More devices than ever before are tracking and recording us but how much they can monitor remains unclear

The former Microsoft executive Suzan DelBene is something of an outlier among her current professional colleagues when it comes to tech savvy. She’s doing what she can, though, to help educate her peers about the so-called internet of things device class that includes products such as the Microsoft Band she wears to work. Indeed, it’s one reason that DelBene – a US Rep. for Washington’s First Congressional District – co-founded Congress’ internet of things caucus this year.

They may not be fluent in the language associated with wearable technology. Even so, DelBane’s congressional peers, many of whom don’t wear or use such devices, are nevertheless in an influential position when it comes to the internet of things, a booming category that technology giant Cisco has said could represent a market opportunity of as much as $19 trillion.

Her colleagues, of course, are the ones who will fill in the policy gaps when it comes to things like the way internet connectivity is brought to millions of new types of products – products that also hoover up fresh swarms of data and open up new windows into the way we live our lives. Because unlike the way surfing the web on a laptop or smartphone can tell advertisers what websites a user frequently lands on, things like wearables and smart-home products offer insight into much more personal minutiae – about a user’s health, biometrics and activity inside their home and more.

Mainstream adoption

In many respects, the internet of things (IoT) cat is already out of the bag. Accenture’s 2014 State of the Internet of Things Study found that about 13% of consumers will own an in-home IoT device, like a thermostat or asecurity camera, by the end of this year. By 2019, that figure rises to almost 70% of consumers.

Thanks to IoT, more devices than ever are listening to us, monitoring us, tracking us, recording us – even if it’s not always clear what they should be allowed to listen to, how much they should be allowed to monitor and track and what their recording limits ought to be.

The former US homeland security secretary Michael Chertoff, for example, told the technology blog PandoDaily a few months ago that some caution was in order when it comes to IoT, that “one shouldn’t default to the position that connecting everything is perfect”.

Chertoff, who said he doesn’t use Gmail and doesn’t feel comfortable connecting his fitness tracker to the cloud, added that he could “see us eventually progressing to a day where almost everything you do is monitored, even if you never agreed to it”.

Vint Cerf is also skittish about IoT. At a news briefing in late August in Germany, the Google executive said he was sometimes “terrified” by IoT. His employer may develop the Nest smart thermostat and ply its employees with benefits such as massage chairs, but he avoids them. Why?

Because those chairs are run by software, he says: “I worry they will fold up on me”.

It was a lighthearted crack, but his broader attitude about the device class is anything but. He thinks it’s an area rife with both technical and legislative concerns – and he’s far from alone.

Law enforcement and IoT

Moving beyond the consumer use cases, law enforcement departments have likewise begun flocking to IoT devices. Police officers in agencies around the country and globe carry IoT devices such as body cams that extend their investigative reach – and, in some cases, invite privacy concerns.

Responding to an online petition directed at the White House in the wake of the Ferguson shooting that sought a requirement for law enforcement personnel to wear body cameras, the White House adviser Roy Austin wrote on the White House petition site that while the use of body cams comes with benefits, they also raise plenty of questions. Like: what are the privacy implications of having officers record interactions with the public? Should the cameras always be on? How long should the video be maintained, and who should have access to it?

“When we look at policy, it’s important we make sure that it’s up-to-date and reflective of the way the world works today – and where the world is heading in the future,” DelBene said. “We also have to make sure there are consumer protections, because (with IoT) we have issues of privacy, security, standards and interoperability.

“One of the things we’ve been focused on in starting the (IoT) caucus is to first educate members of Congress on how the technology works today and what things are coming soon.”

At the same time that she and fellow Republican Congressman Darrell Issa announced the launch of the caucus, they noted those and other pressing questions. They pointed out that not only was the Federal Trade Commission studying the device category, but that future agency regulatory action of industries engaged in connected devices would have implications for “future interoperability and development”.

They also acknowledged that with more users of the devices comes the need to bring closer scrutiny toward data sharing and privacy.

A hands-off approach versus a substantial role for government

So far, the lines that have been drawn up in the tussle over whether and how much to regulate IoT at this point is the largely hands-off approach versus an acceptance there’s definitely a role for government to play, even if that role is still taking shape at this point.

The tension, as DelBene explains it, is to regulate the industry in such a way that enough consumer protections are in place so that someone doesn’t “wake up and find out their coffee maker has been hacked”. On the other hand, she said, Congress needs to take care not to “get in the way of innovation”.

Lawmakers already are grappling with questions in this area. A bill has been introduced in the Senate, for example, that requires the development of protective standards for vehicles that would keep hackers from causing mischief like taking control of the vehicle’s electronics systems.

And that raises a potential regulatory question of its own – if a vehicle is hacked, is that the equivalent of a defect like, say, a bad ignition switch that could trigger a recall? Or is it comparable to a bad actor breaking something, like a vandal busting a window?

That question hasn’t been answered yet, but Mitch Bainwol, who heads up the Alliance of Automobile Manufacturers lobbying group, already is on record against any suggestion that a risk of cyber intrusion in a vehicle is tantamount to a defect.

The FTC, meanwhile, does not yet see a need for Congress to aggressively step in – that the onus is on device makers to build features that safeguard consumers and their data. In a paper released this year, FTC commission staff also recommended that Congress “enact broad-based (as opposed to IoT-specific) privacy legislation. Such legislation should be flexible and technology-neutral, while also providing clear rules of the road for companies about such issues as how to provide choices to consumers about data collection and use practices.”

That may quickly prove to be an outdated posture, though, if for no other reason the growing scale of IoT. Consider – it was six years ago, according to the FTC’s own data, that for the first time, the number of “things” connected to the internet surpassed the number of people on earth.

By some estimates, per the FTC, the number of connected devices will grow to 50bn by 2020. And the people in charge of making the rules are still figuring out what to make of a class of devices that we’re strapping to our bodies and installing in our homes.

Meanwhile, stakeholders are urging – go slow on the rule-making, and let the category continue to grow.