JOSE, Calif. — With smart gadgets already flooding the
market and thousands more expected in coming years, the
Internet of Things is emerging amid a regulatory
breakneck pace of this technology has far outpaced the
legal system's ability to keep up with it, many
experts contend. Because of legal loopholes, consumers
often lack any right to control how long their data is
kept, who it is shared with and what is collected about
them, including such personal information as their
finances, mental health, political leanings and sexual
while ideas differ on what should be done about that,
there is widespread agreement that it will be crucial to
make sure the intimate details these devices gather on
everyone won't be strewed willy-nilly across the Web.
grew up reading Huxley and Orwell, and I believe we all
need to be sensitive to the possibility this could go
very wrong," said Bryan Goff, a lawyer who has
studied the legal issues surrounding the Internet of
Things. While believing its innovations will provide
innumerable benefits, he added, "this is a
situation where change is going to happen — there is
no stopping it. Now it's a question of doing what we
can to steer that change to the best outcome
people are wary of government mandating new rules for
smart devices. That includes Roger Atkinson, president
of the nonprofit Information Technology and Innovation
Foundation, which is partly financed by businesses,
including Google and Cisco Systems.
he believes gadget makers "have a lot of incentive
to have a trusted relationship with the consumer,"
he favors letting the industry regulate itself, adding
that "it's way, way too early" to be passing
new laws for the Internet of Things. "Let's let
it roll out a tad and keep track if anyone is abusing
many people already using such devices are perfectly
happy with them, such as 81-year-old Bill Dworsky and
his wife, Dorothy, 79. Their San Francisco home is
outfitted with sensors made by Lively, which notify
their son when they open their pill boxes or
refrigerator door, for example, to indicate whether they
are taking their medications and eating regularly.
think it's great we have this," said Dorothy
Dworsky, noting that she and her husband are getting
son, Phil Dworsky, director of strategic alliances at
Mountain View software firm Synopsys, added that he
feels confident Lively won't misuse the information it
gathers on his parents. That's because Lively
users' consent before sharing their data with anyone
and only after the information has been stripped of
personally identifiable details, which he said is
"important and reasonable to me."
consumer advocates contend companies can't always be
trusted to act in the public's interest.
favoring limits on how much data the gadgets sweep up
and retain, they want users of the devices to control
what's collected about them, who else can see it and
when it should be deleted. These critics are
particularly skeptical of corporate privacy policies,
which instead of restricting the use of consumer data
are often "written by lawyers to be as permissive
as possible," said Ryan Calo, a University of
Washington assistant law professor and expert on
South Korea-based LG Electronics. After it was lambasted
for collecting information on the programs its
television users watched — even if the users chose an
option to prevent such data collection — LG last year
termed "unprecedented control" over their
personal details. But that has triggered more complaints
that the policy now denies its customers access to some
of its smart TV services unless they permit their
viewing, voice commands and other information to be
shared with advertisers.
officials declined to comment on those criticisms. Its
denied users who balk at sharing their data, though the
company says at least one of those services is the
ability to operate the TV via voice commands.
statutes — from the Fair Credit Reporting Act to the
Children's Online Privacy Protection Act — govern
some consumer data protections. But the
information-gathering that will characterize the
Internet of Things is largely unregulated, legal experts
the Fair Credit Reporting Act limits the use of personal
information collected to determine eligibility for
credit or employment, for example, it doesn't apply to
similar information compiled for marketing purposes,
according to a study by the U.S. Government
Accountability Office. And although the Health Insurance
Portability and Accountability Act generally protects
individual health records, it doesn't cover many
Web-based businesses that amass such data.
most circumstances, information that many people may
consider very personal or sensitive legally can be
collected, shared and used for marketing purposes,"
the GAO concluded. "This can include information
about an individual's physical and mental health,
income and assets, mobile telephone numbers, shopping
habits, personal interests, political affiliations and
sexual habits and orientation" — all of which is
expected to be collected by the Internet of Things.
primary regulatory body monitoring smart gadgets is the
Federal Trade Commission. Jessica Rich, who heads the
FTC's consumer protection bureau, said policing new
data-gathering technologies "is my No. 1
the FTC concluded in a January report that passing new
laws to specifically govern the Internet of Things
"would be premature," since the technology is
still evolving. And the agency's clout is limited.
recent years, it has cited and won agreements with about
50 companies to improve their data-handling problems.
That included one Internet of Things case involving
Trendnet last year, whose Internet-linked video cameras
had faulty software that enabled hackers to secretly
view the camera's live feeds, including infants
sleeping in their cribs, according to the FTC.
none of those companies were fined by the agency, which
has limited authority to issue civil penalties and whose
workforce has shrunk from 1,746 full-time positions in
1979 to 1,176 today.
of its relative lack of punch, smart-device makers
"don't even think about" the FTC, said
Justin Brookman of the Center for Democracy and
Technology. Moreover, although the agency has asked
federal lawmakers to bolster its power to police
data-related violations, that prospect remains uncertain
a result, some experts say, regulating the Internet of
Things could fall to such states as California.
2002, California became the first state to require
companies and others hit by data breaches to notify
residents if their personal information might have been
disclosed. Last year it enacted a law restricting rented
electronic devices from gathering personal consumer data
after an FTC investigation discovered some rental
computers were secretly spying on the computers'
users. Besides surreptitiously harvesting the users'
credit card information, Social Security numbers,
medical records and private emails to doctors, the
computers' webcams took pictures inside the users'
homes, including images of them "engaged in
California law that took effect in 2014 restricts
disclosure of information about customer electrical or
natural gas usage from smart utilities. Moreover,
California is one of a handful of states that require
car owners to be told if their vehicle contains an
"event data recorder," which maintains a
detailed dossier on their driving behavior.
consumer advocates contend these and other California
laws — like those at the federal level — only
partially address privacy worries surrounding the
Internet of Things.
vehicle data-recorder law, for example, has been faulted
for leaving unclear who has the right to control
information the gadgets gather.
cars are rapidly morphing into computers with wheels,
they are also producing data on the shape and condition
of the car, how fast the car travels, use of the phone
or radio, and even where and how often a car visits a
specific location," according to a legislative
analysis of the law. "As of today, the only entity
that has access to that information is the auto
manufacturer, and whatever third party to whom they
choose to direct the information."
a bill that would have given consumers more say over
those facts died in committee last year after auto
manufacturers argued it could hinder vehicle innovation
and be difficult to implement.
also have cited numerous weaknesses in California's
pioneering "shine the light" law enacted in
2003, which requires companies with 20 or more employees
to inform consumers how their personal data is sold for
direct marketing purposes or else let them opt out of
having it shared.
by the University of California, Berkeley, the American
Civil Liberties Union and others have found that
companies covered by the law often don't properly
notify consumers of their rights and ignore inquiries
about their data gathering. Moreover, its provisions are
confusingly vague. While requiring companies to disclose
when they share personal information with "third
parties," for example, it defines those parties so
narrowly that many firms have been passing the data
along to business partners and others without notifying
consumers, the studies concluded.
a result, privacy advocates say it will be critical to
amend these laws or enact new ones to ensure that the
Internet of Things won't cause more headaches than
Richards, a law professor at Washington University in
St. Louis, believes lawmakers eventually will do more to
protect the personal data captured by the growing array
of smart gadgets. But he cautioned that "the scope
of that protection and how long it takes to get there is
absolutely up for grabs."