Is Washington Ready for the Internet of Things?

By wirelessly connecting nearly every device we use, from refrigerators to cars, the Internet of Things is creating a brand-new digital universe that's full of both promise and peril. And once again, Washington is playing catch-up.

This illustration can only be used with the Brendan Sasso piece that originally ran in the 2/28/2015 issue of National Journal magazine. (National Journal)

Members of Congress are known for many qualities, but technological savvy has seldom been one of them. "We have folks who still print out schedules, who aren't always relying on devices," says Rep. Suzan DelBene of Washington, a Democrat and former Microsoft executive who's a notable exception. The halls of Congress are among the last places in America where you can still see the occasional flip phone in use, wielded by the likes of Sen. Charles Schumer, the New York Democrat. The old-school tendencies of senators and representatives have often left them playing catch-up as the Internet has blossomed—and as worries about privacy rights and security risk (the Sony Pictures hack, anyone?) have multiplied.

On Feb. 11, however, the Senate Commerce Committee appeared to be right on time when Chairman John Thune, the South Dakota Republican, gaveled open the first congressional hearing on what, he said, "may be the most important trend in technology." That trend is the "Internet of Things," the buzzy term for a fast-expanding universe of "smart" appliances, household and workplace objects, articles of clothing, and cutting-edge devices—from fitness bracelets and coffeemakers to cars and heart monitors—that are wirelessly connected to the Internet. It won't be long, experts say, before practically every product we use is connected.

Naturally enough, the new gadgets often inspire a "gee whiz" response: Cars that can talk to each other and avoid accidents! Appliances that anticipate my needs! But with all its potential benefits for health, safety, and convenience, the Internet of Things is also raising alarms. Smart homes and devices are generating oceans of fresh information for data brokers to monetize—and for advertisers, hackers, government agencies, insurance companies, and prospective employers to tap into. Tales of security breaches hit the headlines with growing regularity. The weekend before Congress's first foray into this brave new world, 60 Minutes reported on hackers who've found that they can seize control of connected cars, potentially allowing them to hijack your brakes or steer your vehicle into oncoming traffic. Just a day before the hearing, the technology giant Samsung had been forced to "clarify" the privacy policy attached to its smart TVs, which had ominously warned that viewers' conversations could be shared with an unnamed "third party."

"The promise of the Internet of Things must be balanced with real concerns over privacy and the security of our networks," Sen. Bill Nelson of Florida, the Commerce Committee's ranking Democrat, said at the hearing. Pointing to the Samsung flap, Nelson warned that "Big Brother may really be listening to us." His fellow Democrat, Sen. Edward Markey of Massachusetts, voiced his worries about the potential for cyberattacks on connected cars, which he said were becoming "computers on wheels" with inadequate protections for security and safety. "Thieves no longer need a crowbar to break into your car, they just need a smartphone," Markey said; worse, hackers controlling a vehicle going 60 miles per hour could have catastrophic consequences. Markey touted a bill he'd just introduced, with Sen. Richard Blumenthal, a Connecticut Democrat, that would direct the National Highway Traffic Safety Administration and the Federal Trade Commission to set security and privacy regulations for smart cars.

Markey sees that as the tip of an inevitable new regulatory iceberg. "The Internet of Things, as it intrusively injects itself into all aspects of life, is ultimately going to result in Americans insisting on more protections," he told me after the hearing. "I think it's inevitable that stronger laws are going to be placed on the books. It's only a question of time."

That time may not come soon, however, if it's up to Markey and Nelson's fellow Commerce Committee members. For these senators, the greater risk is that European-style regulations could squelch a wildly lucrative array of new inventions and applications. "Let's tread carefully before we consider stepping in with a 'government knows best' mentality that could halt innovation and growth," Thune said. "Let's treat the Internet of Things with the same light touch that has caused the Internet to be such a great American success story."

Sen. Cory Booker, a New Jersey Democrat with close ties to Silicon Valley dating back to his days at Stanford University, nodded to "legitimate fears" over the dangers and potential abuses of new technologies, but likened them to the anxieties that always accompany such breakthroughs. People must have been similarly terrified, he said, when airplanes first began taking flight. But government didn't get in the way then, he said, and it shouldn't now. "We should be doing everything possible to encourage this and nothing to restrict it," he said.

High-tech boosterism is a bipartisan affair in Washington. Thune had called the hearing at the request of Booker and Sens. Kelly Ayotte, a New Hampshire Republican; Deb Fischer, a Nebraska Republican; and Brian Schatz, a Hawaii Democrat. Those senators, like their House colleagues who recently formed a "Congressional Internet of Things Caucus," are primarily concerned with ensuring that the government helps the Internet of Things to grow and thrive. "I'm really concerned about government getting in the way," Fischer said. "Sure, there are concerns out there, but I don't want to see all the excitement that's with the Internet of Things move overseas."

Beneath the familiar-sounding battle lines—proponents of regulation squaring off against free-market champions—there is, not surprisingly, broad consensus on some basic themes: the need to protect consumers' privacy, for instance, and to fend off a whole new wave of devastating hacks like the one North Korea allegedly used to bring Sony to its knees last year or the 2013 incident in which 40 million Target customers had their credit-card numbers stolen. The question, though, is how. And it's a complicated challenge, to put it mildly. After all, says Adam Thierer, a libertarian who's a senior fellow at the Mercatus Center at George Mason University, "the Internet of Things lies at the center of what we might consider a perfect storm of public policy issues: privacy, safety, security, intellectual property, spectrum, technical standards, automation concerns, potential labor disruptions, and more."

Agencies that oversee pieces of the Internet of Things—the Federal Aviation Administration, the Food and Drug Administration, NHTSA—can work up new rules and standards for particular products, and they are. But the Internet of Things is not merely a collection of new gadgets. It promises to usher in a whole new way of life—one of wireless, screen-free connectivity that will change the way we brush our teeth, monitor our children, drive our cars, cook our meals, and do our work. It inspires both utopian visions and dystopian fears. Piecemeal, behind-the-scenes, agency-by-agency deliberation doesn't quite do justice to the massive policy implications at play. What's needed instead, it seems clear, is broad, sustained engagement with the issue in Congress and in Washington as a whole.

Like most Americans, however, members of Congress are largely still dipping their toes into the Internet of Things, with a mixture of wonder and worry. Meanwhile, what Joe Hall of the Center for Democracy & Technology calls our "foray into a networked civilization" blasts ahead at laser speed.

(Adolfo Valle)

THE INTERNET OF THINGS is the latest frontier in the development of the digital sphere. Speaking in January at the World Economic Forum in Davos, Switzerland, Google Executive Chairman Eric Schmidt raised eyebrows by predicting that, before long, the Internet will "disappear." He didn't mean that we won't be connected in the future; rather, he said, pretty much everything will be connected, to the extent that we stop even thinking about the Internet as an entity. "There will be so many I.P. addresses, ... so many devices, sensors, things that you are wearing, things that you are interacting with, that you won't even sense it," Schmidt said. "It will be part of your presence all the time."

The Internet of Things—or, as Cisco Systems' CEO prefers, the "Internet of Everything"—is already here, but it's expected to explode over the next few years. Not even counting computers, tablets, and smartphones, there will be 30 billion connected devices by the end of the decade, according to the research firm IDC. Those devices, the firm predicts, could be generating upward of $3.04 trillion in global revenue by then.

Author, social theorist, and consultant Jeremy Rifkin, who last year published The Zero Marginal Cost Society: The Internet of Things, the Collaborative Commons, and the Eclipse of Capitalism, is among those who foretell sweeping environmental, economic, and social benefits. "It's going to allow the human race, potentially, to engage in a new platform that can democratize economic life and create a much more ecologically based civilization," he told me recently. The Internet of Things will ultimately reduce the costs of many products to nearly nothing, Rifkin believes. He predicts a future in which consumers can sell their surplus energy back to the electricity grid and can trade products effortlessly using delivery systems of drones and driverless cars. "That means more of us are using less of the resources of the Earth," he says, "and we're redistributing them over and over in the sharing commons." That, Rifkin believes, will fundamentally transform the very nature of capitalism.

Americans have begun to get a taste of the Internet of Things' life-enhancing potential—if not, by any means, the demise of capitalism. Millions have purchased smart watches and fitness-trackers like Fitbits. Google's Nest allows customers to adjust their home's temperature based on the owners' habits, keeping them comfortable and reducing electric bills. Connected Crock-Pots are allowing people to start cooking dinner while they're still at work. And parents are keeping track of their children, not only with monitoring cameras they can tune into from anywhere, but even with connected socks.

Those socks are the invention of new father Kurt Workman, whose company, Owlet, makes a wireless health monitor that slips onto a baby's foot. "I wish I could be up all night, making sure that he's OK and checking on him every five minutes," Workman says. "But you've got to sleep eventually." Owlet is marketed to parents concerned not only about getting some shut-eye, but also about the approximately 4,000 sudden infant deaths that occur every year. The sock monitors babies' heart rates and oxygen levels as they sleep; an alarm sounds on parents' smartphones if the child stops breathing. Parents can also check the Owlet data to see how their baby slept the previous night. The data is uploaded and stored on Owlet's servers, which Workman says could one day give medical researchers a trove of data on infant health.

Owlet may be a boon to parents' peace of mind, but the sort of data collection that Workman touts is keeping civil libertarians and privacy advocates up at night. What becomes of all the personal information that the Internet of Things is gathering and collecting?

The new technologies will greatly accelerate the growth of "big data." The troves of ever-more-personal, ever-more-detailed information about us all could be extraordinarily helpful to scientists and researchers. Doctors will be able to analyze aggregated data from health monitors to learn more about diseases, for instance, potentially leading to life-saving innovations. Urban planners can use data from cars and homes to study energy consumption and traffic patterns, helping them make cities more efficient and livable.

But big data is also a big business—one that's growing as fast as the universe of connected "things" it increasingly draws from. Data brokers such as Acxiom, Datalogix, and Experian have long collected detailed information about individuals drawn from a gamut of sources—from public records to social-media habits—to repackage and sell. (Sen. Markey, never one to mince words, calls them "privacy-reapers for profit.") The information is used for targeted advertising, identity checks, and even snooping by employers and ex-lovers. Now, with information from smart sensors and devices, a car-insurance company might not just know how many accidents and traffic violations you've had, but what time of the day you drive, how fast you tend to go, and how often you slam on your brakes. Health-insurance companies could base rates on data gleaned from fitness trackers. Potential employers can have a lot more than résumés and references on which to base their hiring decisions.

This supersized big data will have its more benign uses, too. Netflix's recommendation engine, for instance, could attune itself according to data about our environments and bodies. Shawn DuBravac, chief economist of the Consumer Electronics Association, predicts that Netflix will want to partner with Internet of Things companies to see how many people are in a room, how dark it is, and what the temperature is. A smart watch could monitor a person's heart rate to tell Netflix what mood the person is in. "Netflix might see that it's dark inside, that you're alone, that you're lying down, that you're depressed, that it's cold, and say, 'Hey, Nicholas Sparks plays great in this environment. You might really like this,'" DuBravac says.

But what if you don't like it? "If you have a feeling someone is watching you every time you flush your toilet or run your dishwasher, that's a new level of intrusion that we haven't seen before," says Jay Stanley, a senior policy analyst for the American Civil Liberties Union. The Internet of Things will make it harder to keep one's private life private.

Already, most people don't bother to read website privacy policies—but at least there is something to read. Many of the new devices are small and don't even have screens, making it more difficult to inform users about what sorts of information might be collected, or to obtain their consent. Currently, many Internet of Things products rely on the owner's smartphone as a central controller. So just like mobile apps can use pop-up windows to get consent for location tracking, Internet of Things devices can send alerts to people's phones when they're about to collect sensitive information. But connected devices will increasingly untether themselves from phones.

"How do you give informed consent to a sock?" asks Alvaro Bedoya, the executive director for the Center on Privacy and Technology at Georgetown University. "I don't know."

Because much of the monitoring will take place in the background, customers are less likely to realize their data is being collected. You're probably aware that you've provided a lot of data about yourself on social-media sites like Facebook, but the Internet of Things will be a constant and ubiquitous presence that many of us won't even think about. When you're not actually deciding what information to share, you're naturally less guarded about what you're sharing. You'll also know less about who you might be sharing it with.

The upshot is clear enough: "Soon, everything we do, both online and offline, will be recorded and stored forever," security technologist Bruce Schneier, a fellow at the Berkman Center at Harvard University, wrote in 2013. "The only question remaining is who will have access to all this information, and under what rules."

LAST APRIL IN HEBRON, KENTUCKY, Adam and Heather Schreck were awakened at midnight by the sound of a man's voice in their 10-month-old daughter's room. "Wake up, baby!" the voice was yelling. Adam rushed into the room, but no one was there. Then the family's baby-monitoring camera pivoted to look straight at him, and the same voice began hollering "some bad things [and] some obscenities," as he told a local Fox TV station. Adam quickly unplugged the camera, but quieting the voice did little to soothe his nerves. Clearly, a stranger (or strangers) had been watching his family through the camera, but he had no idea who it was or how long they'd been tuned in.

Chase Rhymes, the chief operating officer of Foscam, which made the camera, says his company wasn't to blame. The Schrecks, he says, failed to change the camera's default password from "admin," making it easy prey for hackers, who could just look up the online manual and find the default setting. Foscam has subsequently altered its security regime, requiring customers to change the default password before the cameras will work. "I think the story really is that, in the Internet of Things and the connected home, your home is more vulnerable now than it was prior," Rhymes says.

The Schrecks' wake-up call was hardly an isolated incident. "You only need to pick up a newspaper to read about a new breach," says Edith Ramirez, chairwoman of the Federal Trade Commission, the chief federal agency responsible for consumer-privacy protection. The FTC's first Internet of Things enforcement action, in September 2013, brought suit against a home-camera company called TRENDnet for using flawed software that allowed anyone with a camera's Internet address to watch its video feed online—even if a customer was using a strong password. A hacker had made the flaw public by posting the live feeds of nearly 700 private cameras. TRENDnet settled the lawsuit, agreeing to overhaul its security practices, pay for regular outside audits, and not to misrepresent the security of its cameras again.

While the prospect of being surveilled by anonymous hackers is downright creepy, the security risks go far beyond the privacy intrusions of wired Peeping Toms. Because connected devices are often networked together through Wi-Fi or Bluetooth, a single vulnerability—on a camera, a car, or even a sock—could become the entry point to access all of a person's information. "It's like the camel's nose under the tent," says Maneesha Mithal, the head of the FTC's Division of Privacy and Identity Protection. "If a hacker can access one part, they can get into the whole system."

Because so many connected gadgets will be considered disposable, Mithal says, they may be even more vulnerable than computers and smartphones. A company making smart light bulbs or toothbrushes may not put much thought into security or plan to ever release security updates. "People who are coming out with these innovative products might not have as much of a background in security as people who are doing computer software," Mithal says. "So it's not as mature on the security front."

It's not just consumer products like cameras and socks that are vulnerable. Dan Tentler, cofounder of the computer security firm Carbon Dynamics, demonstrated at a hacker conference in 2012 that he could use Shodan—a search engine that scans the Internet for connected devices—to take control of building power systems, pressurized water heaters, a car wash, and a wind-turbine farm. He was even able to access a system controlling city traffic lights; as Tentler logged into the traffic system, it displayed a warning that changing the settings could cause people to die.

"This scares the living shit out of security folks," says Joe Hall. "The potential for things to go wrong is so many orders of magnitude greater than [with] just the regular Internet." Hackers could open garage doors across the whole country, switch off critical medical devices, or set millions of ovens on full heat, causing some to catch fire. ("The clean cycle on an oven that goes up to 900 degrees is a pretty good example of something that should require someone to be physically present," Hall says.)

It's not just the stereotypical hacker in a basement who could cause havoc, of course; hostile foreign governments like North Korea, organized crime syndicates, or terrorist groups like the Islamic State can also look for vulnerable devices—not just to remote-control them and freak Americans out, but to access more sensitive systems. As the Sony incident showed, this is anything but an outlandish scenario. "I guarantee you that the next wave of serious hacks will be around the Internet of Things," Hall says. Adam Segal, a senior fellow studying cybersecurity at the Council on Foreign Relations, believes that connected cars will make particularly enticing targets; state-sponsored hackers could attack a central server to cut the brakes on thousands of cars at once—or to go after a particular person. (Recognizing this kind of danger, Vice President Dick Cheney had the wireless technology in his pacemaker disabled in 2007 to ensure that it couldn't be used for an assassination attempt.)

Foreign hackers may be more eager to exploit connected devices for surveillance than for sabotage. American officials have complained for years that China has been spying on U.S. companies to gain an economic edge. In 2011, the U.S. Chamber of Commerce revealed that its systems had been breached by Chinese hackers; The Wall Street Journal reported that the thermostat in a Chamber-owned apartment on Capitol Hill was communicating with an Internet address in China. Foreign spies could use the Internet of Things to build portfolios on particularly powerful Americans, says Jim Lewis, a senior fellow at the Center for Strategic and International Studies. They could even dig up information to use as blackmail or coercion, he warned.

"It's the same story we've seen all along with the Internet, which is huge economic opportunities accompanied by a definite increase in risk," Lewis says. When the Internet first started, many companies focused on building their products and figured they could deal with security later. The Internet of Things "is a tremendous opportunity," Lewis says, "but it has to be different than the last time. We have to think about security. It takes a while for Washington to figure out 'What is this? How do I fit into this?' ... I think that's the point we're approaching."

YOU'D HAVE A HARD TIME finding anybody in Washington—members of Congress, regulators, even advocates of sweeping and strict privacy rights—who would mount a serious argument that the government should even attempt to apply the brakes on the Internet of Things. The benefits, both to economic growth and to everyday Americans' quality of life, are simply too vast, too undeniable. What will be hotly debated—what's already sparking arguments on Capitol Hill—is how to regulate the flow of personal information and sensitive data from "smart" devices in a way that prevents public safety, privacy rights, and national security from being dangerously compromised.

Actually, the question is not only how to regulate, but when. Should Congress, and the various federal agencies that oversee portions of the Internet of Things, be setting restrictions now—or take a wait-and-see approach, stepping in only after calamities, or near-calamities, occur? Thierer, the libertarian scholar at George Mason University, is among those who warn against any "preemptive strike" by the feds; the key to economic growth, he argues, is encouraging "permissionless innovation" that allows entrepreneurs to experiment with new products, unfettered by worries about federal regulation. After all, that's how the original Internet was built. "Congress and the Clinton administration crafted a very sensible framework for Internet and electronic commerce," Thierer says, "and it worked out marvelously."

FTC Chairwoman Ramirez, on the other hand, contends that stronger regulations could be a boon to the more far-flung Internet of Things. Recalling the TRENDnet case, with its hacked home cameras, she says: "The families who are impacted by that are going to be rightly cautious the next time they consider bringing an Internet of Things device in their home. It's incidents like that, the security flaws, that I think will slow down the adoption of the Internet of Things."

New rules for specific pieces of the Internet of Things are being rolled out by multiple federal agencies—the FAA is working on air-safety regulations for drones, for instance, while the FDA has already released guidelines for protecting wireless medical devices from hackers. But the FTC is the chief federal cop for the super-connected world. Unlike other agencies, which can only set "sector-specific" standards for industries that fall under their purview, the FTC can go after companies across the spectrum. But it's a relatively small agency, with fewer than 1,200 employees, and its enforcement powers are limited; it can only crack down on business practices that fit a legal definition of "unfair" or "deceptive."

If a maker of "things" violates a promise in its privacy policy, the FTC can take action. Typically, the agency asks a federal court to order companies to change practices and to pay for regular external audits for years to come. Those court orders can also impose hefty fines for repeat violations. But as long as a company isn't flat-out lying, there are few restrictions on what it can do with a person's information. The FTC has interpreted its power over "unfair" practices to mean that companies have to employ "reasonable" security measures, but even that standard is currently being challenged in the courts.

In January, the FTC released a modest set of new guidelines for the Internet of Things and also asked Congress to grant it authority to levy fines for first-time violators (which is highly unlikely to happen). The new standards recommend that tech companies take steps to ensure security before they put products on the market, and that they limit the amount of data they collect to allow customers to make "informed choices" about their privacy. Technically, adherence to the standards is voluntary, though the FTC can use them to help identify which companies are being "unfair" or "deceptive." The FTC doesn't have the capacity to go after every potential offender, but its cases are designed to send warnings to others. "We want to influence the behavior out there," says Ramirez. The agency's greatest worry, says Mithal, is "under-deterrence": "We've seen reports that companies often don't even maintain the most basic security measures. I think that some companies may be willing to take the risk that there's a breach as a cost of business."

To strengthen its hand considerably, the FTC also asked Congress to pass sweeping online privacy legislation that would give consumers much more control over their information. The United States has no law guaranteeing a broad right to privacy. That contrasts sharply with the European Union, which passed a far-reaching "Data Protection Directive" in 1995, establishing seven privacy-protection principles that businesses are required to follow—and that consumers can insist businesses adhere to. (The strictness of the model is immediately obvious the moment that one visits just about any European website; a large banner on every page discloses how the site tracks the user's activity.)

In 2012, the Obama administration outlined a "Consumer Privacy Bill of Rights"—a set of seven principles for how online companies should handle personal information. There has been little support in Congress for such a measure, but the White House is poised to make another push: It will soon release legislative language for the "bill of rights" in an attempt to jump-start discussions.

Even many privacy advocates think that such an ambitious law—with all its unsavory "European" connotations—is a nonstarter. "Never will a consumer privacy bill of rights pass Congress," Bedoya says. "All I think most privacy advocates want is for people to be informed about what data is being collected, and what's being done with it, and to have a choice about it. All folks want are some basic rules of the road."

One basic rule the FTC and White House want has a real chance to see daylight in Congress: "breach notification" to consumers when their data is stolen or hacked. This is one security measure strongly backed by businesses, who'd prefer a federal standard to the current patchwork of state notification laws. The House Commerce, Manufacturing, and Trade Subcommittee has already held hearings on the topic, and Chairman Michael Burgess calls breach notification a "top priority" for his panel. Sen. Thune also says he wants to move a notification law through the Senate. Otherwise, the bills that may have the best chance will be stand-alone measures to regulate Internet of Things products that are causing widespread worries among the public.

Once again, though, Washington is largely playing catch-up with digital progress. The good news is that, compared with the earlier incarnations of the Internet, when Washington stayed "analog" long past the point when most of the country was fully wired, those who call for stronger cybersecurity measures are cautiously optimistic: Hey, at least they're talking about it. But unless (or, some would say, until) the darker fears of security experts and privacy doomsayers materialize, Washington's laissez-faire attitude will continue to prevail. This is America, after all, where lurching boldly forward in the name of profit—and with new technology that promises to make everyone's lives easier and better—is the modus operandi. Even a widespread outbreak of foreign hackers shouting at babies, causing smart cars to initiate pileups, or firing up toasters en masse won't change that bedrock philosophy any time soon.