Senators to push privacy, security legislation for IoT

11.02.2015
Some Democratic senators want new laws that mandate security and privacy measures on the Internet of Things, as concern grows over personal data collected by connected devices.

Several Democratic members of the Senate Commerce, Science and Transportation Committee said Wednesday they are exploring legislation that would enforce privacy and security standards for connected devices. Senator Edward Markey, a Massachusetts Democrat, plans to introduce a bill that will focus on security standards and the data collected by connected automobiles.

This week, Markey released a report saying that most auto manufacturers selling vehicles in the U.S. have "massive holes" in their data security. Only two of 16 car companies that responded to information requests from Markey's office said they have capabilities to respond to a hacking attack in real time, he said during a hearing.

New cars are now "computers on wheels," Markey said, and hacked vehicles can be dangerous.

"A small vulnerability or error in coding can lead to a catastrophic consequence for drivers, passengers and pedestrians," he said. "Thieves no longer need a crowbar to break into your car -- they just need a smartphone."

Markey's legislation will require that makers of wireless access points on connected cars use penetration testing technologies and that collected data be encrypted. The legislation will also require that the car manufacturer or a security vendor be able to detect and respond to hacking attempts in real time.

The bill will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation.

Car companies that can build software to track vehicle performance and other information "should have the same geniuses in those companies to build in protection for security and privacy," Markey said. "If you can figure out an algorithm that sends information around the world in the blink of an eye, you should be able to figure out an algorithm that provides consumers the security and privacy they need."

Representatives of auto makers didn't testify during the hearing. The Alliance of Automobile Manufacturers, a trade group, said it has not yet fully reviewed Markey's report, but its members take several steps to protect security and to tell customers about the data they collect.

"Automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers," the group said in a statement.

Other Democrats in the hearing also suggested they are open to new legislation addressing the privacy and security of the IoT. The IoT industry is projecting huge growth by collecting customer data, and Congress needs to "find that balance" between the industry's data collection and customer privacy, said Senator Joe Manchin, a West Virginia Democrat.

More transparency about the kinds of data IoT devices are collecting is also needed, said Senator Richard Blumenthal, a Connecticut Democrat who plans to cosponsor Markey's connected cars bill. Congress should explore legislation that more easily allows consumers to file class-action lawsuits for data breaches, he said.

Congress should also consider legislation that requires companies to follow best practices in cybersecurity, said Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology. While the U.S. Federal Trade Commission has brought dozens of data security complaints against companies, it is facing court challenges on its authority to do so, he noted.

Several speakers at the hearing brought up recent concerns about the ability of smart TVs to capture conversations via their voice command features. Brookman also mentioned the cases where hackers have taken over webcams and broadcast videos online.

Congress, while considering a national breach notification law, should expand the consumer data covered by notifications to include nonfinancial information held in online accounts, he said. "Internet of Things devices reveal really sensitive stuff about us," Brookman added.

While some committee Democrats said they will explore legislation, representatives of the IoT industry urged Congress to go slow. Consumer confidence in the IoT is important, "but we must not overregulate in a way that would stifle innovation," said Michael Abbott, a general partner in the venture capital firm Kleiner Perkins Caufield & Byers.

Most of the panel's majority Republicans, and a handful of Democrats, agreed. The IoT is in early stages of its growth, and Congress shouldn't rush in to regulate, they said.

"Let's treat the Internet of Things with the same light touch that has caused the Internet to be such a great American success story," said Senator John Thune, a South Dakota Republican and committee chairman. "We should let consumers and entrepreneurs decide where IoT goes, rather than setting it on a Washington, D.C., directed path."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is grant_gross@idg.com.
