The Internet of Things & Wearable Technology: An Overview of Key Issues & Policy Concerns Adam Thierer Senior Research Fellow Mercatus Center at George Mason University Last updated September 2015
Feb 18, 2017
The Internet of Things & Wearable Technology:An Overview of Key Issues & Policy Concerns
Adam ThiererSenior Research FellowMercatus Center at George Mason University
Last updated September 2015
2
Outline of Paper & Presentation
• Definitions • Opportunities• Key Policy Concerns (Technical vs. Social)• A Deeper Dive on Privacy-Related Concerns• Constructive Solutions• A Word about Adaptation• The Growing Conflict of Visions Ahead
3
Definitions
4
Definitions of IoT Evolving
• No consensus definition, but lots of catchphrases!– “machine-to-machine” communication– “Industrial Internet” (GE)– “Internet of Everything” (Cisco)– “ThingerNet” / “Thingerverse”
• “Smart” everything! – “smart homes,” “smart buildings,” “smart appliances,”
“smart health,” “smart mobility,” “smart cities,” “smart cars,” etc.
5
Best Definition of IoTMorrison Foerster analysts define IoT as:
“the network of everyday physical objects which surround us and that are increasingly being embedded with technology to enable those objects to collect and transmit data about their use and surroundings.”
• More simply, it’s a world were the Internet is baked into all our stuff!
6
Key Components of the IoT• Power of IoT comes from combination of:
– Faster & smaller microprocessors – Smaller & better sensors (& cameras) – More ubiquitous & robust wireless networks– Expanding cloud storage capacity– Enhanced “big data” capabilities
• It’s the miniaturization of everything that matters– both in terms of device size & cost
• = the long-desired “seamless web” of connectivity now exists
7
Just How Connected?• ABI Research: estimates that there are more than 10
billion wirelessly connected devices in the market today and more than 35 billion devices expected by 2019
• Cisco: by 2019, 40 billion intelligent things will be connected & communicating
• IDC: predicts far greater penetration of 212 billion installed devices by 2020
8
9
The Economic Opportunity
10
Estimated Economic Impact of IoT
• McKinsey Global: $3.9 trillion to $11.1 trillion potential economic impact per year by 2025
• IDC: compound annual growth rate of 7.9% between now & 2020, to reach $8.9 trillion
• Cisco: IoT will create $14.4 trillion in value between 2013 and 2022
11
Many Subsectors, Many Players
12
13
14
“Wearables” = Most Important IoT Category
• = IoT that is worn on body• “quantified self” movement growing• Unsightly today (think “Google Glass”), but
will literally be sewn into our clothes in future (“sensor-rich fabrics”) & largely invisible
• Becoming “lifestyle remotes” to automate our lives
15
16
Sectors & Professions That Will Be Transformed by Wearable Tech
• Health Care / Surgery • Firefighting• Law enforcement• Political campaigns • Education / Instruction
• Retailing• Entertainment• Theme parks• Airlines & vacationing• Financial Services• Sports / Athletics
17
Health & Fitness Are Major Drivers
Typology of Mobile Health Technologies• Connectors: applications that connect smartphones and tablets to FDA-regulated
devices, thus amplifying the devices’ functionalities.• Replicators: applications that turn a smartphone or tablet itself into a medical device by
replicating the functionality of an FDA-regulated device.• Automators & Customizers: apps which use questionnaires, algorithms, formulae,
medical calculators, or other software parameters to aid clinical decisions.• Informers & Educators: medical reference texts and educational apps that primarily aim
to inform and educate.• Administrators: apps that automate office functions, like identifying appropriate
insurance billing codes or scheduling patient appointments.• Loggers & Trackers: apps that allows users to log, record, and make decisions about
their general health and wellness.
Source: Nathan Cortez, SMU School of Law
18
Wearable Market Growth
• Canalys: 700% growth in wearable smart bands market in the second half of 2013
• IDC: shipment volumes will exceed 19 million units in 2014, 3x prior year
• IDC: global market will swell to 112 million units in 2018, resulting in a CAGR of 78%
• + major smartphone platforms providers (Apple, Google, Microsoft, Samsung) all competing aggressively here
19
The “Sci-Fi” Future of IoT & Wearables Will Arrive Shortly
• “Implantables” = IoT implanted under skin• “Ingestibles” = IoT tech that is swallowed
• “Biohacking”= Body modification to enhance or repair human abilities – see: http://discuss.biohack.me
20
Policy Concerns:Technical vs. Social
21
Technical Issues• Access to adequate spectrum to facilitate wireless
networking capabilities?• Technical standards
– Wi-Fi, Bluetooth, near field communication, GPS– Licensed or unlicensed ?
• Device / platform interoperability – Apple vs. Android vs. what else?
• Device addressing – Will rise of IoT & wearables get IPv6 transition moving?
22
Quick Note on Technical Issues
• Technical issues were not focus of this particular paper
• That is primarily because I am actually far more optimistic we can work those issues out relative to…
23
Social Concerns(in order of current severity)
• Security• Privacy
– reputational issues– “discrimination” issues– data ownership
• Safety• Automation fears & other ethical objections
– “cyborg” concerns
24
Regulatory Interest GrowingPolicymakers Already Exploring IoT Tech
• FTC (general privacy & security)• FDA (safety of mobile medical apps & devices)• FCC (wireless issues)• FAA (commercial drones)• NHTSA (intelligent vehicle technology)• NTIA (multistakeholder privacy reviews)• Congress• Various state, local & int’l regulators (esp. in EU)
25
A Deeper Dive on Privacy & Security Concerns
26
The Coming Data Deluge• Amount of data generated & collected online today
pales in comparison to what is coming• Recall estimates of 30+ billion devices by 2020• And recall defining realities of IoT & wearable tech:
– always-on – always-sensing– always-collecting– always-communicating
• The IoT is, at once, a massive data generator & giant data vacuum cleaner
27
Ramifications for Modern Privacy & Security Policies
• “fair information practice principles” (FIPPs) will be hard to strictly apply & enforce
• FTC Chairwoman Ramirez: “the difficulties will be exponentially greater with the advent of the Internet of Things, as the boundaries between the virtual and physical worlds disappear.”
28
How IoT Challenges FIPPS• What is “adequate notice” in an always-on, always-sensing
world of billions of micro devices? • What counts as “consent” in a world of peer-to-peer self-
surveillance? – Ex: How do you get consent when using Google Glass or a “Narrative”
clip-on camera?• Transparency: How to post privacy policies when everything is
so small?• What counts as “respect for context” when everything is
being collected?• How does data minimization work for “always on” IoT &
wearables
29
IoT Also Challenges…
• Health Insurance Portability and Accountability Act (HIPAA)
• COPPA & FERPA (kids & education privacy)• GLB financial privacy• State privacy & data security laws• FDA safety standards• + wide variety of workplace issues
30
Will a Move to Use-Based Restrictions Save the Day?
• Going to be very hard to limit collection, so a move to use-based restrictions seems likely
• But which uses? – “discriminatory” uses (how defined?)– are existing discrimination statutes applicable?
• What about database access / correction?– think FCRA
• Problem of overly sweeping use restrictions – “privacy paternalism”?
31
Query: What about the First Amendment?
• First Amendment likely poses serious roadblock to more comprehensive regulation of IoT & wearables
• Volokh: “We already have a code of ‘fair information practices,’ and it is the First Amendment”
• ACLU of Illinois v. Alvarez (2012):– “The act of making an audio or audiovisual recording is
necessarily included within the First Amendment’s guarantee of speech and press rights as a corollary of the right to disseminate the resulting recording.”
• 1A might limit both collection & use-based restrictions
32
Constructive Solutions
33
A “Layered” Approach to Address Concerns
1) Developers: Privacy & security “by design” / best practices2) Consumers: Education, media literacy & tech etiquette3) Social norms, pressure & sanctions will play big role
– ex: restrictions on phones in theaters & locker rooms
4) Common law adjudication / other legal standards– privacy torts (“intrusion upon seclusion”); “Pepping Tom” laws– Products liability: strict liability / negligence, design defects law, failure to
warn, breach of warranty, etc
5) FTC (Section 5) “unfair & deceptive practices” 6) Targeted data use restrictions for sensitive classes of info
– note: existing discrimination statutes might cover some issues
34
Developer-Side SolutionsElements of Privacy / Security by Design
• Better security through encryption, anonymization / data “de-identification”
• Rolling security notices / updates / upgrades• Proper use guidelines • Better transparency re: data use/sharing
policies• Data minimization when possible • Simpler UI
35
Consumer-Side Education• Media literacy / digital citizenship /
“netiquette” • Government can be active here w/o fear of
First Amendment– PSAs / general awareness-building efforts
• ex: OnGuardOnline.gov– Classroom lessons
• Privacy curriculum (see Fordham CLIP model)
36
Liability Norms Could Evolve• Who is “least-cost avoider” who assumes liability?• As developer knowledge of potential misuses grows,
liability could shift, too– Ex: Driverless cars & insurance as cars become a service
• But will liability norms need a nudge in that direction? …
• … or, will IoT developers need protection from over-eager tort lawyers!
• Bottom line: Let product liability evolve; it has happened many times before w/ other tech.
37
FTC Role Will ContinueRecent FTC Privacy & Security Enforcement Actions
• Google• Facebook• Apple• Twitter• MySpace• HTC
• Lookout• Path• Snapchat• Fandango• Credit Karma• TrendNet
53 data security-related cases recently 20-year privacy audits for some firms + fines = is this an “FTC common law” of IoT privacy & security?
38
A Word about Social Adaptation
What Was True Before…
• Citizen attitudes about emerging technologies follow a familiar cycle:1. initial resistance (“technopanic” phase)2. gradual adaptation 3. eventual assimilation
• we have seen this cycle play out in countless other contexts
39
First We Panic, Then…
• Recall reaction to camera & photography in late 1800’s…
“Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’”
— Samuel D. Warren and Louis D. Brandeis, 1890
• But we got through it! We adjusted our societal norms and personal expectations to accommodate photography.
• Instead of rejecting cameras, we bought a lot of them! (But then learned how to use them respectfully, too.)
40
Key Takeaways• There is no end point in debates about data security
& online privacy; a never-ending challenge• IoT & wearables merely extend & exacerbate
problems we already faced in Web 1.0 & 2.0 world• silver bullet solutions don’t exist (never have, never
will)• Need to find creative ways to adapt to each new set
of challenges– individuals, institutions, law & norms all must adapt – patience & humility will be crucial policy virtues
41
42
The Grand Tech Policy Clash of Visions to Come
43
IoT andFuture Tech Flashpoints
Internet of Things• Wearable Tech• Smart Homes• Smart Cities
Health Issues• Medical Devices
• Biohacking• Embeddables• Genetic issues
• Mobile medical apps• Telemedicine
3-D Printing
Robotics• Smart cars
• Private drones• A.I.
44
Which Vision Will Govern?IoT foreshadows many other debates about emerging tech. The choice:• Permissionless Innovation = the general
freedom to experiment & learn through trial-and-error experimentation.
• Precautionary Principle = Crafting public policies to control or limit new innovations until their creators can prove that they won’t cause any harms.
45
The Heart of the DebateWhich Default for Innovation?Precautionary Principle Permissionless Innovation
risk anticipation risk adaptation
Ex ante enforcement Ex post enforcement
Preemptive top-down controls
Reactive bottom-up remedies
Innovators have to ask, “Mother, May I?”
Innovation is “innocent until proven guilty”
A Range of Responses to Technological Risk
ProhibitionCensorship
Info suppression Product bans
Anticipatory Regulation
Administrative mandatesRestrictive defaults Licensing & permitsIndustry guidance
ResiliencyEducation & Media Literacy
Labeling / TransparencyUser empowerment
Self-regulation
AdaptationExperience / Experiments
Learning / CopingSocial norms & pressure
Top-down Solutions
Bottom-up Solutions
Precautionary Principle
Permissionless Innovation
46
47
Related Mercatus Center Research• Book: Permissionless
Innovation: The Continuing Case for Comprehensive Technological Freedom • Testimony: The Connected World: Examining the Internet of Things• Analysis: Projecting the Growth and Economic Impact of the Internet of Things• Law review article: The
Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation
• Oped: How Not to Strangle the Internet of Things• Filing to FTC on Privacy and Security Implications of the Internet of Things• Law review article:
Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle
• Article: Muddling Through: How We Learn to Cope with Technological Change