Moving the Internet of Things Forward Without Hard Numbers on Risks
Today’s release of the FTC’s long-awaited report on the Internet of Things concludes that connected devices are “likely to meld the virtual and physical worlds together in ways that are currently difficult to comprehend.” It’s this great unknown where it seems many of the revolutionary benefits and more abstract risks from connectivity lie. While the Future of Privacy Forum was largely supportive of the report, the separate statement of Commissioner Ohlhausen and dissent from Commissioner Wright reflect the reality that it is still early days for the Internet of Things and the path forward is not crystal clear.
Both commissioners caution the FTC against focusing on speculative harms and urge a more rigorous cost-benefit analysis. For Commissioner Ohlhausen, this perspective dictates that the Commission approach new technologies with a degree of regulatory humility, while Commissioner Wright is more blunt: “Paying lip service to the obvious fact that the various best practices and proposals discussed in the Workshop Report might have both costs and benefits, without in fact performing such an analysis, does nothing to inform the recommendations made in the Workshop Report.”
There is some merit to this criticism. At the end of the day, I always want hard numbers to back up my policy positions and lamented the fact that I often don’t have them. The problem is that when it comes to privacy – particularly privacy harms – evaluating costs is difficult. Academics have been struggling for years through efforts both serious and silly to quantify the value of privacy, and the Internet of Things appears to have only added to the perception that there are new, more abstract threats to privacy. Existing risk assessment frameworks are well geared to identify and address tangible harms, such as financial loss or security vulnerabilities, but it is much harder to measure the chilling effects, if any, of smart thermostats and televisions.
It is not sufficient to simply dismiss concerns as too abstract or inchoate. By now, it should be increasingly clear that the public’s sense that individuals have lost control over their information is problematic. It’s unclear whether the FTC alone is in the position to ensure privacy and security concerns about connectivity will not undermine public confidence in the wider Internet of Things. So what can be done?
In some spaces, the Internet of Things seems to finally open the door for companies to compete on privacy in a way that consumers can understand. The Association of Global Automakers, for example, view its recently released automotive privacy principles as a floor for its members and fully expects car companies to be able to compete on privacy, both due to our close relationships with our cars and preeminent security concerns. There are plenty of opportunities for companies to be proactive on privacy. There are already industry efforts underway to establish a baseline for how wearable devices should be treated and algorithms be governed. Recently, FPF has called for companies to engage in a more detailed and concrete analysis of the benefits of their data projects. Part of the aim of this effort is to encourage industry to develop more elaborate and more structured processes such as review panels and “consumer” IRBs that can consider seriously the ethical challenges posed by some innovative uses of data.
Beyond that, the Internet of Things promises new opportunities for users to engage with their information. Connectivity tools that offer users controls will be important not just for privacy but for basic functionality. I was pleased to see the FTC report highlight our calls for consumer profile management portals. Implemented correctly, better user dashboards will give individuals the ability to make their own decisions about what information about them is collected, used, and shared. These tools respect user autonomy and let them make their own decisions about what benefits they want – and risks they’re willing to tolerate. Better, more individualized control obviously doesn’t resolve collective privacy challenges, but it is one option to look at alongside codes of conduct, traditional benefit-risk assessments, and review mechanisms. Until we can find a better way to measure and analyze the societal value of privacy, this multi-pronged approach is the best way forward on the Internet of Things.
-Joseph Jerome, Policy Counsel
