Is Washington Ready for the Internet of Things?

By wirelessly connecting nearly every device we use, from refrigerators to cars, the Internet of Things is creating a brand-new digital universe that’s full of both promise and peril. And once again, Washington is playing catch-up.

This illustration can only be used with the Brendan Sasso piece that originally ran in the 2/28/2015 issue of National Journal magazine.
National Journal
Brendan Sasso
Feb. 27, 2015, 12:02 a.m.

Mem­bers of Con­gress are known for many qual­it­ies, but tech­no­lo­gic­al savvy has sel­dom been one of them. “We have folks who still print out sched­ules, who aren’t al­ways re­ly­ing on devices,” says Rep. Su­z­an Del­Bene of Wash­ing­ton, a Demo­crat and former Mi­crosoft ex­ec­ut­ive who’s a not­able ex­cep­tion. The halls of Con­gress are among the last places in Amer­ica where you can still see the oc­ca­sion­al flip phone in use, wiel­ded by the likes of Sen. Charles Schu­mer, the New York Demo­crat. The old-school tend­en­cies of sen­at­ors and rep­res­ent­at­ives have of­ten left them play­ing catch-up as the In­ter­net has blos­somed — and as wor­ries about pri­vacy rights and se­cur­ity risk (the Sony Pic­tures hack, any­one?) have mul­ti­plied.

On Feb. 11, however, the Sen­ate Com­merce Com­mit­tee ap­peared to be right on time when Chair­man John Thune, the South Dakota Re­pub­lic­an, gaveled open the first con­gres­sion­al hear­ing on what, he said, “may be the most im­port­ant trend in tech­no­logy.” That trend is the “In­ter­net of Things,” the buzzy term for a fast-ex­pand­ing uni­verse of “smart” ap­pli­ances, house­hold and work­place ob­jects, art­icles of cloth­ing, and cut­ting-edge devices — from fit­ness brace­lets and cof­fee­makers to cars and heart mon­it­ors — that are wire­lessly con­nec­ted to the In­ter­net. It won’t be long, ex­perts say, be­fore prac­tic­ally every product we use is con­nec­ted.

Nat­ur­ally enough, the new gad­gets of­ten in­spire a “gee whiz” re­sponse: Cars that can talk to each oth­er and avoid ac­ci­dents! Ap­pli­ances that an­ti­cip­ate my needs! But with all its po­ten­tial be­ne­fits for health, safety, and con­veni­ence, the In­ter­net of Things is also rais­ing alarms. Smart homes and devices are gen­er­at­ing oceans of fresh in­form­a­tion for data brokers to mon­et­ize — and for ad­vert­isers, hack­ers, gov­ern­ment agen­cies, in­sur­ance com­pan­ies, and pro­spect­ive em­ploy­ers to tap in­to. Tales of se­cur­ity breaches hit the head­lines with grow­ing reg­u­lar­ity. The week­end be­fore Con­gress’s first for­ay in­to this brave new world, 60 Minutes re­por­ted on hack­ers who’ve found that they can seize con­trol of con­nec­ted cars, po­ten­tially al­low­ing them to hi­jack your brakes or steer your vehicle in­to on­com­ing traffic. Just a day be­fore the hear­ing, the tech­no­logy gi­ant Sam­sung had been forced to “cla­ri­fy” the pri­vacy policy at­tached to its smart TVs, which had omin­ously warned that view­ers’ con­ver­sa­tions could be shared with an un­named “third party.”

“The prom­ise of the In­ter­net of Things must be bal­anced with real con­cerns over pri­vacy and the se­cur­ity of our net­works,” Sen. Bill Nel­son of Flor­ida, the Com­merce Com­mit­tee’s rank­ing Demo­crat, said at the hear­ing. Point­ing to the Sam­sung flap, Nel­son warned that “Big Broth­er may really be listen­ing to us.” His fel­low Demo­crat, Sen. Ed­ward Mar­key of Mas­sachu­setts, voiced his wor­ries about the po­ten­tial for cy­ber­at­tacks on con­nec­ted cars, which he said were be­com­ing “com­puters on wheels” with in­ad­equate pro­tec­tions for se­cur­ity and safety. “Thieves no longer need a crow­bar to break in­to your car, they just need a smart­phone,” Mar­key said; worse, hack­ers con­trolling a vehicle go­ing 60 miles per hour could have cata­stroph­ic con­sequences. Mar­key touted a bill he’d just in­tro­duced, with Sen. Richard Blu­menth­al, a Con­necti­c­ut Demo­crat, that would dir­ect the Na­tion­al High­way Traffic Safety Ad­min­is­tra­tion and the Fed­er­al Trade Com­mis­sion to set se­cur­ity and pri­vacy reg­u­la­tions for smart cars.

Mar­key sees that as the tip of an in­ev­it­able new reg­u­lat­ory ice­berg. “The In­ter­net of Things, as it in­trus­ively in­jects it­self in­to all as­pects of life, is ul­ti­mately go­ing to res­ult in Amer­ic­ans in­sist­ing on more pro­tec­tions,” he told me after the hear­ing. “I think it’s in­ev­it­able that stronger laws are go­ing to be placed on the books. It’s only a ques­tion of time.”

That time may not come soon, however, if it’s up to Mar­key and Nel­son’s fel­low Com­merce Com­mit­tee mem­bers. For these sen­at­ors, the great­er risk is that European-style reg­u­la­tions could squelch a wildly luc­rat­ive ar­ray of new in­ven­tions and ap­plic­a­tions. “Let’s tread care­fully be­fore we con­sider step­ping in with a ‘gov­ern­ment knows best’ men­tal­ity that could halt in­nov­a­tion and growth,” Thune said. “Let’s treat the In­ter­net of Things with the same light touch that has caused the In­ter­net to be such a great Amer­ic­an suc­cess story.”

Sen. Cory Book­er, a New Jer­sey Demo­crat with close ties to Sil­ic­on Val­ley dat­ing back to his days at Stan­ford Uni­versity, nod­ded to “le­git­im­ate fears” over the dangers and po­ten­tial ab­uses of new tech­no­lo­gies, but likened them to the anxi­et­ies that al­ways ac­com­pany such break­throughs. People must have been sim­il­arly ter­ri­fied, he said, when air­planes first began tak­ing flight. But gov­ern­ment didn’t get in the way then, he said, and it shouldn’t now. “We should be do­ing everything pos­sible to en­cour­age this and noth­ing to re­strict it,” he said.

High-tech boos­t­er­ism is a bi­par­tis­an af­fair in Wash­ing­ton. Thune had called the hear­ing at the re­quest of Book­er and Sens. Kelly Ayotte, a New Hamp­shire Re­pub­lic­an; Deb Fisc­her, a Neb­raska Re­pub­lic­an; and Bri­an Schatz, a Hawaii Demo­crat. Those sen­at­ors, like their House col­leagues who re­cently formed a “Con­gres­sion­al In­ter­net of Things Caucus,” are primar­ily con­cerned with en­sur­ing that the gov­ern­ment helps the In­ter­net of Things to grow and thrive. “I’m really con­cerned about gov­ern­ment get­ting in the way,” Fisc­her said. “Sure, there are con­cerns out there, but I don’t want to see all the ex­cite­ment that’s with the In­ter­net of Things move over­seas.”

Be­neath the fa­mil­i­ar-sound­ing battle lines — pro­ponents of reg­u­la­tion squar­ing off against free-mar­ket cham­pi­ons — there is, not sur­pris­ingly, broad con­sensus on some ba­sic themes: the need to pro­tect con­sumers’ pri­vacy, for in­stance, and to fend off a whole new wave of dev­ast­at­ing hacks like the one North Korea al­legedly used to bring Sony to its knees last year or the 2013 in­cid­ent in which 40 mil­lion Tar­get cus­tom­ers had their cred­it-card num­bers stolen. The ques­tion, though, is how. And it’s a com­plic­ated chal­lenge, to put it mildly. After all, says Adam Thier­er, a liber­tari­an who’s a seni­or fel­low at the Mer­catus Cen­ter at George Ma­son Uni­versity, “the In­ter­net of Things lies at the cen­ter of what we might con­sider a per­fect storm of pub­lic policy is­sues: pri­vacy, safety, se­cur­ity, in­tel­lec­tu­al prop­erty, spec­trum, tech­nic­al stand­ards, auto­ma­tion con­cerns, po­ten­tial labor dis­rup­tions, and more.”

Agen­cies that over­see pieces of the In­ter­net of Things — the Fed­er­al Avi­ation Ad­min­is­tra­tion, the Food and Drug Ad­min­is­tra­tion, NHTSA — can work up new rules and stand­ards for par­tic­u­lar products, and they are. But the In­ter­net of Things is not merely a col­lec­tion of new gad­gets. It prom­ises to ush­er in a whole new way of life — one of wire­less, screen-free con­nectiv­ity that will change the way we brush our teeth, mon­it­or our chil­dren, drive our cars, cook our meals, and do our work. It in­spires both uto­pi­an vis­ions and dysto­pi­an fears. Piece­meal, be­hind-the-scenes, agency-by-agency de­lib­er­a­tion doesn’t quite do justice to the massive policy im­plic­a­tions at play. What’s needed in­stead, it seems clear, is broad, sus­tained en­gage­ment with the is­sue in Con­gress and in Wash­ing­ton as a whole.

Like most Amer­ic­ans, however, mem­bers of Con­gress are largely still dip­ping their toes in­to the In­ter­net of Things, with a mix­ture of won­der and worry. Mean­while, what Joe Hall of the Cen­ter for Demo­cracy & Tech­no­logy calls our “for­ay in­to a net­worked civil­iz­a­tion” blasts ahead at laser speed.

(Adolfo Valle)

THE INTERNET OF THINGS is the latest frontier in the development of the digital sphere. Speaking in January at the World Economic Forum in Davos, Switzerland, Google Executive Chairman Eric Schmidt raised eyebrows by predicting that, before long, the Internet will “disappear.” He didn’t mean that we won’t be connected in the future; rather, he said, pretty much everything will be connected, to the extent that we stop even thinking about the Internet as an entity. “There will be so many I.P. addresses, … so many devices, sensors, things that you are wearing, things that you are interacting with, that you won’t even sense it,” Schmidt said. “It will be part of your presence all the time.”

The In­ter­net of Things — or, as Cisco Sys­tems’ CEO prefers, the “In­ter­net of Everything” — is already here, but it’s ex­pec­ted to ex­plode over the next few years. Not even count­ing com­puters, tab­lets, and smart­phones, there will be 30 bil­lion con­nec­ted devices by the end of the dec­ade, ac­cord­ing to the re­search firm IDC. Those devices, the firm pre­dicts, could be gen­er­at­ing up­ward of $3.04 tril­lion in glob­al rev­en­ue by then.

Au­thor, so­cial the­or­ist, and con­sult­ant Jeremy Ri­fkin, who last year pub­lished The Zero Mar­gin­al Cost So­ci­ety: The In­ter­net of Things, the Col­lab­or­at­ive Com­mons, and the Ec­lipse of Cap­it­al­ism, is among those who fore­tell sweep­ing en­vir­on­ment­al, eco­nom­ic, and so­cial be­ne­fits. “It’s go­ing to al­low the hu­man race, po­ten­tially, to en­gage in a new plat­form that can demo­crat­ize eco­nom­ic life and cre­ate a much more eco­lo­gic­ally based civil­iz­a­tion,” he told me re­cently. The In­ter­net of Things will ul­ti­mately re­duce the costs of many products to nearly noth­ing, Ri­fkin be­lieves. He pre­dicts a fu­ture in which con­sumers can sell their sur­plus en­ergy back to the elec­tri­city grid and can trade products ef­fort­lessly us­ing de­liv­ery sys­tems of drones and driver­less cars. “That means more of us are us­ing less of the re­sources of the Earth,” he says, “and we’re re­dis­trib­ut­ing them over and over in the shar­ing com­mons.” That, Ri­fkin be­lieves, will fun­da­ment­ally trans­form the very nature of cap­it­al­ism.

Amer­ic­ans have be­gun to get a taste of the In­ter­net of Things’ life-en­han­cing po­ten­tial — if not, by any means, the de­mise of cap­it­al­ism. Mil­lions have pur­chased smart watches and fit­ness-track­ers like Fit­bits. Google’s Nest al­lows cus­tom­ers to ad­just their home’s tem­per­at­ure based on the own­ers’ habits, keep­ing them com­fort­able and re­du­cing elec­tric bills. Con­nec­ted Crock-Pots are al­low­ing people to start cook­ing din­ner while they’re still at work. And par­ents are keep­ing track of their chil­dren, not only with mon­it­or­ing cam­er­as they can tune in­to from any­where, but even with con­nec­ted socks.

Those socks are the in­ven­tion of new fath­er Kurt Work­man, whose com­pany, Ow­let, makes a wire­less health mon­it­or that slips onto a baby’s foot. “I wish I could be up all night, mak­ing sure that he’s OK and check­ing on him every five minutes,” Work­man says. “But you’ve got to sleep even­tu­ally.” Ow­let is mar­keted to par­ents con­cerned not only about get­ting some shut-eye, but also about the ap­prox­im­ately 4,000 sud­den in­fant deaths that oc­cur every year. The sock mon­it­ors ba­bies’ heart rates and oxy­gen levels as they sleep; an alarm sounds on par­ents’ smart­phones if the child stops breath­ing. Par­ents can also check the Ow­let data to see how their baby slept the pre­vi­ous night. The data is up­loaded and stored on Ow­let’s serv­ers, which Work­man says could one day give med­ic­al re­search­ers a trove of data on in­fant health.

Ow­let may be a boon to par­ents’ peace of mind, but the sort of data col­lec­tion that Work­man touts is keep­ing civil liber­tari­ans and pri­vacy ad­voc­ates up at night. What be­comes of all the per­son­al in­form­a­tion that the In­ter­net of Things is gath­er­ing and col­lect­ing?

The new tech­no­lo­gies will greatly ac­cel­er­ate the growth of “big data.” The troves of ever-more-per­son­al, ever-more-de­tailed in­form­a­tion about us all could be ex­traordin­ar­ily help­ful to sci­ent­ists and re­search­ers. Doc­tors will be able to ana­lyze ag­greg­ated data from health mon­it­ors to learn more about dis­eases, for in­stance, po­ten­tially lead­ing to life-sav­ing in­nov­a­tions. Urb­an plan­ners can use data from cars and homes to study en­ergy con­sump­tion and traffic pat­terns, help­ing them make cit­ies more ef­fi­cient and liv­able.

But big data is also a big busi­ness — one that’s grow­ing as fast as the uni­verse of con­nec­ted “things” it in­creas­ingly draws from. Data brokers such as Acx­iom, Data­logix, and Ex­peri­an have long col­lec­ted de­tailed in­form­a­tion about in­di­vidu­als drawn from a gamut of sources — from pub­lic re­cords to so­cial-me­dia habits — to re­pack­age and sell. (Sen. Mar­key, nev­er one to mince words, calls them “pri­vacy-reap­ers for profit.”) The in­form­a­tion is used for tar­geted ad­vert­ising, iden­tity checks, and even snoop­ing by em­ploy­ers and ex-lov­ers. Now, with in­form­a­tion from smart sensors and devices, a car-in­sur­ance com­pany might not just know how many ac­ci­dents and traffic vi­ol­a­tions you’ve had, but what time of the day you drive, how fast you tend to go, and how of­ten you slam on your brakes. Health-in­sur­ance com­pan­ies could base rates on data gleaned from fit­ness track­ers. Po­ten­tial em­ploy­ers can have a lot more than résumés and ref­er­ences on which to base their hir­ing de­cisions.

This supersized big data will have its more benign uses, too. Netflix’s recommendation engine, for instance, could attune itself according to data about our environments and bodies. Shawn DuBravac, chief economist of the Consumer Electronics Association, predicts that Netflix will want to partner with Internet of Things companies to see how many people are in a room, how dark it is, and what the temperature is. A smart watch could monitor a person’s heart rate to tell Netflix what mood the person is in. “Netflix might see that it’s dark inside, that you’re alone, that you’re lying down, that you’re depressed, that it’s cold, and say, ‘Hey, Nicholas Sparks plays great in this environment. You might really like this,’” DuBravac says.

But what if you don’t like it? “If you have a feel­ing someone is watch­ing you every time you flush your toi­let or run your dish­wash­er, that’s a new level of in­tru­sion that we haven’t seen be­fore,” says Jay Stan­ley, a seni­or policy ana­lyst for the Amer­ic­an Civil Liber­ties Uni­on. The In­ter­net of Things will make it harder to keep one’s private life private.

Already, most people don’t both­er to read web­site pri­vacy policies — but at least there is something to read. Many of the new devices are small and don’t even have screens, mak­ing it more dif­fi­cult to in­form users about what sorts of in­form­a­tion might be col­lec­ted, or to ob­tain their con­sent. Cur­rently, many In­ter­net of Things products rely on the own­er’s smart­phone as a cent­ral con­trol­ler. So just like mo­bile apps can use pop-up win­dows to get con­sent for loc­a­tion track­ing, In­ter­net of Things devices can send alerts to people’s phones when they’re about to col­lect sens­it­ive in­form­a­tion. But con­nec­ted devices will in­creas­ingly un­teth­er them­selves from phones.

“How do you give in­formed con­sent to a sock?” asks Al­varo Bedoya, the ex­ec­ut­ive dir­ect­or for the Cen­ter on Pri­vacy and Tech­no­logy at Geor­getown Uni­versity. “I don’t know.”

Be­cause much of the mon­it­or­ing will take place in the back­ground, cus­tom­ers are less likely to real­ize their data is be­ing col­lec­ted. You’re prob­ably aware that you’ve provided a lot of data about your­self on so­cial-me­dia sites like Face­book, but the In­ter­net of Things will be a con­stant and ubi­quit­ous pres­ence that many of us won’t even think about. When you’re not ac­tu­ally de­cid­ing what in­form­a­tion to share, you’re nat­ur­ally less guarded about what you’re shar­ing. You’ll also know less about who you might be shar­ing it with.

The up­shot is clear enough: “Soon, everything we do, both on­line and off­line, will be re­cor­ded and stored forever,” se­cur­ity tech­no­lo­gist Bruce Schnei­er, a fel­low at the Berkman Cen­ter at Har­vard Uni­versity, wrote in 2013. “The only ques­tion re­main­ing is who will have ac­cess to all this in­form­a­tion, and un­der what rules.”

LAST APRIL IN HEBRON, KEN­TUCKY, Adam and Heath­er Schreck were awakened at mid­night by the sound of a man’s voice in their 10-month-old daugh­ter’s room. “Wake up, baby!” the voice was yelling. Adam rushed in­to the room, but no one was there. Then the fam­ily’s baby-mon­it­or­ing cam­era pivoted to look straight at him, and the same voice began holler­ing “some bad things [and] some ob­scen­it­ies,” as he told a loc­al Fox TV sta­tion. Adam quickly un­plugged the cam­era, but quiet­ing the voice did little to soothe his nerves. Clearly, a stranger (or strangers) had been watch­ing his fam­ily through the cam­era, but he had no idea who it was or how long they’d been tuned in.

Chase Rhymes, the chief operating officer of Foscam, which made the camera, says his company wasn’t to blame. The Schrecks, he says, failed to change the camera’s default password from “admin,” making it easy prey for hackers, who could just look up the online manual and find the default setting. Foscam has subsequently altered its security regime, requiring customers to change the default password before the cameras will work. “I think the story really is that, in the Internet of Things and the connected home, your home is more vulnerable now than it was prior,” Rhymes says.

The Schrecks’ wake-up call was hardly an isolated incident. “You only need to pick up a newspaper to read about a new breach,” says Edith Ramirez, chairwoman of the Federal Trade Commission, the chief federal agency responsible for consumer-privacy protection. The FTC’s first Internet of Things enforcement action, in September 2013, brought suit against a home-camera company called TRENDnet for using flawed software that allowed anyone with a camera’s Internet address to watch its video feed online — even if a customer was using a strong password. A hacker had made the flaw public by posting the live feeds of nearly 700 private cameras. TRENDnet settled the lawsuit, agreeing to overhaul its security practices, pay for regular outside audits, and not to misrepresent the security of its cameras again.

While the pro­spect of be­ing sur­veilled by an­onym­ous hack­ers is down­right creepy, the se­cur­ity risks go far bey­ond the pri­vacy in­tru­sions of wired Peep­ing Toms. Be­cause con­nec­ted devices are of­ten net­worked to­geth­er through Wi-Fi or Bluetooth, a single vul­ner­ab­il­ity — on a cam­era, a car, or even a sock — could be­come the entry point to ac­cess all of a per­son’s in­form­a­tion. “It’s like the camel’s nose un­der the tent,” says Manee­sha Mith­al, the head of the FTC’s Di­vi­sion of Pri­vacy and Iden­tity Pro­tec­tion. “If a hack­er can ac­cess one part, they can get in­to the whole sys­tem.”

Be­cause so many con­nec­ted gad­gets will be con­sidered dis­pos­able, Mith­al says, they may be even more vul­ner­able than com­puters and smart­phones. A com­pany mak­ing smart light bulbs or tooth­brushes may not put much thought in­to se­cur­ity or plan to ever re­lease se­cur­ity up­dates. “People who are com­ing out with these in­nov­at­ive products might not have as much of a back­ground in se­cur­ity as people who are do­ing com­puter soft­ware,” Mith­al says. “So it’s not as ma­ture on the se­cur­ity front.”

It’s not just con­sumer products like cam­er­as and socks that are vul­ner­able. Dan Tentler, cofounder of the com­puter se­cur­ity firm Car­bon Dy­nam­ics, demon­strated at a hack­er con­fer­ence in 2012 that he could use Shodan — a search en­gine that scans the In­ter­net for con­nec­ted devices — to take con­trol of build­ing power sys­tems, pres­sur­ized wa­ter heat­ers, a car wash, and a wind-tur­bine farm. He was even able to ac­cess a sys­tem con­trolling city traffic lights; as Tentler logged in­to the traffic sys­tem, it dis­played a warn­ing that chan­ging the set­tings could cause people to die.

“This scares the liv­ing shit out of se­cur­ity folks,” says Joe Hall. “The po­ten­tial for things to go wrong is so many or­ders of mag­nitude great­er than [with] just the reg­u­lar In­ter­net.” Hack­ers could open gar­age doors across the whole coun­try, switch off crit­ic­al med­ic­al devices, or set mil­lions of ovens on full heat, caus­ing some to catch fire. (“The clean cycle on an oven that goes up to 900 de­grees is a pretty good ex­ample of something that should re­quire someone to be phys­ic­ally present,” Hall says.)

It’s not just the ste­reo­typ­ic­al hack­er in a base­ment who could cause hav­oc, of course; hos­tile for­eign gov­ern­ments like North Korea, or­gan­ized crime syn­dic­ates, or ter­ror­ist groups like the Is­lam­ic State can also look for vul­ner­able devices — not just to re­mote-con­trol them and freak Amer­ic­ans out, but to ac­cess more sens­it­ive sys­tems. As the Sony in­cid­ent showed, this is any­thing but an out­land­ish scen­ario. “I guar­an­tee you that the next wave of ser­i­ous hacks will be around the In­ter­net of Things,” Hall says. Adam Segal, a seni­or fel­low study­ing cy­ber­se­cur­ity at the Coun­cil on For­eign Re­la­tions, be­lieves that con­nec­ted cars will make par­tic­u­larly en­ti­cing tar­gets; state-sponsored hack­ers could at­tack a cent­ral serv­er to cut the brakes on thou­sands of cars at once — or to go after a par­tic­u­lar per­son. (Re­cog­niz­ing this kind of danger, Vice Pres­id­ent Dick Cheney had the wire­less tech­no­logy in his pace­maker dis­abled in 2007 to en­sure that it couldn’t be used for an as­sas­sin­a­tion at­tempt.)

For­eign hack­ers may be more eager to ex­ploit con­nec­ted devices for sur­veil­lance rather than sab­ot­age. Amer­ic­an of­fi­cials have com­plained for years that China has been spy­ing on U.S. com­pan­ies to gain an eco­nom­ic edge. In 2011, the U.S. Cham­ber of Com­merce re­vealed that its sys­tems had been breached by Chinese hack­ers; The Wall Street Journ­al re­por­ted that the ther­mo­stat in a Cham­ber-owned apart­ment on Cap­it­ol Hill was com­mu­nic­at­ing with an In­ter­net ad­dress in China. For­eign spies could use the In­ter­net of Things to build port­fo­li­os on par­tic­u­larly power­ful Amer­ic­ans, says Jim Lewis, a seni­or fel­low at the Cen­ter for Stra­tegic and In­ter­na­tion­al Stud­ies. They could even dig up in­form­a­tion to use as black­mail or co­er­cion, he warned.

“It’s the same story we’ve seen all along with the In­ter­net, which is huge eco­nom­ic op­por­tun­it­ies ac­com­pan­ied by a def­in­ite in­crease in risk,” Lewis says. When the In­ter­net first star­ted, many com­pan­ies fo­cused on build­ing their products and figured they could deal with se­cur­ity later. The In­ter­net of Things “is a tre­mend­ous op­por­tun­ity,” Lewis says, “but it has to be dif­fer­ent than the last time. We have to think about se­cur­ity. It takes a while for Wash­ing­ton to fig­ure out ‘What is this? How do I fit in­to this?’ … I think that’s the point we’re ap­proach­ing.”

YOU’D HAVE A HARD TIME find­ing any­body in Wash­ing­ton — mem­bers of Con­gress, reg­u­lat­ors, even ad­voc­ates of sweep­ing and strict pri­vacy rights — who would mount a ser­i­ous ar­gu­ment that the gov­ern­ment should even at­tempt to ap­ply the brakes on the In­ter­net of Things. The be­ne­fits, both to eco­nom­ic growth and to every­day Amer­ic­ans’ qual­ity of life, are simply too vast, too un­deni­able. What will be hotly de­bated — what’s already spark­ing ar­gu­ments on Cap­it­ol Hill — is how to reg­u­late the flow of per­son­al in­form­a­tion and sens­it­ive data from “smart” devices in a way that pre­vents pub­lic safety, pri­vacy rights, and na­tion­al se­cur­ity from be­ing dan­ger­ously com­prom­ised.

Ac­tu­ally, the ques­tion is not only how to reg­u­late, but when. Should Con­gress, and the vari­ous fed­er­al agen­cies that over­see por­tions of the In­ter­net of Things, be set­ting re­stric­tions now — or take a wait-and-see ap­proach, step­ping in only after calam­it­ies, or near-calam­it­ies, oc­cur? Thier­er, the liber­tari­an schol­ar at George Ma­son Uni­versity, is among those who warn against any “pree­mpt­ive strike” by the feds; the key to eco­nom­ic growth, he ar­gues, is en­cour­aging “per­mis­sion­less in­nov­a­tion” that al­lows en­tre­pren­eurs to ex­per­i­ment with new products, un­fettered by wor­ries about fed­er­al reg­u­la­tion. After all, that’s how the ori­gin­al In­ter­net was built. “Con­gress and the Clin­ton ad­min­is­tra­tion craf­ted a very sens­ible frame­work for In­ter­net and elec­tron­ic com­merce,” Thier­er says, “and it worked out mar­velously.”

FTC Chair­wo­man Ramirez, on the oth­er hand, con­tends that stronger reg­u­la­tions could be a boon to the more far-flung In­ter­net of Things. Re­call­ing the TREND­net case, with its hacked home cam­er­as, she says: “The fam­il­ies who are im­pacted by that are go­ing to be rightly cau­tious the next time they con­sider bring­ing an In­ter­net of Things device in their home. It’s in­cid­ents like that, the se­cur­ity flaws, that I think will slow down the ad­op­tion of the In­ter­net of Things.”

New rules for spe­cif­ic pieces of the In­ter­net of Things are be­ing rolled out by mul­tiple fed­er­al agen­cies — the FAA is work­ing on air-safety reg­u­la­tions for drones, for in­stance, while the FDA has already re­leased guidelines for pro­tect­ing wire­less med­ic­al devices from hack­ers. But the FTC is the chief fed­er­al cop for the su­per-con­nec­ted world. Un­like oth­er agen­cies, which can only set “sec­tor-spe­cif­ic” stand­ards for in­dus­tries that fall un­der their pur­view, the FTC can go after com­pan­ies across the spec­trum. But it’s a re­l­at­ively small agency, with few­er than 1,200 em­ploy­ees, and its en­force­ment powers are lim­ited; it can only crack down on busi­ness prac­tices that fit a leg­al defin­i­tion of “un­fair” or “de­cept­ive.”

If a maker of “things” vi­ol­ates a prom­ise in its pri­vacy policy, the FTC can take ac­tion. Typ­ic­ally, the agency asks a fed­er­al court to or­der com­pan­ies to change prac­tices and to pay for reg­u­lar ex­tern­al audits for years to come. Those court or­ders can also im­pose hefty fines for re­peat vi­ol­a­tions. But as long as a com­pany isn’t flat-out ly­ing, there are few re­stric­tions on what it can do with a per­son’s in­form­a­tion. The FTC has in­ter­preted its power over “un­fair” prac­tices to mean that com­pan­ies have to em­ploy “reas­on­able” se­cur­ity meas­ures, but even that stand­ard is cur­rently be­ing chal­lenged in the courts.

In Janu­ary, the FTC re­leased a mod­est set of new guidelines for the In­ter­net of Things and also asked Con­gress to grant it au­thor­ity to levy fines for first-time vi­ol­at­ors (which is highly un­likely to hap­pen). The new stand­ards re­com­mend that tech com­pan­ies take steps to en­sure se­cur­ity be­fore they put products on the mar­ket, and that they lim­it the amount of data they col­lect to al­low cus­tom­ers to make “in­formed choices” about their pri­vacy. Tech­nic­ally, ad­her­ence to the stand­ards is vol­un­tary, though the FTC can use them to help identi­fy which com­pan­ies are be­ing “un­fair” or “de­cept­ive.” The FTC doesn’t have the ca­pa­city to go after every po­ten­tial of­fend­er, but its cases are de­signed to send warn­ings to oth­ers. “We want to in­flu­ence the be­ha­vi­or out there,” says Ramirez. The agency’s greatest worry, says Mith­al, is “un­der-de­terrence”: “We’ve seen re­ports that com­pan­ies of­ten don’t even main­tain the most ba­sic se­cur­ity meas­ures. I think that some com­pan­ies may be will­ing to take the risk that there’s a breach as a cost of busi­ness.”

To strengthen its hand con­sid­er­ably, the FTC also asked Con­gress to pass sweep­ing on­line pri­vacy le­gis­la­tion that would give con­sumers much more con­trol over their in­form­a­tion. The United States has no law guar­an­tee­ing a broad right to pri­vacy. That con­trasts sharply with the European Uni­on, which passed a far-reach­ing “Data Pro­tec­tion Dir­ect­ive” in 1995, es­tab­lish­ing sev­en pri­vacy-pro­tec­tion prin­ciples that busi­nesses are re­quired to fol­low — and that con­sumers can in­sist busi­ness ad­here to. (The strict­ness of the mod­el is im­me­di­ately ob­vi­ous the mo­ment that one vis­its just about any European web­site; a large ban­ner on every page dis­closes how the site tracks the user’s activ­ity.)

In 2012, the Obama ad­min­is­tra­tion out­lined a “Con­sumer Pri­vacy Bill of Rights” — a set of sev­en prin­ciples for how on­line com­pan­ies should handle per­son­al in­form­a­tion. There has been little sup­port in Con­gress for such a meas­ure, but the White House is poised to make an­oth­er push: It will soon re­lease le­gis­lat­ive lan­guage for the “bill of rights” in an at­tempt to jump-start dis­cus­sions.

Even many pri­vacy ad­voc­ates think that such an am­bi­tious law — with all its un­sa­vory “European” con­nota­tions — is a non­starter. “Nev­er will a con­sumer pri­vacy bill of rights pass Con­gress,” Bedoya says. “All I think most pri­vacy ad­voc­ates want is for people to be in­formed about what data is be­ing col­lec­ted, and what’s be­ing done with it, and to have a choice about it. All folks want are some ba­sic rules of the road.”

One ba­sic rule the FTC and White House want has a real chance to see day­light in Con­gress: “breach no­ti­fic­a­tion” to con­sumers when their data is stolen or hacked. This is one se­cur­ity meas­ure strongly backed by busi­nesses, who’d prefer a fed­er­al stand­ard to the cur­rent patch­work of state no­ti­fic­a­tion laws. The House Com­merce, Man­u­fac­tur­ing, and Trade Sub­com­mit­tee has already held hear­ings on the top­ic, and Chair­man Mi­chael Bur­gess calls breach no­ti­fic­a­tion a “top pri­or­ity” for his pan­el. Sen. Thune also says he wants to move a no­ti­fic­a­tion law through the Sen­ate. Oth­er­wise, the bills that may have the best chance will be stand-alone meas­ures to reg­u­late In­ter­net of Things products that are caus­ing wide­spread wor­ries among the pub­lic.

Once again, though, Wash­ing­ton is largely play­ing catch-up with di­git­al pro­gress. The good news is that, com­pared with the earli­er in­carn­a­tions of the In­ter­net, when Wash­ing­ton stayed “ana­log” long past the point when most of the coun­try was fully wired, those who call for stronger cy­ber­se­cur­ity meas­ures are cau­tiously op­tim­ist­ic: Hey, at least they’re talk­ing about it. But un­less (or, some would say, un­til) the dark­er fears of se­cur­ity ex­perts and pri­vacy doom­say­ers ma­ter­i­al­ize, Wash­ing­ton’s lais­sez-faire at­ti­tude will con­tin­ue to pre­vail. This is Amer­ica, after all, where lurch­ing boldly for­ward in the name of profit — and with new tech­no­logy that prom­ises to make every­one’s lives easi­er and bet­ter — is the mod­us op­erandi. Even a wide­spread out­break of for­eign hack­ers shout­ing at ba­bies, caus­ing smart cars to ini­ti­ate pileups, or fir­ing up toast­ers en masse won’t change that bed­rock philo­sophy any time soon.
