HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Consumer Privacy

GAO Report Highlights Security, Privacy, and Governance Challenges of the Internet of Things

In May 2017, the Government Accountability Office (GAO) released a technology assessment of the Internet of Things (IoT) for Congressional members of the IoT Caucus. The GAO report offers an introduction to IoT; reviews the many uses and their associated benefits that connected devices may bring to consumers, industry, and the public sector; and highlights the potential implications of the use of IoT, including information security challenges, privacy challenges, and government oversight. The report also identifies areas of apparent consensus among experts regarding the challenges posed by IoT, though the appropriate responses are disputed. Accordingly, the report may act as a foundation for future policymaker discussions about regulating IoT.

Congressional interest in IoT has steadily grown over the years. Beginning in 2014 with a request for the Senate Committee on Commerce, Science, and Transportation to hold a hearing on the future of IoT, Senators have increasingly sought to understand the IoT space. The GAO began researching IoT technologies following a June 23, 2015 request from IoT Congressional Caucus members, U.S. Senators Brian Schatz (D-HI), Deb Fischer (R-NE), Cory Booker (D-N.J.), and then-Senator Kelly Ayotte (R-N.H.). The GAO’s report provides an introduction to IoT and answers three overarching questions: (i) what is known about current and emerging IoT technologies, (ii) how and for what purpose IoT technologies are being applied, and (iii) the potential implications of the use of IoT technologies. It studied these questions from September 2015 to May 2017.

The GAO identified ten implications regarding the use of IoT. These implications include technological and policy challenges, as well as economic impacts. The ten implications and their brief descriptions are as follows:

  • Privacy challenges derived from difficulties in providing notice, receiving consent, and limiting the collection of personal information;
  • Information security challenges stemming from the interconnected nature of the network;
  • User safety concerns related to certain uses—such as medical devices—and whether devices will function without an active internet connection;
  • Challenges in government oversight of the IoT given no single U.S. federal agency has regulatory responsibility for the IoT;
  • Difficulties in managing IoT electromagnetic spectrum;
  • The closing opportunity window to influence global initiatives related to IoT;
  • The tensions related to IoT interoperability;
  • Complications from many different standards and standards-setting organizations;
  • The economic ramifications of IoT, including industry cost-savings, new job creation, worker displacement, and the influence on market power; and
  • Other considerations such as the digital divide and electronic waste.

Key Policy Issue: Privacy Challenges

The GAO begins by explaining the OECD’s version of Fair Information Practices (FIPs), which are an internationally recognized set of principles to maintain user privacy, and which preceded the development of the Federal Trade Commission’s FIPPs. The GAO states that IoT implicates several of the FIPs. First, the FIPs call for users to receive adequate notice and consent to the collection of their data. Providing notice and consent to consumers can be more difficult with IoT as many devices lack a traditional interface to provide notice, or they collect information when the consumer is unable to read about privacy practices. Moreover, providing sufficient notice and consent to all users interacting with the device—rather than only the first user—is an unresolved issue. No consensus has emerged on how to solve this problem.

Additionally, the GAO states that organizations wishing to comply with FIPs should specify the purpose of their data collection and collect personal information only if that purpose requires doing so. If an organization intends to use the data for a different purpose, it should receive consent from the consumer. The report mentions that IoT can enable unauthorized monitoring of individuals by aggregating data from various sources, and suggests that the aggregation of this data might result in “physical, criminal, financial, or reputational harm” for consumers.

Key Policy Issue: Information Security Challenges

The GAO also devotes significant attention to information security, one of the FIPs. The report identifies the pace of IoT adoption, the lack of attention to device security, and the prevalence of cloud computing as creating unique challenges that may limit broader IoT adoption. The report states that the “growing ubiquity of IoT devices and networks may pose significant security risks,” especially as cyber threats become more sophisticated. The GAO states that the common software that IoT devices use enables the reuse of malicious code. Moreover, compromised IoT devices can relay the malware to other devices automatically. The report catalogs many types of attacks that can compromise IoT devices, including distributed denials of service, wiretapping, war driving, and malware. Exacerbating this problem, according to the report, is the absence of security best practices and standards specific to IoT. To begin addressing this problem, the report suggests considering security controls from the initial design stage, also referred to as security-by-design. However, the report acknowledges that experts remain unclear on the best method to address the problems related to interconnectedness.

The GAO additionally discusses software-related challenges, which include devices designed without the ability to update their software automatically and devices with standard default passwords that may be difficult for consumers to change. Moreover, the GAO highlights that IoT device software may have a shorter lifespan than the device itself, which may introduce further risk to the security of networks to which such devices are connected.

Another information security threat identified in the report involves the prevalence of cloud computing. While acknowledging why many companies use cloud computing, the GAO mentions that it involves inherent security threats: cloud computing requires that device operators sacrifice control over “both the physical and logical aspects” of the system, increases the possibility of unauthorized access, and takes place in a significantly more complex operating environment.

Key Policy Issue: Government Oversight Challenges

In addition to security and privacy concerns, the assessment highlights the structural difficulties in overseeing IoT. No single agency has regulatory authority over IoT, and some sector-specific authority may overlap. Moreover, some areas are common to all IoT devices, such as security and privacy. Complicating the issue of governmental oversight is that both state and federal laws and regulations may apply.

According to the report, both the executive and legislative branches of the federal government have explored two related questions: whether the government should regulate IoT, and if so, who? Within the executive branch, the National Telecommunications and Information Administration (NTIA) is exploring this issue directly. Earlier this year, the NTIA released a Green Paper that explored the technological and policy landscape of IoT, and requested additional comments on its framework. Last month, the NTIA also convened a workshop to discuss security upgradability and patching. At the time of writing this post, the NTIA has not scheduled its next workshop. Within the legislative branch, a bipartisan group of senators introduced the Developing Innovation and Growing the Internet (DIGIT) Act in 2016, which calls for the Department of Commerce to convene a working group to make recommendations to Congress on expanding IoT.

Thus far in 2017, IoT has been a key topic of discussion in the U.S. Senate, including before the Senate Committee on Homeland Security and Governmental Affairs, the Senate Energy and Natural Resources Committee, and the Senate Committee on Commerce, Science, and Transportation. Other Congressional activities regarding IoT include the establishment of a Bipartisan House Internet of Things working group, the re-introduction of the DIGIT Act, and the Senate Cybersecurity Caucus inquiring about cybersecurity threats related to IoT.

* * *

Moving forward, clients should expect continued regulatory and legislative attention on IoT security and privacy challenges. While experts disagree on the appropriate response, the GAO report makes clear that some consensus has emerged around the need for improving IoT security and meeting consumer expectations for privacy. The GAO report suggests on several occasions that further IoT proliferation might be limited if these problems remain unaddressed.

Filippo Raso in our Washington, D.C. office also contributed to this post.