FTC suggests ways to make fitness trackers, other devices, safer and more secure
FTC filed comments in response to a request put out by the federal Consumer Product Safety Commission (CPSC). The comments were put together by FTC’s Bureau of Consumer Protection (BCP).
The BCP staff in its comments emphasized that poor security among Internet of Things (IoT) devices might create technology-related hazards associated with the loss of critical safety function, loss of connectivity, or degradation of data integrity. As examples, BCP postulated that a car’s braking system might fail if infected with malware, or carbon monoxide or fire detectors could stop working if they lose their internet connection.
In the devices used in the nutrition industry, possible hazards might include faulty data collection that could lead to skewed nutrition recommendations. Or confidential personal medical data could be compromised.
Reasonable security—not perfection—is the goal
BCP said that consumers must be willing to accept a limited amount of risk associated with these devices in order to enjoy the many benefits they provide.
“Requiring IoT devices to have perfect security would deter the development of devices that provide consumers with the safety and other benefits discussed above. Conversely, insecure devices can erode consumer trust if consumers cannot rely on the safety and security of their device. Companies that manufacture and sell IoT devices must take reasonable steps to secure them from unauthorized access,” the bureau wrote.
BCP noted that FTC has already provided a wealth of guidance to IoT manufacturers. For example, the comments state, “In its staff report from 2015 on the Internet of Things, the FTC made several recommendations for security best practices, including recommendations that companies conduct risk assessments, test their security measures before launching their products, train employees on security, and monitor products throughout their life cycle.”
The comments said that FTC has also recommended that, while mobile device manufacturers have made progress in making security updates easier for consumers to manage, more still needs to be done. In addition, the agency recommended that manufacturers tell consumers when a given device will no longer be supported with further safety and security upgrades.
The comments also recommended ways for CPSC to encourage consumers to sign up for security updates and product recalls. BCP further recommended that, if CPSC does consider instituting any overarching regulation on IoT safety and security, the rule should “be technology-neutral and sufficiently flexible so that it does not become obsolete as technology changes.”
Claims on devices are like any other claim
Attorney Ivan Wasserman, manager of the Washington, DC office of the law firm Amin Talati Upadhye, said the comments are fully in accordance with FTC’s mission, and provide additional oversight in an emerging area of the nutrition/technology interface.
“Everyone in the industry should know by now that the FTC prohibits false or misleading claims for dietary supplements. What they may not know is that its consumer protection mandate extends far beyond that, and recently has been very focused on privacy and data security,” he said.
“While most of the action has been related to actual websites and apps, it is not surprising that it is also concerned about anything connected to the internet that could be vulnerable.
“For our industry, that could apply to wearable fitness trackers, connected exercise equipment and monitors, and who knows what else that will come along in the future. Companies must maintain reasonable security programs and of course any claims they make about the security of their devices must be truthful and not misleading,” Wasserman added.