How Can Policymakers and Regulators Better Engage the Internet of Things?

The Internet of Things & Wearable Technology: An Overview of Key Issues & Policy Concerns Adam Thierer Senior Research Fellow Mercatus Center at George Mason University Last updated September 2015


The Internet of Things & Wearable Technology: An Overview of Key Issues & Policy Concerns

Adam Thierer
Senior Research Fellow
Mercatus Center at George Mason University

Last updated September 2015


Outline of Paper & Presentation

• Definitions
• Opportunities
• Key Policy Concerns (Technical vs. Social)
• A Deeper Dive on Privacy-Related Concerns
• Constructive Solutions
• A Word about Adaptation
• The Growing Conflict of Visions Ahead


Definitions


Definitions of IoT Evolving

• No consensus definition, but lots of catchphrases!
– “machine-to-machine” communication
– “Industrial Internet” (GE)
– “Internet of Everything” (Cisco)
– “ThingerNet” / “Thingerverse”
• “Smart” everything!
– “smart homes,” “smart buildings,” “smart appliances,” “smart health,” “smart mobility,” “smart cities,” “smart cars,” etc.


Best Definition of IoT

Morrison Foerster analysts define IoT as:

“the network of everyday physical objects which surround us and that are increasingly being embedded with technology to enable those objects to collect and transmit data about their use and surroundings.”

• More simply, it’s a world where the Internet is baked into all our stuff!


Key Components of the IoT

• Power of IoT comes from combination of:
– Faster & smaller microprocessors
– Smaller & better sensors (& cameras)
– More ubiquitous & robust wireless networks
– Expanding cloud storage capacity
– Enhanced “big data” capabilities
• It’s the miniaturization of everything that matters
– both in terms of device size & cost
• = the long-desired “seamless web” of connectivity now exists


Just How Connected?

• ABI Research: estimates that there are more than 10 billion wirelessly connected devices in the market today and more than 35 billion devices expected by 2019
• Cisco: by 2019, 40 billion intelligent things will be connected & communicating
• IDC: predicts far greater penetration of 212 billion installed devices by 2020


The Economic Opportunity


Estimated Economic Impact of IoT

• McKinsey Global: $3.9 trillion to $11.1 trillion potential economic impact per year by 2025

• IDC: compound annual growth rate of 7.9% between now & 2020, to reach $8.9 trillion

• Cisco: IoT will create $14.4 trillion in value between 2013 and 2022


Many Subsectors, Many Players


“Wearables” = Most Important IoT Category

• = IoT that is worn on body
• “quantified self” movement growing
• Unsightly today (think “Google Glass”), but will literally be sewn into our clothes in future (“sensor-rich fabrics”) & largely invisible

• Becoming “lifestyle remotes” to automate our lives


Sectors & Professions That Will Be Transformed by Wearable Tech

• Health Care / Surgery
• Firefighting
• Law enforcement
• Political campaigns
• Education / Instruction
• Retailing
• Entertainment
• Theme parks
• Airlines & vacationing
• Financial Services
• Sports / Athletics


Health & Fitness Are Major Drivers

Typology of Mobile Health Technologies

• Connectors: applications that connect smartphones and tablets to FDA-regulated devices, thus amplifying the devices’ functionalities.
• Replicators: applications that turn a smartphone or tablet itself into a medical device by replicating the functionality of an FDA-regulated device.
• Automators & Customizers: apps which use questionnaires, algorithms, formulae, medical calculators, or other software parameters to aid clinical decisions.
• Informers & Educators: medical reference texts and educational apps that primarily aim to inform and educate.
• Administrators: apps that automate office functions, like identifying appropriate insurance billing codes or scheduling patient appointments.
• Loggers & Trackers: apps that allow users to log, record, and make decisions about their general health and wellness.

Source: Nathan Cortez, SMU School of Law


Wearable Market Growth

• Canalys: 700% growth in wearable smart bands market in the second half of 2013

• IDC: shipment volumes will exceed 19 million units in 2014, 3x prior year

• IDC: global market will swell to 112 million units in 2018, resulting in a CAGR of 78%

• + major smartphone platform providers (Apple, Google, Microsoft, Samsung) all competing aggressively here


The “Sci-Fi” Future of IoT & Wearables Will Arrive Shortly

• “Implantables” = IoT implanted under skin
• “Ingestibles” = IoT tech that is swallowed
• “Biohacking” = Body modification to enhance or repair human abilities
– see: http://discuss.biohack.me


Policy Concerns: Technical vs. Social


Technical Issues

• Access to adequate spectrum to facilitate wireless networking capabilities?
• Technical standards
– Wi-Fi, Bluetooth, near field communication, GPS
– Licensed or unlicensed?
• Device / platform interoperability
– Apple vs. Android vs. what else?
• Device addressing
– Will rise of IoT & wearables get IPv6 transition moving?


Quick Note on Technical Issues

• Technical issues were not focus of this particular paper

• That is primarily because I am actually far more optimistic we can work those issues out relative to…


Social Concerns (in order of current severity)

• Security
• Privacy
– reputational issues
– “discrimination” issues
– data ownership
• Safety
• Automation fears & other ethical objections
– “cyborg” concerns


Regulatory Interest Growing
Policymakers Already Exploring IoT Tech

• FTC (general privacy & security)
• FDA (safety of mobile medical apps & devices)
• FCC (wireless issues)
• FAA (commercial drones)
• NHTSA (intelligent vehicle technology)
• NTIA (multistakeholder privacy reviews)
• Congress
• Various state, local & int’l regulators (esp. in EU)


A Deeper Dive on Privacy & Security Concerns


The Coming Data Deluge

• Amount of data generated & collected online today pales in comparison to what is coming
• Recall estimates of 30+ billion devices by 2020
• And recall defining realities of IoT & wearable tech:
– always-on
– always-sensing
– always-collecting
– always-communicating
• The IoT is, at once, a massive data generator & giant data vacuum cleaner


Ramifications for Modern Privacy & Security Policies

• “fair information practice principles” (FIPPs) will be hard to strictly apply & enforce

• FTC Chairwoman Ramirez: “the difficulties will be exponentially greater with the advent of the Internet of Things, as the boundaries between the virtual and physical worlds disappear.”


How IoT Challenges FIPPs

• What is “adequate notice” in an always-on, always-sensing world of billions of micro devices?
• What counts as “consent” in a world of peer-to-peer self-surveillance?
– Ex: How do you get consent when using Google Glass or a “Narrative” clip-on camera?
• Transparency: How to post privacy policies when everything is so small?
• What counts as “respect for context” when everything is being collected?
• How does data minimization work for “always on” IoT & wearables?


IoT Also Challenges…

• Health Insurance Portability and Accountability Act (HIPAA)

• COPPA & FERPA (kids & education privacy)
• GLB financial privacy
• State privacy & data security laws
• FDA safety standards
• + wide variety of workplace issues


Will a Move to Use-Based Restrictions Save the Day?

• Going to be very hard to limit collection, so a move to use-based restrictions seems likely

• But which uses?
– “discriminatory” uses (how defined?)
– are existing discrimination statutes applicable?
• What about database access / correction?
– think FCRA
• Problem of overly sweeping use restrictions
– “privacy paternalism”?


Query: What about the First Amendment?

• First Amendment likely poses serious roadblock to more comprehensive regulation of IoT & wearables

• Volokh: “We already have a code of ‘fair information practices,’ and it is the First Amendment”

• ACLU of Illinois v. Alvarez (2012):
– “The act of making an audio or audiovisual recording is necessarily included within the First Amendment’s guarantee of speech and press rights as a corollary of the right to disseminate the resulting recording.”

• 1A might limit both collection & use-based restrictions


Constructive Solutions


A “Layered” Approach to Address Concerns

1) Developers: Privacy & security “by design” / best practices
2) Consumers: Education, media literacy & tech etiquette
3) Social norms, pressure & sanctions will play big role
– ex: restrictions on phones in theaters & locker rooms
4) Common law adjudication / other legal standards
– privacy torts (“intrusion upon seclusion”); “Peeping Tom” laws
– Products liability: strict liability / negligence, design defects law, failure to warn, breach of warranty, etc.
5) FTC (Section 5) “unfair & deceptive practices”
6) Targeted data use restrictions for sensitive classes of info
– note: existing discrimination statutes might cover some issues


Developer-Side Solutions
Elements of Privacy / Security by Design

• Better security through encryption, anonymization / data “de-identification”
• Rolling security notices / updates / upgrades
• Proper use guidelines
• Better transparency re: data use/sharing policies
• Data minimization when possible
• Simpler UI


Consumer-Side Education

• Media literacy / digital citizenship / “netiquette”
• Government can be active here w/o fear of First Amendment
– PSAs / general awareness-building efforts
  • ex: OnGuardOnline.gov
– Classroom lessons
  • Privacy curriculum (see Fordham CLIP model)


Liability Norms Could Evolve

• Who is “least-cost avoider” who assumes liability?
• As developer knowledge of potential misuses grows, liability could shift, too
– Ex: Driverless cars & insurance as cars become a service

• But will liability norms need a nudge in that direction? …

• … or, will IoT developers need protection from over-eager tort lawyers!

• Bottom line: Let product liability evolve; it has happened many times before w/ other tech.


FTC Role Will Continue
Recent FTC Privacy & Security Enforcement Actions

• Google
• Facebook
• Apple
• Twitter
• MySpace
• HTC
• Lookout
• Path
• Snapchat
• Fandango
• Credit Karma
• TrendNet

53 data security-related cases recently
20-year privacy audits for some firms + fines
= is this an “FTC common law” of IoT privacy & security?


A Word about Social Adaptation


What Was True Before…

• Citizen attitudes about emerging technologies follow a familiar cycle:
1. initial resistance (“technopanic” phase)
2. gradual adaptation
3. eventual assimilation

• we have seen this cycle play out in countless other contexts


First We Panic, Then…

• Recall reaction to camera & photography in late 1800’s…

“Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”

— Samuel D. Warren and Louis D. Brandeis, 1890

• But we got through it! We adjusted our societal norms and personal expectations to accommodate photography.

• Instead of rejecting cameras, we bought a lot of them! (But then learned how to use them respectfully, too.)


Key Takeaways

• There is no end point in debates about data security & online privacy; a never-ending challenge
• IoT & wearables merely extend & exacerbate problems we already faced in Web 1.0 & 2.0 world
• silver bullet solutions don’t exist (never have, never will)
• Need to find creative ways to adapt to each new set of challenges
– individuals, institutions, law & norms all must adapt
– patience & humility will be crucial policy virtues


The Grand Tech Policy Clash of Visions to Come


IoT and Future Tech Flashpoints

Internet of Things
• Wearable Tech
• Smart Homes
• Smart Cities

Health Issues
• Medical Devices
• Biohacking
• Embeddables
• Genetic issues
• Mobile medical apps
• Telemedicine

3-D Printing

Robotics
• Smart cars
• Private drones
• A.I.


Which Vision Will Govern?

IoT foreshadows many other debates about emerging tech. The choice:

• Permissionless Innovation = the general freedom to experiment & learn through trial-and-error experimentation.

• Precautionary Principle = Crafting public policies to control or limit new innovations until their creators can prove that they won’t cause any harms.


The Heart of the Debate
Which Default for Innovation?

Precautionary Principle | Permissionless Innovation
risk anticipation | risk adaptation
Ex ante enforcement | Ex post enforcement
Preemptive top-down controls | Reactive bottom-up remedies
Innovators have to ask, “Mother, May I?” | Innovation is “innocent until proven guilty”


A Range of Responses to Technological Risk

Prohibition
• Censorship
• Info suppression
• Product bans

Anticipatory Regulation
• Administrative mandates
• Restrictive defaults
• Licensing & permits
• Industry guidance

Resiliency
• Education & Media Literacy
• Labeling / Transparency
• User empowerment
• Self-regulation

Adaptation
• Experience / Experiments
• Learning / Coping
• Social norms & pressure

Range runs from Top-down Solutions (Precautionary Principle) to Bottom-up Solutions (Permissionless Innovation)


Related Mercatus Center Research

• Book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom
• Testimony: The Connected World: Examining the Internet of Things
• Analysis: Projecting the Growth and Economic Impact of the Internet of Things
• Law review article: The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation
• Oped: How Not to Strangle the Internet of Things
• Filing to FTC on Privacy and Security Implications of the Internet of Things
• Law review article: Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle
• Article: Muddling Through: How We Learn to Cope with Technological Change