FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security Risks

Report Recognizes Rapid Growth of Connected Devices Offers Societal Benefits, But Also Risks That Could Undermine Consumer Confidence
In a detailed report on the Internet of Things, released today, the staff of the Federal Trade Commission recommend a series of concrete steps that businesses can take to enhance and protect consumers’ privacy and security, as Americans start to reap the benefits from a growing world of Internet-connected devices.
The Internet of Things is already impacting the daily lives of millions of Americans through the adoption of health and fitness monitors, home security devices, connected cars and household appliances, among other applications. Such devices offer the potential for improved health-monitoring, safer highways, and more efficient home energy use, among other potential benefits. However, the FTC report also notes that connected devices raise numerous privacy and security concerns that could undermine consumer confidence.
“The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers,” said FTC Chairwoman Edith Ramirez. “We believe that by adopting the best practices we’ve laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized.”
The Internet of Things universe is expanding quickly, and there are now over 25 billion connected devices in use worldwide, with that number set to rise significantly as consumer goods companies, auto manufacturers, healthcare providers, and other businesses continue to invest in connected devices, according to data cited in the report.
The report is partly based on input from leading technologists and academics, industry representatives, consumer advocates and others who participated in the FTC’s Internet of Things workshop held in Washington D.C. on Nov. 19, 2013, as well as those who submitted public comments to the Commission. Staff defined the Internet of Things as devices or sensors – other than computers, smartphones, or tablets – that connect, store or transmit information with or between each other via the Internet.  The scope of the report is limited to IoT devices that are sold to or used by consumers.
Security was one of the main topics addressed at the workshop and in the comments, particularly due to the highly networked nature of the devices. The report includes the following recommendations for companies developing Internet of Things devices:
• build security into devices at the outset, rather than as an afterthought in the design process;
• train employees about the importance of security, and ensure that security is managed at an appropriate level in the organization;
• ensure that when outside service providers are hired, that those providers are capable of maintaining reasonable security, and provide reasonable oversight of the providers;
• when a security risk is identified, consider a “defense-in-depth” strategy whereby multiple layers of security may be used to defend against a particular risk;
• consider measures to keep unauthorized users from accessing a consumer’s device, data, or personal information stored on the network;
• monitor connected devices throughout their expected life cycle, and where feasible, provide security patches to cover known risks.
Commission staff also recommend that companies consider data minimization – that is, limiting the collection of consumer data, and retaining that information only for a set period of time, and not indefinitely. The report notes that data minimization addresses two key privacy risks: first, the risk that a company with a large store of consumer data will become a more enticing target for data thieves or hackers, and second, that consumer data will be used in ways contrary to consumers’ expectations.
The report takes a flexible approach to data minimization.  Under the recommendations, companies can choose to collect no data, data limited to the categories required to provide the service offered by the device, less sensitive data; or choose to de-identify the data collected.
FTC staff also recommends that companies notify consumers and give them choices about how their information will be used, particularly when the data collection is beyond consumers’ reasonable expectations. It acknowledges that there is no one-size-fits-all approach to how that notice must be given to consumers, particularly since some Internet of Things devices may have no consumer interface. FTC staff identifies several innovative ways that companies could provide notice and choice to consumers.
Regarding legislation, staff concurs with many stakeholders that any Internet of Things-specific legislation would be premature at this point in time given the rapidly evolving nature of the technology. The report, however, reiterates the Commission’s repeated call for strong data security and breach notification legislation.  Staff also reiterates the Commission’s call from its 2012 Privacy Report for broad-based privacy legislation that is both flexible and technology-neutral, though Commissioner Ohlhausen did not concur in this portion of the report.
The FTC has a range of tools currently available to protect American consumers’ privacy related to the Internet of Things, including enforcement actions under laws such as the FTC Act, the Fair Credit Reporting Act, the Children’s Online Privacy Protection Act; developing consumer education and business guidance; participation in multi-stakeholder efforts; and advocacy to other agencies at the federal, state and local level.
In addition to the report, the FTC also released a new publication for businesses containing advice about how to build security into products connected to the Internet of Things. “Careful Connections: Building Security in the Internet of Things” encourages companies to implement a risk-based approach and take advantage of best practices developed by security experts, such as using strong encryption and proper authentication.
The Commission vote to issue the staff report was 4-1, with Commissioner Wright voting no. Commissioner Ohlhausen issued a concurring statement, and Commissioner Wright issued a dissenting statement.
The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 2,000 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s website provides free information on a variety of consumer topics. Like the FTC on Facebook, follow us on Twitter, and subscribe to press releases for the latest FTC news and resources.

Marketer Who Promoted a Green Coffee Bean Weight-Loss Supplement Agrees to Settle FTC Charges

Used Appearances on Dr. Oz, Other Shows to Launch Ad Campaign
Lindsey Duncan and the companies he controlled have agreed to settle Federal Trade Commission charges that they deceptively touted the supposed weight-loss benefits of green coffee bean extract through a campaign that included appearances on The Dr. Oz Show, The View, and other television programs.
Under the FTC settlement, the defendants are barred from making deceptive claims about the health benefits or efficacy of any dietary supplement or drug product, and will pay $9 million for consumer redress.
“Lindsey Duncan and his companies made millions by falsely claiming that green coffee bean supplements cause significant and rapid weight loss,” said Jessica Rich, Director of the FTC’s Bureau of Consumer Protection. “This case shows that the Federal Trade Commission will continue to fight deceptive marketers’ attempts to prey on consumers trying to improve their health.”
The FTC charged that Duncan and his companies, Pure Health LLC and Genesis Today, Inc., deceptively claimed that the supplement could cause consumers to lose 17 poundsand 16 percent of their body fat in just 12 weeks without diet or exercise, and that the claim was backed up by a clinical study. In September 2014, the FTC settled charges against the company that sponsored the severely flawed study that Duncan discussed on Dr. Oz.
According to the FTC’s complaint, shortly after Duncan agreed to appear on Dr. Oz but before the show aired, he began selling the extract and tailored a marketing campaign around his appearance on the show to capitalize on the “Oz effect” – a phenomenon in which discussion of a product on the program causes an increase in consumer demand.
For example, while discussing green coffee bean extract during the taping of Dr. Oz, Duncan urged viewers to search for the product online using phrases his companies would use in search advertising to drive consumers to their websites selling the extract. He reached out to retailers, describing his upcoming appearance on The Dr. Oz Show and saying he planned to discuss the clinical trials that purportedly proved the supplement’s effectiveness. He and his companies also began an intensive effort to make the extract available in Walmart stores and on Amazon.com when the program aired.
The defendants continued to use Duncan’s Dr. Oz appearance in their marketing campaign after the show aired, the complaint states, posting links to the episode on websites and using retail point-of-sale displays showing messages such as “New Health Discovery!  As Seen on TV, ‘The Dieter’s Secret Weapon.’” After appearing on Dr. Oz, Duncan and his companies sold tens of millions of dollars’ worth of the extract, according to the FTC.
The FTC also alleged that Duncan and several of the companies’ paid spokespeople portrayed themselves on television shows as independent sources of information about green coffee bean extract and other natural remedies, while failing to disclose their financial ties to the companies.
The proposed stipulated court order requires the defendants to substantiate any future weight-loss claims with at least two well-controlled human clinical tests. Any claims the defendants make about the health benefits and efficacy of any dietary supplement or drug cannot be misleading and must be substantiated by competent and reliable scientific evidence. Further, the order prohibits false claims that the benefits of any such product are scientifically proven.
The order also bars the defendants from misrepresenting the status of any endorser, and requires them to disclose all material connections between them and anyone who endorses their products. Finally, it imposes a $9 million redress judgment, with an initial payment of $5 million due within two weeks of when the court enters the order.
Information for Consumers
Consumers should carefully evaluate advertising claims for weight-loss products. For more information, see the FTC’s guidance for consumers of products and services advertised for Weight Loss & Fitness.
The Commission vote authorizing the staff to file the complaint was 5-0. The vote authorizing the filing of the proposed stipulated court order was 3-2, with Commissioners Ohlhausen and Wright voting no. The majority, Chairwoman Ramirez, Commissioner Brill, and Commissioner McSweeny, issued a separate statement. Commissioners Ohlhausen and Wright also issued a separate statement. The complaint and order were filed in the U.S. District Court for the Western District of Texas on January 26, 2015.
The FTC is a member of the National Prevention Council, which provides coordination and leadership at the federal level regarding prevention, wellness, and health promotion practices. This case advances the National Prevention Strategy’s goal of increasing the number of Americans who are healthy at every stage of life.
NOTE: The Commission files a complaint when it has “reason to believe” that the law has been or is being violated and it appears to the Commission that a proceeding is in the public interest. Stipulated orders have the force of law when approved and signed by the District Court judge.