Internet of Things (IoT)

On August 1, 2017, the Senate introduced the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017”, which aims to bolster the security of government-acquired IoT devices.  Sponsored by Sens. Mark Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-OR), and Steve Daines (R-MT), the bill would require connected devices purchased by the government agencies to be patchable, rely on industry standard protocols, not use hard-coded passwords, and not contain any known security vulnerabilities.

The bill would also require each executive level agency head to inventory all connected devices used by the agency.  OMB and DHS would establish guidelines for the agencies based on DHS’s Continuous Diagnostics and Mitigation (CDM) program.  Specifically, the bill directs OMB to develop alternative network-level security requirements for devise within limited data process and software functionality.  It also directs DHS to issue guidelines regarding cybersecurity coordinated vulnerability disclosure policies to be required by contractors providing connected devices to the U.S. Government.  Finally, researchers would be exempted from liability under the Computer Fraud and Abuse Act and the Digital Millennium Copyright Act when engaging in good-faith research pursuant to adopted coordinated vulnerability disclosure guidelines.

This legislation follows calls for more security and standards addressing IoT devices to further safeguard information from potential attacks. For example, the Government Accountability Office (GAO) recently recommended that the Department of Defense update its policies to address IoT risks that leave them vulnerable to attacks.  In addition, Trump’s executive order on cybersecurity called for reports with recommendations to reduce the threat of botnets and other automated distributed attacks.

In a press release, Senator Warner, co-chair of the Senate Cybersecurity Caucus (SCC), states that the bill would provide “thorough, yet flexible guidelines for Federal Government procurements of connected devices.”  In the same statement, the SCC’s co-chair, Sen. Garner, states the bill would “ensure the federal government leads by example and purchases devices that meet basic requirements to prevent hackers from penetrating our government systems.”

To view the introduced legislation, click here.

To view the public statement, click here.

To view the fact sheet summary, click here.

Today, Vizio, Inc., agreed to pay $2.2 million to settle charges by the FTC and the New Jersey Attorney General that it installed software on its Smart TGVS to collect viewing data on 11 million consumer televisions without the consumers’ knowledge or consent. The $2.2 million payment includes a $1.5 million payment to the FTC, and a $1 million payment to the New Jersey Division of Consumer Affairs, although $300,000 will be suspended and vacated after 5 years upon compliance with the order.   In a concurring statement, Commission Ohlhausen supported the order, but questioned the FTC’s allegation that individualized television viewing activity falls within the definition of sensitive information.

The 2014 complaint alleged that Vizio and an affiliate company manufactures smart TVs that capture second-by-second information about video displayed on the Smart TV, including video from consumer cable, broadband, set-top box, DVD, over-the-air broadcasts, and streaming devices.  In addition, Vizio facilitated the integration of specific demographic information (e.g., sex, age, income, marital status, household size, educational level, home ownership, household value, etc.) to the viewing data.  Vizio then sold the information to third parties, who used it for various purposes, including targeted advertising to consumers across devices.

According to the complaint, Vizio touted its “Smart Interactivity” features that “enables program offers and suggestions”, but failed to inform consumers that the settings also enabled the collection of consumer’s viewing data. The complaint alleges that Vizio’s data tracking, – which occurred without viewer’s informed consent – was unfair and deceptive. The Complaint charges that the Defendants participated in deceptive and unfair acts in violation of Section 5 of the FTC act, and similar charges under the New Jersey Consumer Fraud Act, in connection with the unfair collection and sharing of consumers’ Viewing Data and deception concerning their “Smart Interactivity” features.

As part of the settlement, Vizio stipulated to a federal court order that:

  • Requires Vizio to prominently disclose and obtain affirmative express consent of its data collection and sharing practices;
  • prohibits misrepresentations about the privacy, security, or confidentiality of consumer information they collect;
  • requires Vizio to delete data collected before March 1, 2016; and
  • requires Vizio to implement (and review biennially) a comprehensive data privacy program.

In a concurring statement, Commissioner Ohlhausen supported Count II of the complaint, alleging that Vizio deceptively omitted information about its data collection and sharing program.  However, she expressed concern about the implications of Count I, which alleged that granular (household or individual) television viewing activity is sensitive information, and that sharing this viewing information without consent causes or is likely to cause  a “substantial injury” under Section 5 of the FTC Act.  Although Commissioner Ohlhausen acknowledged that there may be good policy reasons to consider such information, she states that the statute does not allow the FTC to find a practice unfair based primarily on public policy, and that this case demonstrates “the need for the FTC to examine more rigorously what constitutes ‘substantial injury” in the context of information about consumers. Ohlhausen indicated that she will launch an effort in the coming weeks to examine this issue further.

To view the stipulated order, click here.

To view Commissioner Ohlhausen’s concurring statement click here.