March 01, 2016

The Internet of Things’ Swelling Technology Tsunami and Legal Conundrums: Too Big to Regulate, Too Ubiquitous to Miss, and Too Fast to Keep Up?

Throughout history, technology has outpaced the law. Henry Ford’s Model T sped down dirt roads unencumbered by traffic laws and safety regulations. The Wright Brothers flew off of Kitty Hawk without first checking in with FAA air traffic control. And early peddlers hawked medicinal remedies like Kickapoo Indian Sagwa and Warner’s Safe Diabetes Cure without clearing FDA safety and efficacy hurdles.1

For technology outrunning the law, the Internet of Things (IoT) may soon shatter the air/sea/land speed records. By any measure, the pace of IoT is staggering:

  • More devices than people: “[In 2008], for the first time, the number of ‘things’ connected to the Internet surpassed the number of people. Yet we are still at the beginning of this technology trend. Experts estimate that, as of [2015], there will be 25 billion connected devices, and by 2020, 50 billion.”2
  • 127 devices per second: “Every second, . . . 127 items are added to the Internet.”3
  • $11 trillion: “The Internet of Things is expected to contribute up to $11 trillion in value per year globally by 2025.”4

While this overview may be outdated by the time the reader reaches the end of this article, it nonetheless raises key questions—and offers answers where they exist:

What is the Internet of Things? Like an arms race, IoT definitions have proliferated at an alarming rate, often hampered by the fact that most IoT innovations and applications have yet to be conceived and built.

Why do people care about IoT? The explosive acceleration of IoT innovation offers exponential advances in efficiencies and capabilities for government, industry, and individuals every day—and looming challenges for security, privacy, accountability, ethics, and risk allocation.

Who regulates IoT technology? With technology outpacing the law, everybody wants to drive the IoT train—but nobody currently stands as IoT’s chief conductor, thus creating uncertainty about future regulations.

What Is the Internet of Things?

Like colors and shapes in a kaleidoscope, IoT comes with many morphing definitions. Efforts to define IoT include dictionary definitions, as well as descriptions by type, application, or example. Given the uncertain definitions of what constitutes IoT, the definitions below are supplemented by examples of IoT analyzed in congressional and federal agency reports.

By Definition

Nearly every report, article, or standard seeks to define IoT—and most acknowledge the difficulties of defining it. Some examples include the following:

  • White House report: “The ‘Internet of Things’ is a term used to describe the ability of devices to communicate with each other using embedded sensors that are linked through wired and wireless networks. These devices could include your thermostat, your car, or a pill you swallow so the doctor can monitor the health of your digestive tract. These connected devices use the Internet to transmit, compile, and analyze data.”5
  • Federal Trade Commission (FTC) report: “Although the term ‘Internet of Things’ first appeared in the literature in 2005, there is still no widely accepted definition. One participant described the IoT as the connection of ‘physical objects to the Internet and to each other through small, embedded sensors and wired and wireless technologies, creating an ecosystem of ubiquitous computing.’ Another participant described it as including ‘embedded intelligence’ in individual items that can detect changes in their physical state. Yet another participant, noting the lack of an agreed-upon definition of the IoT, observed, ‘[w]hat all definitions of IoT have in common is that they focus on how computers, sensors, and objects interact with one another and process data.’”6
  • Congressional Research Service (CRS) report: “‘Internet of Things’ (IoT) refers to networks of objects that communicate with other objects and with computers through the Internet. ‘Things’ may include virtually any object for which remote communication, data collection, or control might be useful, such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment, or building systems.”7
  • Congressional view: “‘Ask me what the Internet of Things is. My usual answer is, I don’t know,’ [Senator Deb Fischer] said. ‘But there are people out there that experiment, and they’re innovative and they’re entrepreneurs and they’re creating things like mad, and that’s their job. And it should be our job in government to make it easier for them to do their job and create and build without government immediately throwing up roadblocks.’”8

The last answer (“I don’t know”) underscores a basic truth: the technology is moving faster than the IoT definitions. Today’s definition is tomorrow’s anachronism.

By Type or Application

Without commonly accepted definitions ready for the dictionary, many reports and articles have turned to defining IoT by types or applications that already exist in the IoT marketplace. While not exhaustive, the list below illustrates the dynamic nature and expansive reach of IoT technology and innovation.9

Smart Homes

Within the home, smart devices “permit remote control of lighting, security, HVAC (heating, ventilating, and air conditioning), and appliances.”10 Such smart devices have already entered the front door and will multiply rapidly within the smart home market. A recent Consumer Electronics Association study predicts “smart thermostats, door locks, smoke detectors and light switches will expand from 20.7 million units in 2014 to 35.9 million units in 2017. . . . Home automation systems enable consumers to manage their security systems, turn on appliances, and manage heating, cooling and lighting systems, all from a smartphone.”11

Smart Cities

According to a White House initiative for smart cities, IoT technologies and data serve such functions as “reducing traffic congestion, fighting crime, fostering economic growth, managing the effects of a changing climate, and improving the delivery of city services.”12 Examples include the following:

  • Pollution monitoring: San Jose is “deploying a network of sensors to create a ‘sustainability lens’ that uses Intel IoT technology to measure characteristics such as particulates in the air, noise pollution and traffic flow.”13
  • Intelligent transportation systems: “In a smart city, an intelligent transportation system (ITS) may permit vehicles to communicate with other vehicles and roadways to determine the fastest route to a destination, avoiding traffic jams, and traffic signals can be adjusted based on congestion information received from cameras and other sensors.”14

Healthcare Applications

With smart medical devices, both healthcare providers and patients have the ability to obtain real-time data “to identify health problems sooner and get treatment faster.”15 Examples of specific smart medical devices currently in use include the following:

  • Smart inhalers: “[S]mart inhalers remind children to use their inhalers and automatically record each use. The data from these devices can be used to reinforce healthy habits in children, allow doctors to assess the effectiveness of treatments, and notify parents when a refill is needed.”16
  • Diabetes monitoring: “Individuals with diabetes . . . can use continuous glucose monitoring to learn when their glucose levels get too low or high and to track insulin delivery.”17
  • Smart pill bottles: “[P]atients can use smart pill bottles like GlowCaps to receive automated alerts when it is time to take a dose. Using these types of notifications can increase the rates of medication compliance and make a sizeable dent in the $290 billion annual cost of drug nonadherence in the United States.”18

Energy Applications

For the energy sector, IoT applications include “smart metering, other ‘smart grid’ technologies, and the ability to drive greater efficiencies in both energy production and consumption.”19 For example, IoT sensor technology has boosted the efficiency of clean technologies, such as wind turbines:

[N]ew wind turbines can use sensor and grid data to operate more efficiently, both bringing down the cost of clean energy production and increasing electricity production. By equipping turbines with sensors and algorithms to analyze the sensor data, companies are able to optimize energy production and keep their turbines running even in variable wind conditions.20

Smart Farming

For agriculture, IoT technology has already entered the fields and found multiple applications. For example, Senator Deb Fischer of Nebraska noted that IoT “technology is transforming her state, from the agriculture fields where farmers use GPS in their tractors to sensors that help them determine moisture content, land grade and fertilizer needs.”21 Specific technologies include the following:

  • Field sensors: “Field sensors test soil moisture and chemical balance, which can be coupled with location technologies to enable precise irrigation and fertilization.”22
  • Drones and satellite imagery: “Drones and satellites can be used to take detailed images of fields, giving farmers information about crop yield, nutrient deficiencies, and weed locations.”23
  • RFID sensors: “For ranching and animal operations, radio frequency identification (RFID) chips and electronic identification readers (EID) help monitor animal movements, feeding patterns, and breeding capabilities, while maintaining detailed records on individual animals.”24

Industrial Applications

The manufacturing sector and its supply chain represent major users of IoT technologies and data: “Commercial and industrial IoT devices are by far the largest category, and the area where many of our companies see the biggest opportunity to enhance productivity and efficiencies, improve real-time decision making, and solve critical societal problems.”25 Examples of industrial IoT applications include:

  • Factory sensors: “The rapid growth of low-cost sensor technologies has made nearly every manufacturing process and component a potential data source. As a result, factories can automatically turn off lights and air conditioning when workers leave, shut off valves if sensors detect leaks, and shut down dangerous equipment if sensors detect a malfunction.”26
  • Predictive maintenance: “[P]redictive maintenance . . . uses sensors to monitor machinery and factory infrastructure for damage. Resulting data can enable maintenance crews to replace parts before potentially dangerous and/or costly malfunctions occur.”27
  • Supply chain monitoring: “Companies can use sensors to collect real-time data about their shipments including location, temperature, moisture, and other environmental factors to help ensure quality and optimize logistics.”28

In summary, IoT technology has already been integrated across multiple sectors of the economy, with predictions of much more to come. As both the public and private sectors struggle to develop commonly accepted definitions of IoT, these current applications of IoT technology in the home, fields, hospitals, and factories offer concrete examples of what IoT is for now, as well as indicators of what IoT may be in the near future.

Why Do People Care about IoT?

Nearly every congressional hearing, federal agency report, and news account recognizes the dual nature of IoT technology and data—IoT brings huge economic and societal benefits, but also magnifies risks in such areas as security and privacy. This section provides an overview of some of the upsides and downsides driving the IoT debate.

Factors Driving IoT Technology Forward

In 2015, Congress became much more involved in addressing both the benefits and risks associated with the global ramifications of IoT technology in both the public and private sectors. For example, the Senate unanimously passed Resolution 110, which summarized key benefits propelling IoT products and services into homes, cities, and businesses:

  • Economic impact: “[T]he Internet of Things currently connects tens of billions of devices worldwide and has the potential to generate trillions of dollars in economic opportunity”;
  • Consumer benefits: “[I]ncreased connectivity can empower consumers in nearly every aspect of their daily lives, including in the fields of agriculture, education, energy, healthcare, public safety, security, and transportation, to name just a few”;
  • Business efficiencies: “[B]usinesses across our economy can simplify logistics, cut costs in supply chains, and pass savings on to consumers because of the Internet of Things and innovations derived from it”;
  • Smart cities: “[T]he United States should strive to be a world leader in smart cities and smart infrastructure to ensure its citizens and businesses, in both rural and urban parts of the country, have access to the safest and most resilient communities in the world”; and
  • Innovation and global competitiveness: “[T]he United States is the world leader in developing the Internet of Things technology, and with a strategy guiding both public and private entities, the United States will continue to produce breakthrough technologies and lead the world in innovation.”29

Congressional hearings and federal agency reports have underscored many of these benefits driving IoT technologies into the hands of consumers, businesses, and governments.

Economic Impact

With 25 billion networked devices in the world,30 IoT is already a major economic force in the global marketplace. In summarizing the economic data and forecasts, a CRS report put the IoT economy in the trillions: “The current global IoT market has been valued at about $2 trillion, with estimates of its predicted value over the next five to ten years varying from $4 trillion to $11 trillion.”31

Consumer Benefits and Safety

With driver error as a primary cause of more than 95 percent of automobile crashes according to the National Highway Traffic Safety Administration (NHTSA), IoT technologies for connected cars may significantly reduce such accidents.32 Similarly, with 83.7 million Americans over age 65 by 2050 (double the number in 2012), the enormous strain on public and private resources may be lessened by wearable IoT technologies “empowering older populations and helping them live comfortably in their homes years longer than today’s norm.”33 Similarly, a McKinsey Global Institute analysis of IoT health benefits estimated that “the value of improved health of chronic disease patients through remote monitoring could be as much as $1.1 trillion per year in 2025.”34

Business Efficiencies

In one report, CRS collected a number of references predicting efficiencies and savings from IoT technologies.35 For example, the McKinsey Global Institute analysis estimated that “[i]n the factories setting, value from the Internet of Things would arise chiefly from productivity improvements, including 10 to 20 percent energy savings and a 10 to 25 percent potential improvement in labor efficiency.”36 As another example, use of smart building technology saved a company “$1 million in just one building in the first year of deployment.”37

Innovation and Global Competitiveness

Preserving the United States’ leadership in IoT innovation represented a major theme of senators supporting Resolution 110:

  • Senator Deb Fischer: “The United States is well positioned to lead the world in innovation policy. Our bipartisan resolution commits our nation to a strategy for the Internet of Things.”
  • Senator Cory Booker: “The Internet of Things has unbounded potential to impact our economy, society, and individual well-being. . . . [W]e continue working together to build this shared vision to ensure that America leads the world in cutting-edge technologies.”
  • Senator Brian Schatz: “The Internet of Things holds enormous potential. And with more and more devices connecting to the Internet every day, the United States has a unique opportunity to continue leading this technological revolution.”38

However, some have raised concerns about whether IoT investments in the United States will suffice to maintain a technological lead. For example, the U.S. federal government has funding commitments to IoT projects of $200 million—compared with China ($774 million over five years), South Korea ($5 billion over five years), and India ($7.4 billion for smart cities).39

In summary, while the precise values of IoT benefits can only be roughly estimated at this point, nearly everyone agrees that the potential upsides are enormous.

Risks Associated with IoT

With billions of devices and zettabytes of data, IoT poses a variety of potential risks noted in various congressional hearings and federal reports. As Senator Bill Nelson noted, “No one is debating the promise of the Internet of Things . . . [b]ut the promise of the Internet of Things must be balanced with real concerns over privacy and the security of our networks.”40

Security Risks

In a solicitation for IoT security applications, the Department of Homeland Security (DHS) framed the challenges of securing the IoT world:

The diverse and widely distributed nature of IoT and the numerous ways in which devices and networks can connect with IoT systems significantly complicates the security challenge. The first and most far reaching complication is that IoT relies on the Internet to connect and control widely distributed devices. By using the Internet and its various connection mediums (e.g., Bluetooth, Wi-Fi, serial interface, wireless), any IoT system can be connected to any other device on the Internet. This level of connectivity opens tremendous opportunities for the capabilities of IoT-based systems, but also allows every node, device, data source, communication link, controller and data repository attached to IoT to serve as a security threat and be exposed to security threats. Therefore, any IoT system’s security is limited to the security level of its least secure component.41

The need for addressing IoT security challenges has been acknowledged in the President Obama's latest executive order (“ensuring that cybersecurity is a core element of the technologies associated with the Internet of Things”),42 an FTC report (“IoT devices may present a variety of potential security risks”),43 and congressional hearings.44

Privacy Risks

With zettabytes of data pouring from IoT devices, privacy concerns have often been raised. For example, the FTC report stated:

In addition to risks to security, participants identified privacy risks flowing from the Internet of Things. Some of these risks involve the direct collection of sensitive personal information, such as precise geolocation, financial account numbers, or health information—risks already presented by traditional Internet and mobile commerce. Others arise from the collection of personal information, habits, locations, and physical conditions over time, which may allow an entity that has not directly collected sensitive information to infer it.45

Such IoT privacy concerns have been discussed in the White House report on big data,46 CRS reports,47 and congressional hearings.48

Other Issues

Beyond the scope of this overview, a number of other concerns have been raised about IoT, including technical standards,49 spectrum management,50 safety, and more.51

Who Regulates IoT Now?

To the question of who regulates IoT technology, the short answer is everybody and nobody. Several factors account for the flip answer:

  • The IoT data firehose blasts out a multiplicity of data, but U.S. data laws have different rules for different data;
  • A major benefit of IoT is its ability to integrate with other technologies like drones and cloud computing—but regulations for drones or cloud computing may be the wrong rules for IoT as a whole;
  • Congressional committees divide up jurisdiction by topic, but IoT devices and data cross multiple congressional boundaries; and
  • Like Congress, federal agencies have jurisdictional boundaries that allow each to regulate and support a piece of IoT—but not the whole Thing.

IoT and the Patchwork Regulation of Data

By automating the collection and distribution of data, IoT will create an explosion of new data: “Where will the next trillion files be created? Broadly: the Internet of things. But UAVs [unmanned aerial vehicles] in particular are going to be a massive source of that information.”52 However, these “next trillion files” may be a patchwork of overlapping coverage and potentially applicable exemptions under a sector-by-sector approach governing privacy and personal data in the United States.

“There is no comprehensive federal statute that protects the privacy of personal information held by the public sector. Instead, federal law tends to employ a sectoral approach to the regulation of personal information.”53 Such laws range from the Gramm-Leach-Bliley Act governing certain financial data and institutions54 to the Family Educational Rights and Privacy Act of 1974 covering students and educational records55 to the Health Insurance Portability and Accountability Act (HIPAA) applicable to certain healthcare data and entities.56

This sectoral approach to regulating data quickly collapses when applied to integrated collection and distribution of the IoT “trillion file” data streams. When the IoT refrigerator checks inventories and transmits orders for bacon, beer, and cannabis (and warns the Fitbit), how many federal and state agencies regulate this order involving credit card information, lifestyle choices, medical options, alcohol consumption, and more? Quite simply, the patchwork regulatory scheme is not ready for the IoT data stream.

Integrated Technologies and IoT Regulation

In addition to the sectoral regulation of data, federal agencies follow similar approaches to regulating many devices. For example, Congress tasked the Federal Aviation Administration (FAA) with developing regulations for unmanned aerial vehicles and systems.57 Given that “UAVs in particular are going to be a massive source” of the “next trillion files” created by IoT devices, does the FAA have the authority to regulate any IoT technology or data connected with drones? Neither the statute nor the implementing regulations provide clear answers for what and how the FAA may exercise jurisdiction over drone-related IoT.

Similarly, IoT technology and data cannot be divorced from cloud computing and big data. Through regulatory creep, federal agencies continue to extend the boundaries of rules governing cloud computing. Initially, the General Services Administration (GSA) oversaw the development of cybersecurity requirements (FedRAMP) for federal systems and data connected to the cloud.58 The Department of Defense (DoD) now imposes its Cloud Computing Security Requirements Guide on any cloud service provider delivering commercial cloud services to DoD departments.59 For cloud service providers using public or community cloud models to deliver DoD cloud services, may DoD exercise regulatory jurisdiction over any IoT data or technology that touches such a cloud? So far, the scope of DoD authority over IoT via cloud computing remains untested and unclear.

Congressional Jurisdiction over IoT

To allocate its resources and responsibilities, Congress has committees with defined jurisdictions. But none of these committees has specific responsibility for IoT issues. The government “doesn’t have any single mechanism to address the Internet of Things or the challenges it’s presenting. Instead, the new networked-object technologies are covered by . . . more than 30 different congressional committees. Congress has written no laws or any kind of overarching national strategy specifically for the Internet of Things.”60

In 2015, both Senate and House committees proceeded with hearings covering various IoT issues, as summarized below:

  • On February 11, 2015, the Senate Committee on Commerce, Science, and Transportation addressed how IoT technologies are rapidly evolving and whether current federal regulatory actions could be slowing IoT innovation.61
  • On March 24, 2015, the House Subcommittee on Commerce, Manufacturing, and Trade held hearings on the IoT marketplace, economic effects, and potential security and privacy issues.62
  • On July 29, 2015, the House Subcommittee on Courts, Intellectual Property, and the Internet focused on IoT innovation, economic benefits, and potential security and privacy risks.63

While these congressional hearings marshalled substantial facts on the benefits and risks of IoT technology and innovation, no legislation resulted.64 On March 24, 2015, the Senate did unanimously approve a nonbinding resolution—Resolution 110—regarding the need for an overall IoT strategy.65 For this resolution, the Senate stated:

Resolved, That it is the sense of the Senate that— (1) the United States should develop a strategy to incentivize the development of the Internet of Things in a way that maximizes the promise connected technologies hold to empower consumers, foster future economic growth, and improve our collective social well-being; (2) the United States should prioritize accelerating the development and deployment of the Internet of Things in a way that recognizes its benefits, allows for future innovation, and responsibly protects against misuse; (3) the United States should recognize the importance consensus-based best practices and communication among stakeholders, with the understanding that businesses can play an important role in the future development of the Internet of Things; (4) the United States Government should commit itself to using the Internet of Things to improve its efficiency and effectiveness and cut waste, fraud, and abuse whenever possible; and (5) using the Internet of Things, innovators in the United States should commit to improving the quality of life for future generations by developing safe, new technologies aimed at tackling the most challenging societal issues facing the world.66

In summary, Congress has begun the process of identifying the benefits, risks, and issues associated with IoT technology and innovation, but the next steps remain to be determined.

Federal Agency Jurisdiction over IoT

Many federal agencies have authority over small pieces of IoT, but none has the overall lead for overseeing the sprawling and expanding IoT universe.67 In its October 2015 report, CRS identified 11 different federal entities with at least partial regulatory jurisdiction over some slice of IoT:

  • Federal Communications Commission (FCC): spectrum management for nonfederal entities;
  • National Telecommunications and Information Administration (NTIA): spectrum management for federal entities;
  • National Institute of Standards and Technology (NIST): standards for IoT devices;
  • FTC: regulation of consumer protection policies for consumer IoT devices;
  • DHS: coordination of security for the 16 critical infrastructure sectors that depend on Internet connections;
  • Food and Drug Administration (FDA): cybersecurity of Internet-connected medical devices;
  • Department of Justice (DOJ): oversight of law-enforcement aspects of IoT, including cyberattacks;
  • Department of Energy (DOE): activities relating to green buildings and smart electrical grids;
  • Department of Transportation (DOT): oversight relating to connected cars; and
  • DoD: development of foundational technology for IoT.68

The White House’s recent smart cities initiative illustrates how funding for IoT activities is also spread over multiple federal agencies.69 (See table on page 9.)

In summary, many federal agencies have some responsibility for some part of IoT—but no agency has overall responsibility for overseeing IoT activities, technologies, and data. While Senate Resolution 110 calls for a national strategy for addressing IoT, the current diffusion of federal responsibility raises the question about how to get there.70 A CRS report summed up the current IoT regulatory environment as follows: “Given the eclectic nature of the IoT, overall coordination of federal efforts may be challenging with respect to identification of both the goals of coordination and the methods of achieving them.”71 Beyond federal coordination, the IoT market will also need to factor in state, local, and international regulatory regimes that will be far more challenging than achieving a coordinated federal IoT strategy.

Regulating the Undefined IoT Universe

Like every other IoT discussion, this one started with “what is IoT?” Coming full circle, NIST’s recent paper raises the issue that we lack the basic building blocks to define IoT:

[T]he current Internet of Things (IoT) landscape presents itself as a mix of jargon, consumer products, and unrealistic predictions. There is no formal, analytic, or even descriptive set of the building blocks that govern the operation, trustworthiness, and lifecycle of IoT. This vacuum between the hype and the science, if a science exists, is evident. Therefore, a composability model and vocabulary that defines principles common to most, if not all networks of things, is needed to address the question: “what is the science, if any, underlying IoT?”72

How do legislators legislate and regulators regulate if IoT still lacks “the building blocks” to distinguish IoT from non-IoT? In its February 2016 draft, NIST is working to fill the void. However, until we have a test better than “I know it when I see it,” the IoT market will likely be subject to ad hoc oversight and uncoordinated strategies at the state, federal, and international levels.

The Conclusion—For Now

  • IoT represents one of the most transformative—and disruptive—technologies to hit the market. As the IoT technology tsunami has only begun its historic swell, any conclusions are preliminary at best. What we know is that billions of IoT devices, zettabytes of data, and trillions of dollars will drive IoT innovations and technologies at an exponential pace over the next decades, forcing legislators, regulators, and standards-makers into constant reactive catch-up mode with the law greatly lagging the technology—much like it did for automobiles, pharmaceuticals, drones, and other breakthrough technologies. u


1. Wallace F. Janssen, Pharmacy and the Food and Drug Law, 21 Am. Pharmacy 28 (1981). Congress did not adopt the federal Food and Drug Act until 1906 after much public debate and many failed legislative attempts. See Barry S. Roberts & David Z. Bodenheimer, The Drug Amendments of 1962: The Anatomy of a Regulatory Failure, 1982 Ariz. St. L.J. 581, 582.

2. FTC Staff Report, Internet of Things: Privacy & Security in a Connected World, at i (2015).

3. Darren Samuelsohn, What Washington Really Knows about the Internet of Things, Politico (June 29, 2015).

4. Joshua New & Daniel Castro, Center for Data Innovation, Why Countries Need National Strategies for the Internet of Things 2 (2015) (citing James Manyika et al., Unlocking the Potential of the Internet of Things, McKinsey Global Inst. (June 2015), digitizing-the-physical-world).

5. Exec. Office of the President, Big Data: Seizing Opportunities, Preserving Values 2 (2014) [hereinafter White House Big Data Report].

6. FTC Staff Report, supra note 2, at 5 (footnotes omitted).

7. Eric A. Fischer, Cong. Research Serv., R44227, The Internet of Things: Frequently Asked Questions, at i (2015).

8. Samuelsohn, supra note 3.

9. An excellent list of “domain specific IoTs” appears in the leading text Arshdeep Bahga & Vijay Madisetti, Internet of Things: A Hands-On Approach 47–64 (2014).

10. Fischer, supra note 7, at 3.

11. Internet of Things: Hearing before the Subcomm. on Courts, Intellectual Prop. & the Internet of the H. Comm. on the Judiciary, 114th Cong., 1st Sess. 14 (2015) [hereinafter Internet of Things Hearing] (statement of Gary Shapiro, CEO and President, CEA).

12. Press Release, White House, Fact Sheet: Administration Announces New “Smart Cities” Initiative to Help Communities Tackle Local Challenges and Improve City Services (Sept. 14, 2015) [hereinafter Smart Cities Press Release].

13. The Internet of Things: Exploring the Next Technology Frontier: Hearing before the Subcomm. on Commerce, Mfg. & Trade of the H. Comm. on Energy & Commerce, 114th Cong., 1st Sess. (2015) [hereinafter Next Technology Frontier Hearing] (statement of Rose Schooler, Vice President, Intel IoT Group).

14. Fischer, supra note 7, at 3.

15. Next Technology Frontier Hearing, supra note 13 (statement of Daniel Castro, Director, Center for Data Innovation).

16. Id.

17. Id.

18. Id.

19. Internet of Things Hearing, supra note 11, at 113 (statement of Telecommunications Industry Association).

20. Next Technology Frontier Hearing, supra note 13 (statement of Daniel Castro).

21. Samuelsohn, supra note 3.

22. Fischer, supra note 7, at 4–5.

23. Id. at 5.

24. Id.

25. Internet of Things Hearing, supra note 11, at 27 (statement of Dean C. Garfield, President and CEO, Information Technology Industry Council).

26. Next Technology Frontier Hearing, supra note 13 (statement of Daniel Castro).

27. Fischer, supra note 7, at 6.

28. Next Technology Frontier Hearing, supra note 13 (statement of Daniel Castro).

29. S. Res. 110, 114th Cong. (2015); see also Press Release, Senate Passes “The Internet of Things” Resolution (Mar. 24, 2015), [hereinafter Senate Press Release].

30. Julie Brill, Comm’r, FTC, Do Try This at Home: Starting Up with Security, Keynote Address at the FTC’s Start with Security Event (Feb. 9, 2016), 2016 WL 555220 (FTC).

31. Fischer, supra note 7, at 4; see also New & Castro, supra note 4, at 2 (citing Manyika et al., supra note 4) ($11 trillion by 2025).

32. Internet of Things Hearing, supra note 11, at 38–39 (statement of Mitch Bainwol, President and CEO, Alliance of Automobile Manufacturers).

33. Id. at 54 (statement of Morgan Reed, Executive Director, ACT The App Association).

34. James Manyika et al., McKinsey Global Inst., The Internet of Things: Mapping the Value Beyond the Hype, at vi (2015).

35. Fischer, supra note 7, at 6 (citing Manyika et al., supra note 34, and other sources).

36. Manyika et al., supra note 34, at 8.

37. The Connected World: Examining the Internet of Things: Hearing before the S. Comm. on Commerce, Sci. & Transp., 114th Cong., 1st Sess. (2015) [hereinafter Connected World Hearing] (statement of Douglas Davis, Vice President and General Manager, Intel IoT Group).

38. Senate Press Release, supra note 29.

39. New & Castro, supra note 4, at 13.

40. Connected World Hearing, supra note 37 (statement of Bill Nelson, Ranking Member, U.S. Senate).

41. Dep’t of Homeland Sec., Other Transaction Solicitation HSHQDC-16-R-00035 Project: Securing the Internet of Things (IoT) (Dec. 10, 2015),

42. Exec. Order No. 13,718, § 3(a)(ii), 81 Fed. Reg. 7441, 7442 (Feb. 9, 2016) (establishing the Commission on Enhancing National Cybersecurity).

43. FTC Staff Report, supra note 2, at 10.

44. Connected World Hearing, supra note 37 (statement of Justin Brookman, Director, Center for Democracy & Technology).

45. FTC Staff Report, supra note 2, at 14 (footnote omitted).

46. White House Big Data Report, supra note 5, at 53–54.

47. Fischer, supra note 7, at 16.

48. Connected World Hearing, supra note 37 (statement of Justin Brookman).

49. Fischer, supra note 7, at 13–14; Jeffrey Voas, Nat’l Inst. of Standards & Tech., NISTIR 8063, Primitives and Elements of Internet of Things (IoT) Trustworthiness (2016).

50. Linda K. Moore, Cong. Research Serv., IN10221, The Robot Did It: Spectrum Policy and the Internet of Things 1–2 (2015).

51. Fischer, supra note 7, at 15–16.

52. Clay Dillow, Get Ready for “Drone Nation, Fortune (Oct. 8, 2014), (quoting Aaron Levie, co-founder and CEO of enterprise cloud company Box).

53. Gina Marie Stevens, Cong. Research Serv., RL31730, Privacy: Total Information Awareness Programs and Related Information Access, Collection, and Protection Laws 5 (2003).

54. 15 U.S.C. §§ 6801–6809.

55. 20 U.S.C. § 1232g.

56. Pub. L. No. 104-191, 110 Stat. 1936 (1996) (as amended).

57. FAA Modernization and Reform Act, Pub. L. No. 112-95, §§ 332–333, 126 Stat. 11, 73–76 (2012).

58. FedRAMP, U.S. Gen. Services Admin., category/102371 (last visited July 18, 2016) (“The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.”).

59. Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018), 80 Fed. Reg. 51,739, 51,743–44 (Aug. 26, 2015) (subpart 239.76).

60. Samuelsohn, supra note 3.

61. Connected World Hearing, supra note 37.

62. Next Technology Frontier Hearing, supra note 13.

63. Internet of Things Hearing, supra note 11.

64. Fischer, supra note 7, at ii.

65. S. Res. 110, 114th Cong. (2015); see also Senate Press Release, supra note 29.

66. S. Res. 110.

67. Fischer, supra note 7, at i (“There is no single federal agency that has overall responsibility for the IoT.”); Moore, supra note 50, at 1 (“Many departments and agencies of the Executive Branch—as well as independent agencies such as the FCC—have or will have regulatory jurisdiction over some piece within this vast net.”); Samuelsohn, supra note 3 (“[T]he new networked-object technologies are covered by at least two dozen separate federal agencies[.]”).

68. Fischer, supra note 7, at 9–10.

69. Smart Cities Press Release, supra note 12.

70. A number of trade associations, companies, and think tanks have expressed concerns about how to coordinate a national strategy. See, e.g., Internet of Things Hearing, supra note 11, at 32 (statement of Dean C. Garfield); New & Castro, supra note 4, at 1.

71. Fischer, supra note 7, at 17.

72. Voas, supra note 49, at 1.