[co-author: Ryan Thompson]

On January 12, 2017, prior to the new administration taking power, the National Telecommunications and Information Administration (NTIA) within the Department of Commerce (Department) released a Green Paper on “Fostering the Advancement of the Internet of Things,” which assesses the technological and policy landscape of the Internet of Things (IoT). The Green Paper is expansive in scope, reflecting the broad range of issues raised in comments submitted by stakeholders in the private sector, academia, government, and civil society following NTIA’s April 2016 request for public comment. The Green Paper identifies key issues, and provides recommendations and assessments on the potential benefits and risks that IoT portends. The NTIA identifies cybersecurity, privacy and cross-border data flows as the most significant policy issues. It also proposes four principles for future policy engagement in which the Department would play a central role in creating conditions that would foster IoT growth. The agency also requested additional comments on the issues raised by the Green Paper.

IoT Brings a New Paradigm, but Government Engagement Should Be the Same

NTIA concludes that IoT represents a significant departure from previous technologies in its scope, scale, and the stakes involved. Because the opportunities and challenges offered by IoT will be unlike any that society has dealt with before, the interruption of connectivity will likely present more urgent challenges. Such interruptions could affect the performance of medical devices or the reliability of a supply chain, or even cause physical destruction in more expansive ways than prior interruptions of connectivity.

Notwithstanding the new challenges, the NTIA suggests the government’s decades long approach of supporting the emergence and development of new technologies may remain the same. Commenters overwhelmingly called for the US government to reaffirm rather than reevaluate this well-established approach, focusing instead on developing a regulatory framework that is predictable and globally consistent.

NTIA Principles for Government Engagement

NTIA proposes four principles for future policy engagement:

1. The Department will lead efforts to ensure the IoT environment is inclusive and widely accessible to consumers, workers, and businesses;
2. The Department will recommend policy and take action to support a stable, secure, and trustworthy IoT environment;
3. The Department will advocate for and defend a globally connected, open, and interoperable IoT environment built upon industry-driven, consensus-based standards; and
4. The Department will encourage IoT growth and innovation by encouraging expanding markets and reducing barriers to entry, and by convening stakeholders to address public policy challenges.

Whether the NTIA under the Trump Administration will continue to emphasize in the same way these four principles for the Department’s IoT engagement remains to be seen.

IoT: An Undefinable Concept?

NTIA finds that there still is no consensus definition of IoT, nor is there consensus on whether a common definition would be useful. One commenter urged the agency to recognize IoT not as a new technological architecture, but as a “new concept that defines how we interact with the physical world.” But even this definition invites distinctions: interactions with the “industrial IoT” may raise different concerns than those with connected consumer devices, for example.

Recognizing the need to balance flexibility with a desire to develop a common language for description, NTIA uses the term IoT as “an umbrella term to reference the technological development in which a greatly increasing number of devices are connected to one another and/or the Internet.”

Key Policy Issue: Cybersecurity

No policy issue received as much attention in comments as cybersecurity. Commenters appeared to agree that the challenge of securing networks of internet-connected devices differs in both character and magnitude: the networked nature of IoT creates more “attack surfaces” that can be exploited, and connected devices may collect vast amounts of personal or other sensitive information. Many IoT device makers—pushing low cost devices to the market, often for the first time—may not follow established cybersecurity best practices.

Consistent with the prevailing trend among both industry and regulators, NTIA advocates for “flexible, risk-based solutions” for cybersecurity. Many commenters favorably cited to the National Institute of Standards and Technology’s Cybersecurity Framework as a model for developing corporate cybersecurity programs. Similarly, NTIA emphasizes the importance of “security by design,” the process of integrating security considerations into the entire lifecycle of IoT product development, deployment, and ongoing support. The approach is a cornerstone of the Federal Trade Commission’s “Start with Security” guidance.

Key Policy Issue: Privacy

Interest among commenters in the privacy issues raised by IoT devices was second only to cybersecurity. Commenters appear divided on whether IoT presented novel challenges and whether current regulation is sufficient. Although several commenters felt that it is either too early to craft regulatory responses or that the current frameworks are flexible enough to accommodate changes brought by IoT, others argued that privacy issues may be “different enough in scale, scope, and stakes to necessitate distinct consideration.” Among these commenters, the unprecedented volume of data as well as novel challenges in obtaining notice and consent presented by IoT were paramount concerns. On one issue, however, most commenters appeared to agree: the Department is not well-situated for developing policy relating to privacy.

Key Policy Issue: Cross-Border Data Flows

NTIA recognizes that protecting the free flow of information across national borders is a critical issue for companies across a variety of sectors and that laws and policies limiting cross-border data flows “could negatively affect the growth of certain IoT sectors.” NTIA proposes that the Department of Commerce collaborate with international partners to facilitate cross-border data flows and discourage attempts to “localize” data. Commenters suggested that the US Government may engage by promoting the interoperability of privacy and cybersecurity regimes and standards as well as seeking binding commitments with other nations.

Areas of Future Engagement

NTIA proposes four areas of engagement to advance the four principles described above:

1. Enabling Infrastructure Availability and Access: Fostering the physical and spectrum related assets needed to support IoT growth and advancement.
2. Crafting Balanced Policy and Building Coalitions: Removing barriers and encouraging coordination and collaboration; influencing, analyzing, devising, and promoting norms and practices that will protect IoT users while encouraging growth, advancement, and applicability of IoT technologies.
3. Promoting Standards and Technology Advancement: Ensuring that the necessary technical standards are developed and in place to support global IoT interoperability and that the technical applications and devices to support IoT continue to advance.
4. Encouraging Markets: Promoting the advancement of IoT through Department usage, application, iterative enhancement, and novel use of the technologies; and translating the economic benefits and opportunities to foreign partners.

The NTIA’s identification of principles for policy engagement and specific areas of engagement is against the backdrop of highlighting three key data-related policy issues, cybersecurity, privacy and cross-border data flows.

Request for Comment

In addition to requesting comments on the issues raised in the Green Paper, NTIA seeks input on the following four questions:

1. Is NTIA’s discussion of IoT presented in the Green Paper regarding the challenges, benefits, and potential role of government accurate and/or complete? Are there issues that NTIA missed, or that NTIA needs to reconsider?
2. Is the approach for Departmental action to advance IoT comprehensive in the areas of engagement? Where does the approach need improvement?
3. Are there specific tasks that the Department should engage in that are not covered by the approach?
4. What should the next steps be for the Department in fostering the advancement of IoT?

Comments are due on or before February 27, 2017 at 5:00 p.m. Eastern. NTIA will use the comments to finalize its IoT policy positions and it may issue a subsequent White Paper.