Will Regulation of the “Internet of Things” Fall to the States?

There’s a busy world all around us that goes relatively unnoticed much of the time but that could soon be a major focus of government regulation. It’s called the Internet of Things, or IoT, and although it has dominated the attention of the tech industry for the last several years, many in the general public still don’t know what it is or have even heard of it.

 

“Nobody knows what this is, but yet it’s incredibly important,” said U.S. Sen. Brian Schatz (D-Hawaii) at an IoT policymaking event in Washington, D.C. in December hosted by the Center for Data Innovation, as reported in Government Technology. “The reality is that while few people know what IoT is, they are already exposed to it when they cross the street or wash their hands.”

 

As a concept, the “Internet of Things” has been around since the early 80s, when a group of students in the Computer Science department at Carnegie Mellon University wired up a Coke machine to the Internet to keep tabs on its inventory. But there still isn’t a widely accepted definition of what the IoT actually is, according to a report released last month by the Federal Trade Commission. A working definition may be that it is the rapidly-growing network of physical devices -- from cable TV boxes and refrigerators to wearable medical devices and traffic lights -- that can connect to the Internet. It enables home thermostats to automatically adjust to weather forecasts, doctors to remotely monitor patients’ heart rates and stoplights to adapt to local traffic patterns.

 

The FTC report said experts estimate there will be 25 billion such devices in operation this year and twice that number by 2020. A story by Katy Bachman last January in Adweek, placed the latter figure even higher, between 50 billion and 75 billion, which she said would “create 13 quadrillion connections to the Internet and generate 200 exabytes of data a year.” To put that into perspective she noted the Library of Congress houses 5 exabytes of data.

 

That enormous volume of data has sounded alarm bells in Washington.

 

“We’re now in a world where data is being collected all the time,” FTC Commissioner Edith Ramirez said at the 11^th annual State of the Net conference last month, according to The Verge. “We’re bringing these devices into our homes, into what used to be private spheres, and the data that is being generated is increasingly much more sensitive.”

 

The FTC’s report, titled The Internet of Things: Privacy and Security in a Connected World, which was based on a workshop the agency conducted in Nov. 2013, stated that while participants generally agreed the IoT offered “potentially revolutionary” benefits to consumers, they also noted it “presents a variety of potential security risks that could be exploited to harm consumers by: (1) enabling unauthorized access and misuse of personal information; (2) facilitating attacks on other systems; and (3) creating risks to personal safety.”

 

“Participants also noted that privacy risks may flow from the collection of personal information, habits, locations, and physical conditions over time,” the report said. “In particular, some panelists noted that companies might use this data to make credit, insurance, and employment decisions.”

 

The security and privacy threat posed by IoT devices has already been demonstrated. Last summer researchers at the University of Michigan found that networked traffic signals were susceptible to cyberattacks. And in 2012 hundreds of home security cameras and baby monitors were hacked and their video streams posted on the Internet. That cyberattack led to the FTC’s first action against the purveyor of an IoT device, the marketer of the baby monitors, TRENDnet, which ultimately reached a settlement with the agency under which it agreed to beef up its security practices.

 

Despite the evidence of such threats, the FTC’s position, according to its report, is that “legislation at this stage would be premature,” aside from “strong, flexible, and technology-neutral federal legislation to strengthen [Congress’] existing data security enforcement tools and to provide notification to consumers when there is a security breach,” for which the agency has been advocating since at least 2012.

 

The bulk of the FTC’s recommendations lean toward self-regulation. The report states, for example, that IoT companies “should build security into their devices at the outset, rather than as an afterthought” and “limit the data they collect and retain.” It also advises that those companies give consumers choice in what data they share and notify them when there is a security breach.

 

The FTC’s light-handed approach is guided by a desire to avoid stifling innovation and economic growth.

 

“We should adopt a regulatory regime that allows technology, even disruptive technology, to thrive,” FTC Commissioner Maureen Ohlhausen said at last year’s International Consumer Electronics Show (CES), according to Adweek. “Success of the Internet has been driven by the freedom to experiment even in the face of unease. It’s vital that government approach the Internet of things with regulatory humility.”

 

President Barack Obama has called for federal legislation to protect against cyberattacks, including a bill requiring companies to notify consumers within 30 days of discovering a data breach that their personal information may have been compromised, like what the FTC has been seeking for years. With the recent high-profile cyberattack at Sony, some form of that measure could finally happen.

 

But states haven’t been willing to just sit around and wait for Congress to act on the issue. Every state but three -- Alabama, New Mexico and South Dakota -- has already enacted its own data breach notification law, according to the National Conference of State Legislatures. And even if Congress passes such a law, there are plenty of other facets of the issue for states to focus their attention on, such as consumer privacy. By NCSL’s count, for instance, 15 states have enacted laws, which, among other things, prohibit the downloading of information from motor vehicle event data recorders, or “black boxes,” without the consent of the vehicle owners or policyholders (see Bird’s eye view).

 

At the Center for Data Innovation’s Dec. 4 event entitled “How Can Policymakers Help Build the Internet of Things?” U.S. Sen. Deb Fischer (R-Nebraska) advised, “policymakers can’t bury their heads in the sand and pretend this technological revolution isn’t happening, only to wake up years down the road and try to micromanage a fast-changing, dynamic industry.” Many state lawmakers likely share that view.

 

-- By KOREY CLARK

 

States take action on Mental Health First Aid

During the 2013-14 legislative year, 14 states enacted bills related to Mental Health First Aid - CPR-like training to help emergency personnel, teachers and others recognize and respond to mental health disorders - according to the National Council for Behavioral Health. The enactments in 11 of those states appropriated funding for the training. MHFA-related legislation was also considered but failed in seven states.

 

Source: National Council for Behavioral Health

 

Legend:

 

Passed legislation related to MHFA in 2013-14 session: Arizona, Colorado, Connecticut, Illinois, Indiana, Maryland, Michigan, Minnesota, Nebraska, New York, Oklahoma, Texas, Virginia, Washington

 

MHFA-related legislation failed: Alaska, Florida, Mississippi, Massachusetts, New Jersey, Tennessee, Wisconsin

 

OK Dem Wants to Eliminate Straight-Party Voting

Oklahoma Sen. J.J. Dossett (D) has filed a bill (SB 9) that would do away with straight-party voting in the state.

 

“I think it is unnecessary to have the straight-party option,” he said. “I think it is something that might have had value in the past when people couldn’t inform themselves on the candidate and vote.”

 

Dossett also said his filing of the bill wasn’t motivated by last month’s election. But 56.4 percent of the state’s voters who went with the straight-party option in the 2012 general election were Republicans, a ratio that increased to 59.7 percent in 2014 and 62 percent on Nov. 8. And University of Oklahoma Political Science Department Chair Keith Gaddie said he doesn’t believe the bill has a chance of being approved by the state’s Republican-controlled Legislature.

 

Oklahoma is one of only 10 states that allow straight-party voting, according to the National Conference of State Legislatures. (TULSA WORLD)

Electronic Voting Experts Express Concern About Wireless Voting Machines

A group of 30 researchers, activists and scientists signed a letter this month urging the federal government to issue an official warning to states that use voting machines with integrated wireless technology that the machines are vulnerable to hacking. The voting machine experts said they had “grave concerns” that such manipulation could “wreak havoc on an election.”

 

Sarah Revell, a spokeswoman for Florida’s Department of State, defended her state’s use of such machines, saying they “are not connected to the internet” and “that when transmitting election data everything is encrypted and authenticated.”

 

But Andrew W. Appel, a computer scientist at Princeton University, said a “modem talking through the cell phone network really is more connected to the internet than they like to think.”

 

He said hackers could use a portable cell tower, known as a Stingray, to intercept the wireless signals or use an internet-linked cellular network to introduce malicious code into the machines.

 

“If you can talk to that modem, and if there are any security flaws in the voting machine software that talk through that modem, then the voting machine could be confused into installing new software that changes the vote,” he said. (MCCLATCHY DC)

Public Access To Police Body Cam Footage Hot Issue In States

Twenty-one states have passed laws governing public access to police body camera footage, according to CNN and the Reporters Committee for Freedom of the Press. A few of those measures, including North Carolina HB 972, were signed into law in the last few months. Legislation concerning access to body camera footage is also pending in another 13 states.

 

Source: CNN, Reporters Committee for Freedom of the Press