The Internet of Things (IoT) may offer vast improvements in convenience and efficiency, but how secure is it, and do we need to protect ourselves from it?
The US Federal Trade Commission (FTC) released a report early this year exploring these issues, as they relate to consumers. Based on a workshop in November 2013, the report, Internet of Things: Privacy & Security in a Connected World, highlights several risks, and makes some recommendations, which should be of interest to Canadian businesses and legislators as well.
For instance, consumers may have to contend with unauthorized access and misuse of personal information via the IoT, the report warned, adding that devices could also create safety risks (sensitive financial information transmitted via a smart TV could be compromised, for example). Devices can also be used to mount attacks on other systems (what if that smart TV were joined to a botnet?).
The level of information gathered by IoT devices also presents privacy risks, not least because of the inference capabilities in modern analytics systems. Smartphone sensors can already be used to infer a user’s mood, stress levels, personality type, and even demographics, the report warned.
One clear example given here is fitness trackers, which could conceivably be used by life insurance companies to infer the user’s suitability for a policy. But other risks outlined include remote eavesdropping on an otherwise private space.
Lawmakers should enact general data security legislation to cope with these risks, the report said, arguing that it should be technology-agnostic, because technology moves so quickly in this area. Data breach notification was a key recommendation here, and this is something that neither the US nor Canada currently has at a federal level.
The FTC’s report recommended the same approach with privacy standards, arguing that the level of data collection possible by IoT-connected devices is so great that some baseline levels of protection are necessary. Self-regulatory programs for companies active in the IoT marketplace would also be appropriate, the report added.
The Internet of Things is a phenomenon that Canada’s Federal Privacy Commissioner has also highlighted as a potential privacy issue. In September, he called for proposals under his office’s 2015-16 Contributions Program, which funds independent privacy research. The Internet of Things was specifically called out as an issue that needed addressing.
The Privacy Commissioner has also announced funding for projects including a study on intelligent vehicle technology.
At least Canada has some form of technology-neutral privacy law, with its PIPEDA legislation. The Commissioner’s Office has nevertheless asked in the past whether PIPEDA is enough to cope with the development of technologies that didn’t exist in any meaningful form before it was introduced in 2004.
One pressing issue here is the lack of order-making capability on the part of Canada’s Privacy Commissioner. Should Bill S-4 make it into law, this will provide some data breach notification requirements on the part of commercial organisations in Canada, which would extend to breaches of all sensitive information, including data collected by devices connected to each other on the Internet. It would also give the Privacy Commissioner more teeth to enforce punitive measures against companies that didn’t treat privacy responsibly enough.
That’s all well and good, but it’s been six years since the number of devices connected to the Internet surpassed the number of people, and we are already seeing companies like Telus in Canada actively selling IoT-related products and services. Perhaps the government should be conducting more substantial research into the IoT, not only from a privacy perspective, but also from a security one, to protect Canadian consumers from the risks that may lie ahead.