As the number of Internet-connected devices people use in their homes and on their bodies expands dramatically, so, too, does the conversation about how to keep those machines secure.
So far, the debate has largely focused on technology companies' ability to secure them and regulators' push to ensure they have proper privacy protections in place.
But panelists at Thursday’s Security of Things Forum from both the US government and private sector stressed that the industry must do even more to meet the needs of consumers. It can be difficult for consumers to fully understand the privacy implications of the devices they use, and consumers aren’t able to keep up with security updates as the Internet of Things becomes more complex, panelists said.
“Security, privacy – it’s something consumers can’t figure out,” Julie Brill, commissioner of the Federal Trade Commission, told the Cambridge, Mass., event hosted by The Security Ledger and Passcode.
Although new models of personal devices are on the market with strengthened or advanced security measures, Ms. Brill said, consumers continue to use old versions that the company no longer supports with software updates – and they may not realize how that leaves them far less secure.
To take some of the onus for device security off consumers, the FTC released “Start with Security” in June, a security best-practice guide for businesses. The guide suggests 10 ways businesses can improve their overall security and the security of apps and devices they create. The government can also help enforce best security practices in the space, Brill said.
For instance, in 2014, the FTC took action against TRENDnet, a home security camera company, because it did not secure customers’ video feeds. The videos could be viewed by people who had the camera’s Web address. The FTC found that TRENDnet did not engage in reasonable security practices and ordered the company to establish a security program to examine security risks and conduct third-party audits for 20 years.
As connected devices become more mainstream, however, the privacy implications of the data they collect also get more complicated, said Peter Lefkowitz, chief privacy officer at GE. Consumers are familiar with personal devices such as an iPhone that collect personal data, he said. But they might not think of the security or privacy repercussions that stem from using connected medical devices – such as CT scans – or realize the machines can share the information they collect.
While these devices and the data they collect can be beneficial for medical advances, they can collect sensitive medical details that can create a detailed picture of a person, Mr. Lefkowitz said. Understanding the kinds of data collected and used by widespread devices, he said, are “important areas of development for society.”
Washington policymakers also face a learning curve. Those seeking to protect consumers’ security and privacy when it comes to the Internet of Things must also be careful not to damage innovation by instating overly broad regulations, said Andrea Matwyshyn, a law professor at Northeastern University.
“In this case, we need a regulatory scalpel, not a regulatory axe,” Ms. Matwyshyn said.
Ultimately, it could come down to consumers’ own needs and preferences. Some might prefer that certain devices are not connected to the Internet. Just because connective capabilities can be added doesn’t mean they should be, Matwyshyn said. “It’s the ‘better with bacon’ problem.”