1. The Internet of Things and Consumer Protection
Daniel Kaufman
Deputy Director
Bureau of Consumer Protection
Views expressed are those of the speaker and not necessarily those of the Commission or any Commissioner.

2. FTC Background Independent law enforcement agency
Consumer protection and competition mandate
Section 5 of FTC Act prohibits “unfair or deceptive acts of practices”
Policy work includes public workshops, Congressional testimony, consumer education, and business guidance
Privacy is a consumer protection priority

3. Enforcement Actions

4. Common Remedies Prohibition against misrepresentations
Comprehensive data security or privacy program, appropriate to company’s size, activities, information collected
Third party assessments of programs
Other case-specific requirements – e.g., disclosures, software updates
Civil penalties for violations

5. Internet of Things
Devices or sensors sold or used by consumers that connect, store, or transmit information with or between each other.
Offer many benefits but raise privacy and security concerns.
Include health and fitness monitors home security devices, connected cars and household appliances
Internet-connected cameras that allow you to post photos online with 1 click, home automation systems that turn on your front porch lights when you leave work, wearable devices that track you daily activity, calories and slepp.
Potential benefits include
improved health monitoring, safer highways, more efficient energy use.

6. Internet of Things
FTC held a workshop to discuss risks and benefits of IoT.
Participants included technologists, academics, consumer advocates and industry representatives.
Resulting Staff Report issued in January 2015.

7. Internet of Things Staff Report
Ongoing initiatives
Law enforcement
Consumer and business education
Participation in multi-stakeholder groups
Advocacy

8. Internet of Things Staff Report
Four areas of recommendations:
Security
Data minimization
Notice and Choice
Legislation.

9. Internet of Things Staff Report
Security
Security by design
Training and oversight
Multi-layered defense
Monitor through expected product life cycle

10. Internet of Things Staff Report
Data Minimization
Limit collection
Retain for limited time

11. Internet of Things Staff Report
Notice and choice
No “one-size-fits-all”
Innovative approaches identified
Response to criticisms

12. Internet of Things Staff Report
Legislation
Specific IoT legislation premature
Reiterates Commission call for flexible data security and breach notification legislation

13. Careful Connections: Building the Internet of Things
Practical advice for businesses, including:
Taking advantage of what experts have learned;
Proper authentication;
Designing reasonable security measures;
Pre-launch testing
Default settings; and
Communications with customers.

14. TRENDnet: overview FTC’s first IoT case
Security vulnerabilities in IP cameras and mobile apps
Attacker accessed hundreds of camera feeds

15. TRENDnet: design & testing
No software security review and testing at key points
Failed to implement reasonable guidance or training for responsible employees

16. Deception and Unfairness
Company falsely represented that it had taken reasonable steps to ensure that (1) its cameras and apps could securely monitor private areas of a consumer’s home or workplace and (2) that a user’s security settings will be honored
Company failed to provide reasonable security to prevent unauthorized access to live IP camera feeds

17. TRENDnet: order requirements
Required to provide notice to consumers, with technical support to update or uninstall cameras
Prohibited from misrepresenting security
Required to establish comprehensive security program, with third-party compliance assessments

18. Daniel Kaufman Dkaufman@ftc.gov (202) 326- 2675
QUESTIONS ?
Daniel Kaufman
(202)