Your Appliances May Be Spying on You

The FTC issues privacy and security guidelines to the companies that are creating the "Internet of Things."

A spokesmodel displays the connectivity feature on a Samsung smart refrigerator at the 2014 International CES at the Las Vegas Convention Center on January 7, 2014 in Las Vegas, Nevada.  (National Journal)

Connecting everyday products like refrigerators, baby monitors, and watches to the Internet is giving companies and hackers unprecedented access to private information, the Federal Trade Commission warned in a report Tuesday.

The "Internet of Things," the term for the growing universe of Internet-connected devices, can lead to significant improvements in our lives, the FTC wrote. But the connected devices could also undermine our security and privacy if companies aren't careful, the agency warned.

The FTC report lays out guidelines that businesses should follow as they connect more devices to Internet.

"The only way for the Internet of Things to reach its full potential for innovation is with the trust of American consumers," FTC Chairwoman Edith Ramirez said in a statement. "We believe that by adopting the best practices we've laid out, businesses will be better able to provide consumers the protections they want and allow the benefits of the Internet of Things to be fully realized."

Many Internet of Things devices already exist. Millions of people have bought Fitbits and other health monitors. Google's Nest adjusts a home's temperature based on its owners' habits, keeping them comfortable and saving electricity. The trend is expected to explode in the coming years.

Consumers already place huge amounts of information online, but the Internet of Things will give advertisers, data aggregators, and criminals access to even more sensitive details about their lives.

The report recommends that manufacturers consider security from the outset of new projects, train employees in security practices, carefully oversee outside providers, use multiple layers of security to defend against risks, and ensure there is no unauthorized access to consumer data. Companies should continue to monitor their devices throughout their life cycles and patch vulnerabilities when possible, the FTC said.

Businesses should also consider limiting the amount of information they collect and the length of time they hold it, the commission recommended.

The guidelines are voluntary—but following them is good advice for businesses that don't want to end up in the FTC's crosshairs. The agency has the authority to sue companies for "unfair" or "deceptive" business practices and also has stronger powers to protect children and credit information.

The report doesn't recommended that Congress pass any specific legislation to address the Internet of Things. But the agency reiterated its call for data-security legislation and a broad online privacy bill to provide baseline rights to consumers.

In 2013, the FTC filed its first lawsuit against an Internet of Things company. According to the FTC, TRENDnet, which makes Internet-enabled home cameras, used faulty software that allowed anyone to access a camera's live feed online.

A hacker made the flaw public in January 2012, and eventually the video feeds of 700 private cameras were posted online. Hackers were able to watch babies sleeping in their cribs, children playing, and adults going about their lives, according to the FTC suit. TRENDnet agreed to settle the FTC charges.

Tuesday's report is an indication that the FTC is carefully watching the growing array of connected devices and may be looking to bring more actions against similar companies.

Lawmakers are also starting to take notice of the Internet of Things. Rep. Darrell Issa, a California Republican, and Rep. Suzan DelBene, a Washington Democrat, launched the Congressional Caucus on the Internet of Things earlier this year. The Senate Commerce Committee plans to hold a hearing on the ropic next month.