Internet of Things & Wearable Technology: Unlocking the Next Wave of Data-Driven Innovation

1. The Internet of Things & Wearable Technology: An Overview of Key Issues & Policy Concerns Adam Thierer Senior Research Fellow Mercatus Center at George Mason University Last updated September 2015

2. Outline of Paper & Presentation • Definitions • Opportunities • Key Policy Concerns (Technical vs. Social) • A Deeper Dive on Privacy-Related Concerns • Constructive Solutions • A Word about Adaptation • The Growing Conflict of Visions Ahead 2

3. Definitions 3

4. Definitions of IoT Evolving • No consensus definition, but lots of catchphrases! – “machine-to-machine” communication – “Industrial Internet” (GE) – “Internet of Everything” (Cisco) – “ThingerNet” / “Thingerverse” • “Smart” everything! – “smart homes,” “smart buildings,” “smart appliances,” “smart health,” “smart mobility,” “smart cities,” “smart cars,” etc. 4

5. Best Definition of IoT Morrison Foerster analysts define IoT as: “the network of everyday physical objects which surround us and that are increasingly being embedded with technology to enable those objects to collect and transmit data about their use and surroundings.” • More simply, it’s a world were the Internet is baked into all our stuff! 5

6. Key Components of the IoT • Power of IoT comes from combination of: – Faster & smaller microprocessors – Smaller & better sensors (& cameras) – More ubiquitous & robust wireless networks – Expanding cloud storage capacity – Enhanced “big data” capabilities • It’s the miniaturization of everything that matters – both in terms of device size & cost • = the long-desired “seamless web” of connectivity now exists 6

7. Just How Connected? • ABI Research: estimates that there are more than 10 billion wirelessly connected devices in the market today and more than 35 billion devices expected by 2019 • Cisco: by 2019, 40 billion intelligent things will be connected & communicating • IDC: predicts far greater penetration of 212 billion installed devices by 2020 7

9. The Economic Opportunity 9

10. Estimated Economic Impact of IoT • McKinsey Global: $3.9 trillion to $11.1 trillion potential economic impact per year by 2025 • IDC: compound annual growth rate of 7.9% between now & 2020, to reach $8.9 trillion • Cisco: IoT will create $14.4 trillion in value between 2013 and 2022 10

11. 11

12. Many Subsectors, Many Players 12

13. 13

14. “Wearables” = Most Important IoT Category • = IoT that is worn on body • “quantified self” movement growing • Unsightly today (think “Google Glass”), but will literally be sewn into our clothes in future (“sensor-rich fabrics”) & largely invisible • Becoming “lifestyle remotes” to automate our lives 14

15. 15

16. Sectors & Professions That Will Be Transformed by Wearable Tech • Health Care / Surgery • Firefighting • Law enforcement • Political campaigns • Education / Instruction • Retailing • Entertainment • Theme parks • Airlines & vacationing • Financial Services • Sports / Athletics 16

17. Health & Fitness Are Major Drivers Typology of Mobile Health Technologies • Connectors: applications that connect smartphones and tablets to FDA-regulated devices, thus amplifying the devices’ functionalities. • Replicators: applications that turn a smartphone or tablet itself into a medical device by replicating the functionality of an FDA-regulated device. • Automators & Customizers: apps which use questionnaires, algorithms, formulae, medical calculators, or other software parameters to aid clinical decisions. • Informers & Educators: medical reference texts and educational apps that primarily aim to inform and educate. • Administrators: apps that automate office functions, like identifying appropriate insurance billing codes or scheduling patient appointments. • Loggers & Trackers: apps that allows users to log, record, and make decisions about their general health and wellness. Source: Nathan Cortez, SMU School of Law 17

18. Wearable Market Growth • Canalys: 700% growth in wearable smart bands market in the second half of 2013 • IDC: shipment volumes will exceed 19 million units in 2014, 3x prior year • IDC: global market will swell to 112 million units in 2018, resulting in a CAGR of 78% • + major smartphone platforms providers (Apple, Google, Microsoft, Samsung) all competing aggressively here 18

19. The “Sci-Fi” Future of IoT & Wearables Will Arrive Shortly • “Implantables” = IoT implanted under skin • “Ingestibles” = IoT tech that is swallowed • “Biohacking”= Body modification to enhance or repair human abilities – see: http://discuss.biohack.me 19

20. Policy Concerns: Technical vs. Social 20

21. Technical Issues • Access to adequate spectrum to facilitate wireless networking capabilities? • Technical standards – Wi-Fi, Bluetooth, near field communication, GPS – Licensed or unlicensed ? • Device / platform interoperability – Apple vs. Android vs. what else? • Device addressing – Will rise of IoT & wearables get IPv6 transition moving? 21

22. Quick Note on Technical Issues • Technical issues were not focus of this particular paper • That is primarily because I am actually far more optimistic we can work those issues out relative to… 22

23. Social Concerns (in order of current severity) • Security • Privacy – reputational issues – “discrimination” issues – data ownership • Safety • Automation fears & other ethical objections – “cyborg” concerns 23

24. Regulatory Interest Growing Policymakers Already Exploring IoT Tech • FTC (general privacy & security) • FDA (safety of mobile medical apps & devices) • FCC (wireless issues) • FAA (commercial drones) • NHTSA (intelligent vehicle technology) • NTIA (multistakeholder privacy reviews) • Congress • Various state, local & int’l regulators (esp. in EU) 24

25. A Deeper Dive on Privacy & Security Concerns 25

26. The Coming Data Deluge • Amount of data generated & collected online today pales in comparison to what is coming • Recall estimates of 30+ billion devices by 2020 • And recall defining realities of IoT & wearable tech: – always-on – always-sensing – always-collecting – always-communicating • The IoT is, at once, a massive data generator & giant data vacuum cleaner 26

27. Ramifications for Modern Privacy & Security Policies • “fair information practice principles” (FIPPs) will be hard to strictly apply & enforce • FTC Chairwoman Ramirez: “the difficulties will be exponentially greater with the advent of the Internet of Things, as the boundaries between the virtual and physical worlds disappear.” 27

28. How IoT Challenges FIPPS • What is “adequate notice” in an always-on, always-sensing world of billions of micro devices? • What counts as “consent” in a world of peer-to-peer self- surveillance? – Ex: How do you get consent when using Google Glass or a “Narrative” clip-on camera? • Transparency: How to post privacy policies when everything is so small? • What counts as “respect for context” when everything is being collected? • How does data minimization work for “always on” IoT & wearables 28

29. IoT Also Challenges… • Health Insurance Portability and Accountability Act (HIPAA) • COPPA & FERPA (kids & education privacy) • GLB financial privacy • State privacy & data security laws • FDA safety standards • + wide variety of workplace issues 29

30. Will a Move to Use-Based Restrictions Save the Day? • Going to be very hard to limit collection, so a move to use-based restrictions seems likely • But which uses? – “discriminatory” uses (how defined?) – are existing discrimination statutes applicable? • What about database access / correction? – think FCRA • Problem of overly sweeping use restrictions – “privacy paternalism”? 30

31. Query: What about the First Amendment? • First Amendment likely poses serious roadblock to more comprehensive regulation of IoT & wearables • Volokh: “We already have a code of ‘fair information practices,’ and it is the First Amendment” • ACLU of Illinois v. Alvarez (2012): – “The act of making an audio or audiovisual recording is necessarily included within the First Amendment’s guarantee of speech and press rights as a corollary of the right to disseminate the resulting recording.” • 1A might limit both collection & use-based restrictions 31

32. Constructive Solutions 32

33. A “Layered” Approach to Address Concerns 1) Developers: Privacy & security “by design” / best practices 2) Consumers: Education, media literacy & tech etiquette 3) Social norms, pressure & sanctions will play big role – ex: restrictions on phones in theaters & locker rooms 4) Common law adjudication / other legal standards – privacy torts (“intrusion upon seclusion”); “Pepping Tom” laws – Products liability: strict liability / negligence, design defects law, failure to warn, breach of warranty, etc 5) FTC (Section 5) “unfair & deceptive practices” 6) Targeted data use restrictions for sensitive classes of info – note: existing discrimination statutes might cover some issues 33

34. Developer-Side Solutions Elements of Privacy / Security by Design • Better security through encryption, anonymization / data “de-identification” • Rolling security notices / updates / upgrades • Proper use guidelines • Better transparency re: data use/sharing policies • Data minimization when possible • Simpler UI 34

35. Consumer-Side Education • Media literacy / digital citizenship / “netiquette” • Government can be active here w/o fear of First Amendment – PSAs / general awareness-building efforts • ex: OnGuardOnline.gov – Classroom lessons • Privacy curriculum (see Fordham CLIP model) 35

36. Liability Norms Could Evolve • Who is “least-cost avoider” who assumes liability? • As developer knowledge of potential misuses grows, liability could shift, too – Ex: Driverless cars & insurance as cars become a service • But will liability norms need a nudge in that direction? … • … or, will IoT developers need protection from over- eager tort lawyers! • Bottom line: Let product liability evolve; it has happened many times before w/ other tech. 36

37. FTC Role Will Continue Recent FTC Privacy & Security Enforcement Actions • Google • Facebook • Apple • Twitter • MySpace • HTC • Lookout • Path • Snapchat • Fandango • Credit Karma • TrendNet 37  53 data security-related cases recently  20-year privacy audits for some firms + fines  = is this an “FTC common law” of IoT privacy & security?

38. A Word about Social Adaptation 38

39. What Was True Before… • Citizen attitudes about emerging technologies follow a familiar cycle: 1. initial resistance (“technopanic” phase) 2. gradual adaptation 3. eventual assimilation • we have seen this cycle play out in countless other contexts 39

40. First We Panic, Then… • Recall reaction to camera & photography in late 1800’s… “Instantaneous photographs and newspaper enterprise have invaded the sacred precincts of private and domestic life; and numerous mechanical devices threaten to make good the prediction that ‘what is whispered in the closet shall be proclaimed from the house-tops.’” — Samuel D. Warren and Louis D. Brandeis, 1890 • But we got through it! We adjusted our societal norms and personal expectations to accommodate photography. • Instead of rejecting cameras, we bought a lot of them! (But then learned how to use them respectfully, too.) 40

41. Key Takeaways • There is no end point in debates about data security & online privacy; a never-ending challenge • IoT & wearables merely extend & exacerbate problems we already faced in Web 1.0 & 2.0 world • silver bullet solutions don’t exist (never have, never will) • Need to find creative ways to adapt to each new set of challenges – individuals, institutions, law & norms all must adapt – patience & humility will be crucial policy virtues 41

42. The Grand Tech Policy Clash of Visions to Come 42

43. IoT and Future Tech Flashpoints Internet of Things • Wearable Tech • Smart Homes • Smart Cities Health Issues • Medical Devices • Biohacking • Embeddables • Genetic issues • Mobile medical apps • Telemedicine 3-D Printing Robotics • Smart cars • Private drones • A.I.

44. Which Vision Will Govern? IoT foreshadows many other debates about emerging tech. The choice: • Permissionless Innovation = the general freedom to experiment & learn through trial- and-error experimentation. • Precautionary Principle = Crafting public policies to control or limit new innovations until their creators can prove that they won’t cause any harms. 44

45. The Heart of the Debate Which Default for Innovation? 45 Precautionary Principle Permissionless Innovation risk anticipation risk adaptation Ex ante enforcement Ex post enforcement Preemptive top-down controls Reactive bottom-up remedies Innovators have to ask, “Mother, May I?” Innovation is “innocent until proven guilty”

46. A Range of Responses to Technological Risk Prohibition Censorship Info suppression Product bans Anticipatory Regulation Administrative mandates Restrictive defaults Licensing & permits Industry guidance Resiliency Education & Media Literacy Labeling / Transparency User empowerment Self-regulation Adaptation Experience / Experiments Learning / Coping Social norms & pressure Top-down Solutions Bottom-up Solutions Precautionary Principle Permissionless Innovation 46

47. Related Mercatus Center Research • Book: Permissionless Innovation: The Continuing Case for Comprehensive Technological Freedom • Testimony: The Connected World: Examining the Internet of Things • Analysis: Projecting the Growth and Economic Impact of the Internet of Things • Law review article: The Internet of Things and Wearable Technology: Addressing Privacy and Security Concerns without Derailing Innovation • Oped: How Not to Strangle the Internet of Things • Filing to FTC on Privacy and Security Implications of the Internet of Things • Law review article: Technopanics, Threat Inflation, and the Danger of an Information Technology Precautionary Principle • Article: Muddling Through: How We Learn to Cope with Technological Change 47