This thesis provides an analysis of privacy and security controls for internet-connected data-driven systems, known as the Internet of Things (IoT). The grounding theory is that numerous pre-existing privacy and security control methods -- not necessarily crafted for IoT -- will bear on the future of IoT privacy and security. This thesis covers fifteen case studies across six different control categories: Individual Choice, Command and Control Regulations, Operational Standards, Technical Standards, Compliance Frameworks, and Federal Authorities. These case studies reveal major deficiencies in current IoT privacy and security controls. IoT privacy and security controls lack a domain or contextual-use focus. Further, most current controls also fail to specify the risks or harms they intend to resolve. Therefore, the current IoT privacy and security controls induce a significant privacy and security market failure. This market failure is evident in recent IoT privacy and security events such as the Federal Trade Commission's cases against the IoT system developers TRENDnet and D-Link. I define three necessary paradigm shifts needed to improve IoT privacy and security controls. I also recommend a specific research endeavor to develop domain-, risk-, and harms-centric privacy and security standards. The realization of these paradigm shifts, and the products from this research endeavor, will navigate the IoT ecosystem towards more effective privacy and security control.

Thesis: S.M. in Technology and Policy, Massachusetts Institute of Technology, School of Engineering, Institute for Data, Systems, and Society, Technology and Policy Program, 2017.; This electronic version was submitted by the student author. The certified thesis is available in the Institute Archives and Special Collections.; Cataloged from student-submitted PDF version of thesis.; Includes bibliographical references (pages 201-218).