. Since the revolution, the country has overcome deep political divisions to reach consensus on key political issues, develop a new constitution, and elect a new government, according to press and academic reports. Despite the government’s significant strides in its democratic transition, Tunisia faces challenges in consolidating these achievements.

• Tunisia is confronting a threat from terrorist groups exploiting Libya’s permissive environment to plan and launch attacks, as well as from groups operating within Tunisia’s borders, according to press reports. The perpetrators of the terrorist attack on the Bardo Museum in Tunis in March 2015 and hotels in Sousse in June—both claimed by ISIL—trained at a terrorist camp in Libya, according to press reports.
• The government inherited high unemployment, particularly among youth, and a high budget deficit according to press reports. The Bardo and Sousse terrorist attacks have disrupted tourism, a critical source of revenues and jobs.
SOUTH ASIA

Afghanistan

The Kabul Government will continue to face persistent hurdles to political stability in 2016, including eroding political cohesion, assertions of authority by local powerbrokers, recurring financial shortfalls, and countrywide, sustained attacks by the Taliban. Political cohesion will remain a challenge for Kabul as the National Unity Government will confront larger and more divisive issues later in 2016, including the implementation of election reforms, long-delayed parliamentary elections, and a potential change by a Loya Jirga that might fundamentally alter Afghanistan’s constitutional order. Kabul will be unable to effectively address its dire economic situation or begin to curb its dependence on foreign aid until it first contains the insurgency, which is steadily chipping away at Afghanistan’s security. In this environment, international financial aid will remain the most important external determinant of the Kabul government's strength. We assess that fighting in 2016 will be more intense than 2015, continuing a decade-long trend of deteriorating security that will compound these challenges. The fighting will continue to threaten US personnel, our Allies, and international partners—including Afghans—particularly in Kabul and other urban population centers. The Afghan National Security Forces (ANSF), with the help of anti-Taliban powerbrokers and international funding, will probably maintain control of most major population centers. However, the forces will very likely cede control of some rural areas. Without international funding, the ANSF will probably not remain a cohesive or viable force. The Taliban has largely coalesced and is relatively cohesive under the leadership of new Taliban Senior Leader Mullah Akhtar Mohammad Mansur despite some early opposition. The Taliban’s two-week seizure of the provincial capital of Kunduz provided an important boost to Mansur’s leadership.
The Taliban will continue to test the overstretched ANSF faced with problematic logistics, low morale, and weak leadership. The Islamic State of Iraq and the Levant (ISIL) announced in January 2015 the formation of its Khorasan branch in South Asia, an amalgamation of primarily disaffected and rebranded former Afghan Taliban and Tehrik-e Taliban Pakistan (TTP) members. Despite quick early growth in 2015, ISIL’s Khorasan branch will probably remain a low-level threat to Afghan stability as well as to US and Western interests in the region in 2016.

Bangladesh

Prime Minister Sheikh Hasina’s continuing efforts to undermine the political opposition in Bangladesh will probably provide openings for transnational terrorist groups to expand their presence in the country. Hasina and other government officials have insisted publicly that the killings of foreigners are the work of the Bangladesh Nationalist Party and the Bangladesh Jamaat-e Islami political parties and are intended to discredit the government. However, ISIL claimed responsibility for 11 high-profile attacks on foreigners and religious minorities. Other extremists in Bangladesh—including Ansarullah Bangla Team and al-Qa’ida in the Indian Subcontinent (AQIS)—have claimed responsibility for killing at least 11 progressive writers and bloggers in Bangladesh since 2013.

Pakistan and India

Relations between Pakistan and India remain tense despite the resumption of a bilateral dialogue in December. Following a terrorist attack in early January on Pathankot Air Force base in India, which New Delhi blames on a Pakistani-based group, India’s engagement with Pakistan will probably hinge in 2016 on Islamabad’s willingness to take action against those in Pakistan linked to the attack.

SUB-SAHARAN AFRICA

Central Africa

Prospects for delayed elections in the Democratic Republic of the Congo, originally scheduled for 2016, increase the risk of political tensions and perhaps violence.
Violence might also break out in the Republic of Congo where a controversial October 2015 constitutional referendum paved the way for long-serving President Denis Sassou-Nguesso to run for a new term in 2016 elections. Both governments have resorted to heavy-handed tactics to stifle opposition and subdue or prevent election-related protests. In Burundi, violence related to President Pierre Nkurunziza’s controversial reelection in July 2015 will almost certainly continue as a simmering crisis. The conflict might expand and intensify if increased attacks between the government and armed opposition provoke a magnified response from either side or if the security services fracture into divided loyalties. The Central African Republic held peaceful presidential and parliamentary elections in late December, although they were marred by logistical issues. A run-off will probably take place in mid-February between the two top candidates, and we do not know how the armed spoilers and losing candidates will react. The risk of continued ethno-religious clashes between Christians and Muslims throughout the country remains high despite the presence of international peacekeeping forces, which are increasingly targets of violence.

Somalia

The Somali Federal Government’s authority will probably remain largely confined to the capital in 2016, and Mogadishu will continue to rely on the African Union Mission in Somalia (AMISOM) as a security guarantor against al-Shabaab as it prepares for elections in 2016.

South Sudan

Implementation of the peace agreement between Juba and opposition elements will be slow as spoilers from both sides seek to stall progress. The return of former opposition members to Juba will almost certainly cause jockeying for positions of power.
Localized fighting will continue and probably spread to previously unaffected areas, causing the humanitarian situation to worsen. Economic conditions will probably deteriorate further as inflation remains high and prices for staple goods rise, fueling dissatisfaction with the government.

Sudan

President Bashir consolidated power following his reelection in April 2015, but the regime will continue attempts at a national dialogue, which will probably not placate a divided political opposition. The regime will almost certainly confront a range of challenges, including public dissatisfaction over a weakened economy. Divisions among armed opponents will almost certainly inhibit their ability to make significant gains against Khartoum. However, elements of the opposition will continue to wage insurgencies in the Southern Kordofan and Blue Nile states and Darfur. Sudan, listed as a state sponsor of terror since 1993, cut diplomatic ties with Iran in January following an attack on the Saudi Embassy in Tehran. Since 2014, Sudan’s relations with Iran have cooled as Khartoum has grown closer to Riyadh.

Nigeria

President Muhammadu Buhari and the Nigerian government will confront a wide range of challenges in 2016, many of which are deeply rooted and have no “quick fixes.” His tasks include reviving a struggling economy – Africa’s largest – diversifying sources of government revenue beyond oil, reining in corruption, addressing mounting state debts, reforming redundant parastatal organizations, and developing the power, agriculture, and transportation sectors. Nigeria will continue to face internal threats from Boko Haram, which pledged loyalty to the Islamic State in Iraq and the Levant (ISIL) in March 2015. Despite losing territory in 2015, Boko Haram will probably remain a threat to Nigeria throughout 2016 and will continue its terror campaign within the country and in neighboring Cameroon, Niger, and Chad.
LATIN AMERICA AND CARIBBEAN

Central America

Strong family ties to the United States—as well as gang violence, a lack of jobs, and a worsening drought in Central America’s northern tier—will sustain high rates of migration to the United States in 2016. Weak institutions, divided legislatures, low levels of tax collection, and high debts will constrain efforts to improve rule of law, tackle corruption, and alleviate poverty. Homicide rates in the region remain among the highest in the world and spiked in El Salvador to levels not seen since the country’s civil war from 1979 to 1992. The people hardest hit by the drought include most of the region’s subsistence farmers, who constitute 25 to 40 percent of the population in Guatemala and Honduras. The prolonged drought will probably affect 3.5 million people in the region in 2016.

Cuba

Cuban leaders will remain focused on preserving political control as they prepare for a probable presidential transition in 2018. Economic reforms to reduce the state role in the economy and promote private economic activity will continue at a slow pace, in part because of probable resistance from senior leaders and government officials concerned that rapid changes might provoke popular unrest. Living standards will remain poor. Along with fears among the Cuban population that the United States will repeal the 1966 Cuban Adjustment Act, the statute allowing Cuban nationals to apply to become lawful permanent US residents, these trends sustain the increasing migration of undocumented Cubans. Migration is particularly acute across the US southwest border where 31,000 Cubans crossed in FY2015, a 76-percent increase over the prior year.

Venezuela

The opposition alliance won a much-coveted majority in the December 2015 national assembly elections, setting the stage for a political showdown in 2016 between the legislative and executive branches.
The opposition will seek to implement its policy agenda, which might include pursuing a presidential recall referendum. Economic issues will also figure prominently on the domestic agenda for 2016. Caracas will probably encounter fiscal pressures as it seeks to avoid a default on its sovereign debt in 2016; the economy is suffering from a severe recession that the IMF projects will cause it to contract by at least 8 percent in 2016. Venezuela’s government has declined to release complete official figures on macroeconomic indicators, such as inflation and growth.

Brazil

Brazil's investigation into corruption at state-controlled oil company Petrobras will probably continue through 2016. Scores of Petrobras officials, construction firm executives, and politicians have been jailed since the probe was launched in March 2014. Brazil lost its investment-grade rating in December 2015 after the second credit agency in three months downgraded the country’s debt to junk status. Further damaging revelations from the probe might prolong political gridlock in Brazil. Meanwhile, preparations are underway in Brazil to address infrastructure, logistics, and security issues involved in hosting the 2016 Summer Olympics in Rio. Organizers are using past Olympics as models, cooperating with foreign governments, and building upon Brazil’s experience organizing a large and sustained security posture such as when it hosted the World Cup in 2014.

Privacy & Security in a Connected World
FTC Staff Report
JANUARY 2015

Table of Contents

Executive Summary
Background
What is the “Internet of Things”?
Benefits & Risks
    Benefits
    Risks
Application of Traditional Privacy Principles
    Summary of Workshop Discussions
    Post-Workshop Developments
    Commission Staff’s Views and Recommendations for Best Practices
Legislation
    Summary of Workshop Discussions
    Recommendations
Conclusion

Executive Summary

The Internet of Things (“IoT”) refers to the ability of everyday objects to connect to the Internet and to send and receive data. It includes, for example, Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day. Six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people.
Yet we are still at the beginning of this technology trend. Experts estimate that, as of this year, there will be 25 billion connected devices, and by 2020, 50 billion. Given these developments, the FTC hosted a workshop on November 19, 2013 – titled The Internet of Things: Privacy and Security in a Connected World. This report summarizes the workshop and provides staff’s recommendations in this area.1 Consistent with the FTC’s mission to protect consumers in the commercial sphere and the focus of the workshop, our discussion is limited to IoT devices that are sold to or used by consumers. Accordingly, the report does not discuss devices sold in a business-to-business context, nor does it address broader machine-to-machine communications that enable businesses to track inventory, functionality, or efficiency. Workshop participants discussed benefits and risks associated with the IoT. As to benefits, they provided numerous examples, many of which are already in use. In the health arena, connected medical devices can allow consumers with serious medical conditions to work with their physicians to manage their diseases. In the home, smart meters can enable energy providers to analyze consumer energy use, identify issues with home appliances, and enable consumers to be more energy-conscious. On the road, sensors on a car can notify drivers of dangerous road conditions, and software updates can occur wirelessly, obviating the need for consumers to visit the dealership. Participants generally agreed that the IoT will offer numerous other, and potentially revolutionary, benefits to consumers.

1 Commissioner Wright dissents from the issuance of this Staff Report. His concerns are explained in his separate dissenting statement.
As to risks, participants noted that the IoT presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety. Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time. In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions. Others noted that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential, and may result in less widespread adoption. In addition, workshop participants debated how the long-standing Fair Information Practice Principles (“FIPPs”), which include such principles as notice, choice, access, accuracy, data minimization, security, and accountability, should apply to the IoT space. The main discussions at the workshop focused on four FIPPs in particular: security, data minimization, notice, and choice. Participants also discussed how use-based approaches could help protect consumer privacy.

1. Security

There appeared to be widespread agreement that companies developing IoT products should implement reasonable security. Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected and the costs of remedying the security vulnerabilities. Commission staff encourages companies to consider adopting the best practices highlighted by workshop participants, including those described below. First, companies should build security into their devices at the outset, rather than as an afterthought.
As part of the security by design process, companies should consider: (1) conducting a privacy or security risk assessment; (2) minimizing the data they collect and retain; and (3) testing their security measures before launching their products. Second, with respect to personnel practices, companies should train all employees about good security, and ensure that security issues are addressed at the appropriate level of responsibility within the organization. Third, companies should retain service providers that are capable of maintaining reasonable security and provide reasonable oversight for these service providers. Fourth, when companies identify significant risks within their systems, they should implement a defense-in-depth approach, in which they consider implementing security measures at several levels. Fifth, companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.

2. Data Minimization

Data minimization refers to the concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it. Although some participants expressed concern that requiring data minimization could curtail innovative uses of data, staff agrees with the participants who stated that companies should consider reasonably limiting their collection and retention of consumer data. Data minimization can help guard against two privacy-related risks. First, larger data stores present a more attractive target for data thieves, both outside and inside a company – and increase the potential harm to consumers from such an event.
Second, if a company collects and retains large amounts of data, there is an increased risk that the data will be used in a way that departs from consumers’ reasonable expectations. To minimize these risks, companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. However, recognizing the need to balance future, beneficial uses of data with privacy protection, staff’s recommendation on data minimization is a flexible one that gives companies many options. They can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or deidentify the data they collect. If a company determines that none of these options will fulfill its business goals, it can seek consumers’ consent for collecting additional, unexpected categories of data, as explained below.

3. Notice and Choice

The Commission staff believes that consumer choice continues to play an important role in the IoT. Some participants suggested that offering notice and choice is challenging in the IoT because of the ubiquity of data collection and the practical obstacles to providing information without a user interface. However, staff believes that providing notice and choice remains important. This does not mean that every data collection requires choice. The Commission has recognized that providing choices for every instance of data collection is not necessary to protect privacy. In its 2012 Privacy Report, which set forth recommended best practices, the Commission stated that companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer.
Indeed, because these data uses are generally consistent with consumers’ reasonable expectations, the cost to consumers and businesses of providing notice and choice likely outweighs the benefits. This principle applies equally to the Internet of Things.

Staff acknowledges the practical difficulty of providing choice when there is no consumer interface and recognizes that there is no one-size-fits-all approach. Some options include developing video tutorials, affixing QR codes on devices, and providing choices at point of sale, within set-up wizards, or in a privacy dashboard. Whatever approach a company decides to take, the privacy choices it offers should be clear and prominent, and not buried within lengthy documents. In addition, companies may want to consider using a combination of approaches.

Some participants expressed concern that even if companies provide consumers with choices only in those instances where the collection or use is inconsistent with context, such an approach could restrict unexpected new uses of data with potential societal benefits. These participants urged that use limitations be considered as a supplement to, or in lieu of, notice and choice. With a use-based approach, legislators, regulators, self-regulatory bodies, or individual companies would set “permissible” and “impermissible” uses of certain consumer data.

Recognizing concerns that a notice and choice approach could restrict beneficial new uses of data, staff has incorporated certain elements of the use-based model into its approach. For instance, the idea of choices being keyed to context takes into account how the data will be used: if a use is consistent with the context of the interaction – in other words, it is an expected use – then a company need not offer a choice to the consumer. For uses that would be inconsistent with the context of the interaction (i.e., unexpected), companies should offer clear and conspicuous choices.
In addition, if a company collects a consumer’s data and de-identifies that data immediately and effectively, it need not offer choices to consumers about this collection. Furthermore, the Commission protects privacy through a use-based approach, in some instances. For example, it enforces the Fair Credit Reporting Act, which restricts the permissible uses of consumer credit report information under certain circumstances. The Commission also applies its unfairness authority to challenge certain harmful uses of consumer data.

Staff has concerns, however, about adopting a pure use-based model for the Internet of Things. First, because use-based limitations are not comprehensively articulated in legislation, rules, or widely-adopted codes of conduct, it is unclear who would decide which additional uses are beneficial or harmful. Second, use limitations alone do not address the privacy and security risks created by expansive data collection and retention. Finally, a pure use-based model would not take into account consumer concerns about the collection of sensitive information. 2

The establishment of legislative or widely-accepted multistakeholder frameworks could potentially address some of these concerns. For example, a framework could set forth permitted or prohibited uses. In the absence of consensus on such frameworks, however, the approach set forth here – giving consumers information and choices about their data – continues to be the most viable one for the IoT in the foreseeable future.

4. Legislation

Participants also discussed whether legislation over the IoT is appropriate, with some participants supporting legislation, and others opposing it. Commission staff agrees with those commenters who stated that there is great potential for innovation in this area, and that IoT-specific legislation at this stage would be premature.
Staff also agrees that development of self-regulatory programs designed for particular industries would be helpful as a means to encourage the adoption of privacy- and security-sensitive practices. However, in light of the ongoing threats to data security and the risk that emerging IoT technologies might amplify these threats, staff reiterates the Commission’s previous recommendation for Congress to enact strong, flexible, and technology-neutral federal legislation to strengthen its existing data security enforcement tools and to provide notification to consumers when there is a security breach. General data security legislation should protect against unauthorized access to both personal information and device functionality itself. For example, if a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed.

2 In addition to collecting sensitive information outright, companies might create sensitive information about consumers by making inferences from other data that they or others have already collected. A use-based model might not address, or provide meaningful notice about, sensitive inferences. The extent to which a use-based model limits or prohibits sensitive inferences will depend on how the model defines harms and benefits and how it balances the two, among other factors.

In addition, the pervasiveness of information collection and use that the IoT makes possible reinforces the need for baseline privacy standards, which the Commission previously recommended in its 2012 privacy report. Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections – such as privacy disclosures or consumer choice – absent a specific showing of deception or unfairness.
Commission staff thus again recommends that Congress enact broad-based (as opposed to IoT-specific) privacy legislation. Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices. 3

In the meantime, we will continue to use our existing tools to ensure that IoT companies continue to consider security and privacy issues as they develop new devices. Specifically, we will engage in the following initiatives:

• Law enforcement: The Commission enforces the FTC Act, the FCRA, the health breach notification provisions of the HI-TECH Act, the Children’s Online Privacy Protection Act, and other laws that might apply to the IoT. Where appropriate, staff will recommend that the Commission use its authority to take action against any actors it has reason to believe are in violation of these laws.
• Consumer and business education: The Commission staff will develop new consumer and business education materials in this area.
• Participation in multi-stakeholder groups: Currently, Commission staff is participating in multi-stakeholder groups that are considering guidelines related to the Internet of Things, including on facial recognition and smart meters. Even in the absence of legislation, these efforts can result in best practices for companies developing connected devices, which can significantly benefit consumers.
• Advocacy: Finally, where appropriate, the Commission staff will look for advocacy opportunities with other agencies, state legislatures, and courts to promote protections in this area.

3 Commissioner Ohlhausen does not agree with the recommendation for baseline privacy legislation. See infra note 191.

Background

Technology is quickly changing the way we interact with the world around us.
Today, companies are developing products for the consumer market that would have been unimaginable a decade ago: Internet-connected cameras that allow you to post pictures online with a single click; home automation systems that turn on your front porch light when you leave work; and bracelets that share with your friends how far you have biked or run during the day. These are all examples of the Internet of Things (“IoT”), an interconnected environment where all manner of objects have a digital presence and the ability to communicate with other objects and people. The IoT explosion is already around us, in the form of wearable computers, smart health trackers, connected smoke detectors and light bulbs, and essentially any other Internet-connected device that isn’t a mobile phone, tablet, or traditional computer.

Six years ago, for the first time, the number of “things” connected to the Internet surpassed the number of people. 1 Yet we are still at the beginning of this technology trend. Experts estimate that, as of this year, there will be 25 billion connected devices, and by 2020, 50 billion. 2 Some estimate that by 2020, 90% of consumer cars will have an Internet connection, up from less than 10 percent in 2013. 3 Three and one-half billion sensors already are in the marketplace, 4 and some experts expect that number to increase to trillions within the next decade. 5 All of these connected machines mean much more data will be generated: globally, by 2018, mobile data traffic will exceed fifteen exabytes – about 15 quintillion bytes – each month. 6 By comparison, according to one estimate, an exabyte of storage could contain 50,000 years’ worth of DVD-quality video. 7

1 DAVE EVANS, CISCO INTERNET BUS. SOLUTIONS GRP., THE INTERNET OF THINGS: HOW THE NEXT EVOLUTION OF THE INTERNET IS CHANGING EVERYTHING 3 (2011), available at http://www.cisco.com/web/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf. These estimates include all types of connected devices, not just those aimed at the consumer market.
2 Id.
3 TELEFONICA, CONNECTED CAR INDUSTRY REPORT 2013 9 (2013), available at http://websrvc.net/2013/telefonica/Telefonica%20Digital_Connected_Car2013_Full_Report_English.pdf.
4 See Stanford Univ., TSensors Summit™ for Trillion Sensor Roadmap 1 (Oct. 23-25, 2013), available at http://tsensorssummit.org/Resources/Why%20TSensors%20Roadmap.pdf.
5 Id.
6 CISCO, CISCO VISUAL NETWORKING INDEX: GLOBAL MOBILE DATA TRAFFIC FORECAST UPDATE, 2013–2018 3 (2014), available at http://www.cisco.com/c/en/us/solutions/collateral/service-provider/visual-networking-indexvni/white_paper_c11-520862.pdf.
7 University of Bristol, Exabyte Informatics, available at http://www.bris.ac.uk/research/themes/exabyteinformatics.html.

These new developments are expected to bring enormous benefits to consumers. Connected health devices will allow consumers with serious health conditions to work with their physicians to manage their diseases. Home automation systems will enable consumers to turn off the burglar alarm, play music, and warm up dinner right before they get home from work. Connected cars will notify first responders in the event of an accident. And the Internet of Things may bring benefits that we cannot predict.

However, these connected devices also will collect, transmit, store, and potentially share vast amounts of consumer data, some of it highly personal. Given the rise in the number and types of connected devices already or soon to be on the market, the Federal Trade Commission (“FTC” or “Commission”) announced in April 2013 that it would host a workshop on the privacy and security issues associated with such devices and requested public input about the issues to consider. 8 In response to the request for comment, staff received twenty-nine public comments 9 from a variety of consumer advocacy groups, academics, and industry representatives.
The workshop – titled The Internet of Things: Privacy and Security in a Connected World – took place on November 19, 2013, and featured panels of academics, researchers, consumer advocates, and representatives from government and industry. 10 The workshop consisted of four panels, 11 each of which focused on a different aspect of the IoT. 12 The first panel, “The Smart Home,” 13 looked at an array of connected devices, such as home automation systems and smart appliances. The second panel, “Connected Health and Fitness,” 14 examined the growth of increasingly connected medical devices and health and fitness products, ranging from casual wearable fitness devices to connected insulin pumps. The third panel, “Connected Cars,” 15 discussed the different technologies involved with connected cars, including Event Data Recorders (“EDRs”) 16 and other vehicle “telematics,” a term that refers to data collection, transmission, and processing technologies for use in vehicles. Finally, the fourth panel, “Privacy and Security in a Connected World,” 17 discussed the broader privacy and security issues raised by the IoT.

Following the workshop, the Commission invited comments on the issues raised by the panels. 18 In response, staff received seventeen public comments from private citizens, trade organizations, and privacy advocates. 19

This report summarizes the workshop and provides staff’s recommendations in this area. Section II of this report discusses how we define the “Internet of Things.” Section III describes some of the benefits and risks of the new technologies that are part of the IoT phenomenon. Section IV examines the application of existing privacy principles to these new technologies, and Section V addresses whether legislation would be appropriate in this area. Sections IV and V begin by discussing the views of written commenters and workshop speakers (collectively, “participants”), and then set forth staff recommendations. These recommendations focus on the types of products and services consumers are likely to encounter today and in the foreseeable future. We look forward to continuing to explore privacy issues as new IoT technologies come to market.

8 Press Release, FTC, FTC Seeks Input on Privacy and Security Implications of the Internet of Things (Apr. 17, 2013), available at http://www.ftc.gov/news-events/press-releases/2013/04/ftc-seeks-input-privacy-and-securityimplications-internet-things.
9 Pre-workshop comments (“#484 cmt.”) are available at http://www.ftc.gov/policy/public-comments/initiative-484.
10 For a description of the workshop, see http://www.ftc.gov/news-events/events-calendar/2013/11/internet-thingsprivacy-security-connected-world.
11 In addition to the four panels, workshop speakers included Keith Marzullo of the National Science Foundation (“Marzullo”), who gave an overview of the IoT space (Transcript of Workshop at 15-34); Carolyn Nguyen (“Nguyen”) of Microsoft Corp., who discussed contextual privacy and its implications for the IoT (Transcript of Workshop at 35-51); and Vinton “Vint” Cerf (“Cerf”) of Google Inc., who gave the workshop’s Keynote Address (Transcript of Workshop at 118-153).
12 A complete transcript of the proceeding is available at http://www.ftc.gov/sites/default/files/documents/public_events/internet-things-privacy-security-connectedworld/final_transcript.pdf. Videos of the workshop also are available at http://www.ftc.gov/news-events/audiovideo/ftc-events.
13 Transcript of Workshop at 52-115.
14 Id. at 164-234.
15 Id. at 235-291.
16 An EDR is “a device or function in a vehicle that records the vehicle’s dynamic time-series data during the time period just prior to a crash event (e.g., vehicle speed vs. time) or during a crash event . . . intended for retrieval after the crash event.” 49 C.F.R. § 563.5.
17 Transcript of Workshop at 292-364.
18 Press Release, FTC, FTC Seeks Comment on Issues Raised at Internet of Things Workshop (Dec.
11, 2013), available at http://www.ftc.gov/news-events/press-releases/2013/12/ftc-seeks-comment-issues-raised-internetthings-workshop.
19 Post-workshop comments (“#510 cmt.”) are available at http://www.ftc.gov/policy/public-comments/initiative510.

What is the “Internet of Things”?

Although the term “Internet of Things” first appeared in the literature in 2005, 20 there is still no widely accepted definition. 21 One participant described the IoT as the connection of “physical objects to the Internet and to each other through small, embedded sensors and wired and wireless technologies, creating an ecosystem of ubiquitous computing.” 22 Another participant described it as including “embedded intelligence” in individual items that can detect changes in their physical state. 23 Yet another participant, noting the lack of an agreed-upon definition of the IoT, observed, “[w]hat all definitions of IoT have in common is that they focus on how computers, sensors, and objects interact with one another and process data.” 24

The IoT includes consumer-facing devices, as well as products and services that are not consumer-facing, such as devices designed for businesses to enable automated communications between machines. For example, the term IoT can include the type of Radio Frequency Identification (“RFID”) tags that businesses place on products in stores to monitor inventory; sensor networks to monitor electricity use in hotels; and Internet-connected jet engines and drills on oil rigs. Moreover, the “things” in the IoT generally do not include desktop or laptop computers and their close analogs, such as smartphones and tablets, although these devices are often employed to control or communicate with other “things.”

20 See Remarks of Marzullo, Transcript of Workshop at 19.
21 See Comment of ARM/AMD, #510 cmt. #00018 at 1.
22 Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 1.
23 Remarks of Marzullo, Transcript of Workshop at 19.
24 Comment of Ctr.
for Democracy & Tech., #484 cmt. #00028 at 3.

For purposes of this report, we use the term IoT to refer to “things” such as devices or sensors – other than computers, smartphones, or tablets – that connect, communicate or transmit information with or between each other through the Internet. Consistent with the FTC’s mission to protect consumers in the commercial sphere, our discussion of IoT is limited to such devices that are sold to or used by consumers. Accordingly, the report does not discuss devices sold in a business-to-business context, such as sensors in hotel or airport networks; nor does it discuss broader machine-to-machine communications that enable businesses to track inventory, functionality, or efficiency.

Benefits & Risks

Like all technologies, the Internet of Things has benefits and risks. To develop policy approaches to this industry, one must understand both. Below is a summary of the benefits and risks of IoT, both current and potential, highlighted by workshop participants.

Benefits

Most participants agreed that the IoT will offer numerous, and potentially revolutionary, benefits to consumers. 25 One area in which these benefits appear highly promising is health care. 26 For example, insulin pumps and blood-pressure cuffs that connect to a mobile app can enable people to record, track, and monitor their own vital signs, without having to go to a doctor’s office. This is especially beneficial for aging patients, for whom connected health devices can provide “treatment options that would allow them to manage their health care at home without the need for long-term hospital stays or transition to a long-term care facility.” 27 Patients can also give caregivers, relatives, and doctors access to their health data through these apps, resulting in numerous benefits. As one panelist noted, connected health devices can “improve quality of life and safety by providing a richer source of data to the patient’s doctor for diagnosis and treatment[,] . . . improve disease prevention, making the healthcare system more efficient and driving costs down[,] . . . [and] provide an incredible wealth of data, revolutionizing medical research and allowing the medical community to better treat, and ultimately eradicate, diseases.” 28

Recent studies demonstrate meaningful benefits from connected medical devices. One workshop participant said that “one of the most significant benefits that we have from this connected world [is] the ability to . . . draw the patients in and engage them in their own care.” 29 Another participant described a clinical trial showing that, when diabetic patients used connected glucose monitors, and their physicians received that data, those physicians were five times more likely to adjust medications, resulting in better disease management and substantial financial savings for patients. He stated that the clinical trial demonstrated that diabetic patients using the connected glucose monitor reduced their average blood sugar levels by two points and that, by comparison, the Food and Drug Administration (“FDA”) considers medications that reduce blood sugar by as little as one half point to be successful. 30

25 See Comment of Future of Privacy Forum, #484 cmt. #00013 at 4; Comment of Software & Info. Indus. Ass’n., #484 cmt. #00025 at 2.
26 See Comment of AT&T Inc., #484 cmt. #00004 at 5.
27 Comment of Med. Device Privacy Consortium, #484 cmt. #00022 at 1.
28 Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 16.

Consumers can benefit from the IoT in many other ways. In the home, for example, smart meters can enable energy providers to analyze consumer energy use and identify issues with home appliances, “even alerting homeowners if their insulation seems inadequate compared to that of their neighbors,” 31 thus empowering consumers to “make better decisions about how they use electricity.” 32 Home automation systems can provide consumers with a “single platform that
can connect all of the devices within the home, [with] a single app for controlling them.” 33 Connected ovens allow consumers to “set [their] temperatures remotely . . . , go from bake to broil . . . , [and] monitor [their] products from various locations inside . . . and outside [their] home[s].” 34 Sensors known as “water bugs” can notify consumers if their basements have flooded, 35 and wine connoisseurs can monitor the temperature in their wine cellars to preserve their finest vintages. 36

On the road, connected cars will increasingly offer many safety and convenience benefits to consumers. For example, sensors on a car can notify drivers of dangerous road conditions, and software updates can occur wirelessly, obviating the need for consumers to visit the dealership. 37 Connected cars also can “offer real-time vehicle diagnostics to drivers and service facilities; Internet radio; navigation, weather, and traffic information; automatic alerts to first responders when airbags are deployed; and smartphone control of the starter and other aspects of the car.” 38

29 See Remarks of Stan Crosley, Indiana Univ. (“Crosley”), Transcript of Workshop at 199.
30 See Remarks of Anand Iyer, WellDoc Communications, Inc. (“Iyer”), Transcript of Workshop at 188–189.
31 Comment of AT&T Inc., #484 cmt. #00004 at 4-5.
32 Remarks of Eric Lightner, Department of Energy (“Lightner”), Transcript of Workshop at 54.
33 Remarks of Jeff Hagins, SmartThings (“Hagins”), Transcript of Workshop at 64.
34 Remarks of Michael Beyerle, GE Appliances (“Beyerle”), Transcript of Workshop at 60.
35 See Remarks of Scott Peppet, Univ. of Colorado School of Law (“Peppet”), Transcript of Workshop at 167.

In the future, cars will even drive themselves. Participants discussed the ability of self-driving cars to create safety benefits. For example, rather than having error-prone humans decide which car should go first at a four-way stop sign, self-driving cars will be able to figure out who should
go first according to a standard protocol. 39 They would also allow people with visual impairments to use their own cars as a mode of transportation. 40

36 See Remarks of Cerf, Transcript of Workshop at 132.
37 See Remarks of Christopher Wolf, Future of Privacy Forum (“Wolf”), Transcript of Workshop at 247-48.
38 Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 13.
39 See Remarks of Cerf, Transcript of Workshop at 127.
40 See id. at 138.

Risks

Despite these important benefits, there was broad agreement among participants that increased connectivity between devices and the Internet may create a number of security and privacy risks. 41

SECURITY RISKS

According to panelists, IoT devices may present a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating safety risks. Although each of these risks exists with traditional computers and computer networks, they are heightened in the IoT, as explained further below.

First, on IoT devices, as with desktop or laptop computers, a lack of security could enable intruders to access and misuse personal information collected and transmitted to or from the device. For example, new smart televisions enable consumers to surf the Internet, make purchases, and share photos, similar to a laptop or desktop computer. 42 Like a computer, any security vulnerabilities in these televisions could put the information stored on or transmitted through the television at risk. If smart televisions or other devices store sensitive financial account information, passwords, and other types of information, unauthorized persons could exploit vulnerabilities to facilitate identity theft or fraud. 43 Thus, as consumers install more smart devices in their homes, they may increase the number of vulnerabilities an intruder could use to compromise personal information. 44

Second, security vulnerabilities in a particular device may facilitate attacks on the consumer’s network to which it is connected, or enable attacks on other systems. 45 For example, a compromised IoT device could be used to launch a denial of service attack. 46 Denial of service attacks are more effective the more devices the attacker has under his or her control; as IoT devices proliferate, vulnerabilities could enable these attackers to assemble large numbers of devices to use in such attacks. 47 Another possibility is that a connected device could be used to send malicious emails. 48

41 See, e.g., Remarks of Craig Heffner, Tactical Network Solutions (“Heffner”), Transcript of Workshop at 73-77, 109-10; Remarks of Lee Tien, Electronic Frontier Foundation (“Tien”), Transcript of Workshop at 82-83; Remarks of Hagins, Transcript of Workshop at 92-93, 110; Remarks of Jay Radcliffe, InGuardians, Inc. (“Radcliffe”), Transcript of Workshop at 182-84; Remarks of Iyer, Transcript of Workshop at 223; Remarks of Tadayoshi Kohno, Univ. of Washington (“Kohno”), Transcript of Workshop at 244-47, 263-64; Remarks of David Jacobs, Electronic Privacy Information Center (“Jacobs”), Transcript of Workshop at 296; Remarks of Marc Rogers, Lookout, Inc. (“Rogers”), Transcript of Workshop at 344-45. See also, e.g., HP, INTERNET OF THINGS RESEARCH STUDY 5 (2014), available at http://h20195.www2.hp.com/V2/GetDocument.aspx?docname=4AA5-4759ENW&cc=us&lc=en (“HP Security Research reviewed 10 of the most popular devices in some of the most common IoT niches revealing an alarmingly high average number of vulnerabilities per device. Vulnerabilities ranged from Heartbleed to denial of service to weak passwords to cross-site scripting.”); id. at 4 (noting that 80 percent of devices tested raised privacy concerns).
42 See, e.g., Erica Fink & Laurie Segall, Your TV might be watching you, CNN MONEY (Aug. 1, 2013), available at http://money.cnn.com/2013/08/01/technology/security/tv-hack/index.html (“Today’s high-end televisions are almost all equipped with ‘smart’ PC-like features, including Internet connectivity, apps, microphones and cameras.”).
43 See Mario Ballano Barcena et al., Security Response, How safe is your quantified self?, SYMANTEC (Version 1.1 – Aug. 11, 2014), available at www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/how-safe-is-your-quantifiedself.pdf (noting risks relating to IoT including identity theft). According to the most recent statistics from the Bureau of Justice Statistics of the Department of Justice, an estimated 16.6 million Americans – about seven percent of Americans sixteen or older – experienced at least one incident of identity theft in 2012. Losses due to personal identity theft totaled $24.7 billion, billions of dollars more than the losses for all other property crimes combined. BUREAU OF JUSTICE STATISTICS, U.S. DEP’T OF JUSTICE, VICTIMS OF IDENTITY THEFT, 2012 (Dec. 2013), available at http://www.bjs.gov/content/pub/pdf/vit12.pdf. Another study demonstrated that one in four people who received notice of a breach involving their personal information were victims of identity theft, a significantly higher figure than for individuals who did not receive a breach notice. See Javelin, 2013 Identity Fraud Report, available at https://www.javelinstrategy.com/brochure/276.
44 See, e.g., Remarks of Marzullo, Transcript of Workshop at 18-19 (discussing ubiquitous or pervasive computing); id. at 28-30 (discussing potential security vulnerabilities in devices ranging from pacemakers to automobiles); Remarks of Nguyen, Transcript of Workshop at 35 (“the first thing that really comes to mind are the sensors that are expected to be ubiquitously present and the potential for everything inanimate, whether it be in the home, in the car, or attached to the individual, to measure and transmit data”).
45 See Remarks of Heffner, Transcript at 113 (“[I]f I, as someone out on the Internet, can break into a device that is inside your network, I am now inside your network and I can access other things that you do care about . . . . There should never be a device on your network that you shouldn’t care about the security of.”).
46 See, e.g., Dick O’Brien, The Internet of Things: New Threats Emerge in a Connected World, SYMANTEC (Jan. 21, 2014), available at www.symantec.com/connect/blogs/internet-things-new-threats-emerge-connected-world (describing worm attacking IoT devices that connects them to a botnet for use in denial of service attacks).
47 Id.
48 See Paul Thomas, Despite the News, Your Refrigerator is Not Yet Sending Spam, SYMANTEC (Jan. 23, 2014), available at http://www.symantec.com/connect/blogs/despite-news-your-refrigerator-not-yet-sending-spam (debunking reports that an Internet worm had used compromised IoT devices to send out spam, but adding, “While malware for IoT devices is still in its infancy, IoT devices are susceptible to a wide range of security concerns. So don’t be surprised if, in the near future, your refrigerator actually does start sending spam.”).

Third, unauthorized persons might exploit security vulnerabilities to create risks to physical safety in some cases. One participant described how he was able to hack remotely into two different connected insulin pumps and change their settings so that they no longer delivered medicine. 49 Another participant discussed a set of experiments where an attacker could gain “access to the car’s internal computer network without ever physically touching the car.” 50 He described how he was able to hack into a car’s built-in telematics unit and control the vehicle’s engine and braking, although he noted that “the risk to car owners today is incredibly small,” in part because “all the automotive manufacturers that I know of are proactively trying to address these things.” 51 Although the risks currently may be small, they could be amplified as fully automated cars, and other automated physical objects, become more prevalent. Unauthorized access to Internet-connected cameras or baby monitors also raises potential physical safety concerns. 52 Likewise, unauthorized access to data collected by fitness and other devices that track consumers’ location over time could endanger consumers’ physical safety. Another possibility is that a thief could remotely access data about energy usage from smart meters to determine whether a homeowner is away from home.

49 See Remarks of Radcliffe, Transcript of Workshop at 182. See also Remarks of Tien, Transcript of Workshop at 82-83 (“And obviously one of the big differences between, say, a problem with your phone and a problem with your . . . diabetes pump or your defibrillator is that if it is insecure and it is subject to any kind of malware or attack, it is much more likely there would be very serious physical damage.”).
50 Remarks of Kohno, Transcript of Workshop at 245.
51 See id. at 245-47, 266.

These potential risks are exacerbated by the fact that securing connected IoT devices may be more challenging than securing a home computer, for two main reasons. First, as some panelists noted, companies entering the IoT market may not have experience in dealing with security issues. 53 Second, although some IoT devices are highly sophisticated, many others may be inexpensive and essentially disposable.
54 In those cases, if a vulnerability were discovered after manufacture, it may be difficult or impossible to update the software or apply a patch. 55 And if an update is available, many consumers may never hear about it. 56 Relatedly, many

52 See discussion of TRENDnet, infra notes 132-34 and accompanying text (FTC settlement alleging that hackers were able to access video streams from TRENDnet cameras). In another notorious incident, a hacker gained access to a video and audio baby monitor. See Chris Matyszczyk, Hacker Shouts at Baby Through Baby Monitor, CNET (Apr. 29, 2014), available at www.cnet.com/news/hacker-shouts-at-baby-through-baby-monitor/. See also Kashmir Hill, ‘Baby Monitor Hack’ Could Happen To 40,000 Other Foscam Users, FORBES (Aug. 27, 2013), available at www.forbes.com/sites/kashmirhill/2013/08/27/baby-monitor-hack-could-happen-to-40000-other-foscam-users/ (recounting a similar incident).
53 Remarks of Tien, Transcript of Workshop at 71; Remarks of Heffner, Transcript of Workshop at 73-75; Remarks of Hagins, Transcript of Workshop at 92-93.
54 See Comment of Ctr. for Democracy & Tech., #510 cmt. #00016 at 2.
55 See, e.g., Article 29 Data Protection Working Party, Opinion 8/2014 on Recent Developments on the Internet of Things 9 (Sept. 16, 2014) (“Article 29 Working Group Opinion”), available at http://ec.europa.eu/justice/dataprotection/article-29/documentation/opinion-recommendation/files/2014/wp223_en.pdf (“For example, most of the sensors currently present on the market are not capable of establishing an encrypted link for communications since the computing requirements will have an impact on a device limited by low-powered batteries.”).
56 Id. See also Hill, supra note 52 (noting that some 40,000 of 46,000 purchasers of connected cameras had not installed a firmware update addressing a security vulnerability).
companies – particularly those developing low-end devices – may lack economic incentives to provide ongoing support or software security updates at all, leaving consumers with unsupported or vulnerable devices shortly after purchase. 57

PRIVACY RISKS

In addition to risks to security, participants identified privacy risks flowing from the Internet of Things. Some of these risks involve the direct collection of sensitive personal information, such as precise geolocation, financial account numbers, or health information – risks already presented by traditional Internet and mobile commerce. Others arise from the collection of personal information, habits, locations, and physical conditions over time, 58 which may allow an entity that has not directly collected sensitive information to infer it. The sheer volume of data that even a small number of devices can generate is stunning: one participant indicated that fewer than 10,000 households using the company’s IoT home-automation product can “generate 150 million discrete data points a day” 59 or approximately one data point every six seconds for each household. 60

57 See, e.g., Bruce Schneier, The Internet of Things Is Wildly Insecure — And Often Unpatchable, WIRED (Jan. 6, 2014), available at http://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-ahuge-problem (“The problem with this process is that no one entity has any incentive, expertise, or even ability to patch the software once it’s shipped. The chip manufacturer is busy shipping the next version of the chip, and the [original device manufacturer] is busy upgrading its product to work with this next chip. Maintaining the older chips and products just isn’t a priority.”).
58 See, e.g., Remarks of Tien, Transcript of Workshop at 67; Comment of Ctr. for Democracy & Tech., #484 cmt. #00028 at 4-5.
59 Remarks of Hagins, Transcript of Workshop at 89.
60 Cf.
infra note 73 and accompanying text (discussing inferences possible from smart meter readings taken every two seconds).

Such a massive volume of granular data allows those with access to the data to perform analyses that would not be possible with less rich data sets. 61 According to a participant, “researchers are beginning to show that existing smartphone sensors can be used to infer a user’s mood; stress levels; personality type; bipolar disorder; demographics (e.g., gender, marital status, job status, age); smoking habits; overall well-being; progression of Parkinson’s disease; sleep patterns; happiness; levels of exercise; and types of physical activity or movement.” 62 This participant noted that such inferences could be used to provide beneficial services to consumers, but also could be misused. Relatedly, another participant referred to the IoT as enabling the collection of “sensitive behavior patterns, which could be used in unauthorized ways or by unauthorized individuals.” 63

Some panelists cited to general privacy risks associated with these granular information-collection practices, including the concern that the trend towards abundant collection of data creates a “non-targeted dragnet collection from devices in the environment.” 64 Others noted that companies might use this data to make credit, insurance, and employment decisions. 65 For example, customers of some insurance companies currently may opt into programs that enable the insurer to collect data on aspects of their driving habits – such

61 See Article 29 Working Group Opinion, supra note 55, at 8 (“Full development of IoT capabilities may put a strain on the current possibilities of anonymous use of services and generally limit the possibility of remaining unnoticed.”).
62 Scott R. Peppet, Regulating the Internet of Things: First Steps Towards Managing Discrimination, Privacy, Security & Consent, 93 TEX. L. REV.
85, 115-16 (2014) (citations omitted) (“Regulating the Internet of Things”), available at http://www.texaslrev.com/wp-content/uploads/Peppet-93-1.pdf. Although we do not include smartphones in our definition of IoT (see supra p. 6), many IoT devices contain sensors similar to the sensors in smartphones, and therefore, similar types of inferences may be possible using data from IoT devices.
63 Comment of Elec. Privacy Info. Ctr., #484 cmt. #00011 at 3.
64 Remarks of Tien, Transcript of Workshop at 67.
65 See Remarks of Peppet, Transcript of Workshop at 169.

as in one case, the number of “hard brakes,” the number of miles driven, and the amount of time spent driving between midnight and 4 a.m. – to help set the insurance rate. 66 Use of data for credit, insurance, and employment decisions could bring benefits – e.g., enabling safer drivers to reduce their rates for car insurance or expanding consumers’ access to credit – but such uses could be problematic if they occurred without consumers’ knowledge or consent, or without ensuring accuracy of the data.

As a further example, one researcher has hypothesized that although a consumer may today use a fitness tracker solely for wellness-related purposes, the data gathered by the device could be used in the future to price health or life insurance or to infer the user’s suitability for credit or employment (e.g., a conscientious exerciser is a good credit risk or will make a good employee). 67 According to one commenter, it would be of particular concern if this type of decision-making were to systematically bias companies against certain groups that do not or cannot engage in the favorable conduct as much as others or lead to discriminatory practices against protected classes. 68

Participants noted that the Fair Credit Reporting Act (“FCRA”) 69 imposes certain limits on the use of consumer data to make determinations about credit, insurance, or employment, or for similar purposes.
70 The FCRA imposes an array of obligations on entities that qualify as

66 See Peppet, Regulating the Internet of Things, supra note 62, at 106-07. See also, e.g., Progressive, Snapshot Common Questions, available at http://www.progressive.com/auto/snapshot-common-questions/; StateFarm, Drive Safe & Save with In-Drive, available at https://www.statefarm.com/insurance/auto/discounts/drive-safesave/indrive.
67 See Remarks of Peppet, Transcript of Workshop at 167-169.
68 See id. at 93, 123-24.
69 15 U.S.C. § 1681 et seq.
70 See, e.g., Remarks of Crosley, Transcript of Workshop at 213; Remarks of Peppet, Transcript of Workshop at 213; Peppet, Regulating the Internet of Things, supra note 62, at 126-127.

consumer reporting agencies, such as employing reasonable procedures to ensure maximum possible accuracy of data and giving consumers access to their information. 71 However, the FCRA excludes most “first parties” that collect consumer information; thus, it would not generally cover IoT device manufacturers that do their own in-house analytics. Nor would the FCRA cover companies that collect data directly from consumers’ connected devices and use the data to make in-house credit, insurance, or other eligibility decisions – something that could become increasingly common as the IoT develops. For example, an insurance company may offer consumers the option to submit data from a wearable fitness tracker, in exchange for the prospect of lowering their health insurance premium. The FCRA’s provisions, such as those requiring the ability to access the information and correct errors, may not apply in such circumstances.

Yet another privacy risk is that a manufacturer or an intruder could “eavesdrop” remotely, intruding into an otherwise private space. Companies are already examining how IoT data can provide a window into the previously private home.
72 Indeed, by intercepting and analyzing unencrypted data transmitted from a smart meter device, researchers in Germany were

71 See 15 U.S.C. §§1681e, 1681j.
72 See, e.g., Louise Downing, WPP Unit, Onzo Study Harvesting Smart-Meter Data, BLOOMBERG (May 12, 2014), available at http://origin-www.bloomberg.com/apps/news?pid=conewsstory&tkr=WPP:LN&sid=aPY7EUU9oD6g (reporting that the “world’s biggest advertising agency” and a software company are collaborating to explore uses of smart meter data and quoting a CEO who noted, “Consumers are leaving a digital footprint that opens the door to their online habits and to their shopping habits and their location, and the last thing that is understood is the home, because at the moment, when you shut the door, that is it.”). See also Comment of Ctr. for Democracy & Tech., #510 cmt. #00016 at 2-3 (“to the extent that a powerful commercial entity controls an IoT networking platform within a home or business, that positions them to collect, analyze, and act upon copious amounts of data from within traditionally private spaces.”).

able to determine what television show an individual was watching. 73 Security vulnerabilities in camera-equipped devices have also raised the specter of spying in the home. 74

Finally, some participants pointed out that perceived risks to privacy and security, even if not realized, could undermine the consumer confidence necessary for the technologies to meet their full potential and may result in less widespread adoption. 75 As one participant stated, “promoting privacy and data protection principles remains paramount to ensure societal acceptance of IoT services.” 76

73 See Dario Carluccio & Stephan Brinkhaus, Presentation: “Smart Hacking for Privacy,” 28th Chaos Communication Congress, Berlin, December 2011, available at https://www.youtube.com/watch?v=YYe4SwQn2GE&feature=youtu.be.
Moreover, “the two-second reporting interval provides so much data that [the researchers] were able to accurately chart power usage spikes and lulls indicative of times a homeowner would be home, asleep or away.” Id. (In most smart meter implementations, data is reported at much longer intervals, usually fifteen minutes.) In addition to the privacy concerns, as noted above, the researchers discovered that the encryption was not implemented properly and that they could alter the energy consumption data reported by the meter. Id.
74 See, e.g., Fink & Segall, supra note 42 (describing a security vulnerability in Samsung smart TVs, since patched, that “enabled hackers to remotely turn on the TVs’ built-in cameras without leaving any trace of it on the screen”).
75 See, e.g., Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 17-18; Comment of CTIA – The Wireless Ass’n, #510 cmt. #00014 at 2; Comment of Future of Privacy Forum, #484 cmt. #00013 at 5.
76 Comment of GS1 US, #484 cmt. #00030 at 4.

Application of Traditional Privacy Principles

Summary of Workshop Discussions

Participants debated how the long-standing Fair Information Practice Principles (“FIPPs”) of notice, choice, access, accuracy, data minimization, security, and accountability should apply to the IoT space. While some participants continued to support the application of all of the FIPPs, 77 others argued that data minimization, notice, and choice are less suitable for protecting consumer privacy in the IoT. 78

The FIPPs were first articulated in 1973 in a report by what was then the U.S. Department of Health, Education and Welfare. 79 Subsequently, in 1980, the Organization for Economic Cooperation and Development (“OECD”) adopted a set of privacy guidelines, which embodied the FIPPs. 80 Over time, the FIPPs have formed the basis for a variety of both government and private sector initiatives on privacy.
For example, both the European Union

77 See, e.g., Remarks of Michelle Chibba, Office of the Information and Privacy Commissioner, Ontario, Canada (“Chibba”), Transcript of Workshop at 329; Remarks of Jacobs, Transcript of Workshop at 328-329; Comment of AAA, #510 cmt. #00012 at 2; Comment of Ctr. for Democracy & Tech., #510 cmt. #00016 at 3.
78 See, e.g., Comment of GS1 US, #484 cmt. #00030 at 5; Comment of Transatl. Computing Continuum Policy Alliance, #484 cmt. #00021 at 2; Comment of Info. Tech. Indus. Council, #510 cmt. #00008 at 3.
79 See FTC, PRIVACY ONLINE: A REPORT TO CONGRESS 48 n.27 (1998), available at http://www.ftc.gov/sites/default/files/documents/reports/privacy-online-report-congress/priv-23a.pdf.
80 See OECD, OECD GUIDELINES ON THE PROTECTION OF PRIVACY AND TRANSBORDER FLOWS OF PERSONAL DATA (1980), available at http://www.oecd.org/sti/ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderflowsofpersonaldata.htm. (In 2013, the OECD updated its guidelines to address risk management, interoperability, and other issues. The update is available at http://www.oecd.org/sti/ieconomy/2013-oecd-privacy-guidelines.pdf). See also FTC, PRIVACY ONLINE: FAIR INFORMATION PRACTICES IN THE ELECTRONIC MARKETPLACE: A REPORT TO CONGRESS 3-4, 43 n.25 (2000).

Directive on the protection of personal data 81 and the Health Insurance Portability and Accountability Act (“HIPAA”) 82 are based, in large part, on the FIPPs. In addition, many self-regulatory guidelines include the principles of notice, choice, access, and security. 83 The Obama Administration’s Consumer Privacy Bill of Rights also includes these principles, 84 as does the privacy framework set forth in the Commission’s 2012 Privacy Report. 85

Workshop discussion focused on four FIPPs in particular – data security, data minimization, notice, and choice.
As to data security, there was widespread agreement on the need for companies manufacturing IoT devices to incorporate reasonable security into these devices. As one participant stated, “Inadequate security presents the greatest risk of actual consumer harm in the Internet of Things.” 86 Accordingly, as another participant noted,

81 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995 O.J. (L 281) 31, available at http://ec.europa.eu/justice/policies/privacy/docs/95-46-ce/dir1995-46_part1_en.pdf.
82 Health Insurance Portability and Accountability Act of 1996, Pub. L. 104-191, 110 Stat. 1936 (codified as amended in scattered sections of 18, 26, 29, and 42 U.S.C.).
83 See, e.g., NETWORK ADVER. INITIATIVE, NAI CODE OF CONDUCT 2013, available at http://www.networkadvertising.org/2013_Principles.pdf; INTERNET ADVER. BUREAU, INTERACTIVE ADVERTISING PRIVACY PRINCIPLES (Feb. 24, 2008), available at http://www.iab.net/guidelines/508676/1464.
84 THE WHITE HOUSE, CONSUMER DATA PRIVACY IN A NETWORKED WORLD: A FRAMEWORK FOR PROTECTING PRIVACY AND PROMOTING INNOVATION IN THE GLOBAL DIGITAL ECONOMY (2012), available at http://www.whitehouse.gov/sites/default/files/privacy-final.pdf.
85 FTC, PROTECTING CONSUMER PRIVACY IN AN ERA OF RAPID CHANGE: RECOMMENDATIONS FOR BUSINESSES AND POLICYMAKERS vii-viii (2012) (“Privacy Report”), available at http://www.ftc.gov/sites/default/files/documents/reports/federal-trade-commission-report-protecting-consumerprivacy-era-rapid-change-recommendations/120326privacyreport.pdf. Commissioners Ohlhausen and Wright were not members of the Commission at that time and thus did not offer any opinion on that matter.
86 Comment of Future of Privacy Forum, #510 cmt. #00013 at 9 (and listing types of security measures that are already being implemented to secure the IoT).
“[s]ecurity must be built into devices and networks to prevent harm and build consumer trust in the IoT.” 87

Participants were more divided about the continuing applicability of the principles of data minimization, notice, and choice to the IoT. 88 With respect to data minimization – which refers to the concept that companies should limit the data they collect and retain, and dispose of it once they no longer need it – one participant expressed concerns that requiring fledgling companies to predict what data they should minimize would “chok[e] off potential benefits and innovation.” 89 A second participant cautioned that “[r]estricting data collection with rules like data minimization could severely limit the potential opportunities of the Internet of Things” based on beneficial uses that could be found for previously-collected data that were not contemplated at the time of collection. 90 Still another participant noted that “[d]ata-driven innovation, in many ways, challenges many interpretations of data minimization where data purpose specification and use limitation are overly rigid or prescriptive.” 91

With respect to notice and choice, some participants expressed concern about its feasibility, given the ubiquity of IoT devices and the persistent and pervasive nature of the

87 Comment of Infineon Tech. N. Am. Corp., #510 cmt. #00009 at 2; see also Remarks of Rogers, Transcript of Workshop at 312 (“There are some pretty good examples out there of what happens to companies when security becomes an afterthought and the cost that companies can incur in trying to fight the damage, the cost to brand reputation, the loss of customer confidence. And there are also some great examples of companies, even in the Internet of Things, as new as it is, companies that have gotten it right and they’ve done well. And they’ve gone on to push out products where there have been no issues.”).
88 See, e.g., Comment of Transatl. Computing Continuum Policy Alliance, #484 cmt.
#00021 at 2; Comment of Info. Tech. Indus. Council, #510 cmt. #00008 at 3-4.
89 Remarks of Dan Caprio, McKenna, Long & Aldridge, LLP (“Caprio”), Transcript of Workshop at 339.
90 Comment of Ctr. for Data Innovation, #510 cmt. #00002 at 3.
91 Comment of Software & Info. Indus. Ass’n, #484 cmt. #00025 at 6–7; see also Comment of Future of Privacy Forum, #510 cmt. #00013 at 5 (purpose specification and data minimization as applied to the IoT “risks unduly limiting the development of new services and the discoveries that may follow from valuable research”).

information collection that they make possible. As one participant observed, when “a bunch of different sensors on a bunch of different devices, on your home, your car, your body . . . are measuring all sorts of things,” it would be burdensome both for the company to provide notice and choice, and for the consumer to exercise such choice every time information was reported. 92 Another participant talked about the risk that, if patients have “to consent to everything” for a health monitoring app, “patients will throw the bloody thing away.” 93 Yet another participant noted that any requirement to obtain consent could be “a barrier to socially beneficial uses of information.” 94

A related concern is that many IoT devices – such as home appliances or medical devices – have no screen or other interface to communicate with the consumer, thereby making notice on the device itself difficult, if not impossible. 95 For those devices that do have screens, the screens may be smaller than even the screens on mobile devices, where providing notice is already a challenge. 96 Finally, even if a device has screens, IoT sensors may collect data at times when the consumer may not be able to read a notice (for example, while driving). 97

92 Remarks of Peppet, Transcript of Workshop at 215–16.
93 Remarks of Iyer, Transcript of Workshop at 230.
94 Comment of Software & Info. Indus. Ass’n, #484 cmt. #00025 at 8.
95 See, e.g., Comment of Ctr. for Data Innovation, #510 cmt. #00002 at 2; Comment of Future of Privacy Forum, #484 cmt. #00013 at 2 and 6; Comment of Transatl. Computing Continuum Policy Alliance, #510 cmt. #00017 at 2.
96 See FTC STAFF REPORT, MOBILE PRIVACY DISCLOSURES: BUILDING TRUST THROUGH TRANSPARENCY 10–11 (2013) (“Mobile Disclosures Report”), available at http://www.ftc.gov/sites/default/files/documents/reports/mobileprivacy-disclosures-building-trust-through-transparency-federal-trade-commission-staffreport/130201mobileprivacyreport.pdf.
97 In addition, some participants also suggested that notice and choice is not workable for IoT products and services that are not consumer-facing – e.g., a sensor network to monitor electricity use in hotels. See, e.g., Comment of GS1 US, #484 cmt. #00030 at 5 (noting that “[i]t is difficult to anticipate how the existing mechanisms of notice and choice, both being sound principles for privacy protection, would apply to sensors. . . . [H]ow would one provide adequate notice for every embedded sensor network? How would consent be obtained?”); Comment of Future of

Despite these challenges, participants discussed how companies can provide data minimization, notice, and choice within the IoT. One participant suggested that, as part of a data minimization exercise, companies should ask themselves a series of questions, such as whether they need a particular piece of data or whether the data can be deidentified. 98 Another participant gave a specific example of how data could be minimized in the context of connected cars.
This participant noted that the recording device on such cars could “automatically delete old data after a certain amount of time, or prevent individual data from being automatically synched with a central database.” 99

As to notice and choice, one auto industry participant noted that his company provides consumers with opt-in choices at the time of purchase in “[p]lain language and multiple choices of levels.” 100 Another discussed a “consumer profile management portal[]” approach that would include privacy settings menus that consumers can configure and revisit, 101 possibly on a separate device such as a smartphone or a webportal. In addition to the types of specific settings and choices, another participant suggested that devices and their associated platforms could enable consumers to aggregate choices into “packets.” 102 Finally, one participant noted that

Privacy Forum, #510 cmt. #00013, Appendix A at 4. As noted above, this report addresses privacy and security practices for consumer-facing products.
98 Remarks of Chibba, Transcript of Workshop at 300-01.
99 Comment of EPIC, #484 cmt. #00011 at 17-18.
100 Remarks of Kenneth Wayne Powell, Toyota Technical Center (“Powell”), Transcript of Workshop at 278.
101 Comment of Future of Privacy Forum, #484 cmt. #00013 at 6.
102 Remarks of Joseph Lorenzo Hall, Center for Democracy & Technology (“Hall”), Transcript of Workshop at 216.

companies could consider an approach that applies learning from consumer behavior on IoT devices, in order to personalize privacy choices. 103

Some participants advocated for an increased focus on certain types of use restrictions to protect consumer data. 104 With this approach, legislators, regulators, self-regulatory bodies, or individual companies would set “permissible” and “impermissible” uses of certain consumer data.
One commenter characterized this approach as “shifting responsibility away from data subjects toward data users, and increasing the emphasis on responsible data stewardship and accountability.” 105

Participants offered a variety of approaches to adding use-based data protections. One participant proposed that companies “tag” data with its appropriate uses so that automated processes could identify and flag inappropriate uses. 106 Other participants noted that policymakers could constrain certain uses of IoT data that do not comport with consumer expectations and present the most risk of harm, either through law 107 or through voluntary

103 Remarks of Nguyen, Transcript of Workshop at 48.
104 See Remarks of Peppet, Transcript of Workshop at 210-211 (advocating “drawing some lines around acceptable use” through legislation or regulation in addition to notice and choice); see also Remarks of Crosley at 213 (supporting “the appropriate use of the context”); Remarks of Hall at 214 (expressing support for “[u]se restrictions, as long as they have teeth. That’s why I think vanilla self-regulatory efforts are probably not the answer. You need to have something that is enforced by an independent body”).
105 Comment of Software & Information Industry Association, #484 cmt #00025 at 8.
106 Comment of Future of Privacy Forum, #510 cmt. #00013 at 10–11 (citing Hal Abelson, Information Accountability as the Foundation of 21st Century Privacy Protection (2013), available at http://kit.mit.edu/sites/default/files/documents/Abelson_MIT_KIT_2013_Conference.pdf). We note that such an approach would require coordination and potential associated costs.
107 See Peppet, Regulating the Internet of Things, supra note 62, at 149 (proposing regulatory constraints).

self-regulatory efforts 108 or seal programs. 109 For example, as one participant has pointed out, some state laws restrict access by auto insurance companies and other entities to consumers’ driving data recorded by an EDR.
110

Post-Workshop Developments

Since the November 2013 workshop, the IoT marketplace has continued to develop at a remarkable pace. For example, in June 2014, Apple announced “HealthKit,” a platform that “functions as a dashboard for a number of critical metrics as well as a hub for select third-party fitness products,” 111 as a way to help protect health information that some connected devices may collect. Similarly, in October 2014, Microsoft announced Microsoft Health, a “cloud-based service that … provid[es] actionable insights based on data gathered from the fitness devices and apps” and which will work in conjunction with Microsoft’s HealthVault, which for a decade has offered “a trusted place to store health information and share it with medical professionals on a security-enhanced platform.” 112 And last November, Intel announced a “new platform …

108 See, e.g., Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 7; Comment of Direct Mktg. Ass’n, #484 cmt. #00010 at 2; Comment of CTIA – The Wireless Ass’n, #510 cmt. #00014 at 4; Comment of U.S. Chamber of Commerce, #510 cmt. #00011 at 3.
109 See, e.g., Comment of AT&T Inc., #484 cmt. #00004 at 9–10; Comment of Future of Privacy Forum, #484 cmt. #00013 at 13.
110 Peppet, Regulating the Internet of Things, supra note 62, at 153-54.
111 Rachel King, Apple takes app-based approach to health tech with HealthKit, ZDNet (June 2, 2014), available at http://www.zdnet.com/article/apple-takes-app-based-approach-to-health-tech-with-healthkit/.
112 Microsoft Health, http://www.microsoft.com/Microsoft-Health/en-us (last visited Jan. 9, 2015).

designed to make it easier for developers to connect devices securely, bring device data to the cloud, and make sense of that data with analytics.” 113

Policymakers have also tried to keep pace with these developments in the IoT.
For example, in May 2014, the White House released a Big Data report (“White House Big Data Report”), and the President’s Council of Advisors on Science and Technology released a companion report (“PCAST Report”). Both reports weigh in on the debate between the application of data minimization, notice, and choice versus use limitations. The White House Big Data Report opined that “the notice and consent framework threatens to be overcome” in certain instances, “such as the collection of ambient data by our household appliances.” 114 The White House Big Data Report concluded that,

Putting greater emphasis on a responsible use framework has many potential advantages. It shifts the responsibility from the individual, who is not well equipped to understand or contest consent notices as they are currently structured in the marketplace, to the entities that collect, maintain, and use data. Focusing on responsible use also holds data collectors and users accountable for how they manage the data and any harms it causes, rather than narrowly defining their responsibility to whether they properly obtained consent at the time of collection. 115

Attention to the impact of the IoT spans the globe. In September 2014, Europe’s Article 29 Working Group – composed of data protection authorities of EU member countries – issued

113 Aaron Tilley, Intel Releases New Platform To Kickstart Development In The Internet Of Things, FORBES (Dec. 9, 2014), available at http://www.forbes.com/sites/aarontilley/2014/12/09/intel-releases-new-platform-to-kickstartdevelopment-in-the-internet-of-things/.
114 Executive Office of the President, BIG DATA: SEIZING OPPORTUNITIES, PRESERVING VALUES (May 2014) (“White House Big Data Report”) at 56, available at http://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_5.1.14_final_print.pdf.
See also President’s Council of Advisors on Science and Technology, REPORT TO THE PRESIDENT: BIG DATA AND PRIVACY: A TECHNOLOGICAL PERSPECTIVE 38 (May 2014), available at http://www.whitehouse.gov/administration/eop/ostp/pcast.
115 White House Big Data Report at 56.

an Opinion on Recent Developments on the Internet of Things. 116 In the opinion, the Working Group emphasized the importance of user choice, noting that “users must remain in complete control of their personal data throughout the product lifecycle, and when organisations rely on consent as a basis for processing, the consent should be fully informed, freely given and specific.”

In addition to policy work by government agencies, standards organizations related to the Internet of Things continue to proliferate. One such area for standard-setting is data security. For example, in August 2014, oneM2M, a global standards body, released a proposed security standard for IoT devices. The standard addresses issues such as authentication, identity management, and access control. 117

Commission Staff’s Views and Recommendations for Best Practices

This section sets forth the Commission staff’s views on the issues of data security, data minimization, and notice and choice with respect to the IoT and provides recommendations for best practices for companies.

DATA SECURITY

As noted, there appeared to be widespread agreement that companies developing IoT products should implement reasonable security. Participants also discussed a number of specific security best practices. The Commission staff encourages companies to consider adopting these

116 Article 29 Working Group Opinion, supra note 55.
117 See oneM2M, Technical Specification, oneM2M Security Solutions at 15-16, available at http://www.onem2m.org/images/files/deliverables/TS-0003-Security_Solutions-V-2014-08.pdf.

practices.
Of course, what constitutes reasonable security for a given device will depend on a number of factors, including the amount and sensitivity of data collected, the sensitivity of the device’s functionality, and the costs of remedying the security vulnerabilities. Nonetheless, the specific security best practices companies should consider include the following:

First, companies should implement “security by design” by building security into their devices at the outset, rather than as an afterthought. 118 One participant stated that security should be designed into every IoT product, at every stage of development, including “early on in the design cycle of a technology.” 119 In addition, a company should do a privacy or security risk assessment, consciously considering the risks presented by the collection and retention of consumer information. 120 As part of this process, companies should incorporate the use of smart defaults, such as requiring consumers to change default passwords – if they use default passwords at all – during the set-up process. 121 Companies also should consider how to minimize the data they collect and retain, as discussed further below. Finally, companies should test their security measures before launching their products. As one participant pointed out, such testing should occur because companies – and service providers they might use to help develop their products – may simply forget to close “backdoors” in their products through which intruders could access personal information or gain control of the device. 122 This last point was illustrated by the Commission’s recent actions against the operators of the Credit Karma and Fandango mobile apps. In these cases, the companies overrode the settings provided by the Android and iOS operating systems, so that SSL encryption was not properly implemented. As a result, the Commission alleged, hackers could decrypt the sensitive consumer financial information being transmitted by the apps. The orders in both cases include provisions requiring the companies to implement reasonable security. 123

118 Comment of ARM and AMD, #510 cmt. #00018 at 2; see also Remarks of Hagins, Transcript of Workshop at 111; Remarks of Jacobs, Transcript of Workshop at 296; Remarks of Caprio, Transcript of Workshop at 298.
119 Remarks of Kohno, Transcript of Workshop at 281.
120 Remarks of Chibba, Transcript of Workshop at 301; see also Remarks of Rogers, Transcript of Workshop at 343.
121 See generally Remarks of Rogers, Transcript of Workshop at 344 (“Default passwords are something that should never pass through into production space. It’s an easy thing to pick up with a very basic assessment, yet we are constantly seeing these come through because these companies aren’t often doing this kind of assessment − so they see it as a hindrance, an extra step. Or they claim the consumer should be responsible for setting the security, once it lands on the consumer’s desk which, at the end of the day, the consumers aren’t capable of setting that level of security, nor should they have to.”).

Second, companies must ensure that their personnel practices promote good security. As part of their personnel practices, companies should ensure that product security is addressed at the appropriate level of responsibility within the organization. One participant suggested that “if someone at an executive level has responsibility for security, it tends to drive hiring and processes and mechanisms throughout the entire organization that will improve security.” 124 Companies should also train their employees about good security practices, recognizing that technological expertise does not necessarily equate to security expertise.
Indeed, one participant stated that being able to write software code “doesn’t mean…understand[ing] anything whatsoever about the security of an embedded device.” 125

122 See generally Remarks of Heffner, Transcript of Workshop at 73-74.
123 Credit Karma, Inc., File No. 132-3091 (Mar. 28, 2014) (consent), available at http://www.ftc.gov/enforcement/cases-proceedings/132-3091/credit-karma-inc; Fandango, LLC, File No. 132-3089 (Mar. 28, 2014) (consent), available at http://www.ftc.gov/enforcement/cases-proceedings/132-3089/fandango-llc. See also HTC America, Inc., No. C-4406 (July 2, 2013) (consent) (alleging that HTC, among other things, failed to conduct assessments, audits, reviews, or tests to identify potential security vulnerabilities in its mobile devices), available at http://www.ftc.gov/enforcement/cases-proceedings/122-3049/htc-america-inc-matter.
124 Remarks of Hagins, Transcript of Workshop at 110.
125 Id. at 92.

Third, companies must work to ensure that they retain service providers that are capable of maintaining reasonable security, and provide reasonable oversight to ensure that those service providers do so. Failure to do so could result in an FTC law enforcement action. For example, in the Commission’s recent settlement with GMR Transcription Services, the Commission alleged that a medical and legal transcription company outsourced transcription services to independent typists in India without adequately checking to make sure they could implement reasonable security measures. According to the Commission’s complaint, among other things, the service provider stored transcribed notes in clear text on an unsecured server. As a result, U.S. consumers found their doctors’ notes of their physical examinations freely available through Internet searches. This case illustrates the strong need for appropriate service provider oversight.
Fourth, for systems with significant risk, companies should implement a defense-in-depth approach, where security measures are considered at several levels. For example, participants raised concerns about relying on the security of consumers’ own networks, such as passwords for their Wi-Fi routers, alone to protect the information on connected devices. 126 They noted that companies must take “additional steps to encrypt [the information] or otherwise secure it.” 127 FTC staff shares these concerns and encourages companies to take additional steps to secure information passed over consumers’ home networks. Indeed, encryption for sensitive information, such as that relating to health, is particularly important in this regard. 128 Regardless of the specific technology, companies should reasonably secure data in transit and in storage.

126 Id. at 102.
127 Remarks of Heffner, Transcript of Workshop at 102-03.
128 Remarks of Hall, Transcript of Workshop at 178-79.

Fifth, panelists noted that companies should consider implementing reasonable access control measures to limit the ability of an unauthorized person to access a consumer’s device, data, or even the consumer’s network. 129 In the IoT ecosystem, strong authentication could be used to permit or restrict IoT devices from interacting with other devices or systems. The privileges associated with the validated identity determine the permissible interactions between the IoT devices and could prevent unauthorized access and interactions. 130 In implementing these protections, companies should ensure that they do not unduly impede the usability of the device. As noted above, the proposed oneM2M security standard includes many of the recommendations discussed above. 131 Such efforts are important to the success of IoT.

Finally, companies should continue to monitor products throughout the life cycle and, to the extent feasible, patch known vulnerabilities.
Many IoT devices have a limited life cycle, resulting in a risk that consumers will be left with out-of-date IoT devices that are vulnerable to critical, publicly known security or privacy bugs. Companies may reasonably decide to limit the time during which they provide security updates and software patches, but it is important that companies weigh these decisions carefully. Companies should also be forthright in their representations about providing ongoing security updates and software patches. Disclosing the length of time companies plan to support and release software updates for a given product line will help consumers better understand the safe ‘expiration dates’ for their commodity Internet-connected devices. In addition, companies that do provide ongoing support should also notify consumers of security risks and updates.

129 See, e.g., BRETT C. TJADEN, FUNDAMENTALS OF SECURE COMPUTER SYSTEMS 5 (2004). See also HP, INTERNET OF THINGS RESEARCH STUDY, supra note 41, at 4-5 (noting that approximately 60% of IoT devices examined had weak credentials).
130 There may be other appropriate measures, as the security measures that a company should implement vary, depending on the risks presented by unauthorized access to the device, and the sensitivity of any information collected.
131 oneM2M Candidate Release August 2014, available at http://www.onem2m.org/technical/candidate-releaseaugust-2014 (last visited Dec. 19, 2014).

Several of these principles are illustrated by the Commission’s first case involving an Internet-connected device.
TRENDnet 132 marketed its Internet-connected cameras for purposes ranging from home security to baby monitoring, claiming that they were “secure.” In its complaint, the Commission alleged, among other things, that the company transmitted user login credentials in clear text over the Internet, stored login credentials in clear text on users’ mobile devices, and failed to test consumers’ privacy settings to ensure that video feeds marked as “private” would in fact be private. 133 As a result of these alleged failures, hackers were able to access live feeds from consumers’ security cameras and conduct “unauthorized surveillance of infants sleeping in their cribs, young children playing, and adults engaging in typical daily activities.” 134 This case demonstrates the importance of practicing security-by-design.

132 Press Release, FTC, Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers’ Privacy (Sept. 4, 2013), available at http://www.ftc.gov/news-events/pressreleases/2013/09/marketer-internet-connected-home-security-video-cameras-settles.
133 Complaint of FTC, TRENDnet, Inc., No. C-4426 (Feb. 7, 2014) (consent), available at http://www.ftc.gov/system/files/documents/cases/140207trendnetcmpt.pdf.
134 Id. at 5.

Of course, the IoT encompasses a wide variety of products and services, and, as noted, the specific security measures that a company needs to implement will depend on a number of factors. 135 Devices that collect sensitive information, present physical security or safety risks (such as door locks, ovens, or insulin pumps), or connect to other devices or networks in a manner that would enable intruders to access those devices or networks should be more robustly secured than, for example, devices that simply monitor room temperatures, miles run, or calories ingested.
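Three of the practices in this section (replacing the default password during set-up, keeping credentials out of clear-text storage, and testing before launch that a feed marked “private” is in fact private) can be shown together in a short Python sketch. This is an added example, not code from the FTC staff report or from any vendor; `Camera`, `LeakyCamera`, `prelaunch_checks` and the sample passwords are hypothetical names and constructed values.

```python
import hashlib
import hmac
import secrets

FACTORY_PASSWORD = "admin"  # constructed stand-in for a shipped default


class SetupRequired(Exception):
    """The factory password has not been replaced yet."""


class Camera:
    """Hypothetical connected camera; every name here is illustrative."""

    def __init__(self):
        self._salt = secrets.token_bytes(16)
        self._verifier = None   # no usable credential until set-up
        self._private = True    # smart default: the feed starts private
        self._sessions = set()

    def _derive(self, password):
        # Keep a salted, slow hash of the password, never the password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def complete_setup(self, new_password):
        """Set-up step: the owner must choose a password of their own."""
        if self._verifier is not None:
            raise PermissionError("device is already set up")
        if new_password == FACTORY_PASSWORD or len(new_password) < 12:
            raise ValueError("choose a new password of 12+ characters")
        self._verifier = self._derive(new_password)

    def login(self, password):
        """Return a session token, or None when the password is wrong."""
        if self._verifier is None:
            raise SetupRequired("complete set-up first")
        if not hmac.compare_digest(self._derive(password), self._verifier):
            return None
        token = secrets.token_urlsafe(32)
        self._sessions.add(token)
        return token

    def get_feed(self, token=None):
        """Serve one frame; a feed marked private needs a valid session."""
        if self._private and token not in self._sessions:
            raise PermissionError("feed is private")
        return b"<frame>"  # constructed stand-in for video data

    def stored_state(self):
        """Everything that would be written to the device's storage."""
        return {"salt": self._salt.hex(), "verifier": self._verifier.hex(),
                "private": self._private}


class LeakyCamera(Camera):
    """Constructed counter-example: clear-text credential, unenforced flag."""

    def complete_setup(self, new_password):
        super().complete_setup(new_password)
        self._clear_password = new_password

    def stored_state(self):
        return dict(super().stored_state(), password=self._clear_password)

    def get_feed(self, token=None):
        return b"<frame>"  # never consults the "private" setting


def prelaunch_checks(device_class):
    """Pre-launch test run; returns the failures found (empty means pass)."""
    failures = []
    owner_password = "correct horse battery"  # constructed test credential
    fresh = device_class()
    try:  # the factory password must never open a fielded device
        if fresh.login(FACTORY_PASSWORD) is not None:
            failures.append("factory password accepted before set-up")
    except SetupRequired:
        pass
    try:  # set-up must not let the owner keep the factory password
        fresh.complete_setup(FACTORY_PASSWORD)
        failures.append("set-up kept the factory password")
    except ValueError:
        pass
    dev = device_class()
    dev.complete_setup(owner_password)
    if dev.login(FACTORY_PASSWORD) is not None:
        failures.append("factory password accepted after set-up")
    if owner_password in repr(dev.stored_state()):
        failures.append("credential stored in clear text")
    try:  # a feed marked private must in fact be private
        dev.get_feed()
        failures.append("private feed served without login")
    except PermissionError:
        pass
    token = dev.login(owner_password)
    if token is None or dev.get_feed(token) != b"<frame>":
        failures.append("owner cannot view own feed")
    return failures
```

Running `prelaunch_checks` against both classes shows the kind of basic assessment the workshop participants describe: the hardened class passes, and the counter-example is stopped before launch by the clear-text and privacy-setting checks.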
DATA MINIMIZATION

Commission staff agrees with workshop participants who stated that the data minimization principle remains relevant and important to the IoT. 136 While staff recognizes that companies need flexibility to innovate around new uses of data, staff believes that these interests can and should be balanced with the interests in limiting the privacy and data security risks to consumers. 137 Accordingly, companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. 138

135 See, e.g., FTC, Commission Statement Marking the FTC’s 50th Data Security Settlement (Jan. 31, 2014), available at http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf: The touchstone of the Commission’s approach to data security is reasonableness: a company’s data security measures must be reasonable and appropriate in light of the sensitivity and volume of consumer information it holds, the size and complexity of its business, and the cost of available tools to improve security and reduce vulnerabilities. Through its settlements, testimony, and public statements, the Commission has made clear that it does not require perfect security; reasonable and appropriate security is a continuous process of assessing and addressing risks; there is no one-size-fits-all data security program; and the mere fact that a breach occurred does not mean that a company has violated the law.
136 See, e.g., Remarks of Tien, Transcript of Workshop at 107–08; Comment of Ctr. for Democracy & Tech., #510 cmt. #00016 at 6–7.
137 See, e.g., Comment of Ctr. for Democracy & Tech., #510 cmt. #00016 at 3; Remarks of Chibba, Transcript of Workshop at 329–30.
138 Privacy Report, supra note 85, at 26–27; see also Mobile Disclosures Report, supra note 96, at 1 n.2; FTC, Data Brokers: A Call for Transparency and Accountability 55 (2014) (“Data Broker Report”), available at http://www.ftc.gov/system/files/documents/reports/data-brokers-call-transparency-accountability-report-federaltrade-commission-may-2014/140527databrokerreport.pdf.

Data minimization is a long-standing principle of privacy protection and has been included in several policy initiatives, including the 1980 OECD Privacy Guidelines, the 2002 Asia-Pacific Economic Cooperation (“APEC”) Privacy Principles, and the 2012 White House Consumer Privacy Bill of Rights. 139 Some observers have debated how data minimization would apply to new technologies. 140 In the IoT ecosystem, data minimization is challenging, but it remains important. 141

139 See Privacy Report, supra note 85, at 26–27; OECD, Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, at ¶ 7 (2013), available at http://www.oecd.org/sti/ieconomy/2013-oecdprivacy-guidelines.pdf (same); Dept. of Homeland Security, The Fair Information Practice Principles: Framework for Privacy Policy at the Department of Homeland Security § 5 (Dec. 29, 2008), available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_policyguide_2008-01.pdf (stating a Data Minimization principle: “DHS should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).”); Exec. Office of the President, National Strategy for Trusted Identities in Cyberspace 45 (Apr. 2011), available at http://www.whitehouse.gov/sites/default/files/rss_viewer/NSTICstrategy_041511.pdf (stating a Data Minimization principle: “Organizations should only collect PII that is directly relevant and necessary to accomplish the specified purpose(s) and only retain PII for as long as is necessary to fulfill the specified purpose(s).”).
140 See White House Big Data Report, supra note 114, at 54 (Because “the logic of collecting as much data as possible is strong … focusing on controlling the collection and retention of personal data, while important, may no longer be sufficient to protect personal privacy.”); PCAST Report at x-xi (“[A] policy focus on limiting data collection will not be a broadly applicable or scalable strategy – nor one likely to achieve the right balance between beneficial results and unintended negative consequences (such as inhibiting economic growth).”).
141 See, e.g., Remarks of Tien, Transcript of Workshop at 107–08; Comment of Ctr. for Democracy & Tech., #510 cmt. #00016 at 6–7. See also Article 29 Working Group Opinion, supra note 55, at 16–17.

Indeed, data minimization can help guard against two privacy-related risks. First, collecting and retaining large amounts of data increases the potential harms associated with a data breach, both with respect to data stored on the device itself as well as in the cloud. Larger data stores present a more attractive target for data thieves, both outside and inside a company – and increases the potential harm from such an event. 142 Thieves cannot steal data that has been deleted after serving its purpose; nor can thieves steal data that was not collected in the first place. Indeed, in several of its data security cases, the Commission has alleged that companies could have mitigated the harm associated with a data breach by disposing of customer information they no longer had a business need to keep. 143

Second, if a company collects and retains large amounts of data, there is an increased risk that the data will be used in a way that departs from consumers’ reasonable expectations.
For example, in 2010, Commission staff sent a letter to the founders of XY magazine, a magazine for gay youth, regarding their negotiations to sell in bankruptcy customer information dating back to as early as 1996. The staff noted that, because the magazine had ceased to exist for a period of three years, the subscribers were likely to have become adults and moved on, and because continued use of their information would have been contrary to their reasonable expectations, XY should delete the personal information. 144 In this case, the risk associated with continued storage and use of the subscribers’ personal information contrary to their reasonable expectations would not have existed if the company had engaged in reasonable data minimization practices.

142 Remarks of Chibba, Transcript of Workshop at 340; Privacy Report, supra note 85, at 27–29.
143 See CardSystems Solutions, Inc., No. C-4168, 2006 WL 2709787 (F.T.C. Sept. 5, 2006) (consent order), available at http://www.ftc.gov/enforcement/cases-proceedings/052-3148/cardsystems-solutions-inc-solidusnetworks-inc-dba-pay-touch; DSW, Inc., No. C-4157, 2006 WL 752215 (F.T.C. Mar. 7, 2006) (consent order); BJ’s Wholesale Club, Inc., 140 F.T.C. 465 (2005) (consent order), available at http://www.ftc.gov/enforcement/casesproceedings/042-3160/bjs-wholesale-club-inc-matter. Commissioner Ohlhausen was not a commissioner at the time of these cases and therefore did not participate in them.
144 Letter from David C. Vladeck, Dir., FTC Bureau of Consumer Prot., to Peter Larson and Martin E. Shmagin (July 1, 2010), available at http://www.ftc.gov/enforcement/cases-proceedings/closing-letters/letter-xy-magazinexycom-regarding-use-sale-or.

Although these examples are not IoT-specific, they demonstrate the type of risk created by the expansive collection and retention of data. To minimize these risks, companies should examine their data practices and business needs and develop policies and practices that impose reasonable limits on the collection and retention of consumer data. 145 Such an exercise is integral to a privacy-by-design approach and helps ensure that the company has given thought to its data collection practices on the front end by asking questions such as what types of data it is collecting, to what end, and how long it should be stored. 146 The process of mindfully considering data collection and retention policies and engaging in a data minimization exercise could also serve an education function for companies, while at the same time, protecting consumer privacy. 147

145 Comment of Transatl. Computing Continuum Policy Alliance, #484 cmt. #00021 at 4.
146 Id. See also Remarks of Chibba, Transcript of Workshop at 330.
147 Comment of Transatl. Computing Continuum Policy Alliance, #484 cmt. #00021 at 4.

As an example of how data minimization might work in practice, suppose a wearable device, such as a patch, can assess a consumer’s skin condition. The device does not need to collect precise geolocation information in order to work; however, the device manufacturer believes that such information might be useful for a future product feature that would enable users to find treatment options in their area. As part of a data minimization exercise, the company should consider whether it should wait to collect geolocation until after it begins to offer the new product feature, at which time it could disclose the new collection and seek consent. The company should also consider whether it could offer the same feature while collecting less information, such as by collecting zip code rather than precise geolocation. If the company does decide it needs the precise geolocation information, it should provide a prominent disclosure about its collection and use of this information, and obtain consumers’ affirmative express consent.
Finally, it should establish reasonable retention limits for the data it does collect.

To the extent that companies decide they need to collect and maintain data to satisfy a business purpose, they should also consider whether they can do so while maintaining data in de-identified form. This may be a viable option in some contexts and helps minimize the individualized data companies have about consumers, and thus any potential consumer harm, while promoting beneficial societal uses of the information. For example, one university hospital offers a website and an associated smart phone app that collect information from consumers, including geolocation information, to enable users to find and report flu activity in their area. 148 The hospital can maintain and post information in anonymous and aggregate form, which can benefit public health authorities and the public, while at the same time maintaining consumer privacy.

A key to effective de-identification is to ensure that the data cannot be reasonably re-identified. For example, U.S. Department of Health and Human Services regulations 149 require entities covered by HIPAA to either remove certain identifiers, such as date of birth and five-digit zip code, from protected health information 150 or have an expert determine that the risk of re-identification is “very small.” 151 As one participant discussed, 152 in 2009, a group of experts attempted to re-identify approximately 15,000 patient records that had been de-identified under the HIPAA standard. They used commercial data sources to re-identify the data and were able to identify only 0.013% of the individuals. 153 While de-identification can be challenging in several contexts, 154 appropriately de-identified data sets that are kept securely and accompanied by strong accountability mechanisms, can reduce many privacy risks.

148 See Flu Near You, available at https://flunearyou.org/.
149 45 C.F.R. §§ 164.514(a)-(c).
150 45 C.F.R. § 165.514(b)(2).
151 45 C.F.R. § 165.514(b)(1).
152 Comment of Future of Privacy Forum, #510 cmt. #00013, Appendix A at 8.
153 Id.
154 Technical experts continue to evaluate the effectiveness of deidentification for different types of data, and some urge caution in interpreting claims about the effectiveness of specific technical means of deidentification. See, e.g., Arvind Narayanan and Edward Felten, No Silver Bullet: De-Identification Still Doesn’t Work (July 9, 2014), available at http://randomwalker.info/publications/no-silver-bullet-de-identification.pdf.

Of course, as technology improves, there is always a possibility that purportedly de-identified data could be re-identified. 155 This is why it is also important for companies to have accountability mechanisms in place. When a company states that it maintains de-identified or anonymous data, the Commission has stated that companies should (1) take reasonable steps to de-identify the data, including by keeping up with technological developments; (2) publicly commit not to re-identify the data; and (3) have enforceable contracts in place with any third parties with whom they share the data, requiring the third parties to commit not to re-identify the data. 156 This approach ensures that if the data is not reasonably de-identified and then is re-identified in the future, regulators can hold the company responsible.

155 See, e.g., Ann Cavoukian and Khaled El Emam, De-identification Protocols: Essential for Protecting Privacy (June 25, 2014), available at http://www.privacybydesign.ca/content/uploads/2014/06/pbd-deidentifcation_essential.pdf; Comment of Ctr. for Democracy & Tech, #510 cmt. #00016 at 8; Privacy Report, supra note 85, at 21.
156 See Privacy Report, supra note 85, at 21; see also Comment of Future of Privacy Forum, #510 cmt. #00013, Appendix A at 7.

With these recommendations on data minimization, Commission staff is mindful of the need to balance future, beneficial uses of data with privacy protection. For this reason, staff’s recommendation is a flexible one that gives companies many options: they can decide not to collect data at all; collect only the fields of data necessary to the product or service being offered; collect data that is less sensitive; or de-identify the data they collect. If a company determines that none of these options work, it can seek consumers’ consent for collecting additional, unexpected data. In addition, in considering reasonable collection and retention limits, it is appropriate to consider the sensitivity of the data at issue: the more sensitive the data, the more harmful it could be if the data fell into the wrong hands or were used for purposes the consumer would not expect. Through this approach, a company can minimize its data collection, consistent with its business goals. 157 As one participant noted, “[p]rotecting privacy and enabling innovation are not mutually exclusive and must consider principles of accountability and privacy by design.” 158

157 See, e.g., Comment of Future of Privacy Forum, #484 cmt. #00013 at 10 (describing its Smart Grid privacy seal).
158 Comment of Transatl. Computing Continuum Policy Alliance, #484 cmt. #00021 at 3. See also Remarks of Chibba, Transcript of Workshop at 330.

NOTICE AND CHOICE

While the traditional methods of providing consumers with disclosures and choices may need to be modified as new business models continue to emerge, staff believes that providing notice and choice remains important, as potential privacy and security risks may be heightened due to the pervasiveness of data collection inherent in the IoT. Notice and choice is particularly important when sensitive data is collected. 159

159 See, e.g., Comment of Future of Privacy Forum, #510 cmt. #00013 at 6 (“In some cases, however, such as when consumers are purchasing connected devices that will collect personally identifiable health information, the presentation of privacy policies will be important to helping consumers make informed choices.”); Comment of Ctr. for Digital Democracy, #484 cmt. #00006 at 3 (“[T]he combined impact of the mobile marketing and real-time data revolution and the Internet of Things places consumer privacy at greater risk than ever before.”).

Moreover, staff believes that providing consumers with the ability to make informed choices remains practicable in the IoT. This does not mean that every data collection requires choice. The Commission has recognized that providing choices for every instance of data collection is not necessary to protect privacy. In its 2012 Privacy Report, which set forth recommended best practices, the Commission stated that companies should not be compelled to provide choice before collecting and using consumer data for practices that are consistent with the context of a transaction or the company’s relationship with the consumer. Indeed, because these data uses are generally consistent with consumers’ reasonable expectations, the cost to consumers and businesses of providing notice and choice likely outweighs the benefits. 160 This principle applies equally to the Internet of Things.
For example, suppose a consumer buys a smart oven from ABC Vending, which is connected to an ABC Vending app that allows the consumer to remotely turn the oven on to the setting, “Bake at 400 degrees for one hour.” If ABC Vending decides to use the consumer’s oven-usage information to improve the sensitivity of its temperature sensor or to recommend another of its products to the consumer, it need not offer the consumer a choice for these uses, which are consistent with its relationship with the consumer. On the other hand, if the oven manufacturer shares a consumer’s personal data with, for example, a data broker or an ad network, such sharing would be inconsistent with the context of the consumer’s relationship with the manufacturer, and the company should give the consumer a choice. The practice of distinguishing contextually appropriate data practices from those that are inconsistent with context reduces the need for companies to provide opportunities for consumer choice before every single data collection.

160 Privacy Report, supra note 85, at 38-39; id. at 38 (“The Commission believes that for some practices, the benefits of providing choice are reduced – either because consent can be inferred or because public policy makes choice unnecessary.”).

Staff acknowledges the practical difficulty of providing choice when there is no consumer interface, and recognizes that there is no one-size-fits-all approach. Some options – several of which were discussed by workshop participants – include the following:

• Choices at point of sale: One auto industry participant noted that his company provides consumers with opt-in choices at the time of purchase in “[p]lain language and multiple choices of levels.” 161
• Tutorials: Facebook offers a video tutorial to guide consumers through its privacy settings page. IoT device manufacturers can offer similar vehicles for explaining and providing choices to consumers.
• Codes on the device: Manufacturers could affix a QR code or similar barcode that, when scanned, would take the consumer to a website with information about the applicable data practices and enable consumers to make choices through the website interface. 162
• Choices during set-up: Many IoT devices have an initial set-up wizard, through which companies could provide clear, prominent, and contextual privacy choices.
• Management portals or dashboards: 163 In addition to the availability of initial set-up choices, IoT devices could also include privacy settings menus that consumers can configure and revisit. For example, in the mobile context, both Apple and Google (for Android) have developed dashboard approaches that seem promising – one that is framed by data elements, such as geolocation and contacts (Apple), and one that is framed by individual apps (Android). 164 Similarly, companies developing “command centers” for their connected home devices 165 could incorporate similar privacy dashboards. Properly implemented, such “dashboard” approaches can allow consumers clear ways to determine what information they agree to share.
• Icons: Devices can use icons to quickly convey important settings and attributes, such as when a device is connected to the Internet, with a toggle for turning the connection on or off.
• “Out of Band” communications requested by consumers: When display or user attention is limited, it is possible to communicate important privacy and security settings to the user via other channels. For example, some home appliances allow users to configure their devices so that they receive important information through emails or texts.
• General Privacy Menus: In addition to the types of specific settings and choices described above, devices and their associated platforms could enable consumers to aggregate choices into “packets.” 166 This could involve having more general settings like “low privacy,” “medium,” or “high,” accompanied by a clear and conspicuous explanation of the settings.
• A User Experience Approach: One participant noted that companies could consider an approach that applies learning from consumer behavior on IoT devices, in order to personalize choices. 167 For example, a manufacturer that offers two or more devices could use the consumer’s preferences on one device (e.g., “do not transmit any of my information to third parties”) to set a default preference on another. As another example, a single device, such as a home appliance “hub” that stores data locally – say on the consumer’s home network – could learn a consumer’s preferences based on prior behavior and predict future privacy preferences as new appliances are added to the hub.

161 Remarks of Kenneth Wayne Powell, Toyota Technical Center (“Powell”), Transcript of Workshop at 278.
162 See Article 29 Working Group Opinion, supra note 55, at 18 (proposing that a “device manufacturer could print on things equipped with sensors a QR code, or a flashcode describing the type of sensors and the information it captures as well as the purposes of these data collections”).
163 Comment of Future of Privacy Forum, #484 cmt. #00013 at 6.
164 See Mobile Disclosures Report, supra note 96, at 16-17.
165 Don Clark, The Race to Build Command Centers for Smart Homes, WALL ST. J. (Jan. 4, 2015), available at http://www.wsj.com/articles/the-race-to-build-command-centers-for-smart-homes-1420399511.
166 Remarks of Joseph Lorenzo Hall, Center for Democracy & Technology (“Hall”), Transcript of Workshop at 216.
167 Remarks of Nguyen, Transcript of Workshop at 48.

Of course, whatever approach a company decides to take, the privacy choices it offers should be clear and prominent, and not buried within lengthy documents. 168 In addition, companies may want to consider using a combination of approaches.
Staff also recognizes concerns discussed at the workshop 169 and, as noted above, in the White House Big Data Report and PCAST Report that, applied aggressively, a notice and choice approach could restrict unexpected new uses of data with potential societal benefits. For this reason, staff has incorporated certain elements of the use-based model into its approach. For instance, the idea of choices being keyed to context takes into account how the data will be used: if a use is consistent with the context of the interaction – in other words, it is an expected use – then a company need not offer a choice to the consumer. For uses that would be inconsistent with the context of the interaction (i.e., unexpected), companies should offer clear and conspicuous choices. Companies should not collect sensitive data without affirmative express consent.

In addition, if a company enables the collection of consumers’ data and de-identifies that data immediately and effectively, it need not offer choices to consumers about this collection. As noted above, robust de-identification measures can enable companies to analyze data they collect in order to innovate in a privacy-protective way. 170 Companies can use such de-identified data without having to offer consumers choices.

168 This discussion refers to how companies should communicate choices to consumers. Lengthy privacy policies are not the most effective consumer communication tool. However, providing disclosures and choices through these privacy policies serves an important accountability function, so that regulators, advocacy groups, and some consumers can understand and compare company practices and educate the public. See Privacy Report, supra note 85, at 61-64.
169 See, e.g., Comment of Future of Privacy Forum, #510 cmt. #00013, App. A at 9; Comment of GS1 US, #484 cmt. #00030 at 5; Comment of Software & Info. Indus. Ass’n., #484 cmt. #00025 at 6-9.
170 See, e.g., Comment of CTIA – The Wireless Ass’n, #484 cmt. #00009 at 10-11; Comment of Future of Privacy Forum, #510 cmt. #00013 at 5.

Staff also notes that existing laws containing elements of the use-based approach apply to the IoT. The FCRA sets forth a number of statutory protections applicable to “consumer report” information, including restrictions on the uses for which this information can be shared. 171 Even when there is a permissible use for such information, the FCRA imposes an array of protections, including those relating to notice, access, disputes, and accuracy. 172 In addition, the FTC has used its “unfairness” authority to challenge a number of harmful uses of consumer data. For example, in the agency’s recent case against Leap Lab, the Commission alleged that defendants sold consumer payday loan applications that included consumers’ Social Security and financial account numbers to non-lenders that had no legitimate need for this sensitive personal information. 173

Staff has concerns, however, about adopting solely a use-based model for the Internet of Things. First, because use-based limitations have not been fully articulated in legislation or other widely-accepted multistakeholder codes of conduct, it is unclear who would decide which additional uses are beneficial or harmful. 174 If a company decides that a particular data use is beneficial and consumers disagree with that decision, this may erode consumer trust. For example, there was considerable consumer outcry over Facebook’s launch of the Beacon service, as well as Google’s launch of the Buzz social network, which ultimately led to an FTC enforcement action. 175

171 FCRA, 15 U.S.C. § 1681–1681v. Section 604 of the FCRA sets forth the permissible purposes for which a consumer reporting company may furnish consumer report information, such as to extend credit or insurance or for employment purposes. 15 U.S.C. 1681b.
172 FCRA, 15 U.S.C. § 1681–1681v.
173 Press Release, FTC, FTC Charges Data Broker with Facilitating the Theft of Millions of Dollars from Consumers’ Accounts (Dec. 23, 2014), available at http://www.ftc.gov/news-events/press-releases/2014/12/ftccharges-data-broker-facilitating-theft-millions-dollars.
174 ANN CAVOUKIAN ET AL., INFO. & PRIVACY COMM’R, ONT., CAN., THE UNINTENDED CONSEQUENCES OF PRIVACY PATERNALISM (2014), available at http://www.privacybydesign.ca/content/uploads/2014/03/pbdprivacy_paternalism.pdf.
175 See, e.g., Google Inc., No. C-4336 (Oct. 13, 2011) (consent order), available at http://www.ftc.gov/sites/default/files/documents/cases/2011/10/111024googlebuzzdo.pdf.

Second, use limitations alone do not address the privacy and security risks created by expansive data collection and retention. As explained above, keeping vast amounts of data can increase a company’s attractiveness as a data breach target, as well as the risk of harm associated with any such data breach. For this reason, staff believes that companies should seek to reasonably limit the data they collect and dispose of it when it is no longer needed.

Finally, a use-based model would not take into account concerns about the practice of collecting sensitive information. 176 Consumers would likely want to know, for example, if a company is collecting health information or making inferences about their health conditions, even if the company ultimately does not use the information. 177

176 In addition to collecting sensitive information outright, companies might create sensitive information about consumers by making inferences from other data that they or others have already collected. A use-based model might not address, or provide meaningful notice about, sensitive inferences. The extent to which a use-based model limits or prohibits sensitive inferences will depend on how the model defines harms and benefits and how it balances the two, among other factors.
177 Of course, if a company misstates how it uses data, this could be a deceptive practice under Section 5 of the FTC Act. The FTC has brought cases against companies that promise to use consumers’ data one way, but used it in another way. See, e.g., Google Inc., supra note 175. The FTC can also use its unfairness authority to prohibit uses of data that cause or are likely to cause substantial injury to a consumer, where that injury was not reasonably avoidable by the consumer, and where the injury was not outweighed by a benefit to consumers or competition. See, e.g., Designerware, LLC, No. C-4390 (Apr. 11, 2013) (consent order) (alleging that installing and turning on webcams on people’s home computers without their knowledge or consent was an unfair practice), available at http://www.ftc.gov/enforcement/cases-proceedings/112-3151/designerware-llc-matter.

The establishment of legislative or widely-accepted multistakeholder use-based frameworks could potentially address some of these concerns and should be considered. For example, the framework could set forth permitted or prohibited uses. In the absence of such legislative or widely accepted multistakeholder frameworks, however, the approach set forth here – giving consumers information and choices about their data – continues to be the most viable one for the IoT in the foreseeable future.

Legislation

Summary of Workshop Discussions

Workshop participants discussed whether legislation is needed to ensure appropriate protections for data collected through connected devices. Some participants expressed trepidation that the benefits of the IoT might be adversely affected should policymakers enact laws or regulations on industry. 178 One participant stated, “[t]he FTC should be very cautious about proposing regulation of this sector, given its importance to innovation in America.” 179 Another participant noted that “we should be careful to kind of strike a balance between guiding companies in the right direction and enforcing.” 180 Still another worried that the workshop might “represent[] the beginning of a regulatory regime for a new set of information technologies that are still in their infancy” and advised policymakers to “exercise restraint and avoid the impulse to regulate before serious harms are demonstrated.” 181 Another participant questioned what legislation would look like, given the difficulty of defining the contours of privacy rights. 182

A number of participants noted that self-regulation is the appropriate approach to take to the IoT. One participant stated, “self-regulation and best business practices – that are technology neutral – along with consumer education serve as the preferred framework for protecting consumer privacy and security while enhancing innovation, investment, competition, and the free flow of information essential to the Internet of Things.” 183 Another participant agreed, stating “[s]elf-regulatory regimes have worked well to ensure consumer privacy and foster innovation, and industry has a strong track record of developing and implementing best practices to protect information security.” 184

178 See, e.g., Comment of Direct Mktg. Ass’n, #484 cmt. #00010.
179 Comment of Internet Commerce Coal., #484 cmt. #00020 at 2.
180 Remarks of Rogers, Transcript of Workshop at 359.
181 Comment of Tech. Policy Program of the Mercatus Ctr., George Mason Univ., #484 cmt. #00024 at 1 and 9.
182 Remarks of Cerf, Transcript of Workshop at 149-50 (“Well, I have to tell you that regulation is tricky. And I don’t know, if somebody asked me, would you write a regulation for this, I would not know what to say. I don’t think I have enough understanding of all of the cases that might arise in order to say something useful about this, which is why I believe we are going to end up having to experience problems before we understand the nature of the problems and maybe even the nature of the solutions.”).

Other participants noted that the time is ripe for legislation, either specific to the IoT or more generally. 185 One participant who called for legislation noted that the “explosion of fitness and health monitoring devices is no doubt highly beneficial to public health and worth encouraging,” but went on to state:

At the same time, data from these Internet of Things devices should not be usable by insurers to set health, life, car, or other premiums. Nor should these data migrate into employment decisions, credit decisions, housing decisions, or other areas of public life. To aid the development of the Internet of Things—and reap the potential public health benefits these devices can create—we should reassure the public that their health data will not be used to draw unexpected inferences or incorporated into economic decisionmaking. 186

183 Comment of U.S. Chamber of Commerce, #510 cmt. #00011 at 3.
184 Comment of Consumer Elec. Ass’n, #484 cmt. #00027 at 18.
185 Remarks of Hall, Transcript of Workshop at 180-81 (supporting baseline privacy legislation); see also Remarks of Jacobs, Transcript of Workshop at 360 (emphasizing importance of enforcement “in the meantime”).
186 Peppet, Regulating the Internet of Things, supra note 62, at 151.

Recommendations

The Commission staff recognizes that this industry is in its relatively early stages. Staff does not believe that the privacy and security risks, though real, need to be addressed through IoT-specific legislation at this time. Staff agrees with those commenters who stated that there is great potential for innovation in this area, and that legislation aimed specifically at the IoT at this stage would be premature. Staff also agrees that development of self-regulatory programs 187 designed for particular industries would be helpful as a means to encourage the adoption of privacy- and security-sensitive practices.

However, while IoT-specific legislation is not needed, the workshop provided further evidence that Congress should enact general data security legislation. As noted above, there was wide agreement among workshop participants about the importance of securing Internet-enabled devices, with some participants stating that many devices now available in the market are not reasonably secure, posing risks to the information that they collect and transmit and also to information on consumers’ networks or even to others on the Internet. 188 These problems highlight the need for substantive data security and breach notification legislation at the federal level.

The Commission has continued to recommend that Congress enact strong, flexible, and technology-neutral legislation to strengthen the Commission’s existing data security enforcement tools and require companies to notify consumers when there is a security breach. Reasonable and appropriate security practices are critical to addressing the problem of data breaches and protecting consumers from identity theft and other harms. Notifying consumers of breaches after they occur helps consumers protect themselves from any harm that is likely to be caused by the misuse of their data. These principles apply equally to the IoT ecosystem. 189

187 Remarks of Lightner, Transcript of Workshop at 56-57 (discussing voluntary code of conduct for energy data); Comment of Future of Privacy Forum, #484 cmt. #00013 (discussing self-regulatory efforts in a variety of contexts).
188 See discussion supra pp. 10-14 and accompanying notes.
189 One commenter argued that breach notification laws should be even broader in the IoT context. See Remarks of Peppet, Transcript of Workshop at 220 (urging that breach notification laws be extended for the IoT to cover additional types of information that would lead to consumer harm but would not meet the definition of personal information protected under existing laws). The Commission has not taken a position on such an approach at this time.

We emphasize that general technology-neutral data security legislation should protect against unauthorized access to both personal information and device functionality itself. The security risks associated with IoT devices, which are often not limited to the compromise of personal information but also implicate broader health and safety concerns, illustrate the importance of these protections. For example, if a pacemaker is not properly secured, the concern is not merely that health information could be compromised, but also that a person wearing it could be seriously harmed. 190 Similarly, a criminal who hacks into a car’s network could cause a car crash. Accordingly, general data security legislation should address risks to both personal information and device functionality.

In addition, the pervasiveness of information collection and use that the IoT makes possible reinforces the need for baseline privacy standards. 191 Commission staff thus again recommends that Congress consider enacting broad-based (as opposed to IoT-specific) privacy legislation. Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as when to provide privacy notices to consumers and offer them choices about data collection and use practices. Although the Commission currently has authority to take action against some IoT-related practices, it cannot mandate certain basic privacy protections – such as privacy disclosures or consumer choice – absent a specific showing of deception or unfairness.

The Commission has issued a report and testified before Congress calling for baseline federal privacy legislation. 192 These recommendations have been based on concerns about the lack of transparency regarding some companies’ data practices and the lack of meaningful consumer control of personal data. These concerns permeate the IoT space, given the ubiquity of information collection, the broad range of uses that the IoT makes possible, the multitude of companies involved in collecting and using information, and the sensitivity of some of the data at issue.

Staff believes such legislation will help build trust in new technologies that rely on consumer data, such as the IoT. Consumers are more likely to buy connected devices if they feel that their information is adequately protected. 193 A 2012 survey shows, for example, that a majority of consumers uninstalled an app because they were concerned that it was collecting too much personal information, or declined to install an app at all. 194 A 2014 survey shows that 87% of consumers are concerned about the type of data collected through smart devices, and 88% of consumers want to control the data that is collected through smart devices. 195 Surveys also show that consumers are more likely to trust companies that provide them with transparency and choices. 196 General privacy legislation that provides for greater transparency and choices could help both consumers and businesses by promoting trust in the burgeoning IoT marketplace.

190 Andrea Peterson, Yes, Terrorists Could Have Hacked Dick Cheney’s Heart, WASH. POST (Oct. 21, 2013), http://www.washingtonpost.com/blogs/the-switch/wp/2013/10/21/yes-terrorists-could-have-hacked-dick-cheneysheart/.
191 Commissioner Ohlhausen disagrees with this portion of the staff’s recommendation. She believes that the FTC’s current Section 5 authority to prohibit unfair and deceptive acts or practices already requires notice and choice for collecting sensitive personally identifiable information and protects against uses of consumer information that cause or are likely to cause substantial consumer harm not outweighed by benefits to consumers or competition. Furthermore, the FCRA, HIPAA, and other laws already provide additional sector-specific privacy protections. Thus, Commissioner Ohlhausen questions what harms baseline privacy legislation would reach that the FTC’s existing authority cannot.
192 See, e.g., Privacy Report, supra note 85, at 12-13; The Need for Privacy Protections: Perspectives from the Administration and the Federal Trade Commission Before the S. Comm. On Commerce, Science & Transportation (May 9, 2012) (statement of FTC), available at http://www.ftc.gov/sites/default/files/documents/public_statements/prepared-statement-federal-trade-commissionneed-privacy-protections-perspectives-administration-and/120509privacyprotections.pdf.
193 Remarks of Chibba, Transcript of Workshop at 312-13; see also Remarks of Wolf, Transcript of Workshop at 260 (noting that “the Michigan Department of Transportation and the Center for Automotive Research identified security as the primary concern for connected car technologies”); Comment of Future of Privacy Forum, #484 cmt. #00013 at 5 (“If there are lax controls and insufficient oversight over the collection of personal information through connected devices, consumers will lose trust in the evolving technologies. Even with proper controls and oversight, helping consumers understand the benefits from these innovations and the protections in place is important lest they feel that personal control has been sacrificed for corporate gain.”).
194 JAN LAUREN BOYLES ET AL., PEW INTERNET PROJECT, PRIVACY AND DATA MANAGEMENT ON MOBILE DEVICES (2012), available at http://www.pewinternet.org/files/oldmedia//Files/Reports/2012/PIP_MobilePrivacyManagement.pdf.
In addition, as demonstrated at the workshop, general privacy legislation could ensure that consumers’ data is protected, regardless of who is asking for it. For example, workshop participants discussed the fact that HIPAA protects sensitive health information, such as medical diagnoses, names of medications, and health conditions, but only if it is collected by certain entities, such as a doctor’s office or insurance company. 197 Increasingly, however, health apps are collecting this same information through consumer-facing products, to which HIPAA protections do not apply. Commission staff believes that consumers should have transparency and choices over their sensitive health information, regardless of who collects it. Consistent standards would also level the playing field for businesses.

195 The TRUSTe Internet of Things Privacy Index, 2014 U.S. Edition, available at http://www.truste.com/usinternet-of-things-index-2014/.
196 See, e.g., Adam DeMartino, Evidon, RESEARCH: Consumers Feel Better About Brands that Give Them Transparency and Control Over Ads (Nov. 10, 2010), available at http://www.evidon.com/blog/researchconsumers-feel-better-about-brands-that-give-them-transparency-and-control-over-ads; Scott Meyer, Data Transparency Builds Trust, BRANDREPUBLIC (Oct. 31, 2012), available at http://www.brandrepublic.com/news/1157134/; TRUSTe, New TRUSTe Survey Finds Consumer Education and Transparency Vital for Sustainable Growth and Success of Online Behavioral Advertising (July 25, 2011), available at http://www.truste.com/about-TRUSTe/press-room/news_truste_behavioral_advertising_survey_2011.
197 Remarks of Hall, Transcript of Workshop at 179; Remarks of T. Drew Hickerson, Happtique, Transcript of Workshop at 350; Comment of Ctr. for Democracy & Tech, #510 cmt. #00016 at 12.
While Commission staff encourages Congress to consider privacy and security legislation, we will continue to use our existing tools to ensure that IoT companies continue to consider security and privacy issues as they develop new devices and services. Specifically, we will engage in the following initiatives:

• Law enforcement: The Commission enforces the FTC Act, the FCRA, the Children’s Online Privacy Protection Act, the health breach notification provisions of the HI-TECH Act, and other laws that might apply to the IoT. Where appropriate, staff will recommend that the Commission use its authority to take action against any actors it has reason to believe are in violation of these laws. The TRENDNet case, discussed above, was the Commission’s first IoT case. We will continue to look for cases involving companies making IoT devices that, among other things, do not maintain reasonable security, make misrepresentations about their privacy practices, or violate the requirements of the FCRA when they use information for credit, employment, insurance, or other eligibility decisions. Staff believes that a strong FTC law enforcement presence will help incentivize appropriate privacy and security-protective practices by companies manufacturing and selling connected devices.

• Consumer and business education: Consumers should understand how to get more information about the privacy of their IoT devices, how to secure their home networks that connect to IoT devices, and how to use any available privacy settings. Businesses, and in particular small businesses, would benefit from additional information about how to reasonably secure IoT devices. The Commission staff will develop new consumer and business education materials in this area.

• Participation in multi-stakeholder groups: Currently, Commission staff is working with a variety of groups that are considering guidelines related to the Internet of Things. For example, staff participates in NTIA’s multi-stakeholder group that is considering guidelines for facial recognition and the Department of Energy’s multi-stakeholder effort to develop guidelines for smart meters. Even in the absence of legislation, these efforts can result in best practices for companies developing connected devices, which can significantly benefit consumers. Commission staff will continue to participate in multistakeholder groups to develop guidelines related to the IoT.

• Advocacy: Finally, where appropriate, the Commission staff will look for advocacy opportunities with other agencies, state legislatures, and courts to promote protections in this area. Among other things, staff will share the best practices discussed in this report with other government entities in order to ensure that they consider privacy and security issues.

Conclusion

The IoT presents numerous benefits to consumers, and has the potential to change the ways that consumers interact with technology in fundamental ways. In the future, the Internet of Things is likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend. From a security and privacy perspective, the predicted pervasive introduction of sensors and devices into currently intimate spaces – such as the home, the car, and with wearables and ingestibles, even the body – poses particular challenges. As physical objects in our everyday lives increasingly detect and share observations about us, consumers will likely continue to want privacy. The Commission staff will continue to enforce laws, educate consumers and businesses, and engage with consumer advocates, industry, academics, and other stakeholders involved in the IoT to promote appropriate security and privacy protections. At the same time, we urge further self-regulatory efforts on IoT, along with enactment of data security and broad-based privacy legislation.
START WITH SECURITY: A GUIDE FOR BUSINESS
LESSONS LEARNED FROM FTC CASES
FEDERAL TRADE COMMISSION

1. Start with security.
2. Control access to data sensibly.
3. Require secure passwords and authentication.
4. Store sensitive personal information securely and protect it during transmission.
5. Segment your network and monitor who’s trying to get in and out.
6. Secure remote access to your network.
7. Apply sound security practices when developing new products.
8. Make sure your service providers implement reasonable security measures.
9. Put procedures in place to keep your security current and address vulnerabilities that may arise.
10. Secure paper, physical media, and devices.

When managing your network, developing an app, or even organizing paper files, sound security is no accident. Companies that consider security from the start assess their options and make reasonable choices based on the nature of their business and the sensitivity of the information involved. Threats to data may transform over time, but the fundamentals of sound security remain constant. As the Federal Trade Commission outlined in Protecting Personal Information: A Guide for Business, you should know what personal information you have in your files and on your computers, and keep only what you need for your business. You should protect the information that you keep, and properly dispose of what you no longer need. And, of course, you should create a plan to respond to security incidents.

In addition to Protecting Personal Information, the FTC has resources to help you think through how those principles apply to your business. There’s an online tutorial to help train your employees; publications to address particular data security challenges; and news releases, blog posts, and guidance to help you identify – and possibly prevent – pitfalls.
There’s another source of information about keeping sensitive data secure: the lessons learned from the more than 50 law enforcement actions the FTC has announced so far. These are settlements – no findings have been made by a court – and the specifics of the orders apply just to those companies, of course. But learning about alleged lapses that led to law enforcement can help your company improve its practices. And most of these alleged practices involve basic, fundamental security missteps. Distilling the facts of those cases down to their essence, here are ten lessons to learn that touch on vulnerabilities that could affect your company, along with practical guidance on how to reduce the risks they pose.

1. Start with security.

From personal data on employment applications to network files with customers’ credit card numbers, sensitive information pervades every part of many companies. Business executives often ask how to manage confidential information. Experts agree on the key first step: Start with security. Factor it into the decisionmaking in every department of your business – personnel, sales, accounting, information technology, etc. Collecting and maintaining information “just because” is no longer a sound business strategy. Savvy companies think through the implication of their data decisions. By making conscious choices about the kind of information you collect, how long you keep it, and who can access it, you can reduce the risk of a data compromise down the road. Of course, all of those decisions will depend on the nature of your business. Lessons from FTC cases illustrate the benefits of building security in from the start by going lean and mean in your data collection, retention, and use policies.

Don’t collect personal information you don’t need.

Here’s a foundational principle to inform your initial decision-making: No one can steal what you don’t have. When does your company ask people for sensitive information?
Perhaps when they’re registering online or setting up a new account. When was the last time you looked at that process to make sure you really need everything you ask for? That’s the lesson to learn from a number of FTC cases. For example, the FTC’s complaint against RockYou charged that the company collected lots of information during the site registration process, including the user’s email address and email password. By collecting email passwords – not something the business needed – and then storing them in clear text, the FTC said the company created an unnecessary risk to people’s email accounts. The business could have avoided that risk simply by not collecting sensitive information in the first place.

Hold on to information only as long as you have a legitimate business need.

Sometimes it’s necessary to collect personal data as part of a transaction. But once the deal is done, it may be unwise to keep it. In the FTC’s BJ’s Wholesale Club case, the company collected customers’ credit and debit card information to process transactions in its retail stores. But according to the complaint, it continued to store that data for up to 30 days – long after the sale was complete. Not only did that violate bank rules, but by holding on to the information without a legitimate business need, the FTC said BJ’s Wholesale Club created an unreasonable risk. By exploiting other weaknesses in the company’s security practices, hackers stole the account data and used it to make counterfeit credit and debit cards. The business could have limited its risk by securely disposing of the financial information once it no longer had a legitimate need for it.

Don’t use personal information when it’s not necessary.

You wouldn’t juggle with a Ming vase. Nor should businesses use personal information in contexts that create unnecessary risks.
In the Accretive case, the FTC alleged that the company used real people’s personal information in employee training sessions, and then failed to remove the information from employees’ computers after the sessions were over. Similarly, in foru International, the FTC charged that the company gave access to sensitive consumer data to service providers who were developing applications for the company. In both cases, the risk could have been avoided by using fictitious information for training or development purposes.

2. Control access to data sensibly.

Once you’ve decided you have a legitimate business need to hold on to sensitive data, take reasonable steps to keep it secure. You’ll want to keep it from the prying eyes of outsiders, of course, but what about your own employees? Not everyone on your staff needs unrestricted access to your network and the information stored on it. Put controls in place to make sure employees have access only on a “need to know” basis. For your network, consider steps such as separate user accounts to limit access to the places where personal data is stored or to control who can use particular databases. For paper files, external drives, disks, etc., an access control could be as simple as a locked file cabinet. When thinking about how to control access to sensitive information in your possession, consider these lessons from FTC cases.

Restrict access to sensitive data.

If employees don’t have to use personal information as part of their job, there’s no need for them to have access to it. For example, in Goal Financial, the FTC alleged that the company failed to restrict employee access to personal information stored in paper files and on its network. As a result, a group of employees transferred more than 7,000 consumer files containing sensitive information to third parties without authorization.
The company could have prevented that misstep by implementing proper controls and ensuring that only authorized employees with a business need had access to people’s personal information. Limit administrative access. Administrative access, which allows a user to make system-wide changes to your system, should be limited to the employees tasked to do that job. In its action against Twitter, for example, the FTC alleged that the company granted almost all of its employees administrative control over Twitter’s system, including the ability to reset user account passwords, view users’ nonpublic tweets, and send tweets on users’ behalf. According to the complaint, by providing administrative access to just about everybody in-house, Twitter increased the risk that a compromise of any of its employees’ credentials could result in a serious breach. How could the company have reduced that risk? By ensuring that employees’ access to the system’s administrative controls was tailored to their job needs. 3 Require secure passwords and authentication. If you have personal information stored on your network, strong authentication procedures – including sensible password “hygiene” – can help ensure that only authorized individuals can access the data. When developing your company’s policies, here are tips to take from FTC cases. Insist on complex and unique passwords. “Passwords” like 121212 or qwerty aren’t much better than no passwords at all. That’s why it’s wise to give some thought to the password standards you implement. In the Twitter case, for example, the company let employees use common dictionary words as administrative passwords, as well as passwords they were already using for other accounts. According to the FTC, those lax practices left Twitter’s system vulnerable to hackers who used password-guessing tools, or tried passwords stolen from other services in the hope that Twitter employees used the same password to access the company’s system. 
Twitter could have limited those risks by implementing a more secure password system – for example, by requiring employees to choose complex passwords and training them not to use the same or similar passwords for both business and personal accounts. Store passwords securely. Don’t make it easy for interlopers to access passwords. In Guidance Software, the FTC alleged that the company stored network user credentials in clear, readable text that helped a hacker access customer credit card information on the network. Similarly, in Reed Elsevier, the FTC charged that the business allowed customers to store user credentials in a vulnerable format in cookies on their computers. In Twitter, too, the FTC said the company failed to establish policies that prohibited employees from storing administrative passwords in plain text in personal email accounts. In each of those cases, the risks could have been reduced if the companies had policies and procedures in place to store credentials securely. Businesses also may want to consider other protections – two-factor authentication, for example – that can help protect against password compromises. Guard against brute force attacks. Remember that adage about an infinite number of monkeys at an infinite number of typewriters? Hackers use automated programs that perform a similar function. These brute force attacks work by typing endless combinations of characters until hackers luck into someone’s password. In the Lookout Services, Twitter, and Reed Elsevier cases, the FTC alleged that the businesses didn’t suspend or disable user credentials after a certain number of unsuccessful login attempts. By not adequately restricting the number of tries, the companies placed their networks at risk. Implementing a policy to suspend or disable accounts after repeated login attempts would have helped to eliminate that risk. Protect against authentication bypass. 
Locking the front door doesn’t offer much protection if the back door is left open. In Lookout Services, the FTC charged that the company failed to adequately test its web application for widely-known security flaws, including one called “predictable resource location.” As a result, a hacker could easily predict patterns and manipulate URLs to bypass the web app’s authentication screen and gain unauthorized access to the company’s databases. The company could have improved the security of its authentication mechanism by testing for common vulnerabilities. 4 Store sensitive personal information securely and protect it during transmission. For many companies, storing sensitive data is a business necessity. And even if you take appropriate steps to secure your network, sometimes you have to send that data elsewhere. Use strong cryptography to secure confidential material during storage and transmission. The method will depend on the types of information your business collects, how you collect it, and how you process it. Given the nature of your business, some possibilities may include Transport Layer Security/Secure Sockets Layer (TLS/SSL) encryption, data-at-rest encryption, or an iterative cryptographic hash. But regardless of the method, it’s only as good as the personnel who implement it. Make sure the people you designate to do that job understand how your company uses sensitive data and have the know-how to determine what’s appropriate for each situation. With that in mind, here are a few lessons from FTC cases to consider when securing sensitive information during storage and transmission. Keep sensitive information secure throughout its lifecycle. Data doesn’t stay in one place. That’s why it’s important to consider security at all stages, if transmitting information is a necessity for your business. 
In Superior Mortgage Corporation, for example, the FTC alleged that the company used SSL encryption to secure the transmission of sensitive personal information between the customer’s web browser and the business’s website server. But once the information reached the server, the company’s service provider decrypted it and emailed it in clear, readable text to the company’s headquarters and branch offices. That risk could have been prevented by ensuring the data was secure throughout its lifecycle, and not just during the initial transmission. Use industry-tested and accepted methods. When considering what technical standards to follow, keep in mind that experts already may have developed effective standards that can apply to your business. Savvy companies don’t start from scratch when it isn’t necessary. Instead, they take advantage of that collected wisdom. The ValueClick case illustrates that principle. According to the FTC, the company stored sensitive customer information collected through its e-commerce sites in a database that used a non-standard, proprietary form of encryption. Unlike widely-accepted encryption algorithms that are extensively tested, the complaint charged that ValueClick’s method used a simple alphabetic substitution system subject to significant vulnerabilities. The company could have avoided those weaknesses by using tried-and-true industry-tested and accepted methods for securing data. Ensure proper configuration. Encryption – even strong methods – won’t protect your users if you don’t configure it properly. That’s one message businesses can take from the FTC’s actions against Fandango and Credit Karma. In those cases, the FTC alleged that the companies used SSL encryption in their mobile apps, but turned off a critical process known as SSL certificate validation without implementing other compensating security measures. 
That made the apps vulnerable to man-in-the-middle attacks, which could allow hackers to decrypt sensitive information the apps transmitted. Those risks could have been prevented if the companies’ implementations of SSL had been properly configured. 5 Segment your network and monitor who’s trying to get in and out. When designing your network, consider using tools like firewalls to segment your network, thereby limiting access between computers on your network and between your computers and the internet. Another useful safeguard: intrusion detection and prevention tools to monitor your network for malicious activity. Here are some lessons from FTC cases to consider when designing your network. Segment your network. Not every computer in your system needs to be able to communicate with every other one. You can help protect particularly sensitive data by housing it in a separate secure place on your network. That’s a lesson from the DSW case. The FTC alleged that the company didn’t sufficiently limit computers from one in-store network from connecting to computers on other in-store and corporate networks. As a result, hackers could use one in-store network to connect to, and access personal information on, other in-store and corporate networks. The company could have reduced that risk by sufficiently segmenting its network. Monitor activity on your network. “Who’s that knocking on my door?” That’s what an effective intrusion detection tool asks when it detects unauthorized activity on your network. In the Dave & Buster’s case, the FTC alleged that the company didn’t use an intrusion detection system and didn’t monitor system logs for suspicious activity. The FTC says something similar happened in Cardsystem Solutions. The business didn’t use sufficient measures to detect unauthorized access to its network. Hackers exploited weaknesses, installing programs on the company’s network that collected stored sensitive data and sent it outside the network every four days. 
In each of these cases, the businesses could have reduced the risk of a data compromise or its breadth by using tools to monitor activity on their networks. 6 Secure remote access to your network. Business doesn’t just happen in the office. While a mobile workforce can increase productivity, it also can pose new security challenges. If you give employees, clients, or service providers remote access to your network, have you taken steps to secure those access points? FTC cases suggest some factors to consider when developing your remote access policies. Ensure endpoint security. Just as a chain is only as strong as its weakest link, your network security is only as strong as the weakest security on a computer with remote access to it. That’s the message of FTC cases in which companies failed to ensure that computers with remote access to their networks had appropriate endpoint security. For example, in Premier Capital Lending, the company allegedly activated a remote login account for a business client to obtain consumer reports, without first assessing the business’s security. When hackers accessed the client’s system, they stole its remote login credentials and used them to grab consumers’ personal information. According to the complaint in Settlement One, the business allowed clients that didn’t have basic security measures, like firewalls and updated antivirus software, to access consumer reports through its online portal. And in Lifelock, the FTC charged that the company failed to install antivirus programs on the computers that employees used to remotely access its network. These businesses could have reduced those risks by securing computers that had remote access to their networks. Put sensible access limits in place. Not everyone who might occasionally need to get on your network should have an all-access, backstage pass. That’s why it’s wise to limit access to what’s needed to get the job done. 
In the Dave & Buster’s case, for example, the FTC charged that the company failed to adequately restrict third-party access to its network. By exploiting security weaknesses in the third-party company’s system, an intruder allegedly connected to the network numerous times and intercepted personal information. What could the company have done to reduce that risk? It could have placed limits on third-party access to its network – for example, by restricting connections to specified IP addresses or granting temporary, limited access. 7 Apply sound security practices when developing new products. So you have a great new app or innovative software on the drawing board. Early in the development process, think through how customers will likely use the product. If they’ll be storing or sending sensitive information, is your product up to the task of handling that data securely? Before going to market, consider the lessons from FTC cases involving product development, design, testing, and roll-out. Train your engineers in secure coding. Have you explained to your developers the need to keep security at the forefront? In cases like MTS, HTC America, and TRENDnet, the FTC alleged that the companies failed to train their employees in secure coding practices. The upshot: questionable design decisions, including the introduction of vulnerabilities into the software. For example, according to the complaint in HTC America, the company failed to implement readily available secure communications mechanisms in the logging applications it pre-installed on its mobile devices. As a result, malicious third-party apps could communicate with the logging applications, placing consumers’ text messages, location data, and other sensitive information at risk. The company could have reduced the risk of vulnerabilities like that by adequately training its engineers in secure coding practices. Follow platform guidelines for security. 
When it comes to security, there may not be a need to reinvent the wheel. Sometimes the wisest course is to listen to the experts. In actions against HTC America, Fandango, and Credit Karma, the FTC alleged that the companies failed to follow explicit platform guidelines about secure development practices. For example, Fandango and Credit Karma turned off a critical process known as SSL certificate validation in their mobile apps, leaving the sensitive information consumers transmitted through those apps open to interception through man-in-the-middle attacks. The companies could have prevented this vulnerability by following the iOS and Android guidelines for developers, which explicitly warn against turning off SSL certificate validation. Verify that privacy and security features work. If your software offers a privacy or security feature, verify that the feature works as advertised. In TRENDnet, for example, the FTC charged that the company failed to test that an option to make a consumer’s camera feed private would, in fact, restrict access to that feed. As a result, hundreds of “private” camera feeds were publicly available. Similarly, in Snapchat, the company advertised that messages would “disappear forever,” but the FTC says it failed to ensure the accuracy of that claim. Among other things, the app saved video files to a location outside of the app’s sandbox, making it easy to recover the video files with common file browsing tools. The lesson for other companies: When offering privacy and security features, ensure that your product lives up to your advertising claims. Test for common vulnerabilities. There is no way to anticipate every threat, but some vulnerabilities are commonly known and reasonably foreseeable. In more than a dozen FTC cases, businesses failed to adequately assess their applications for well-known vulnerabilities. For example, in the Guess? 
case, the FTC alleged that the business failed to assess whether its web application was vulnerable to Structured Query Language (SQL) injection attacks. As a result, hackers were able to use SQL attacks to gain access to databases with consumers’ credit card information. That’s a risk that could have been avoided by testing for commonly-known vulnerabilities, like those identified by the Open Web Application Security Project (OWASP). 8 Make sure your service providers implement reasonable security measures. When it comes to security, keep a watchful eye on your service providers – for example, companies you hire to process personal information collected from customers or to develop apps. Before hiring someone, be candid about your security expectations. Take reasonable steps to select providers able to implement appropriate security measures and monitor that they’re meeting your requirements. FTC cases offer advice on what to consider when hiring and overseeing service providers. Put it in writing. Insist that appropriate security standards are part of your contracts. In GMR Transcription, for example, the FTC alleged that the company hired service providers to transcribe sensitive audio files, but failed to require the service provider to take reasonable security measures. As a result, the files – many containing highly confidential health-related information – were widely exposed on the internet. For starters, the business could have included contract provisions that required service providers to adopt reasonable security precautions – for example, encryption. Verify compliance. Security can’t be a “take our word for it” thing. Including security expectations in contracts with service providers is an important first step, but it’s also important to build oversight into the process. The Upromise case illustrates that point. There, the company hired a service provider to develop a browser toolbar. 
Upromise claimed that the toolbar, which collected consumers’ browsing information to provide personalized offers, would use a filter to “remove any personally identifiable information” before transmission. But, according to the FTC, Upromise failed to verify that the service provider had implemented the information collection program in a manner consistent with Upromise’s privacy and security policies and the terms in the contract designed to protect consumer information. As a result, the toolbar collected sensitive personal information – including financial account numbers and security codes from secure web pages – and transmitted it in clear text. How could the company have reduced that risk? By asking questions and following up with the service provider during the development process. 9 Put procedures in place to keep your security current and address vulnerabilities that may arise. Securing your software and networks isn’t a one-and-done deal. It’s an ongoing process that requires you to keep your guard up. If you use third-party software on your networks, or you include third-party software libraries in your applications, apply updates as they’re issued. If you develop your own software, how will people let you know if they spot a vulnerability, and how will you make things right? FTC cases offer points to consider in thinking through vulnerability management. Update and patch third-party software. Outdated software undermines security. The solution is to update it regularly and implement third-party patches. In the TJX Companies case, for example, the FTC alleged that the company didn’t update its anti-virus software, increasing the risk that hackers could exploit known vulnerabilities or overcome the business’s defenses. 
Depending on the complexity of your network or software, you may need to prioritize patches by severity; nonetheless, having a reasonable process in place to update and patch third-party software is an important step to reducing the risk of a compromise. Heed credible security warnings and move quickly to fix them. When vulnerabilities come to your attention, listen carefully and then get a move on. In the HTC America case, the FTC charged that the company didn’t have a process for receiving and addressing reports about security vulnerabilities. HTC’s alleged delay in responding to warnings meant that the vulnerabilities found their way onto even more devices across multiple operating system versions. Sometimes, companies receive security alerts, but they get lost in the shuffle. In Fandango, for example, the company relied on its general customer service system to respond to warnings about security risks. According to the complaint, when a researcher contacted the business about a vulnerability, the system incorrectly categorized the report as a password reset request, sent an automated response, and marked the message as “resolved” without flagging it for further review. As a result, Fandango didn’t learn about the vulnerability until FTC staff contacted the company. The lesson for other businesses? Have an effective process in place to receive and address security vulnerability reports. Consider a clearly publicized and effective channel (for example, a dedicated email address like [email protected]) for receiving reports and flagging them for your security staff. 10 Secure paper, physical media, and devices. Network security is a critical consideration, but many of the same lessons apply to paperwork and physical media like hard drives, laptops, flash drives, and disks. FTC cases offer some things to consider when evaluating physical security at your business. Securely store sensitive files. 
If it’s necessary to retain important paperwork, take steps to keep it secure. In the Gregory Navone case, the FTC alleged that the defendant maintained sensitive consumer information, collected by his former businesses, in boxes in his garage. In Lifelock, the complaint charged that the company left faxed documents that included consumers’ personal information in an open and easily accessible area. In each case, the business could have reduced the risk to their customers by implementing policies to store documents securely. Protect devices that process personal information. Securing information stored on your network won’t protect your customers if the data has already been stolen through the device that collects it. In the 2007 Dollar Tree investigation, FTC staff said that the business’s PIN entry devices were vulnerable to tampering and theft. As a result, unauthorized persons could capture consumer’s payment card data, including the magnetic stripe data and PIN, through an attack known as “PED skimming.” Given the novelty of this type of attack at the time, and a number of other factors, staff closed the investigation. However, attacks targeting point-of-sale devices are now common and well-known, and businesses should take reasonable steps to protect such devices from compromise. Keep safety standards in place when data is en route. Savvy businesses understand the importance of securing sensitive information when it’s outside the office. In Accretive, for example, the FTC alleged that an employee left a laptop containing more than 600 files, with 20 million pieces of information related to 23,000 patients, in the locked passenger compartment of a car, which was then stolen. The CBR Systems case concerned alleged unencrypted backup tapes, a laptop, and an external hard drive – all of which contained sensitive information – that were lifted from an employee’s car. 
In each case, the business could have reduced the risk to consumers’ personal information by implementing reasonable security policies when data is en route. For example, when sending files, drives, disks, etc., use a mailing method that lets you track where the package is. Limit the instances when employees need to be out and about with sensitive data in their possession. But when there’s a legitimate business need to travel with confidential information, employees should keep it out of sight and under lock and key whenever possible. Dispose of sensitive data securely. Paperwork or equipment you no longer need may look like trash, but it’s treasure to identity thieves if it includes personal information about consumers or employees. For example, according to the FTC complaints in Rite Aid and CVS Caremark, the companies tossed sensitive personal information – like prescriptions – in dumpsters. In Goal Financial, the FTC alleged that an employee sold surplus hard drives that contained the sensitive personal information of approximately 34,000 customers in clear text. The companies could have prevented the risk to consumers’ personal information by shredding, burning, or pulverizing documents to make them unreadable and by using available technology to wipe devices that aren’t in use. Looking for more information? The FTC’s Business Center (business.ftc.gov) has a Data Security section with an up-to-date listing of relevant cases and other free resources. About the FTC The FTC works for the consumer to prevent fraudulent, deceptive, and unfair practices in the marketplace. The Business Center gives you and your business tools to understand and comply with the law. Regardless of the size of your organization or the industry you’re in, knowing – and fulfilling – your compliance responsibilities is smart, sound business. Visit the Business Center at business.ftc.gov. 
Your Opportunity to Comment The National Small Business Ombudsman and 10 Regional Fairness Boards collect comments from small businesses about federal compliance and enforcement activities. Each year, the Ombudsman evaluates the conduct of these activities and rates each agency’s responsiveness to small businesses. Small businesses can comment to the Ombudsman without fear of reprisal. To comment, call toll-free 1-888-REGFAIR (1-888-734-3247) or go to sba.gov/ombudsman. Federal Trade Commission business.ftc.gov June 2015
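The "Store passwords securely" and "Guard against brute force attacks" lessons above, as an added Python example that is not part of the FTC guide or this paper: credentials are kept only as salted, iterated hashes (PBKDF2 stands in for the "iterative cryptographic hash" the guide mentions) and an account is suspended after repeated failed logins. The class name, the limit of 5 failures, the 15-minute suspension and the iteration count are assumptions chosen for the example; the guide names no numbers.

```python
import hashlib
import hmac
import os
import time

# Assumed policy values for this example; the guide does not prescribe any.
MAX_FAILURES = 5
LOCKOUT_SECONDS = 15 * 60
PBKDF2_ITERATIONS = 600_000


class AuthStore:
    """In-memory credential store: salted PBKDF2 hashes plus failed-login lockout."""

    def __init__(self, iterations=PBKDF2_ITERATIONS, clock=time.monotonic):
        self._iterations = iterations
        self._clock = clock
        self._users = {}      # username -> (salt, iterations, digest); never the password
        self._failures = {}   # username -> (failure count, locked-until timestamp)
        # Record used for unknown usernames so they cost the same work as real ones.
        self._dummy = (os.urandom(16), iterations, b"")

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def register(self, username, password):
        salt = os.urandom(16)  # unique per user, so equal passwords hash differently
        digest = self._derive(password, salt, self._iterations)
        self._users[username] = (salt, self._iterations, digest)

    def login(self, username, password):
        """Return "ok", "denied" or "locked"."""
        now = self._clock()
        count, locked_until = self._failures.get(username, (0, 0.0))
        if now < locked_until:
            return "locked"               # suspended: the guess is not even evaluated
        if locked_until:
            count, locked_until = 0, 0.0  # suspension expired: start a fresh window

        salt, iterations, expected = self._users.get(username, self._dummy)
        candidate = self._derive(password, salt, iterations)
        # Constant-time comparison avoids leaking how many leading bytes matched.
        if username in self._users and hmac.compare_digest(candidate, expected):
            self._failures.pop(username, None)
            return "ok"

        count += 1
        if count >= MAX_FAILURES:
            locked_until = now + LOCKOUT_SECONDS
        self._failures[username] = (count, locked_until)
        return "denied"
```

A temporary suspension, rather than a permanent disable, limits how far the lockout itself can be used to keep a legitimate user out of their account.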
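For the "Test for common vulnerabilities" lesson and the SQL injection weakness alleged in the Guess? case, an added Python example (not from the FTC guide or any of the companies named) showing a lookup built by string concatenation beside its parameterized form, plus a small regression check that tells them apart. The table, column names, sample rows and probe inputs are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory database with three sample rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, customer TEXT, card_last4 TEXT)")
    db.executemany(
        "INSERT INTO orders (customer, card_last4) VALUES (?, ?)",
        [("alice", "1111"), ("bob", "2222"), ("carol", "3333")],
    )
    return db


def orders_vulnerable(db, customer):
    # Deliberately weak: the input is pasted into the SQL text, so quote
    # characters in it change the structure of the query.
    query = "SELECT customer, card_last4 FROM orders WHERE customer = '" + customer + "'"
    return db.execute(query).fetchall()


def orders_parameterized(db, customer):
    # Hardened: the driver passes the value separately from the SQL text,
    # so it can only ever be compared as data.
    query = "SELECT customer, card_last4 FROM orders WHERE customer = ?"
    return db.execute(query, (customer,)).fetchall()


# Constructed probe inputs: a name with an apostrophe and a quoted tautology.
PROBES = ["o'brien", "alice' OR '1'='1"]


def check_lookup(lookup):
    """Run the probes against a lookup function and return a list of findings.

    A safe lookup treats every probe as an unknown customer name: no rows,
    no database error.
    """
    findings = []
    for probe in PROBES:
        db = make_db()
        try:
            rows = lookup(db, probe)
        except sqlite3.Error as exc:
            findings.append(f"{probe!r}: input reached the SQL parser ({exc})")
            continue
        foreign = [row for row in rows if row[0] != probe]
        if foreign:
            findings.append(f"{probe!r}: returned {len(foreign)} rows for other customers")
    return findings
```

Running a check like this in the build, alongside a scanner, catches a regression to string-built queries before release.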