Limiting the cyber security risks of Internet of Thing devices has long been a plea by experts. But a new report says lawmakers, regulators and manufacturers need to pay equal attention to sealing off the privacy risks of sharing data through so-called smart devices.
“Rather than wait until privacy norms have already been eroded by the IoT, regulators and designers should work together now to build usable privacy into the products they create,” says the report. Such measures will be essential to ensuring that our society continues to uphold the value of privacy as a fundamental right.”
Policymakers should take steps to regulate the privacy effects of the IoT before mass sensor data collection becomes ubiquitous, rather than after, the authors say. Omnibus privacy legislation can help regulate how data is handled in the grey areas between sectors and contexts.
At the same time makers of IoT products and services should employ a variety of standard measures to provide greater user management and control, as well as more effective notification about how personal data is captured, stored, analyzed, and shared.
“The IoT has the potential to diminish the sanctity of spaces that have long been considered private, and could have a “chilling effect” as people grow aware of the risk of surveillance,” the report says. “Yet the same methods of privacy preservation that work in the online world are not always practical or appropriate for the personal types of data collection that the IoT enables.”
The report calls for an omnibus privacy bill, which a number of countries have including Canada. The U.S. is one that doesn’t have a national privacy law. The report applauds the European Union’s General Data Protection Regulation, which calls for the principles of privacy by design to be built into products and services that collect personal data. Canada’s private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA) doesn’t go that far.
The report argues that as “smart” becomes the new default setting for devices, consumers are losing the ability to monitor and control the data collected about them, and they often have little awareness of what is done with their data downstream. The risks of sharing data through smart devices are not always clear, particularly as companies combine data from different sources to infer an individual’s habits, movements, and even emotions.
That’s why the authors say that having “broad non-specialist” public conversations about the use, collection, and effects of IoT data is essential to help people understand the IoT and how it affects privacy expectations.
There are lots of predictions of how many connected devices are coming to the world as industrial machines add sensors, retailers and police add surveillance cameras with facial recognition, and people buy voice-controlled connected home speakers, Internet-connected TVs and smart door locks. Google’s parent Alphabet wants to wire a Toronto lakefront neighborhood.
“The introduction of such a broad and diverse sensor fabric into society has undoubted benefits, but it also introduces risks that must be explored and managed,” says the report.
“Retreating to one’s home, closing an office door, or hanging up a phone may have previously allowed a person to feel a measure of control over who might be listening or watching,” the report points out, “but the presence of network-connected devices in private spaces can remove this sense of control and privacy.”
It doesn’t help, the report adds, that several government regulating agencies may oversee an industry and may fight for control over privacy. or example,
Companies should follow the privacy by design principles and be transparent and forthcoming about their data collection policies, says the report, and not collect or use data in ways that violate people’s expectations. Companies should commit to protecting users’ privacy by only collecting data for which they
have specific uses, and by deleting the data when it is no longer needed. In addition, users should be given more power to update their privacy settings during the pre-collection or post-collection phases.
A more detailed version of the report, entitled Clearly Opaque: Privacy Risks of the Internet of Things, can be found at https://www.iotprivacyforum.org/clearlyopaque.