This week, after a seemingly endless year of construction, my family and I moved into our new, energy-efficient home. As I was in the kitchen unpacking, my daughter cried out, somewhat dramatically, “Mama, come here …. The thermostat is watching me…” Whereupon she proceeded to demonstrate this by waiting until the thermostat went dark and then walking toward it, causing it to awaken. Being a seasoned privacy and e-discovery lawyer, I responded with equal drama, “Of course dear … We are living in the age of the Internet of Things.” She was unimpressed with my knowledge. But it did get me to thinking. Isn’t e-discovery hard enough without worrying about the Internet of Things (“IoT”)?
The IoT seems to have popped up everywhere around us. Bob Gohn at Navigant has a great background piece on the IoT as well as a piece on the types of devices that make up the IoT and the security risks they create. But in layman’s terms, the IoT refers to all the devices that collect data through the use of sensors and connect to the internet that are not traditionally thought of as computing devices. It is exemplified not just by my nifty thermostat, but also by the FitBit, Google Glass, and even that smart parking meter that tells the meter reader when to come give you a ticket. The IoT is so pervasive in fact that the term is used interchangeably with the term the “Internet of Everything” and is expected to eclipse the market for traditional computing devices.
Certainly privacy and data security issues related to the IoT are legion. Given the ubiquity of the IoT, there is little doubt that it is only a matter of time until issues over devices that make up the IoT arise in regulatory enforcement proceedings and litigation. In fact, late last year, the FTC announced that it had its eye on the consumer risks presented by the IoT by filing a seven-page complaint against TRENDnet, a company that sells internet-connected cameras. The FTC complaint, which was settled just a few weeks ago by consent order, alleged that TRENDnet’s practices failed to provide reasonable security “to prevent unauthorized access to sensitive information, namely the live feeds from the IP cameras.” And just in case this enforcement activity wasn’t enough of a signal of its interest in the IoT, the FTC presented a workshop on the IoT, Internet of Things – Privacy and Security in a Connected World, late last year as well.