Safeguarding Privacy in the Internet of Things
By Jason Kohn, Contributing Columnist
You can’t open a web browser these days without coming across a story on the Internet of Things (IoT), and the ways that connected, autonomous devices will revolutionize every industry. There’s a reason for the hype: Cisco forecasts 50 billion connected devices by 2020, with the potential to create more than $14 trillion in value for global businesses over the next decade.
But IoT also heralds another revolution, in the degree to which individual behavior can be tracked and analyzed. While much of IoT focuses on verticals like manufacturing, energy exploration, and industrial applications, where the massive data generated by fine-grained monitoring is almost entirely beneficial, IoT will also touch on a broad range of consumer devices. From transportation to home automation to connected medical devices, machines will be monitoring the behavior of individuals more than at any time in human history. This raises a number of serious questions about consumer privacy and information security.
Attorneys Philip Blum and Bryan Goff recently explored these questions in the Law360 blog:
The IoT’s potential to generate large amounts of personal information has serious implications for consumers. IoT data may reveal an individual’s identity, location, medical issues, sexual orientation, socioeconomics or political profile. It might include a live video feed, or report whether doors and windows are locked. And the list goes on.
IoT data collection likewise has implications for the privacy and security practices of entities that collect or have access to the data. Questions abound about when and the extent to which data may be collected, when disclosure may be required, and when the sale or sharing of data may be allowed.
So what will IoT vendors and enterprises need to do to ensure that consumers get the benefits of IoT without fearing for their privacy and security? And what kinds of regulatory frameworks can we expect along those lines?
Forecasting IoT Regulatory Regimes
The law firm Morrison Foerster, which specializes in international business law and digital privacy, recently published an article discussing the IoT regulatory landscape in the United States and Europe (beginning on page 7 of the PDF). The piece runs through the key legal and policy issues surrounding IoT, including potential loss of privacy and data collection, unlawful tracking and profiling of users, potential for malicious attacks, and repurposing of data outside of what the user has consented to allow. It’s a good survey of the issues that regulators on both sides of the Atlantic are now weighing as they draft an emerging body of IoT rules.
According to the report, the new EU regulatory framework, expected to be adopted this year, updates existing European data protection regulations. It will likely call for privacy by design and default. This would require IoT vendors and technology providers to protect the data rights of users, ensure that devices collect only the data necessary to fulfill a specific purpose, and ensure that data is not kept or shared indefinitely. EU regulations will also likely require IoT vendors to obtain affirmative consent from users before collecting and sharing their information, and would require companies to clearly spell out the scope of any tracking and profiling performed.
In the United States, the authors of the report expect federal regulators to approach IoT in much the same way as they approach data security and privacy today:
“The FTC is most likely going to rely upon its standard notice and choice framework on the privacy side, and its position that the lack of reasonable security measures to protect consumer data may be an unfair or deceptive act or practice under Section 5 of the FTC Act. To that end, future FTC enforcement is most likely to focus in particular on two main areas when it comes to IoT: (1) providing notice and choice when a networked device is not consumer-facing; and (2) how to ensure that devices that are part of the IoT ensure reasonable data security.”
What to Expect
Clearly, there are many questions that still need to be answered—such as how a company provides for notice and consent in a device that doesn’t have a direct user interface. But in general, it appears that the architecture for protecting IoT consumer data will follow the format of current regulatory regimes for data privacy and security overall.
On the one hand, we can imagine a lot more of the licensing and user agreements we see in our software and devices today. (And we can imagine that end consumers will spend about as much time reading them, which is to say not much.) But on the other, new regulations will raise the bar for IoT vendors and companies using connected devices. Setting an expectation that systems will be built to protect privacy and security, and that companies must be transparent about how they use consumer data—especially when those expectations are backed by real monitoring and enforcement—won’t just benefit end consumers. Ideally, as IoT touches more of our lives and devices, it will mean that the companies we trust with our data will be spending a lot more time thinking about information security and confidentiality.