The world today is seemingly always plugged into the Internet and technologies are constantly sharing data about our personal and professional lives. Device connectivity is on an upward trend with Cisco estimating that 50 billion devices will be connected to the Internet by 2020. Collection and data sharing by these devices introduces a host of new vulnerabilities, raising concerns about safety, security, and privacy for policymakers and regulators.

1. The Internet of Things & Wearable Technology:
An Overview of Key Issues & Policy Concerns
Adam Thierer
Senior Research Fellow
Mercatus Center at George Mason University
Last updated September 2015

2. Outline of Paper & Presentation
• Definitions
• Opportunities
• Key Policy Concerns (Technical vs. Social)
• A Deeper Dive on Privacy-Related Concerns
• Constructive Solutions
• A Word about Adaptation
• The Growing Conflict of Visions Ahead
2

3. Definitions
3

4. Definitions of IoT Evolving
• No consensus definition, but lots of catchphrases!
– “machine-to-machine” communication
– “Industrial Internet” (GE)
– “Internet of Everything” (Cisco)
– “ThingerNet” / “Thingerverse”
• “Smart” everything!
– “smart homes,” “smart buildings,” “smart appliances,”
“smart health,” “smart mobility,” “smart cities,” “smart
cars,” etc.
4

5. Best Definition of IoT
Morrison Foerster analysts define IoT as:
“the network of everyday physical objects which
surround us and that are increasingly being
embedded with technology to enable those objects
to collect and transmit data about their use and
surroundings.”
• More simply, it’s a world were the Internet is baked
into all our stuff!
5

6. Key Components of the IoT
• Power of IoT comes from combination of:
– Faster & smaller microprocessors
– Smaller & better sensors (& cameras)
– More ubiquitous & robust wireless networks
– Expanding cloud storage capacity
– Enhanced “big data” capabilities
• It’s the miniaturization of everything that matters
– both in terms of device size & cost
• = the long-desired “seamless web” of connectivity
now exists
6

7. Just How Connected?
• ABI Research: estimates that there are more than 10
billion wirelessly connected devices in the market
today and more than 35 billion devices expected by
2019
• Cisco: by 2019, 40 billion intelligent things will be
connected & communicating
• IDC: predicts far greater penetration of 212 billion
installed devices by 2020
7

8. 8

9. The Economic Opportunity
9

10. Estimated Economic Impact of IoT
• McKinsey Global: $3.9 trillion to $11.1 trillion
potential economic impact per year by 2025
• IDC: compound annual growth rate of 7.9%
between now & 2020, to reach $8.9 trillion
• Cisco: IoT will create $14.4 trillion in value
between 2013 and 2022
10

11. 11

12. Many Subsectors, Many Players
12

13. 13

14. “Wearables” = Most
Important IoT Category
• = IoT that is worn on body
• “quantified self” movement growing
• Unsightly today (think “Google Glass”), but
will literally be sewn into our clothes in future
(“sensor-rich fabrics”) & largely invisible
• Becoming “lifestyle remotes” to automate our
lives
14

15. 15

16. Sectors & Professions That Will Be
Transformed by Wearable Tech
• Health Care / Surgery
• Firefighting
• Law enforcement
• Political campaigns
• Education / Instruction
• Retailing
• Entertainment
• Theme parks
• Airlines & vacationing
• Financial Services
• Sports / Athletics
16

17. Health & Fitness Are
Major Drivers
Typology of Mobile Health Technologies
• Connectors: applications that connect smartphones and tablets to FDA-regulated
devices, thus amplifying the devices’ functionalities.
• Replicators: applications that turn a smartphone or tablet itself into a medical device by
replicating the functionality of an FDA-regulated device.
• Automators & Customizers: apps which use questionnaires, algorithms, formulae,
medical calculators, or other software parameters to aid clinical decisions.
• Informers & Educators: medical reference texts and educational apps that primarily aim
to inform and educate.
• Administrators: apps that automate office functions, like identifying appropriate
insurance billing codes or scheduling patient appointments.
• Loggers & Trackers: apps that allows users to log, record, and make decisions about
their general health and wellness.
Source: Nathan Cortez, SMU School of Law
17

18. Wearable Market Growth
• Canalys: 700% growth in wearable smart bands
market in the second half of 2013
• IDC: shipment volumes will exceed 19 million units in
2014, 3x prior year
• IDC: global market will swell to 112 million units in
2018, resulting in a CAGR of 78%
• + major smartphone platforms providers (Apple,
Google, Microsoft, Samsung) all competing
aggressively here
18

19. The “Sci-Fi” Future of IoT & Wearables
Will Arrive Shortly
• “Implantables” = IoT implanted under skin
• “Ingestibles” = IoT tech that is swallowed
• “Biohacking”= Body modification to enhance
or repair human abilities
– see: http://discuss.biohack.me
19

20. Policy Concerns:
Technical vs. Social
20

21. Technical Issues
• Access to adequate spectrum to facilitate wireless
networking capabilities?
• Technical standards
– Wi-Fi, Bluetooth, near field communication, GPS
– Licensed or unlicensed ?
• Device / platform interoperability
– Apple vs. Android vs. what else?
• Device addressing
– Will rise of IoT & wearables get IPv6 transition moving?
21

22. Quick Note on Technical Issues
• Technical issues were not focus of this
particular paper
• That is primarily because I am actually far
more optimistic we can work those issues out
relative to…
22

23. Social Concerns
(in order of current severity)
• Security
• Privacy
– reputational issues
– “discrimination” issues
– data ownership
• Safety
• Automation fears & other ethical objections
– “cyborg” concerns
23

24. Regulatory Interest Growing
Policymakers Already Exploring IoT Tech
• FTC (general privacy & security)
• FDA (safety of mobile medical apps & devices)
• FCC (wireless issues)
• FAA (commercial drones)
• NHTSA (intelligent vehicle technology)
• NTIA (multistakeholder privacy reviews)
• Congress
• Various state, local & int’l regulators (esp. in EU)
24

25. A Deeper Dive on
Privacy & Security Concerns
25

26. The Coming Data Deluge
• Amount of data generated & collected online today
pales in comparison to what is coming
• Recall estimates of 30+ billion devices by 2020
• And recall defining realities of IoT & wearable tech:
– always-on
– always-sensing
– always-collecting
– always-communicating
• The IoT is, at once, a massive data generator & giant
data vacuum cleaner
26

27. Ramifications for Modern Privacy
& Security Policies
• “fair information practice principles” (FIPPs)
will be hard to strictly apply & enforce
• FTC Chairwoman Ramirez:
“the difficulties will be exponentially greater with
the advent of the Internet of Things, as the
boundaries between the virtual and physical
worlds disappear.”
27

28. How IoT Challenges FIPPS
• What is “adequate notice” in an always-on, always-sensing
world of billions of micro devices?
• What counts as “consent” in a world of peer-to-peer self-
surveillance?
– Ex: How do you get consent when using Google Glass or a “Narrative”
clip-on camera?
• Transparency: How to post privacy policies when everything is
so small?
• What counts as “respect for context” when everything is
being collected?
• How does data minimization work for “always on” IoT &
wearables
28

29. IoT Also Challenges…
• Health Insurance Portability and
Accountability Act (HIPAA)
• COPPA & FERPA (kids & education privacy)
• GLB financial privacy
• State privacy & data security laws
• FDA safety standards
• + wide variety of workplace issues
29

30. Will a Move to Use-Based
Restrictions Save the Day?
• Going to be very hard to limit collection, so a move to
use-based restrictions seems likely
• But which uses?
– “discriminatory” uses (how defined?)
– are existing discrimination statutes applicable?
• What about database access / correction?
– think FCRA
• Problem of overly sweeping use restrictions
– “privacy paternalism”?
30

31. Query: What about the First Amendment?
• First Amendment likely poses serious roadblock to
more comprehensive regulation of IoT & wearables
• Volokh: “We already have a code of ‘fair information
practices,’ and it is the First Amendment”
• ACLU of Illinois v. Alvarez (2012):
– “The act of making an audio or audiovisual recording is
necessarily included within the First Amendment’s
guarantee of speech and press rights as a corollary of the
right to disseminate the resulting recording.”
• 1A might limit both collection & use-based
restrictions
31

32. Constructive Solutions
32

33. A “Layered” Approach to Address Concerns
1) Developers: Privacy & security “by design” / best practices
2) Consumers: Education, media literacy & tech etiquette
3) Social norms, pressure & sanctions will play big role
– ex: restrictions on phones in theaters & locker rooms
4) Common law adjudication / other legal standards
– privacy torts (“intrusion upon seclusion”); “Pepping Tom” laws
– Products liability: strict liability / negligence, design defects law, failure to
warn, breach of warranty, etc
5) FTC (Section 5) “unfair & deceptive practices”
6) Targeted data use restrictions for sensitive classes of info
– note: existing discrimination statutes might cover some issues
33

34. Developer-Side Solutions
Elements of Privacy / Security by Design
• Better security through encryption,
anonymization / data “de-identification”
• Rolling security notices / updates / upgrades
• Proper use guidelines
• Better transparency re: data use/sharing
policies
• Data minimization when possible
• Simpler UI
34

35. Consumer-Side Education
• Media literacy / digital citizenship /
“netiquette”
• Government can be active here w/o fear of
First Amendment
– PSAs / general awareness-building efforts
• ex: OnGuardOnline.gov
– Classroom lessons
• Privacy curriculum (see Fordham CLIP model)
35

36. Liability Norms Could Evolve
• Who is “least-cost avoider” who assumes liability?
• As developer knowledge of potential misuses grows,
liability could shift, too
– Ex: Driverless cars & insurance as cars become a service
• But will liability norms need a nudge in that
direction? …
• … or, will IoT developers need protection from over-
eager tort lawyers!
• Bottom line: Let product liability evolve; it has
happened many times before w/ other tech.
36

37. FTC Role Will Continue
Recent FTC Privacy & Security Enforcement Actions
• Google
• Facebook
• Apple
• Twitter
• MySpace
• HTC
• Lookout
• Path
• Snapchat
• Fandango
• Credit Karma
• TrendNet
 53 data security-related cases recently
 20-year privacy audits for some firms + fines
 = is this an “FTC common law” of IoT privacy & security?
37

38. A Word about Social
Adaptation
38

39. What Was True Before…
• Citizen attitudes about emerging technologies
follow a familiar cycle:
1. initial resistance (“technopanic” phase)
2. gradual adaptation
3. eventual assimilation
• we have seen this cycle play out in countless
other contexts
39

40. First We Panic, Then…
• Recall reaction to camera & photography in late 1800’s…
“Instantaneous photographs and newspaper enterprise have invaded
the sacred precincts of private and domestic life; and numerous
mechanical devices threaten to make good the prediction that ‘what is
whispered in the closet shall be proclaimed from the house-tops.’”
— Samuel D. Warren and Louis D. Brandeis, 1890
• But we got through it! We adjusted our societal norms and
personal expectations to accommodate photography.
• Instead of rejecting cameras, we bought a lot of them! (But
then learned how to use them respectfully, too.)
40

41. Key Takeaways
• There is no end point in debates about data security
& online privacy; a never-ending challenge
• IoT & wearables merely extend & exacerbate
problems we already faced in Web 1.0 & 2.0 world
• silver bullet solutions don’t exist (never have, never
will)
• Need to find creative ways to adapt to each new set
of challenges
– individuals, institutions, law & norms all must adapt
– patience & humility will be crucial policy virtues
41

42. The Grand Tech Policy Clash of
Visions to Come
42

43. IoT and
Future Tech
Flashpoints
Internet of Things
• Wearable Tech
• Smart Homes
• Smart Cities
Health Issues
• Medical Devices
• Biohacking
• Embeddables
• Genetic issues
• Mobile medical apps
• Telemedicine
3-D Printing
Robotics
• Smart cars
• Private drones
• A.I.
43

44. Which Vision Will Govern?
IoT foreshadows many other debates about
emerging tech. The choice:
• Permissionless Innovation = the general
freedom to experiment & learn through trial-
and-error experimentation.
• Precautionary Principle = Crafting public
policies to control or limit new innovations
until their creators can prove that they won’t
cause any harms.
44

45. The Heart of the Debate
Which Default for Innovation?
Precautionary Principle Permissionless Innovation
risk anticipation risk adaptation
Ex ante enforcement Ex post enforcement
Preemptive
top-down controls
Reactive
bottom-up remedies
Innovators have to ask,
“Mother, May I?”
Innovation is “innocent
until proven guilty”
45

46. A Range of Responses to Technological Risk
Prohibition
Censorship
Info suppression
Product bans
Anticipatory
Regulation
Administrative mandates
Restrictive defaults
Licensing & permits
Industry guidance
Resiliency
Education & Media Literacy
Labeling / Transparency
User empowerment
Self-regulation
Adaptation
Experience / Experiments
Learning / Coping
Social norms & pressure
Top-down
Solutions
Bottom-up
Solutions
Precautionary Principle
Permissionless Innovation
46

47. Related Mercatus Center Research
• Book: Permissionless Innovation: The Continuing Case for Comprehensive
Technological Freedom
• Testimony: The Connected World: Examining the Internet of Things
• Analysis: Projecting the Growth and Economic Impact of the Internet of Things
• Law review article: The Internet of Things and Wearable Technology:
Addressing Privacy and Security Concerns without Derailing Innovation
• Oped: How Not to Strangle the Internet of Things
• Filing to FTC on Privacy and Security Implications of the Internet of Things
• Law review article: Technopanics, Threat Inflation, and the Danger of an
Information Technology Precautionary Principle
• Article: Muddling Through: How We Learn to Cope with Technological Change
47