The House Energy and Commerce Committee’s Subcommittee on Digital Commerce and Consumer Protection held a hearing this week to discuss the State of Modern Application, Research, and Trends of IoT Act (SMART IoT Act). This proposed legislation would direct the Secretary of Commerce to conduct a comprehensive study of the IoT industry and Federal agencies with jurisdiction over the IoT industry, as well as all IoT regulations and policies implemented by those agencies. The SMART IoT Act would also require the Secretary of Commerce to produce a report to Congress within one year of the bill’s enactment, detailing the results of the study and recommendations for enabling the secure growth of IoT.  Although this legislation has not yet been formally introduced, the Subcommittee on Digital Commerce and Consumer Protection has published the bill’s full text as well as a summary.

Three witnesses testified:

  • Tim Day, Senior Vice President, Chamber Technology Engagement Center, U.S. Chamber of Commerce;
  • Michelle Richardson, Deputy Director, Freedom, Security, and Technology Project, Center for Democracy and Technology; and
  • Dipti Vachani, Vice President, Internet of Things Group, General Manager, Platform Management and Customer Engineering, Intel Corporation

At the hearing, the SMART IoT Act drew broad support from all of the witnesses as well as from members on both sides of the aisle. However, there were differing opinions regarding the focus of the study called for by the SMART IoT Act, as well as the next steps that Congress should take with respect to IoT.

Agreement on Importance of Studying IoT but Differences on Approaches

All of the witnesses emphasized the importance of the study itself, albeit for different reasons. Mr. Day testified that study would be an opportunity to evaluate existing regulation and policy with an eye towards cutting back unnecessary regulation and lowering compliance costs. Ms. Vachani added that the study should develop a robust, non-proprietary, technology-neutral definition of IoT that accounts for both consumer and industrial applications.

Ms. Richardson testified that the study should investigate the rate at which industry stakeholders have, in practice, adopted voluntary standards, and whether gaps in government oversight and agency jurisdiction have resulted in consumers facing a dearth of meaningful options, a poor understanding of the risks of data aggregation, and few statutory protections.

Calls for Indirect Government Intervention for IoT Standards but Disagreement on the Role of Government in Regulating IoT Security

Ms. Vachani and Mr. Day supported the continued development of industry IoT standards, in particular interoperability standards, which they said should inform federal regulatory activity. They argued that rather than setting standards, the government should study and adopt incentives to support industry standard setting. Ms. Richardson noted that the federal government, through incentives like mandatory privacy and security guidelines for procurement of its own IoT technologies, could effectively influence the market. Mr. Day added that infrastructure investment by the federal government will be critical to the future development of IoT.

The witnesses disagreed when it came to security protocols in the consumer context. Ms. Richardson asserted that, while the standards themselves could be set by the private sector, compliance with these standards should be more closely regulated across the government, citing, as examples of security failures posing significant risk to consumer safety, smart locks that can be hacked or surveillance cameras used to spy on their owners. Ms. Richardson advocated for a sector specific approach to IoT security regulation, spread out across several agencies with the relevant domain expertise, which would prioritize higher-risk applications, like location tracking and facial recognition. Ms. Vachani, on the other hand, testified that the market for IoT security is maturing and growing rapidly. On top of the extensive security due diligence work performed by companies like Intel on both the hardware and software level, Ms. Vachani asserted that the secondary security market serving the IoT ecosystem will resolve most high-risk security risks without the threat of government sanction.

Witnesses Agree on Need for Privacy Legislation Not Tied to IoT

All three witnesses agreed on the need for congressional action in regards to privacy and that such action should not be tied to IoT specifically. Of the three, Ms. Richardson was the most adamant on this front, repeatedly asserting that baseline privacy legislation would be a critical first step in resolving many of the risks posed by IoT.

Among the witnesses, only Mr. Day advocated for additional IoT-specific legislation, citing the Developing Innovation and Growing the Internet of Things (“DIGIT”) Act. The DIGIT Act, which passed by the Senate in August 2017 on a voice vote but has stalled in the House, would direct the Department of Commerce to, among other things, examine how federal agencies can implement IoT technologies and require the Federal Communications Commission (“FCC”), in consultation with the National Telecommunications and Information Administration (“NTIA”), to issue a notice of inquiry seeking public comment on current and future spectrum needs relating to IoT. A detailed breakdown of the DIGIT act can be found here.