Sarabia 1

Joe Sarabia
CST 300
February 16, 2016

The Internet of Things (IoT) has great potential to deliver on the promise of a hyper-

connected lifestyle filled with devices that can communicate with each other to make intelligent

decisions and otherwise ostensibly improve our quality of life and provide greater convenience

in how we interact with the world around us. A fundamental mechanism enabling these

capabilities is the generation, storage and analysis of substantial amounts of data. The broad

nature of data generated and gathered by IoT devices creates considerable opportunities for

misuse and raises the question of how to handle the regulation of this data and related privacy

concerns in this relatively nascent yet burgeoning industry.

The Internet of Things is a term used to describe a vast network of physical objects with

embedded hardware and software which are able to communicate with each other to share data

and feature the ability to connect to existing networks to facilitate the broader exchange of data

and remote accessibility and control. An example of a common household device that has been

recently retrofitted for use as an IoT device is the lightbulb. Numerous vendors currently offer

lightbulbs that are able to obtain IP addresses thereby allowing these devices to communicate

with some external device that can monitor and manipulate the state of the lightbulb without the

use of a traditional light switch. These light bulbs can be further coupled with a device that

tracks GPS location, such as a mobile phone, that can be used to determine proximity to a device

and take some desired action. A common example could be to turn the lightbulb off when a

person carrying a mobile phone leaves home and then turns the lightbulb on when that person

returns home. This is a simple example of how devices on the IoT might interact; the breadth of

actual devices, their interoperability and the data they collect is substantially more sophisticated.
 Sarabia 2

IoT can trace its roots back to ARPANET and the fledgling days of the Internet itself. A

key enabling technology in IoT is TCP/IP, which is a suite of communications protocols that

allow devices to communicate over both local networks and larger networks such as the Internet.

The concept of packet switching, which TCP/IP facilitated, allowed nodes on the early

ARPANET system to move away from the idea of dedicated circuits between each node thereby

permitting a much more scalable network design and paved the path for the substantial growth of

what would later become the Internet. While TCP/IP is a foundational technology for IoT, the

more advanced concept of communication between devices to drive efficiency and convenience

was pioneered by MITs Auto-ID Center, which was initially founded in 1999 to develop an

open standard architecture for creating a seamless global network of physical objects using RFID

(RFID Connect, 2015). Although that was the Auto-ID Centers original intent, IoT today

encompasses a much broader set of devices than those that use RFID. The Auto-ID Center also

established the first international conference dedicated to IoT topics.

There are several significant events to consider when examining IoT. One of the most

significant events occurred in 1990 when John Ramkey and Simon Hackett made history by

hooking up a toaster to the Internet and creating the first IoT device (Waterhouse, 2013).

Although it had very simple controls just power on/off it foreshadowed what would decades

later become more commonplace: every day objects connected to and operated via the Internet.

It wasnt until 1999 that Kevin Ashton coined the term Internet of Things in a presentation he

gave at his then employer Proctor & Gamble to describe such devices (Ashton, 2009). Mr.

Ashton would shortly thereafter go on to co-found the aforementioned Auto-ID Center. A major

inflection point for IoT occurred between 2008 and 2009, when for the first time the number of

connected devices exceeded the number of people connected to the Internet. Around this same
 Sarabia 3

time, the miniaturization of microcontrollers and computers became an important accelerant to

IoT and proved to be popular with do-it-yourselfers; this included the creation of the Arduino

microcontroller in 2005 and the Raspberry Pi miniature computer in 2011. The growth of IoT is

expected to accelerate. According to Evans (2011), by the end of 2015 the IoT was expected to

consist of 25 billion connected devices, and then grow to 50 billion connected devices by 2020.

In 2013 the Federal Trade Commission (FTC) issued its first ever compliant against an

IoT device manufacturer, alleging in part that TRENDnet, the subject of the complaint, had

failed to use reasonably security to design its software and as a result, hundreds of consumers

private camera feeds were made public on the Internet (FTC, 2013). By 2015, the FTC released

its comprehensive report on IoT, addressing, amongst other things, issues of security and privacy.

While it stopped short of immediately recommending legislative remedies, it did provide a series

of guidelines for device manufacturers to follow to address consumer privacy and security in the

IoT.

There are privacy issues in other industries that are analogous to privacy in the IoT. A

suitable example is demonstrated by the handling and storage of personally identifiable

information (PII) which is an important factor used when determining compliance with the

Health Insurance Portability & Accountability Act (HIPAA). PII is subject to substantial

scrutiny when evaluating HIPAA compliance, with a specific focus on the proper protection of

any PII that is electronically submitted. Examples of PII include data such as biometric

information, medical information and personal financial information. IoT has the propensity to

generate, and in fact already has devices that do generate, data that is similar in nature to PII

under HIPAA; the issue at hand for IoT is to what extent, if any, should the data generated by its

devices be regulated.
 Sarabia 4

There are four major groups of stakeholders to consider when comprehensively

evaluating the IoT privacy issue: consumers, technology companies, third party companies and

regulatory agencies. Each of these stakeholders play a fundamental role in this issue and have

different values and interests that are important to consider in order to effectively analyze their

opinions and claims.

Consumers are one of the primary stakeholders in this debate. Consumers are those who

purchase and use IoT devices, and about whom much data is generated, collected and stored as

they use these devices. Consumers care about the privacy of their data and the privacy of their

day-to-day lives. Consumers have a reasonable expectation that representations of technology

companies are accurate and that these companies and their partners will preserve the privacy of

their data. Representations of technology companies aside, consumers generally want their

privacy protected and a device to operate securely even when such a representation isnt made.

While the FTC has made recommendations to technology companies about how to handle

privacy in IoT devices, what is significant about recent events to consumers at this point is

technology companies may or may not follow them. As in the case of TRENDnet, technology

companies have jeopardized the privacy of IoT consumers and their data. At this point, this FTC

complaint against TRENDnet is the only enforcement action that the FTC has taken against any

technology company on behalf of consumers.

According to Groopman and Etlinger (2015), consumers strongly favor more

information and more engagement around privacy. In their research, 47% of respondents

indicated a high interest in understanding how companies are using data from their IoT devices.

The greatest area of concern for consumers relates to if and where companies are selling their

data, where 78% of respondents cited high concerns about this activity (Groopman & Etlinger).
 Sarabia 5

Consumers support this stance most commonly with claims of value and policy. Notable

unsolicited comments from consumers in Groopman and Etlingers (2015) research include the

following claims: I dont think companies should be allowed to sell my information without

providing substantial benefit to me and if companies sell my data without my receiving any

benefits from it, or without my express permission in every instance, then Im against it. The

explicit claim of value here is that consumers feel their data is worth something and they should

benefit from the sale of any of their data. Groopman and Etlingers (2015) research also

contained the following claim: Its very hard to discern when, how, and who is using my data.

Its also very hard to opt out of this tracking. If you dont allow it, you cant really do anything.

How about a little give? The more implicit claim here is one of policy, indicating consumer

interest in the ability to have more control over how their data is collected and used.

Technology companies are those responsible for the manufacture of an IoT device. Often,

the technology company is the same entity produces software that runs on the device and

provides some service to a consumer. Although in some cases, there may be a separate device

manufacturer which supplies components that are critical to the operation of the IoT device and

enable it to connect with and communicate to other IoT devices. Technology companies

typically market these devices to consumers and are responsible for messages directed towards

consumers that contain claims about certain attributes of their products. The significance of

recent events to technology companies is substantial. A regulatory agency such as the FTC has

begun to closely scrutinize a heretofore unregulated industry, and has produced a report with

guidelines that it suggests technology companies follow. Reports of this nature have the

potential to establish the framework for legislation, which could shape the industry and have a

profound impact upon it. Also, should a technology company become the subject of an FTC
 Sarabia 6

complaint, resolving it comes at some cost both in reputation and time and money to implement

any necessary remedies.

Most, if not all, technology companies are for-profit corporations. In a report produced

by RCRWireless News, Hawn (2015) identified 10 of the leading global IoT companies, all of

which are for-profit, most of which are publically traded and many of which are well known in

the technology industry. Hawn (2015) categorizes these leading IoT companies in two distinct

groups: Industrial IoT for companies that focus on larger scale solutions and contains IBM,

AT&T, Cisco, General Electric (GE), and RTI; and Consumer IoT for companies that focus

more on products for smart homes and consumer electronics and contains Amazon, Google,

Samsung, Apple and Microsoft. Of these top 10 companies, 9 are publically traded with a

combined market capitalization of $2.6 trillion as of market closing on February 26, 2016.

According to Kinney (2015), by 2025 the IoT market could be worth up to $11.1 trillion of

annual revenue. A key interest for any stakeholder in this group, and consistent with their

position as a publicly traded company, is to gain share of this potential $11 trillion market.

According to Kinney (2015), device manufacturers need to be primarily concerned with two

things: interoperability and properly harnessing the massive volume of data produced by IoT

networks. Kinney (2015) asserted that these two factors are important to fully unlock the total

potential economic value of IoT.

Direct opinions of technology companies on this particular issue are relatively scarce in

the record. This is not altogether surprising for a nascent and emerging technology. The best

insight into the opinions of technology companies is found in the Congressional record, not from

technology companies themselves but instead from two industry advocacy groups. Gary Shapiro,

President and CEO of Consumer Electronics Association (CEA), testified at a Congressional

 Sarabia 7

hearing that the Internet of Things requires government restraint (Internet of Things, 2015).

While he acknowledged that there are legitimate concerns about safety, privacy [and] security,

as well as questions around who actually owns the data, he asserted that consumers adoption

hinges on building trust (Internet of Things, 2015). According to Internet of Things (2015),

Shapiro further testified:

[I]ts up to manufacturers and service providers to make good decisions about privacy

and security or they will fail in the marketplace, and we are passionate that industry

driven solutions are best to promote innovation while protecting consumers, but we

recognize and respect the legitimate role of government to encourage transparency,

clarity, and experimentation. CEA itself has been involved already in over 30 standards

making operations, activities that produce ANSI-certified standards, that are focussing

[sic] [on] technical aspects of Internet of Things, and of course, its just beginning. But

we have to be careful of overly prescriptive mandates because that could stymie the

growth of the Internet of Things. Any government action should be very narrow and very

specific and focus on a real harm. (p. 8)

On behalf of technology companies, Shapiro argues for very little, if any government action or

regulation. In supporting this stance, Shapiro makes two substantial claims. Firstly, there is his

claim of cause, where he states that if the government takes action that is too zealous, too broad

or too restrictive, then it would lead to reduced growth of the industry. Finally, Shapiro exerts a

claim of policy stating that any action should be specific and focused on real harm, thereby

implying that a perceived harm would not warrant action. In the same Congressional hearing,

Dean Garfield, President and CEO of Information Technology Industry Council, echoed

Shapiros position, stating that we need the exercise of restraint (Internet of Things, 2015).
 Sarabia 8

Garfield also expressed concern regarding the potential impact of regulatory intervention on

industry growth when he stated that: the Internet of Things is at its nascent stages, and in order

to grow to reach its full potential, its important that we avoid mandates that put the thumb on the

scale of particular technologies versus others (Internet of Things, 2015). Garfields claims

mirror Shapiros. There is an implicit claim of cause where he asserts that premature regulation

would unduly impair growth, and the more explicit claim of policy to avoid regulations that

would single out and impede the growth of some subset of technologies.

Third party companies are another important stakeholder in the IoT privacy issue. In this

particular case, third party companies refer to a company that partners with a technology

company to provide some sort of service to its mutual or even its prospective customers. The

most relevant use case to this issue is a third party company which obtains consumer generated

data from a technology company for the sole purpose of advertising or marketing related

activities. According to Leung (2014), IoT will have the [sic] enormous impact on the way we

do business, specifically where marketing is concerned. As a result of increasing numbers of

devices being outfitted with sensors and obtaining ubiquitous network connectivity which also

produce continuous streams of data for analysis, the face of advertising is going to change for

both the marketer and the consumer (Leung, 2014). According to Leung (2014), there are

benefits to both the consumer and marketing; consumers will save time by only being served

relevant ads and marketing will no longer waste thousands of dollars on irrelevant advertising.

The claims by this stakeholder on this issue are implicit and tangential at best; it is difficult to

find a third party company openly discussing the purchase of sensitive data for the purposes of

targeting marketing, despite this being a relatively common industry practice. One need not look

any further than terms of service agreements such as this one from Bosch, which states in part:
 Sarabia 9

We may enter into agreements with Third Party Companies. A Third Party Company may want

access to Personal Data that we collect from our customers. As a result, we may disclose your

Personal Data to a Third Party Company. When it comes to this issue, a third party companys

ability to provide some service is rested solely on its ability to obtain data from a technology

company, so they have an interest in maintaining that access to this consumer data.

The final stakeholder to evaluate in this issue is regulatory agencies. Regulatory agencies

are responsible for enforcing regulations and providing guidance to legislative bodies to aid in

law making. The most relevant agency to consider in this particular issue at this time is the FTC.

The FTC is responsible for consumer protection and ensuring that business practices are fair. In

the context of this issue, the aforementioned FTC report on IoT analyzed the various

stakeholders, identified causes for concern related to privacy of consumer data, and made several

recommendations that technology companies should follow to preserve the privacy and security

of this data. In a press release announcing the report, the FTC stated that IoT-specific

legislation would be premature at this point in time given the rapidly evolving nature of the

technology (Federal Trade Commission, 2015). The claim made by the FTC is an implicit one

of cause, as other stakeholders also made, effectively that applying legislative remedies for

privacy concerns too early in its development could inhibit its growth.

There are primarily two options identified by the various stakeholders in this issue. Some

stakeholders favor the laissez-faire option, advocating for a hands off approach to the regulation

of IoT as a means to facilitate the continued growth of the industry. Others, greatly concerned

about the long lasting implications that this technology may have on privacy, advocate for early

and extensive regulations to prevent what they foretell to be irreparable harm.

 Sarabia 10

The first option to more closely examine is the option to exercise restraint by either

substantially minimizing or altogether avoiding any new regulations related to privacy in the IoT.

The arguments supporting this option generally take on one of two forms: that regulatory

intervention will inhibit growth, or that regulatory intervention should be narrow and focus on

actual harm. The primary assumption that stakeholders who support this option are making is

that regulations would actually inhibit growth, when there is no way to know this for certain.

Stakeholders supporting this option commonly cite that this laissez-faire method was successful

in the past with what was at that time another nascent, yet rapidly growing technology: the

Internet. Another assumption these stakeholders are operating under is that consumer adoption

will continue to increase despite most consumers expressing a desire to have their privacy

protected. In the case of both technology companies and the third party companies, the ethical

framework underlying their support of unregulated or minimally regulated IoT industry is ethical

egoism.

Ethical egoism is a normative theory that essentially posits that people ought to act with

their own self-interest in mind. This theory was first introduced by Henry Sidgwick in 1874.

One way to summarize ethical egoism is to say that everybody should do what I want, or in this

case, everybody should do what my company wants. When a stakeholder such as a technology

company says the government should exercise restraint, another way of saying this is the

government should not regulate my business because it will slow our growth or simplified I do

want the government to not regulate my business. The ethical egoism framework applies here

to the technology companies, because in essence, the basis for their argument is what is best for

them, namely preventing the growth of business, so thats what should be done. This is
 Sarabia 11

essentially the same application for the third party companies as well, though there is a lack of

direct statements to corroborate this.

Although the FTC supports the same option as other stakeholders to enact minimal

regulation, a different ethical framework underlies this support. In this instance, the FTC applies

utilitarianism. Utilitarianism is a normative theory that rightness of an act is determined by how

much pleasure and how little pain it causes for all parties affected by it. Utilitarianism was

originally founded by Jeremy Bentham and later expanded by John Stuart Mill. Unlike the other

stakeholders that support this option, the FTC has nothing to gain by supporting this option.

Instead, it must weigh all possible options. In its report, the FTC identifies the potential privacy

dangers of the IoT, yet also discussed the balancing act between that and maintaining growth of

the industry. The FTC uses utilitarianism to assert that a lack of regulation will lead to the most

pleasure by allowing the industry to grow and enabling consumers to reap the reported benefits,

while minimizing pain by stating a set of best practices that technology companies should follow

to reduce data privacy and security risks.

The other option to consider is to regulate the industry now to avoid breaches of privacy.

An assumption that stakeholders supporting his option make is that the most effective way to

protect privacy in the IoT is through regulatory or legislative remedy of some sort. Another

assumption that these stakeholders commonly make is that there is potential for some nefarious

activity by other stakeholders should their activities not be properly regulated. The only

stakeholder supporting this option in this analysis of the privacy issue was consumers, who did

so by applying a care ethics framework to their argument.

Care ethics is a normative theory which suggests that there is in imperative in particular

to care for those with whom one has a close relationship. Carol Gilligan was one of the founders
 Sarabia 12

of care ethics. Care ethics applies in this case due to the close relationship between the consumer

who generates the data and the technology company who stores and potentially shares the data

with third party companies. The basis for consumers position here is that companies with

sensitive data should take great care of that data due to their close relationship, and in order to

enforce that, desire a regulatory body to step in to ensure that it occurs.

I believe that rapid growth of technology occurs most effectively in an unimpeded market.

There are huge potential benefits of this technology which I believe outweigh the potential

detriments. I do concur with the FTC that technology companies have a duty to make their

products secure by default. Further, I think that technology companies should adopt an opt-in

approach to any sharing of any data to third parties. I agree that minimal regulation was

successful in the past, such as with the Internet, and its an approach that should be taken with

IoT as well. My views align closely with technology companies and the FTC.
 Sarabia 13

References

Ashton, K. (2009, June 22). That 'Internet of Things' Thing. RFID Journal. Retrieved

February 23, 2016, from http://www.rfidjournal.com/articles/view?4986

Bracy, J. (2015, February 12). Senate Committee Explores Internet-of-Things Regulation. The

Privacy Advisor. Retrieved February 9, 2016, from https://iapp.org/news/a/senate-

committee-explores-internet-of-things-regulation/

Evans, D. (2011, April). The Internet of Things. Cisco. Retrieved February 9, 2016, from

http://www.cisco.com/c/dam/en_us/about/ac79/docs/innov/IoT_IBSG_0411FINAL.pdf

Federal Trade Commission. (2015, January 27). FTC Report on Internet of Things Urges

Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks.

Retrieved February 9, 2016, from https://www.ftc.gov/news-events/press-

releases/2015/01/ftc-report-internet-things-urges-companies-adopt-best-practices

Groopman, J. and Etlinger, S. (2015, June). Consumer Perceptions of Privacy in the Internet of

Things. The Altimeter Group.

Hawn, J. (2015, November 30). In-depth: Top 10 Internet of Things companies to watch.

RCRWireless News. Retrieved February 26, 2016, from

http://www.rcrwireless.com/20151130/internet-of-things/in-depth-top-10-internet-of-

things-companies-to-watch

Higginbotham, S. (2015, July 06). Companies need to share how they use our data. Here are

some ideas. Fortune. Retrieved February 9, 2016, from

http://fortune.com/2015/07/06/consumer-data-privacy/
 Sarabia 14

Internet of Things: Hearing before the Subcommittee on Courts, Intellectual Property, and the

Internet of the Committee on the Judiciary, House of Representatives, 114th Cong., 1

(2015).

Kinney, S. (2015, July 01). IoT potentially worth $11B by 2025. RCRWireless News.

Retrieved February 26, 2016, from http://www.rcrwireless.com/20150701/internet-of-

things/iot-potentially-worth-11-b-by-2025-tag17

Kleine, B., Levendowski, A., & Lobo, B. (2015, March 27). Internet of Things: The new

frontier for data security and privacy (Part 1). InsideCounsel. Retrieved February 23,

2016, from http://www.insidecounsel.com/2015/03/27/internet-of-things-the-new-

frontier-for-data-secur?slreturn=1456192541

Leung, Stuart. (2014, March 20). 5 Ways the Internet of Things Will Make Marketing Smarter.

Salesforce Blog. Retrieved February 27, 2016, from

https://www.salesforce.com/blog/2014/03/internet-of-things-marketing-impact.html

McCinney, D. (2015, November 10). Intel IoT Platform Collaborations Reveal a Strong and

Connected Future. Intel. Retrieved February 9, 2016, from

http://blogs.intel.com/iot/2015/11/10/iot-insights-2015-intel-iot-platform-collaborations-

reveal-a-strong-and-connected-future/

Shaban, H. (2015, February 11). Will the internet of things finally kill privacy? The Verge.

Retrieved February 9, 2016, from http://www.theverge.com/2015/2/11/8016585/will-the-

internet-of-things-finally-kill-privacy

Waterhouse, P. (2013, December 9). Internet of Everything: Connecting Things Is Just Step

One. InformationWeek. Retrieved February 23, 2016, from

 Sarabia 15

http://www.informationweek.com/strategic-cio/executive-insights-and-

innovation/internet-of-everything-connecting-things-is-just-step-one/d/d-id/1112958

Zanolli, L. (2015, March 23). Welcome to Privacy Hell, also Known as the Internet of Things.

Fast Company. Retrieved February 9, 2016, from

http://www.fastcompany.com/3044046/tech-forecast/welcome-to-privacy-hell-otherwise-

known-as-the-internet-of-things