The privacy issues on the Internet, in general, have not been resolved even after over two decades of consumer use. Regulations like HIPAA have been put in place to try to improve privacy, but still, data leaks continue. If anything, web-based incidents of leaked data, or tracking information, are growing as we use more mobile apps to connect to it.

Many people have tried to address the privacy issues of our connected world. They include the ex-Canadian Privacy Commissioner Ann Cavoukian, who in her 2009 treatise on Privacy by Design outlined 7 principles that set out guidance for creating privacy-enhanced applications. Professional bodies such as the International Association of Privacy Professionals (IAPP) lead the way on education in the industry. But privacy often takes a back seat to commercial interests. This is perhaps best exemplified by the recent ISP and consent debacle, where on March 28, 2017, the U.S. Government agreed to nullify an FTC ruling (“Protecting the Privacy of Customers of Broadband and Other Telecommunication Services”) that ensured that ISPs required consent to share personal information – removing the need for that consent. The Internet seems to have become a free-for-all in terms of user information.

Within this environment of, at best, fluid privacy, we now have to deal with myriad devices, all Internet-enabled, and otherwise known as the Internet of Things (IoT). The IoT is massive and it is everywhere: from our homes to industrial sensors to the watch on our wrist. And it will continue to take over our lives: the IoT market is growing, and B2B IoT spend alone is expected to be around $285 billion in 2020. Within all of these connected devices sits one thing: data. Keeping that data private is one of the challenges of the century.

Shhhhh…The Privacy of Things

More Internet of Privacy Scares

The privacy scares caused by the hyper-connectivity of IoT devices continue to shock us. In many ways, IoT and privacy are reminiscent of when we began to watch cybersecurity incidents spiral. We started to see major incidents like the ‘I Love You’ virus around the time that email became ubiquitous. And large-scale DDoS attacks took off when the use of websites for commercial purposes became de rigueur. Now that we have the hyper-connectivity of the Internet of Things, we are seeing specialized cybersecurity attacks, like the Dyn DDoS attack of last year. The IoT has become the focus, however, of not just security issues, but privacy ones too. In many ways, the IoT is the poster child for how to get privacy by design completely wrong. The following cases exemplify this nicely:

Watching you, watching me: “My Friend Cayla” is an Internet-connected doll. Cayla is the children’s version of Alexa. The child speaks to the doll, asking a question. Cayla then sends the child’s voice data to an app, which translates it to text that is then used to search the Internet for an answer. The doll was recently banned by the German government for being a surveillance device, with Germany’s Federal Network Agency giving this response: “Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy. This applies in particular to children’s toys.” In line with this thinking, the U.S. Federal Trade Commission (FTC) has recently put out a compliance plan for businesses to comply with the Children’s Online Privacy Protection Rule (COPPA), which sets out the limits of protecting the privacy of children’s data collected by IoT toys.

An unhealthy obsession: The healthcare industry has been one of the early adopters of the IoT, and the market size for healthcare IoT is expected to reach $158 billion by 2022. Privacy within a healthcare arena is a fundamental of the service. Some of our most sensitive data is now being transferred across Internet connections and stored in Cloud repositories. Point-of-care technologies, such as diabetes and heart monitors, and even health wearables like Fitbit, will link your Personally Identifiable Information (PII) to your day-to-day health information, and even your location at any given time. But what is perhaps more worrying is that there are now solutions in the form of wearable IoT devices that track and monitor patients within hospitals. In itself, this is a good way to optimize hospital services and layout to improve patient care. But the privacy implications are that you, as a patient, are under constant surveillance at a most vulnerable time in your life.

Tripping the IoT: On the subject of tracking, the connected car is the obvious all-in-one tracking device. IoT cars have an astonishing array of sensors. Many of these will be instrumental in improving the safety and the economy of cars. If you have a crash, data from the car’s sensors can be sent to the Cloud, where it is analyzed and improvements are made. On June 28, the Federal Trade Commission and the National Highway Traffic Safety Administration held a workshop specifically about the challenges of privacy within the context of the connected car. The workshop set out three focus areas to get privacy within connected cars right:

- Education amongst consumers and businesses about privacy implications of connected cars
- Law enforcement around privacy and connected cars
- To lobby for data breach notification legislation similar to that for healthcare breaches

IoT For Good

Education about the whys and wherefores of IoT privacy is paramount. There are a number of organizations that are working in the area of IoT privacy to educate and improve the technology. These include:

- OWASP – who offer advisories around privacy and protection of IoT devices. OWASP has developed the Internet of Things Project which, amongst other things, offers security guidance for manufacturers and developers.
- IoT Security Foundation – a vendor-neutral, not-for-profit organization looking at setting security standards across the Internet of Things.
- Industrial Internet Consortium – a multi-industry body working on the Industrial Internet Security Framework to build the framework for IoT security best practice.

Privacy Makes Better Products

The Internet of Things is a powerful technology movement. It can give us great advantages by understanding the data that it generates. These advantages range from improved patient outcomes to understanding car accidents to a digital friend like Alexa. We do have to rein in our excitement, however, and be more cognizant of the privacy impact of our always-on connected world. In the next article on the IoT and privacy, I’ll look further into how privacy is impacting different industry areas that are taking up the challenge of the IoT.