High profile car hacks, large-scale breaches of intimate information, news of compromised household appliances -- hardly a day passes without some revelation of the ways in which our increasing interconnectedness is introducing new vulnerabilities into our lives. Technology is advancing at a rapid clip, and so are breaches. Now, more than ever, strong security and end-user controls are critical to protect personal information.
Most of us are just beginning to be aware of the amount of sensitive information we are sharing or transmitting each time we download a new app or connect up a new wearable, sensor, household appliance or device. We now carry smartphones that not only have our personal calendars, contacts, messages, and photo albums but also our wallets, health information, and controls for things in our homes. As we connect more and more things to each other and the Internet and run more of our lives on apps on our phones - we increase our exposure. Current estimates forecast that there will be anywhere from 25-50 billion connected devices by 2020.
That's a target rich environment for bad actors.
Which is why, if we are to benefit from all the amazing possibilities of the expansion of the Internet of Things (IoT), security is a must. Research from the McKinsey Global Institute estimated the economic impact of IoT could range from $3.9 trillion to $11.1 trillion per year in 2025. But the same report notes that winning consumer trust by addressing privacy and security is vital to achieving that potential.
Companies that are collecting and storing our data have an obligation to secure it. Many can and should do more to protect against breaches -- an FTC report released earlier this year noted a disparate range of security practices in IoT products. At the FTC, we are urging companies to embrace security by design and we can bring enforcement actions when companies fail to reasonably secure consumer data. But, as any security expert will tell you, there is no such thing as perfect security.
Encouragingly, many companies are taking meaningful steps to improve their security practices including greater use of encryption technology for data in transit and at rest, whether it be stored in the cloud or on devices. Encryption has helped protect the information of millions of consumers -- for example, protecting credit card information when a merchant is breached or protecting passwords when a popular website is hacked. The impact of major breaches may also be reduced the more that users' data and communications are encrypted end-to-end.
Moreover, there are more products on the market providing consumers with better security and privacy tools -- including encryption as the default for information stored on smartphones, apps that use end-to-end encryption, and services that encrypt data on devices and then back them up in the cloud. Competition in the marketplace of security and privacy technology holds considerable promise for consumers.
Each of us can play an important role in protecting our information on laptops, desktops, and smartphones by using strong end-user controls, such as disk encryption and firmware passwords. Disk encryption can protect information stored on the hard-disk from unwanted access and hardware passwords essentially prevent machines from being used without the password.
Using these tools can also make it easier for consumers to recover lost or stolen devices as the FTC's Chief Technologist recently discovered through personal experience.
Encryption and end-user protections can raise issues of access for law enforcement. Some argue that data storage and communications systems should be designed with exceptional access -- or "back doors" -- for law enforcement in order to avoid harming legitimate investigative capabilities. However, many technologists contend that exceptional access systems are likely to introduce security flaws and vulnerabilities, weakening the security of products.
This debate, sometimes called the crypto wars, is hardly new -- it has been going on in some form or another for decades. But what is changing is the extent to which we are using connected technology in every facet of our daily lives. If consumers cannot trust the security of their devices, we could end up stymieing innovation and introducing needless risk into our personal security. In this environment, policy makers should carefully weigh the potential impact of any proposals that may weaken privacy and security protections for consumers.