A Federal Trade Commission staff report concludes that any specific Internet of Things (IoT) privacy or data security legislation would be "premature" but suggests more general legislation could be helpful. The commission vote to approve the report was 3-0.
That came in comments to the National Telecommunications & Information Administration, which is collecting input on the upsides, downsides, and government's role in the increasingly net-connected world.
The report does recommend general security and privacy legislation and "broad-based, technology-neutral" privacy legislation.
It says such legislation is needed given the ubiquity of information collection and the need to protect health and safety, including breach notification requirements so consumers will know if a door lock or car info system has been breached, for example, whether or not any personal information is taken.
The FTC's view on interoperability mandates is mixed. While the staffers say standardization may be pro-competitive if it eliminates costs for switching products or moving data between services, the government must take precautions to ensure that the standard-setting process is not used to stifle competition by biasing one set of members with an economic interest in doing so.
"False or misleading representations or other anticompetitive abuse of collaborative standard setting can reduce competition, minimize the role of consumers, and potentially lock-in existing technological approaches to the detriment of innovation and consumers," the report said.
The report also said that, even with safeguards, the standard could reduce competition from different technologies, and said "in some settings," marketplace competition among those technologies may be the better course.
It also said that marketplace competition could prove a better way to protect information.
"[D]ifferent and competing technical approaches to interoperability may provide stronger privacy and data security benefits to consumers compared to a marketplace with a single interoperability standard," it said.
The FTC also pointed out that, even without legislation, companies that do not provide reasonable security for information could be violating the FTC Act prohibition on unfair and deceptive practices.
Back in 2013, in its first IoT-related case, the FTC settled with TRENDnet over allegedly unsecured monitors that allowed anyone to access them, hack them and post the feed on the web.