Written by, Nora Hanson, Chris Knight, Blake McCartney & Dale Rappaneau, Class of 2022

I. Introduction

There are a variety of definitions of the “Internet of Things” (“IoT”). IoT has been described as “the concept of . . . connecting any device with an on and off switch to the Internet” and/or to another device.^[1] It may also be explained as “[t]he interconnection via the Internet of computing devices embedded in everyday objects, enabling them to send and receive data.”^[2] The concept of IoT encompasses many types of devices, including home technologies, wearable devices, and technology used by countless industries such as farming, manufacturing, transportation, and oil and gas.

This paper focuses on IoT in the consumer’s home, a space ripe with privacy considerations. First, this paper considers IoT in the home and the corresponding privacy risks. Next, this piece explains the manner in which the United States currently regulates IoT. Finally, this paper considers how the United States will regulate IoT moving forward.

II. IoT in the Home and Its Corresponding Privacy Risks

Today, a wide array of IoT devices live alongside us in our homes. According to a study conducted by Stanford University, the University of Illinois, and Avast Software, “more than 66% of homes [in North America] have” an IoT device.^[3] First, one cannot discuss IoT in the home without mentioning prolific smart speaker devices, like the Amazon Echo (“Alexa”) and the Google Home. Alexa and Google Home use speech recognition “to perform an ever-growing range of tasks on demand,” including playing music, reporting the weather, calling an Uber, or ordering you pizza.^[4] Amazon also offers a smart speaker device that specifically caters to children and offers child-specific features, the Echo Dot Kids Edition.^[5] These smart speaker devices can connect with other smart items within the home, such as light bulbs, thermostats, home alarm systems, and locks.^[6] One such product frequently paired with smart speaker devices is another Amazon device known as “Ring.”^[7] Ring offers “Wi-Fi enabled smart security systems,” including “alarms, video doorbells, security systems, and cameras.”^[8] One of Ring’s most popular offerings is a Wi-Fi camera that “communicate[s] directly with occupants via a two-way speaker-microphone system.”^[9]

IoT devices in the home also include more discrete devices like “smart meters,” which monitor and analyze various aspects of a home’s energy usage.^[10] Some of these devices may allow consumers to make adjustments in “real-time . . . based on the price of electricity,” offering significant cost savings to the homeowner.^[11] IoT can also be found in the kitchen, with items like the “HAPIfork,” which alerts the consumer with vibrations and indicator lights when they are eating too quickly.^[12]

While IoT devices offer convenient and fun features, they come with major privacy risks. For example, a Federal Trade Commission (FTC) Complaint alleges that the Amazon Echo Dot Kids transcribes the “conversations” it has with children, “associate[s] them with a specific child via a personal identifier, and store[s] them forever in the cloud.”^[13] It is largely unknown what Amazon does with its treasure trove of children’s data, but the fact that the device is catered to children is particularly concerning from a privacy perspective.^[14] This is because children who grow up with the Echo Dot are likely to talk to the device like they would a person, and they may reveal sensitive information to the device.^[15] Adults have the same concerns with the regular Amazon Echo Dot. In Tice v. Amazon, the Plaintiff alleged that Alexa records user’s personal conversations without permission or without hearing a wake word^[16] and is “constantly listening to voices and conversations and sometimes records these conversations . . . .”^[17] The exact details of what is recorded and what is done with Alexa’s recordings are not yet publicly known, but if the consumer has a smart speaker in their home, they are essentially welcoming Google and Amazon to record their personal conversations.^[18] In an even more terrifying vein, Amazon’s Ring device—the home security device that offers a camera and two-way speaker-microphone system—has generated numerous reports of “malicious third parties who [have] gained access to” the device and used it to “terrorize unsuspecting occupants, many of whom are children.”^[19] In one lawsuit against Ring, the Plaintiff, a Ring customer, installed the device over his garage.^[20] One day, when his children were playing basketball in front of the garage, “a voice came through the camera’s two-way speaker system” and “engaged with [his] children commenting on their basketball play and encouraging them to get closer to the camera.”^[21] While these instances may seem like particularly egregious examples of privacy concerns, these are real and pressing issues that all consumers of IoT devices must confront as they continue to welcome IoT devices into their homes.

III. How Federal and State Governments Currently Regulate the IoT Industry

Despite the evidence showcasing security and privacy risks of IoT devices, the federal government refuses to adopt legislation specifically targeting these risks. Thus, as with most privacy-related issues on the federal level, regulation relies upon the clumsy patchwork system of existing federal laws, supported by individualized state legislation.

           A. The FTC

            In 2013, the FTC hosted a workshop to analyze the IoT industry in an effort to determine whether the federal government should pass legislation to regulate IoT. The Commission found that, while IoT posed “real” risks, those risks did not “need to be addressed through IoT-specific legislation” because such legislation would be “premature.”^[22] Instead, the FTC announced it intended to “use [their] existing tools to ensure IoT companies continue to consider security and privacy issues as they develop new devices and services.”^[23] Thus, the patchwork system continues.

            First, the FTC utilizes its usual approach to privacy problems: its broad power of regulating “unfair or deceptive acts or practices.” ^[24] This approach relies on the FTC’s desire to act and does not afford consumers the opportunity to pursue a private action.^[25] However, the FTC recently published regulatory guidelines for businesses that manufacture IoT devices, possibly signaling a shift in how the FTC views IoT privacy and security risks.^[26] Notably, the FTC recommends implementing a “defense-in-depth approach that incorporates security measures at multiple levels,” which, although vague, echoes the privacy-by-design concept of the General Data Protection Regulation (GDPR) and pressures IoT manufacturers to build comprehensive security systems into their devices.^[27]

Second, the FTC relies upon laws like the Children’s Online Privacy Protection Act (COPPA), the Health Breach Notification Rule, and the Fair Credit Reporting Act (FCRA), to regulate and guide the development of IoT. For example, in United States v. VTech Electronics Ltd., VTech, a manufacturer of electronic learning products for children, agreed to settle charges alleging that it violated COPPA when its app, Kids Connect, allowed hackers to access an Internet-connected device’s database containing a child user’s photos and audio files.^[28] Alternatively, if an IoT device utilizes personal health records, such as biometric data from wearable devices, the FTC, in accordance with the Health Breach Notification Rule, requires companies to notify consumers when their “identifiable health information” has been compromised due to a breach.^[29] Finally, although the FTC has not brought a claim under the FCRA in relation to an IoT technology, the FTC nonetheless announced that it could.^[30] All of this, while far from uniform, creates a tapestry of legal possibilities for how and when federal regulatory oversight occurs for IoT devices. But, ultimately, this legal tapestry lacks the focus of its state-side counterparts in regard to IoT devices.

           B. The CCPA & The Connected Devices Act

The California Consumer Privacy Act (CCPA) remains the must-watch privacy regulation in the United States. Under the CCPA, the IoT industry must tread lightly when dealing with “personal information” because this term includes all information that can be associated with individuals or households.^[31] Moreover, the law’s geographic reach extends well beyond the borders of California, meaning any large IoT manufacturer that sells IoT devices to Californian households will likely want to adhere to the CCPA. Experts in the IoT industry are taking notice because the law “force[s] IoT devices to be secure by design.”^[32] More importantly, the CCPA provides IoT consumers with a list of rights, including the right to know what information IoT devices collect, the right to know how IoT companies use that information, and the right to access that information. For IoT devices that have secretly listened to or monitored the private activities of households, these rights are a death knell for their shadowy activities.

Furthermore, on January 1, 2020, the Connected Devices Act went into effect in California, building upon the CCPA by targeting regulation directly in the IoT industry. Under this law, a manufacturer of a device capable of connecting to the Internet must equip the device with a “reasonable security feature.”^[33] Although the law does not define “reasonable” in this context, it states that a security system must be “(1) [a]ppropriate to the nature and function of the device; (2) [a]ppropriate to the information it may collect, contain, or transmit; [and] (3) [d]esigned to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure.”^[34] In sum, while the CCPA bared its teeth at the IoT industry and forced them to incorporate security by design, this Act sharpened those teeth by setting expectations for what kind of security must be implemented in IoT devices.

               C. The IoT Cybersecurity Improvement Act

The IoT Cybersecurity Improvement Act, which is the most significant proposal for regulating IoT, became law in December of 2020. The Act aims to “improve the cybersecurity of Internet-connected devices by requiring that devices purchased by the U.S. government meet certain minimum security requirements.”^[35] To achieve this goal, the Act directs the National Institute of Standards and Technology (NIST) to create security standards that government agencies must follow when purchasing IoT technology, as well as standards for the management of the devices’ vulnerabilities.^[36]

The Act applies to a broader scope than just computers and smartphones. The Act defines devices as “a physical object that is capable of being in regular connection with the Internet or a network that is connected to the Internet, and has computer processing capabilities of collecting, sending, or receiving data.”^[37] Because the Act applies to devices used by the federal government, it applies to any private companies that create and supply the devices used by the government.^[38] The law would require that contractors that provide covered devices “notify government agencies of any security vulnerabilities.”^[39]

Given the dearth of regulation of IoT devices at the federal level, any regulation should be considered progress, and a significant number of devices will be positively affected by the regulation. However, as some privacy advocates have pointed out, the Act is quite clearly an initial step and not the solution.^[40]

First, the Act places responsibility on the device manufacturers to provide “secure, trustworthy IoT technologies.”^[41] While the Act will lead to guidelines, it is not a guarantee that companies will truly significantly increase security. It remains to be seen how broad or specific the government guidelines will be and how much accountability will be in place for any manufacturers that remain deficient.

Second, the Act will have no impact on the massive number of devices manufactured for private consumers.^[42] The Act will likely do little to increase awareness of the dangers of IoT devices both for manufacturers and individual consumers, and it is likely that the vast majority of manufacturers and distributors of IoT devices that are not subject to the guidelines will not change their current security practices. However, if the guidelines are robust, they may provide a framework that can be used in future legislation or by other agencies in developing broader standards that apply across the industry and do more to protect the average consumer.

IV. Regulating IoT Moving Forward

There are a number of avenues for regulating IoT moving forward. In 2015, the FTC put forward a number of guidelines for companies in its report, which have been followed by companies like Amazon and Microsoft. Additionally, organizations like the Global Privacy Enforcement Network (GPEN), which the FTC and the Federal Communications Commission (FCC) are a part of; the European Telecommunications Standards Institute; and the GSM Association (GSMA) have put forward best practices for the IoT. Despite the fact that the FTC report is now five years old, its guidelines have been adopted by companies, continue to be described as best practices, and adopted by other governments, demonstrating that most of the FTC’s regulations could be adopted to create a thorough regulating scheme.

The FTC’s guidelines from 2015 have been considered best practices by other organizations in recent years. For example, GPEN launched a global investigation in 2016, into privacy practice methods for the internet of things, which it repeated in 2017, and 2018.^[43] GPEN used many of the FTC report’s factors to determine the global strength of privacy protection for the internet of things, such as training employees, transparency, and conducting privacy risk assessments.^[44] The GSMA has also supported privacy by design and has targeted its guidelines and suggestions at service providers as well as the manufacturers and developers, a concept also embraced in Europe, which a US regulatory scheme should adopt.^[45] Additionally, the European Telecommunications Standards Institute (ETSI) also included many of the same standards as the 2015 FTC report, like transparency, data minimization, encryption, and providing notice and choice to consumers.^[46] The best practice standards show that despite the fact that it has been five years since the FTC report, its guidelines remain relevant. Part of the reason the FTC report aligns with many best-practice standards is because it appears to be based on the Fair Information Practice Principles (FIPPs), such as consumer notice and choice and data minimization.^[47] The FIPPs are also seen in many of the world’s privacy regulatory schemes, like the General Data Protection Regulation (GDPR), which keeps the practices at the forefront of the international privacy stage. Adopting a standard familiar to many across the world as well as the United States would lead to a smoother transition.

Additionally, other governments have adopted standards similar to the FTC standards in recent years. In January 2020, the United Kingdom decided to adopt legislation to bring security to consumer smart products. This legislation, based on the ESTI best practices and the UK’s Code of Practice for Consumer IoT Security, also requires privacy throughout the lifecycle of the device, keeping security software updating and notifying consumers about those updates, and data minimization.^[48] Additionally, the UK legislation looks to also place security obligations on retailers and distributors of the devices to better ensure that products do not end up on the market unless they meet the security requirements of the prospective legislation.^[49] Given the UK’s long experience with privacy regulation under the GDPR, seeing which principles it has continued to utilize in new legislation could also influence which FTC guidelines the United States could use. Further, adding obligations to retailers and the marketplace to make sure all products comply could help create a safer, more comprehensive scheme.

A final reason to adopt the FTC guidelines as formal regulation is that companies have to come to rely on those guidelines and have used them to adopt policies around devices. Amazon, for example, practices security by design per the FTC guidelines.^[50] Amazon also practices encryption and password protection per the guidelines, as well as data minimization, employee training, and regulating the lifecycle of the device.^[51] However, Amazon does not appear to regulate its marketplace under the obligations put forward by the GSMA and in European practices and its policy does not mention providing users with notice, further demonstrating why the market needs binding regulations. Amazon’s policy specifies that users are responsible for updating the security and security patches of their devices.^[52] Clearly, Amazon, and most likely other major IoT companies as well, are familiar with the FTC’s guidelines and have adopted some of the guidelines, and created workarounds for the others. Formally adopting the FTC guidelines as regulations would make the transition to binding legislation easier, since the companies practice some of the guidelines, and at least have notice of the others, making it easier to regulate the companies and enforce a regulatory scheme going forward.

In conclusion, the United States could adopt many of the 2015 FTC guidelines as binding legislation for a comprehensive regulatory scheme for IoT devices. The United States should probably add in obligations for retailers and the marketplace, as suggested by the GSMA and the European best practices. Another less familiar and common path would be to not adopt any of the FTC guidelines and instead adopt a scheme like the FRCA scheme, regulating the use of data rather than its collection, however, that would be a departure from both the policies of companies as well as what the rest of the world does to regulate its data. Therefore, the easiest adoption for the moment would be the 2015 FTC guidelines with the adjustments from the GSMA.

V. Conclusion

The Internet of Things has exploded in recent years and now is involved in the daily lives of many, if not most, people who live in developed countries. The privacy risks for individuals stemming from IoT devices are particularly acute given that most often, these devices are located in the home. The IoT Cybersecurity Improvement Act will provide a much-needed step toward national regulation of IoT devices, but private business and trade groups should continue to adopt best practices and guidelines established by the FTC. The IoT continues to expand rapidly as IoT devices become more ingrained in daily life. As such, this will remain a key area of focus for any privacy professional.

[1] Jacob Morgan, A Simple Explanation of “The Internet of Things,” Forbes (May 13, 2014), https://www.forbes.com/sites/jacobmorgan/2014/05/13/simple-explanation-internet-things-that-anyone-can-understand.

[2] Internet of Things, Oxford Dictionaries, https://en.oxforddictionaries.com/definition/Internet_of_things (last visited Nov. 20, 2020).

[3] Deepak Kumar et al. All Things Considered: An Analysis of IoT Devices on Home Networks, 28 USENIX Security Symposium 1169, 1169 (2019).

[4] Richard Baguely & Colin McDonald, Appliance Science: Alexa, How Does Alexa Work? The Science of the Amazon Echo, CNet (Aug. 4, 2016), https://www.cnet.com/news/appliance-science-alexa-how-does-alexa-work-the-science-of-amazons-echo/; Avery Hartmans, 19 of the Coolest Things your Google Home Can Do, Business Insider (Jan. 17, 2019), https://www.businessinsider.com/google-home-features-tips-tricks-2018-2.

[5] Request for Investigation of Amazon, Inc.’s Echo Dot Kids Edition for Violating the Child’s Online Priv. Protection Act, at iii (2019), https://www.echokidsprivacy.com/#readcomplaint.

[6] Kate Kozuch, The Best Alexa Compatible Devices in 2020, Tom’s Guide (Oct. 31, 2020), https://www.tomsguide.com/best-picks/best-alexa-compatible-devices.

[7] Orange v. Ring L.L.C., No. 2:19-cv-10899, 2019 WL 7373613, at *5 (C.D. Cal. Dec. 26, 2019).

[8] Id. at **5, 7.

[9] Id. at *6.

[10] Vicki R. Harding, The Internet of Things (IOT): A Part of How the World Works or Against the Natural Order of Things? 62 No. 2 Prac. L. 21, 23 (2016).

[11] Branden Ly, Never Home Alone: Data Priv. Reguls. for the Internet of Things, 2017 U. Ill. J. L. Tech. & Pol’y 539, 543 (2017).

[12] HAPIfork, https://www.hapilabs.com/product/hapifork (last visited Nov. 10, 2020).

[13] Request for Investigation of Amazon, Inc.’s Echo Dot Kids Edition for Violating the Child’s Online Priv. Protection Act, supra note 5, at 2.

[14] Id.

[15] Id.

[16] A wake word is a que that turns the device on and alerts it to start recording the user’s request. Some examples of wake words for Alexa are “Alexa,” “Amazon,” etc. Margaret Rouse, Wake Word, Tech Target (Aug. 2019), https://whatis.techtarget.com/definition/wake-word.

[17] Tice v. Amazon.com, Inc. no. 5:19-cv-1311, 2020 U.S. Dist. LEXIS 60597, at *3 (C.D. Cal. Mar. 25, 2020).

[18] Grant Clauser, Amazon’s Alexa Never Stops Listening to You. Should You Worry? N.Y. Times: Wirecutter (Aug. 8, 2019) https://www.nytimes.com/wirecutter/blog/amazons-alexa-never-stops-listening-to-you/.

[19] Orange, 2019 WL 7373613, at *7.

[20] Id. at *10.

[21] Id.

[22] Fed. Trade Comm’n, Internet of Things: Privacy & Security in a Connected World (2015), at 48.

[23] Id. at 53.

[24] 15 U.S.C. § 45(a)(1) (2018).

[25] However, every state has enacted an Unfair and Deceptive Acts and Practices statute, thus possibly allowing consumers an opportunity to bring a private action against IoT manufacturers.

[26] Fed. Trade Comm’n, Careful Connections: Keeping the Internet of Things Secure, Sept. 2020, available at https://www.ftc.gov/tips-advice/business-center/guidance/careful-connections-keeping- internet-things-secure (“There is no ‘one size fits all’ approach to securing IoT devices, and what constitutes reasonable security will depend on a number of factors, including: the device functionality and purpose, the type and amount of information collected, the entities with whom the data is shared, and the level and likelihood of potential security risks involved.”)

[27] Id.

[28] Stipulated Order, United States v. VTech Elec. Ltd. Inc., No. 1:18-cv-114 (N.D. Ill. Jan. 8, 2018).

[29] 42 U.S.C. § 17932(a) (2018).

[30] Fed. Trade Comm’n, supra note 22, at viii.

[31] 2020 Cal. Legis. Serv. Ch. 370 (S.B. 1371) (WEST) (defining “personal information” as “information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household”).

[32] Dean Takahashi, California’s Privacy Law Means it’s Time to Add Security to IoT, Venture Beat, Dec. 28, 2019, available at https://venturebeat.com/2019/12/28/californias-privacy-law-means-its-time-to-add- security-to-iot/.

[33] Cal. Civ. Code § 1798.91.04 (West).

[34] Id.

[35] Senator Cory Gardner Press Releases, U.S. House Passes Gardner’s IoT Cybersecurity Improvement Act, (Sept. 14, 2020) https://www.gardner.senate.gov/newsroom/press-releases/us-house-passes-gardners-iot-cybersecurity-improvement-act.

[36] Erez Yalon, Is the IoT Cybersecurity Improvement Act Enough?, Nextgov (Oct. 23, 2020), https://www.nextgov.com/ideas/2020/10/iot-cybersecurity-improvement-act-enough/169388/

[37] Greg Murphy, The IoT Cybersecurity Improvement Act: Combining Tech With Policy To Address Threats, Forbes (Nov. 11, 2020) https://www.forbes.com/sites/forbestechcouncil/2020/11/11/the-iot-cybersecurity-improvement-act-combining-tech-with-policy-to-address-threats/?sh=3cb715406129; see GovTrack, H.R. 1668: IoT Cybersecurity Improvement Act of 2020, https://www.govtrack.us/congress/bills/116/hr1668/text (last visited Nov. 19, 2020).

[38] Gordon Rees Scully Mansukhani, LLP, Proposed Bill to Establish Security Standards for IoT Devices Used by Government Officials Passes House, https://www.grsm.com/publications/2020/bill-to-establish-security-standards-for-iot-devices-used-by-government-officials-passes-house (last visited Nov. 19, 2020).

[39] Id.

[40] Yalon, supra note 35.

[41] Id.

[42] Id.

[43] Global Privacy Enforcement Network, GPEN Sweep 2018 ‘Privacy Accountability,’ Off. of the Privacy Comm’r (Oct. 2018); Global Privacy Enforcement Network, GPEN Sweep 2017 ‘Privacy Accountability,’ UK Info. Comm’r Off. (Oct. 2017); Global Privacy Enforcement Network, 2016 GPEN Sweep – Internet of Things Office of the Privacy Comm’r (2016).

[44] Global Privacy Enforcement Network, GPEN Sweep 2018 ‘Privacy Accountability,’ 5, 6, 7; FTC, Internet of Things: Privacy and Security in a Connected World, iii, 52 (Jan. 2015).

[45] GSMA, IoT Security Guidelines Overview Document, 7, 35 (Feb. 29, 2020).

[46] European Telecommunications Standards Institute, Cyber Security for Consumer Internet of Things: Baseline Requirements, 16, 18, 20, 24 (June 2020).

[47] FTC, supra note 2, at ii, v, iv.

[48] Department for Digital, Culture, Media & Sport, Code for Consumer IoT Security, 7, 8, 10 (Oct. 2018).

[49] Matt Warman, Proposals for Regulating Consumer Smart Product Cyber Security – call for views, Dept. for Digital, Culture, Media & Sport (Oct. 2020).

[50] Amazon Web Services, Amazon Web Services: Overview of Security Processes, 12 (Mar. 2020).

[51] Id. at 5, 7, 45.

[52] Id. at 2.