Limiting the cyber security risks of Internet of Thing devices has long been a plea by experts. But a new report says lawmakers, regulators and manufacturers need to pay equal attention to sealing off the privacy risks of sharing data through so-called smart devices.

That’s why the report from the University of California’s Center for Long-Term Cybersecurity and the IoT Privacy Forum says the public can’t wait for action.

“Rather than wait until privacy norms have already been eroded by the IoT, regulators and designers should work together now to build usable privacy into the products they create,” says the report. Such measures will be essential to ensuring that our society continues to uphold the value of privacy as a fundamental right.”

Policymakers should take steps to regulate the privacy effects of the IoT before mass sensor data collection becomes ubiquitous, rather than after, the authors say. Omnibus privacy legislation can help regulate how data is handled in the grey areas between sectors and contexts.

At the same time makers of IoT products and services should employ a variety of standard measures to provide greater user management and control, as well as more effective notification about how personal data is captured, stored, analyzed, and shared.

“The IoT has the potential to diminish the sanctity of spaces that have long been considered private, and could have a “chilling effect” as people grow aware of the risk of surveillance,” the report says. “Yet the same methods of privacy preservation that work in the online world are not always practical or appropriate for the personal types of data collection that the IoT enables.”

The report calls for an omnibus privacy bill, which a number of countries have including Canada. The U.S. is one that doesn’t have a national privacy law. The report applauds the European Union’s General Data Protection Regulation, which calls for the principles of privacy by design to be built into products and services that collect personal data. Canada’s private sector law, the Personal Information Protection and Electronic Documents Act (PIPEDA) doesn’t go that far.

The report argues that as “smart” becomes the new default setting for devices, consumers are losing the ability to monitor and control the data collected about them, and they often have little awareness of what is done with their data downstream. The risks of sharing data through smart devices are not always clear, particularly as companies combine data from different sources to infer an individual’s habits, movements, and even emotions.

That’s why the authors say that having “broad non-specialist” public conversations about the use, collection, and effects of IoT data is essential to help people understand the IoT and how it affects privacy expectations.

There are lots of predictions of how many connected devices are coming to the world as industrial machines add sensors, retailers and police add surveillance cameras with facial recognition, and people buy voice-controlled connected home speakers, Internet-connected TVs and smart door locks. Google’s parent Alphabet wants to wire a Toronto lakefront neighborhood.

“The introduction of such a broad and diverse sensor fabric into society has undoubted benefits, but it also introduces risks that must be explored and managed,” says the report.

“Retreating to one’s home, closing an office door, or hanging up a phone may have previously allowed a person to feel a measure of control over who might be listening or watching,” the report points out, “but the presence of network-connected devices in private spaces can remove this sense of control and privacy.”

Manufacturers are vague about what sensors are built into IoT devices and about which types of data constitute personal data, says the report. Few devices include a privacy policy in their physical packaging; instead, manufacturers provide links to websites, where the privacy policies are often difficult to find or insufficiently address privacy issues related to the device.

It doesn’t help, the report adds, that several government regulating agencies may oversee an industry and may fight for control over privacy. or example,

Companies should follow the privacy by design principles and be transparent and forthcoming about their data collection policies, says the report, and not collect or use data in ways that violate people’s expectations. Companies should commit to protecting users’ privacy by only collecting data for which they
have specific uses, and by deleting the data when it is no longer needed. In addition, users should be given more power to update their privacy settings during the pre-collection or post-collection phases.

A more detailed version of the report, entitled Clearly Opaque: Privacy Risks of the Internet of Things, can be found at https://www.iotprivacyforum.org/clearlyopaque.



Related Download
How GDPR can be a strategic driver for your business Sponsor: Micro Focus
How GDPR can be a strategic driver for your business

Register Now