 It wasn't all that long ago, just in 1999, that the term The Internet of Things was first coined. Soon after that, LG announced its plans to release the first connected refrigerator, which was programmed to sense and keep track of the groceries stored inside. Now, while we're at a relatively early stage in the development of The Internet of Things, we've certainly seen it grow by leaps and bounds. And the numbers confirmed the popularity of IoT devices. I'm sure that you've been hearing a lot of facts and figures over the last couple of days, but Tech Researcher Gartner reports that 6.4 billion connected things will be used worldwide this year, up 30% from 2015, and by 2020, that number will exceed 20 billion. Now, to put it more starkly, in 2016 alone, 5.5 million new devices will be connected every single day. And as new IoT devices continue to hit the market, they continue to increase in sophistication. Smart technologies no longer simply count steps or allow consumers to turn off their home lights remotely. IoT devices now have the ability to predict and prevent problems from just about anywhere. For example, connected cars can now notify drivers of dangerous road conditions and offer real-time diagnostics to drivers and service facilities. And companies in the oil industry have started to implement smart technologies that can detect issues, such as a corroded pipeline, or leaks and immediately address them before any accidents happen. And it's only a matter of time before your house will know that you're coming home because it's connected to a sensor in your car or your smartphone. But like its potential benefits, the potential risks from The Internet of Things have also emerged at a breakneck pace. Last year, researchers warned that we would soon start to hear about smart home hacking. And sure enough, several studies have shown that it only takes between 5 and 20 minutes to find a way to compromise home automation devices. Even more worrying, researchers have also shown they are able to hack remotely into various medical connected devices, such as insulin pumps, and change their settings so that they no longer deliver medicine. This is our new reality. We've now seen attackers infect connected medical devices with malware and ransomware at hospitals, and they have exploited connected medical devices to obtain medical data, which is now considered 10 times more valuable than a credit card number. Incidents like these risk the erosion of consumer trust, a key issue that's facing the continued growth of The Internet of Things. A 2015 survey conducted by trustee found that 79% of consumers are concerned about smart devices collecting their data. And 25% mentioned concerns about the security and privacy of the data collected as the primary reason why they did not currently own a smart device. So how can we enjoy the enormous benefits that The Internet of Things can offer while at the same time addressing potential risks to consumer privacy, safety, and security? How can we avoid waking up one day in the not too distant future, living in a world like the one Wired Magazine writer Matt Hohn and humorously describes in his essay The Nightmare on Connected Home Street where our homes become infected with malware, causing everything in them to go haywire, leading to a loss not only over control over almost everything in our home, but also the most basic semblance of privacy. In my view, we need to do a much better job of navigating the evolving IoT landscape in a way that both addresses our desire for convenience, efficiency, and innovation, but at the same time safeguards the most personal aspects of our lives. Before getting to a few thoughts about how we might go about doing that, first I'd like to spend a few minutes addressing what I see as the key risks that are presented by The Internet of Things. And then I'll suggest some steps that I think the IoT industry can take to address these risks and enhance consumer privacy and security, thereby building consumer trust in The Internet of Things. The ever-increasing collection of data and the growing sophistication of the tools to analyze that data present one of the central risks emanating from The Internet of Things. Today we're bringing IoT devices into our homes, our cars, our workplaces. And with the proliferation of wearables, we're increasingly placing them on our bodies. In other words, we're placing them and bringing them new sources of data collection into what used to be intimate spaces and we're effectively allowing companies to digitally monitor our otherwise private activities. The sheer volume of data that even a small number of devices can generate is absolutely stunning. For example, fewer than 10,000 households using an IoT home automation system can generate 150 million discrete data points per day. A recent report by ABI Research estimates that in the aggregate, the volume of data captured by The Internet of Things will exceed 1.6 zettabytes by 2020. A zettabyte is equivalent to about 250 billion DVDs. All of these independent data points, when patched together, present a deeply personal and startlingly complete picture of each of us, one that includes details about our financial circumstances, our health, our religious preferences, and our family and friends. And the collection of this personal information can lead to a host of other sensitive inferences, including our mood, stress levels, personality type, demographics, well-being, sleep patterns, level of fitness, to name just a few. This pervasive collection leads to the next inevitable question and another key risk that's presented by The Internet of Things. What is happening to IoT-generated data and how is it being used? As an initial matter, data gathered by IoT sensors and systems can pass through any number of hands beyond those of the user that generated the data. The company whose hardware collects it, the software business that processes it, and the app maker that provides functionality. Not only might they be collecting data that extends well beyond what is needed to provide a particular service, they may very well also be sharing it with a multitude of unknown parties. And all those with access can perform analyses that would not be possible with less rich data sets, providing the ability to make additional sensitive inferences and compile even more detailed profiles of consumer behavior. Let me give you a concrete example. In 2014, the FTC studied 12 health-related mobile apps to determine whether they were transmitting personal information to third parties, and if so, what kind of information they were transmitting and to whom. We found that these apps transmitted sensitive health conditions, such as information about pregnancy and ovulation, along with consumers' names, email addresses, and other unique and persistent identifiers to third parties, including ad networks and analytics firms. In the absence of appropriate controls over this kind of information, our research demonstrates that companies will continue to collect and infer sensitive data from consumers, often without their knowledge. Today, a consumer may use a fitness tracker solely for wellness-related purposes, but the data gathered by the device could be used to price health or life insurance or to infer the user's suitability for credit or employment. Some of these concerns are ones that we addressed recently in our Big Data Report. All of this is particularly problematic if these uses occur without consumers' knowledge or consent, without ensuring the accuracy of the data, or outside of the context in which the information was provided. There are also a number of other unexpected ways in which IoT technologies might be used that could infringe on consumers' privacy. Recent news reports show that a whole host of IoT devices, including baby monitors and other household video cameras, smart TVs, toys, and cars, can be used for identification, surveillance, monitoring, and location tracking. In light of various studies showing that consumers are deeply concerned about IoT's data collection, disclosure of sensitive information, and their lack of control and awareness of who has access to the data that's collected, it's particularly important for IoT manufacturers to design devices that take into consideration unexpected uses of their IoT data and the potential for misuse. Another key issue relates to the heightened security risks presented by the Internet of Things. Security risks in this area can be more acute because of the lack of economic incentives to provide reasonable security, the increased vulnerability from internet connectivity and use of shared networks, and the potential impact on consumers' physical safety. Many IoT devices are small, low-cost, and essentially disposable, and companies may not view it as cost-effective to update software, apply a patch, or provide other ongoing consumer support for existing devices, focusing instead on new product development or other opportunities for business growth. Moreover, the small size and limited processing power of many connected devices can inhibit encryption and other robust security measures. Second, there are a number of security risks that result from increased connectivity between IoT devices and the Internet. One risk is that attackers can exploit IoT devices by accessing and misusing consumers' personal information collected and transmitted to or from these devices. Let's take fitness trackers as an example. A recent study by a Canadian nonprofit called Open Effect found that seven of eight fitness tracking devices transmitted a persistent, unique Bluetooth identifier, allowing them to be tracked by beacons that are increasingly being used by retail stores and shopping malls to recognize and profile their customers. This study also found that companion apps for these fitness devices leaked login credentials and transmitted activity tracking information in a way that allows unscrupulous actors to intercept or tamper with them. As consumers use smart devices more regularly, intruders may exploit these vulnerabilities to facilitate ID theft or other types of fraud. Related concerns that vulnerabilities on a single device can facilitate attacks on other systems. For instance, recent news reports also show how hackers gained access to 900 Internet-connected closed-circuit TV cameras and used those cameras to perform a denial-of-service attack on a company. Denial-of-service attacks are more pernicious when the attacker has more devices under his or her control and as IoT devices proliferate, these types of attacks may become more common. As another example, just last month the FTC settled charges with computer hardware maker, ASUS Tech, that critical security flaws in its routers put the home networks of hundreds of thousands of consumers at risk. Specifically, we alleged that the routers' insecure cloud services led to the compromise of thousands of consumers' connected storage devices exposing their sensitive personal information on the Internet. As IoT devices connecting to home networks increase, the harm from insecure router security will only continue to escalate. Finally, security vulnerabilities can have a significant impact on our personal and physical safety. By exploiting vulnerabilities in IoT devices, attackers may well be able to open garage and other doors across the coal country, switch off critical medical devices, or set millions of ovens on full heat, causing some to catch fire. Last month in the UK, a temporary glitch in British gas resulted in smart thermostats raising the temperature of consumers' homes to 90 degrees Fahrenheit. As these examples show, as the use of the Internet of Things becomes more widespread, unfortunately, so do the risks. At the FTC, we're continuing to examine these and related risks in the context of the Internet of Things and related arenas. In fact, today we just announced a series of workshops that the FTC will be holding in the fall to examine consumer protection implications of ransomware, drones, and smart TVs. Now, having now spent some length of time discussing what I see to be the principal risks presented by the Internet of Things, let me now turn to what I think the IoT industry can do to address them. First, I firmly believe that companies should follow the principle of data minimization. While I recognize that the value of some data might lie in unanticipated uses, these interests can and should be balanced with the interests in limiting the privacy and data security risks to consumers. Companies should examine their data practices and business needs and develop policies and practices that weigh the potential benefits against the potential harms. So what might this kind of exercise look like? Companies should be asking questions at the front end about what types of data they're collecting, to what end, and for how long they anticipate keeping it. They should also weigh the potential usefulness of particular data against its sensitivity and consider making alternative choices. For instance, a company might choose to collect zip codes rather than precise geolocation after considering the risks. And once companies make a determination about what data they need to collect, they should consider what controls are in place to mitigate potential harms. As part of this analysis, companies should ask questions like, can the data be maintained in de-identified form? Can access to the data be limited? Is there a process for vetting new or innovative uses of the data to determine whether they may lead to adverse consequences for consumers before engaging in them? Through this kind of an approach, a company can minimize its data collection, take steps to address risks to the data that it chooses to collect and maintain, and still promote its business goals. Ultimately, companies should keep in mind that just as collecting and retaining data may bring unanticipated benefits, it might also bring unanticipated harms. Second, companies should give consumers clear notice of simplified choices for unexpected collection or uses of their data. Consumers know, for example, that a smart thermostat is gathering information about their heating habits and that a fitness band is collecting data about their physical activity. But would they know and expect this information to be shared with data brokers or marketing firms? Probably not. In these and similar cases, consumers should be given clear and simple notice of the proposed uses of their data and a way to give consent. Now, I recognize that providing simplified notice and choice in an IoT world where devices often lack a consumer interface is easier said than done. And we risk inundating consumers with too many choices as connected devices and services proliferate. But in my mind, the question is not whether consumers should be given a say over unexpected uses of their data, but rather how to provide consumers with control over their personal information. Whatever approach a company designs to take to provide choice, whether it's at the point of sale during setup and installation or in other ways, they should ensure that the privacy choices are clear and prominent and not buried within lengthy privacy notices. It's also important that companies aim to provide just-in-time choices in which they convey important information to consumers and allow them to exercise choice at the time of data collection, sharing, or use. There are promising ideas that may help companies provide consumers with more control. At Carnival e-mail and SyLab, for example, they're developing personalized privacy assistance that are capable of learning the privacy preferences of their users over time. Semi-automatically configuring many settings and making privacy decisions on their behalf. Imagine having a privacy assistant that is running on your smartphone or your smartwatch. The privacy assistant listens for sensors that are broadcasting their privacy policies and can make determinations on your behalf. If it knows, for instance, that you don't mind sharing your home's temperature settings, it can make that decision for you, or it can prompt you to make decisions. If it realizes that your thermostat is sharing your e-mail address with an ad network, it can ask you to decide whether you are comfortable with this kind of sharing. Clearly there's more work to be done in these areas, but I'm confident that the same ingenuity, design acumen, and technical know-how that is bringing us the Internet of Things can also provide innovative ways to give consumers easy to understand choices. Finally, companies should prioritize security and build it into their devices from the outset. Companies should conduct a privacy or security risk assessment as part of the design process. They should test security measures before products launch. Use smart defaults like requiring consumers to change default passwords in the setup process. They should consider encryption, particularly for the storage and transmission of sensitive information, such as health data. And they should monitor products throughout their life cycle and to the extent possible patch known vulnerabilities. In addition, companies should implement technical and administrative measures to ensure reasonable security, including designating people responsible for security in the organization, conducting security training for employees, and taking steps to ensure service providers also protect consumer data. So let me just close with final thought. The Internet of Things is clearly still in its early stages, but it's growing much more rapidly than many imagined. IoT devices and systems are becoming more integrated into important areas of our lives and transforming the way that we interact with technology. And while the Internet of Things can provide enormous benefits to consumers in a wide array of arenas, the risks IoT devices pose to consumers' privacy, safety, and security has also been significantly magnified. If we want to instill consumer confidence in the Internet of Things and ensure that we don't end up anywhere near the futuristic and dark scenario that Matt Honen set out in his Wired Magazine essay, companies need to develop and implement innovative approaches to protecting consumers' privacy and security, and they need to do that now. In my view, it's only with protections that are mindful of privacy and security that the Internet of Things will maximize its potential in our daily lives and across our economy. Thank you very much.