Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness.  According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications that support “smart” cities, connected cars, mobile health apps, home appliances, and other IoT-enabled environments.

The Program was developed in collaboration with the nationwide wireless carriers, along with technology companies, security experts and test laboratories, and builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).  According to the Program Test Plan, devices eligible for certification include those that contain an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi networks.

A device submitted for certification will undergo a series of tests at a CTIA-authorized lab.  The testing will assess the device for one of three certification levels or “categories.” To obtain a Category 1 certification, the device will be reviewed for the presence of “core” IoT device security elements, including a Terms of Service and a customer-facing privacy policy, along with technical elements including password management, authentication and access controls.  A Category 2 certification includes the Category 1 elements, in addition to enhanced security features, such as an audit log, multi-factor authentication, remote deactivation, and threat monitoring. A Category 3 certification features the most comprehensive level of cybersecurity threat testing, and covers elements such as encryption of data at rest, digital signature validation, and tamper reporting, in addition to the elements under Categories 1 and 2.

The Program comes at a time of rapid growth for IoT devices.  According to the latest Ericsson Mobility Report, the global IoT market will expand to 3.5 billion cellular-connected devices in the next five years.  Much of this growth is expected to be driven by the anticipated deployment of 5G technology and enhanced mobile broadband.

The Program will begin accepting devices for certification testing in October 2018.  Details on how to participate in the Program are available on the CTIA website.

If you follow our blog, you know that we often write about issues involving the FTC and the CPSC, but we usually do not write about both in the same post. Now those worlds have collided. The staff of the FTC’s Bureau of Consumer Protection (“BCP”), a prominent voice in the Internet of Things dialogue, recently filed comments in response to a CPSC request for information about the potential safety hazards linked to internet-connected products. The request follows a May 16 hearing that included speakers representing a variety of industries and organizations, such as Retail Industry Leaders Association, Underwriters Laboratories Inc., Consumer Reports, and the Electronic Privacy Information Center. The BCP staff’s comments specifically address the following topics:

  • Best practices for mitigating against safety hazards. The BCP staff’s comments placed security and safety hand in hand with the following recommendations for companies offering connected devices: (1) risk assessments to evaluate their security programs and pinpoint possible threats before launching a product; and (2) oversight of service providers, including the incorporation of security standards into contracts and ensuring that the providers are complying with applicable security standards.
  • Registration for safety alerts and information related to recalls. The BCP staff recommended implementing a process similar to the CPSC’s current protocol for alerts related to infant and toddler products, wherein manufacturers and retailers are required to provide a safety registration card with the product. Instead of requiring the consumer to mail in a registration, however, a URL could be included for online registration.
  • The role of government in regulating IoT security. The BCP staff did not take a position on whether the CPSC should implement regulations specific to IoT device hazards, but suggested that, if the CPSC considers such regulation, it should take a technology-neutral approach so that any such regulation does not quickly become obsolete.

The CPSC continues to evaluate these issues while coordinating with other federal entities like the FTC and NIST, tracking state legislative developments, and exploring the role of voluntary standards. Any company that makes, imports, distributes, or sells a connected product should continue to watch for developments.

Manufacture, import, or sell a connected device?  In addition to the potential hazards associated with the physical performance of the product, you also need to consider the potential hazards associated with the product’s connectivity.  The Consumer Product Safety Commission (“CPSC”) is considering the Internet of Things and will hold a public hearing on May 16 for interested stakeholders to discuss the potential safety issues with connected products and the CPSC’s role in addressing these issues, along with industry best practices and current standards development.  Privacy and personal data security issues in the IoT environment do not fall under the CPSC’s jurisdiction, but the agency has the authority to cover consumer hazards resulting from IoT products, which could include fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure.  

The CPSC has identified two product safety challenges associated with IoT products: (1) preventing or eliminating hazardous conditions designed into products intentionally or without sufficient consideration; and (2) preventing and addressing incidents of hazardization.  While the former falls into the CPSC’s wheelhouse of preventing and correcting consumer product issues, the latter is a non-traditional area of product safety activity and could pose some challenges with the high rate of growth of connected products.  The CPSC defines hazardization as “the situation created when a product that was safe when obtained by a consumer, but which, when connected to a network, becomes hazardous through malicious, incorrect, or careless changes to operational code.”  Examples include a connected cooktop with a software glitch that ignites without the consumer’s knowledge and starts a fire or an integrated home security system that fails to download a software update and the default condition is to deactivate the system, disabling the smoke alarms without the consumer’s knowledge.

Earlier this week, the FTC announced its first settlement involving internet-connected toys. The FTC alleged that the Kid Connect app used with some of VTech’s toys collected personal information from hundreds of thousands of children, and that the company failed to provide direct notice of its privacy practices to parents, or to obtain verifiable consent from them, as required by the Children’s Online Privacy Protection Act (or “COPPA”). The FTC also alleged that VTech failed to use reasonable data security measures to protect the personal information it collected.

According to the FTC’s complaint, VTech collected personal information from parents on its Learning Lodge Navigator online platform, where the Kid Connect app was available for download, and through a (no longer available) web-based gaming and chat platform called Planet VTech. Before using Kid Connect or Planet VTech, parents were required to register and provide personal information about themselves and their children. VTech also collected personal information from children when they used the Kid Connect app.

As of November 2015, about 2.25 million parents had registered and created accounts with Learning Lodge for nearly 3 million children, including about 638,000 Kid Connect accounts for children. In addition, about 134,000 parents in the US had created Planet VTech accounts for 130,000 children.

The FTC generally alleged that:

  • VTech failed to provide direct notice of its information collection and use practices to parents and did not link to its privacy policy in each area where personal information was collected from children.
  • VTech did not take reasonable steps to protect the information it collected through Kid Connect. (In November 2015, the company was informed by a journalist that a hacker accessed its computer network and personal information about Kid Connect app users.)
  • VTech violated the FTC Act by falsely stating in its privacy policy that most personal information submitted by users through the Learning Lodge and Planet VTech would be encrypted.

As part of the settlement, VTech agreed to pay $650,000. In addition, VTech is permanently prohibited from violating COPPA in the future and from misrepresenting its security and privacy practices as part of the proposed settlement. It also is required to implement a comprehensive data security program, which will be subject to independent audits for 20 years.

In the FTC’s press release, acting FTC Chairman Maureen K. Ohlhausen noted that “as connected toys become increasingly popular, it’s more important than ever that companies let parents know how their kids’ data is collected and used and that they take reasonable steps to secure that data.” This case demonstrates that the consequences of not taking those steps up-front can be significant.

Last Friday, ten consumer and privacy advocacy groups, including the Electronic Privacy Information Center, Center for Digital Democracy, and Consumer Watchdog, sent a letter to Acting Chairman Ann Marie Buerkle, requesting that the CPSC recall the Google Home Mini smart speaker. The speaker was designed to respond to the voice commands, “OK, Google” and “Hey, Google,” as well as to a consumer pressing a small button on the top of the unit. Last week, the blog Android Police reported a glitch that caused the device to detect a touch even when a consumer was not pressing the button and remain “always on.” In response, Google issued a software update and completely disabled the button functionality.

The groups claim that this glitch resulted in Google intercepting and recording private conversations without consumers’ knowledge or consent, and that the device therefore poses a risk to consumer safety. Although they acknowledge that “the privacy concerns associated with Internet-connected devices appear different from traditional public safety concerns,” the groups call on the CPSC and its “broad mandate” to respond to such concerns, particularly in light of the “failure” of the FTC to investigate complaints involving Internet-connected devices.

Under the Consumer Product Safety Act, manufacturers, importers, distributors, and retailers have an obligation to immediately report to the CPSC when they obtain information that reasonably supports the conclusion that a consumer product contains a defect that could create a substantial product hazard, or creates an unreasonable risk of serious injury or death. While the groups note that the CPSC recently announced a recall of Internet-connected devices, the cited recall involved a product that posed an actual injury to consumers. CPSC action based on a non-physical injury, such as invasion of privacy, would be breaking new ground, but manufacturers, distributors, and retailers of IoT and other connected products should continue to watch for new developments and consider the potential safety issues associated with the products.

On June 28, the FTC and National Highway Traffic Safety Administration (NHTSA) brought together a variety of stakeholders including regulators, automakers, software companies, and consumer groups to discuss connected cars, including current innovations and challenges in the field of data privacy. Acting FTC Chairwoman Maureen Ohlhausen opened the day by asserting that regulators will need to show “humility” in trying to understand the risks associated with connected cars. However, she emphasized that the FTC will still use its enforcement authority against those who misuse consumer data, while taking care not to conflict with NHTSA’s oversight efforts. Terry Shelton, acting executive director of NHTSA, agreed with these goals.  The day’s panels focused on three main themes:

Safety – Fewer Accidents, Better Recall Compliance, and Privacy

Connected cars are expected to be able to decrease accidents and traffic fatalities. According to Terry Shelton, Acting Executive Director of NHTSA, 94% of fatal car accidents are due to human error. Additionally, both Shelton and Acting FTC Chairwoman Ohlhausen emphasized that the number of automobile-related fatalities has risen considerably in recent years.

It is less clear what happens when the artificial intelligence (AI) systems responsible break down. As cars become better able to make decisions on their own, the question of liability when a mistake occurs will be brought to the forefront. However, connected cars may increase compliance with safety recalls as self-driving cars may bring themselves into the shop for repair, and manufacturers will more easily be able to trace automated cars that have not been updated. The panel also discussed whether consumers should be allowed to opt out of sharing safety data and whether safety concerns may be used as excuses to collect information for commercial use.

Data – Notice and Consent, Types and Use of Data

As is the case with all connected devices, data collection and use presents many questions. Current technology allows devices to use driving patterns to detect drowsy driving, but newer devices will use biometric data for this purpose.  Depending on how the data is gathered, mechanisms for consumer notice and consent remain a challenge.

Stephen Pattison of ARM offered three important categories of data that may be taken from connected vehicles. The first is information linking the user to the vehicle. He asserted that this is the most sensitive information, and should be controlled by the consumer. The second is information that is brand sensitive, and may be of interest to competitors. This also includes information about individual components of the car. It will be up to the manufacturer how and when this information is shared. The third category is non-identifying information such as road conditions. This information is useful for other companies and law enforcement to use under some agreement that outlines the terms of use.

Panelists noted that the information produced by these vehicles is not encrypted or anonymized, as doing so would destroy the value of the data. It is important for the car or car system to be able to understand why a mistake occurred, or be able to make choices using very granular data, and share that data either with itself or in vehicle to vehicle communications to make other cars smarter and more able to make those decisions as well.

After-market products that are purchased by consumers and voluntarily placed into their cars are also collecting data. These include devices such as remote start, backup cameras, or an insurance dongle. While there is more consumer acknowledgement that these devices will be tracking personal information, the panelists at the workshop were in general agreement that more information should be given to consumers in clear and concise ways to enable them to make informed choices.

Security and Privacy – It’s Not If, But When A Breach Will Happen

One phrase that was repeated during the conference was: it is not a question of if, but when a breach will happen. Carrie Morton of the University of Michigan’s Mcity automated-vehicle research center explained that consumers are often “okay with the tradeoff” of exposing their personal driving information if they see a benefit. However, there is some information that even the most connected of drivers do not want exposed. While it may be true that consumers care less about who has their data than what is being done with it, this cannot be mistaken for a lack of care concerning data privacy in general.

Earlier this year, NHTSA released a set of best practices to protect connected cars against cyberattacks and data breaches. These included a push for earlier integration of breach detection, a feature which Jeff Massimilla of GM said they are building into their cars from the beginning. NHTSA will look to the FTC for support in enforcing these regulations. There was also support from some panelists for harsher FTC sanctions for those that unlawfully access or re-identify anonymized data, as the data will likely be easy to de-anonymize.

*          *          *

We’ll continue to follow these issues and related connected product developments here at Ad Law Access.

 

Summer Associate Carmen Tracy contributed to this post. Ms. Tracy is not a practicing attorney and is practicing under the supervision of principals of the firm who are members of the D.C. Bar.

On Monday, the FTC submitted comments to the draft National Telecommunications and Information Administration (NTIA) guidance intended to improve Internet of Things (IoT) device security and increase consumer transparency. While recognizing the benefits (and proliferation) of IoT devices, the Commission’s comments caution that such benefits can only be realized when device manufacturers both incorporate – and adequately inform consumers of – reasonable security measures.

The comments begin by highlighting several “lessons learned” from FTC enforcement actions involving IoT devices such as home security cameras, baby monitors, and smart TVs. Specifically, the Commission explains that such actions emphasize the need for manufacturers to take reasonable security measures and to continuously manage security risks. The comments, in addition, note the several policy initiatives, consumer and business educational materials, and company-specific guidance (in lieu of enforcement) intended to assist IoT manufacturers with device security.

The Commission also recommends several changes to the NTIA guidance’s “Elements of Updatability”:

  • Edits to “Key Elements” Prior to Purchase – The Elements of Updatability recommend three pre-sale “key elements”: (1) disclosure of whether the device can receive security upgrades, (2) disclosure of how the device receives such upgrades, and (3) the anticipated timeline for the end of security support. The FTC recommends that manufacturers disclose the minimum support period, rather than an anticipated timeline, as well as disclose if the device will lose functionality or become highly vulnerable when security support ends.
  • Edits to “Additional Elements” Before or After Purchase – The FTC adds several “additional elements” that manufacturers should consider conveying to consumers, either before or after purchase. Such additional elements include (1) adopting a uniform notification method to, for example, notify consumers of updates (if updates are not automatic); (2) enabling consumers to sign up for affirmative security support notifications that are separate from marketing communications; and (3) providing real-time notifications when support is about to end.
  • Omission of One “Additional Element” – The FTC also advises omission of the “additional element” describing the update process, explaining that such description imposes costs on manufacturers with little benefit to consumers who can “feel overburdened by choice and ignore critical information.”

Please join Kelley Drye in 2017 for the Advertising and Privacy Law Webinar Series. Like our annual in-person event, this series will provide engaging speakers with extensive experience and knowledge in the fields of advertising, privacy, and consumer protection. These webinars will give key updates and provide practical tips to address issues faced by counsel.

This webinar series will commence January 25 and continue the last Wednesday of each month, as outlined below.

January 25, 2017 | February 22, 2017 | March 29, 2017 | April 26, 2017 | June 28, 2017
July 26, 2017 | September 27, 2017 | October 25, 2017 | November 29, 2017

Kicking off the series will be a one-hour webinar on “Marketing in a Multi-Device World: Update on Cross Device Tracking” on January 25, 2017 at 12 PM ET. For more information and to register, please click here. CLE credit will be offered for this program.

The Digital Advertising Alliance (DAA) recently announced that enforcement of its guidance on cross-device tracking (the “Application of the DAA Principles of Transparency and Control to Data Used Across Devices”) is set to begin on February 1, 2017. Originally published in November 2015, the guidance was intended to clarify how the DAA’s Core Principles of notice and choice should be applied to cross-device tracking.

And for those of you who have not read through the guidance recently, or at all, here is a quick summary:

Transparency: The privacy policy must disclose the fact that data collected from a particular browser or device may be used with another computer or device that is linked to the browser or device on which such data was collected, or transferred to a non-affiliated third-party for such purposes. The notice should also include a clear and prominent link to a disclosure that either (1) links to the industry-developed website or choice mechanism that provides the consumer with choices over these practices, or (2) individually lists the third-parties that are engaged in cross-device tracking.

Consumer Control: Consumers must have the ability to exercise choice (i.e., an opt-out mechanism) concerning cross-device tracking.

Although the DAA published the guidance last year, it has delayed enforcement to allow companies time to come into compliance. The guidance on cross-device tracking will be independently enforced by the Council of Better Business Bureaus (CBBB) and the DMA (formerly the Direct Marketing Association), which provide ongoing independent oversight of the DAA Principles.

What does this mean for you?  If you are actively engaging in cross-device tracking, or have implemented beacons or other technologies that permit cross-device tracking to occur on your website or app, be sure that your privacy policy and other public-facing materials provide consumers with appropriate notice and choice about your cross-device tracking practices.
