More than a year after the Federal Trade Commission held a high-profile workshop on the security challenges posed by the Internet of Things (the estimated 25 billion Web-enabled devices worldwide that aren't computers, tablets, or smartphones), the agency's staff has produced recommendations for policies and business strategies to keep private data safe. The devices at issue include everything from a fitness monitor that you wear on your wrist to a home thermostat. Many don't have screens, or they require WiFi to reach the Internet. And some are entirely hidden, such as those that govern the working of cars, from Internet radios to software that downloads repairs automatically.
Some of the FTC staff's conclusions, based on testimony and comment from academics and consumer and industry groups, amount to carefully researched wishes. For example, the staff's report admonishes companies to ensure that new devices are reasonably secure; to monitor the products throughout their life cycle; and to patch vulnerabilities the whole way through, processes collectively known as "security by design."
Other recommendations reiterate notions first codified in the Privacy Act of 1974 and known as Fair Information Practice Principles. For instance, the FTC staff says companies should limit the data they collect and keep, an approach now known as "data minimization" but familiar since the 1970s. The report also says consumers should receive notice of how their data will be used and be able to choose what uses they allow. The report acknowledges the difficulty of letting users know their choices in some arenas. It suggests offering choices during tutorials or at the time of purchase or during setup. But it also expresses concern about a "use-based model" for choices, noting the significant risk that data relinquished for one use could be repurposed without permission.
In part because change is happening so rapidly, the report recommends against legislation specific to the Internet of Things. Instead, it urges Congress to "enact strong, flexible, and technology-neutral legislation." FTC Commissioner Joshua D. Wright, a California lawyer and law professor, dissented from its release, saying such reports from the FTC normally "synthesize the record," and agency staff shouldn't make even those recommendations without more evidence.
Lindsey Tonsager, a Covington & Burling associate whose practice focuses on privacy and regulation, says device makers may run into trouble if they try to anticipate the limits that future laws might impose. "Where industry is likely to struggle is in balancing a desire to comply with best practice against the need to offer consumers affordable devices," she says.
Senior staff attorney Lee Tien with the Electronic Frontier Foundation heralded the report as flagging important issues about consumers' awareness and control over their own data. And he says the report sends an "important" signal that the FTC won't "buy the line" that broad data collection is inevitable or that existing privacy protections should be abandoned because the nature of privacy is changing.