Senators to push privacy, security legislation for IoT

One of them is Sen. Edward Markey, who plans to introduce legislation to require security measures in connected cars

Some Democratic senators want new laws that mandate security and privacy measures on the Internet of Things, as concern grows over personal data collected by connected devices.

Several Democratic members of the Senate Commerce, Science and Transportation Committee said Wednesday they are exploring legislation that would enforce privacy and security standards for connected devices. Senator Edward Markey, a Massachusetts Democrat, plans to introduce a bill that will focus on security standards and the data collected by connected automobiles.

This week, Markey released a report saying that most auto manufacturers selling vehicles in the U.S. have "massive holes" in their data security. Only two of 16 car companies that responded to information requests from Markey's office said they have capabilities to respond to a hacking attack in real time, he said during a hearing.

New cars are now "computers on wheels," Markey said, and hacked vehicles can be dangerous.

"A small vulnerability or error in coding can lead to a catastrophic consequence for drivers, passengers and pedestrians," he said. "Thieves no longer need a crowbar to break into your car -- they just need a smartphone."

Markey's legislation will require that makers of wireless access points on connected cars use penetration testing technologies and that collected data is encrypted. The legislation will also require that the car manufacturer or a security vendor be able to detect and respond to hacking attempts in real time.

The bill will also require car makers to explain their data collection practices to drivers and allow them to opt out of data collection without having to disable navigation.

Car companies that can build software to track vehicle performance and other information "should have the same geniuses in those companies to build in protection for security and privacy," Markey said. "If you can figure out an algorithm that sends information around the world in the blink of an eye, you should be able to figure out an algorithm that provides consumers the security and privacy they need."

Representatives of auto makers didn't testify during the hearing. The Alliance of Automobile Manufacturers, a trade group, said it has not yet fully reviewed Markey's report, but its members take several steps to protect security and to tell customers about the data they collect.

"Automakers believe that strong consumer data privacy protections and strong vehicle security are essential to maintaining the continued trust of our customers," the group said in a statement.

Other Democrats in the hearing also suggested they are open to new legislation addressing the privacy and security of the IoT. The IoT industry is projecting huge growth by collecting customer data, and Congress needs to "find that balance" between the industry's data collection and customer privacy, said Senator Joe Manchin, a West Virginia Democrat.

More transparency about the kinds of data IoT devices are collecting is also needed, said Senator Richard Blumenthal, a Connecticut Democrat who plans to cosponsor Markey's connected cars bill. Congress should explore legislation that more easily allows consumers to file class-action lawsuits for data breaches, he said.

Congress should also consider legislation that requires companies to follow best practices in cybersecurity, said Justin Brookman, director of the Consumer Privacy Project at the Center for Democracy and Technology. While the U.S. Federal Trade Commission has brought dozens of data security complaints against companies, it is facing court challenges on its authority to do so, he noted.

Several speakers at the hearing brought up recent concerns about the ability of smart TVs to capture conversations via their voice command features. Brookman also mentioned the cases where hackers have taken over webcams and broadcast videos online.

Congress, while considering a national breach notification law, should expand the consumer data covered by notifications to include nonfinancial information held in online accounts, he said. "Internet of Things devices reveal really sensitive stuff about us," Brookman added.

While some committee Democrats said they will explore legislation, representatives of the IoT industry urged Congress to go slow. Consumer confidence in the IoT is important, "but we must not overregulate in a way that would stifle innovation," said Michael Abbott, a general partner in the venture capital firm Kleiner Perkins Caufield & Byers.

Most of the panel's majority Republicans, and a handful of Democrats, agreed. The IoT is in early stages of its growth, and Congress shouldn't rush in to regulate, they said.

"Let's treat the Internet of Things with the same light touch that has caused the Internet to be such a great American success story," said Senator John Thune, a South Dakota Republican and committee chairman. "We should let consumers and entrepreneurs decide where IoT goes, rather than setting it on a Washington, D.C., directed path."

Grant Gross covers technology and telecom policy in the U.S. government for The IDG News Service. Follow Grant on Twitter at GrantGross. Grant's email address is
