It’s like when I walk into a candy shop that happens to have imported Dutch liquorice and I say “I would like all of the things, please.” You may end up with more than you bargained for.
The Internet of Things encompasses pretty much everything on the internet. Our smart TVs, our voice-activated cloud-connected assistants, our streaming media devices, our smartphones, our home security systems, our thermostats, our webcams, our watches… these technologies are increasingly connected and sending sophisticated data to central servers, to each other, and who knows where else. Also, our power grid, our infrastructure, our factories, and other places where the standard consumer does not go are increasingly connected as well.
IoT – What it is and How Quickly it’s Growing
The Internet of Things is literally any device with an IP address. The Internet of Things is also not new: your ten-year-old PC is also part of the IoT.
It is estimated by the IDC that by 2020, the Internet of Things will comprise no less than 50 billion devices and 212 billion sensors, generating 44 zettabytes of information. A zettabyte is 10^21 bytes or 1,000,000,000,000,000,000,000. It’s an incomprehensible number to me, like the distance to another galaxy, or the size of an atom versus the size of Jupiter.
In its recent report entitled “Internet of Things: Privacy & Security in a Connected World,” the FTC found that fewer than 10,000 households, which adds up to a relatively small number of devices, can together generate a whopping 150 million discrete data points – daily.
Why Should We Care About What’s Happening with ‘All of the Things’?
Privacy concerns relating to the multitude of IP devices relate directly to our rights as humans, our contractual relations with business partners, and our individual and collective security.
“Privacy” is not merely the ability to close the proverbial door to the outside world and mask information about ourselves. Privacy also includes our individual control over information held, and things said in databases about ourselves.
For instance, a major privacy principle behind the Fair Credit Reporting Act is the principle that an individual has a right to the accuracy of information held about them when it has important consequences with regard to their privacy rights. This principle is widely referred to as the “data integrity” or “accuracy” principle. Similarly, when connected devices capture data that relates to us, and where it has an impact upon an important decision made about us, we have a right to the accuracy of that information.
The parade of scary scenarios
What if one day a company selling you fuel oil to heat your home had access to more specific data about your usage than you do, and came to your front door prepared with that information in order to sell you your fuel requirements for the year? Clearly, that salesperson would have a stronger negotiating position with superior information while you are trying to decide whether to buy monthly or yearly. Actually, this likely happens today. Your fuel company does have information about all of your usage. What they might not have yet is detailed information about your thermostat settings over time and how that might relate to the efficiency of your home and your personal comfort preferences. If they did have that information, they might have even more detailed information about how the weather will affect your usage.
For businesses, poorly understood IoT devices can cause problems. One internal area of privacy for a business is employee monitoring. Let’s say a company installed webcams for security inside of the office near entryways. This is a fairly common, generally legal, and reasonable practice. On the other hand, there are many brands of webcams, and there are secure and insecure ways of configuring webcams. Some webcams don’t even encrypt the video feed that they send across the public internet to web interfaces with questionable security practices. Such devices are easily hacked. While it may be legitimate for an employer to monitor the premises (in places that are not considered places of personal privacy like a restroom), an employer is probably violating employees’ rights to privacy and security by not protecting such systems from hackers who could access and publicly post videos and images of employees.
Similarly, device monitoring systems are frequently employed to keep track of mobile assets like laptops and to secure networks, but a poor choice of monitoring tools can create more problems. A disreputable device monitoring software developer might not properly secure the information gathered and expose it to hackers.
Automobiles are computerized devices with internet connections, and they have joined the IoT in recent years. The manufacturers of automobiles must be aware of the design and architecture of their data flows in order to be compliant with privacy laws. France’s data protection authority (CNIL) has recently released a “compliance package”, providing guidelines for how to treat the personal data gathered by connected cars. In a less formal setting this February, FTC Commissioner Terry Sweeney presented as keynote speaker at the Connected Cars 2016 conference, stating that the Commission was watching to ensure that automobiles protect the security and privacy of consumers. As the FTC is the agency that enforces privacy notices under their mandate to protect consumers from unfair and deceptive trade practices, manufacturers do well to ensure that their privacy notices properly represent and disclose their use of data, and even if they do so, there is still the chance that the use might be considered unfair to the consumer.
The parade can easily continue into infrastructure, highways, the energy sector, manufacturing robotics, airlines, home automation…
Risk Assessment: An IoT Privacy Incident can Be Analyzed Like Any Other Incident
Like any other incident, an IoT incident should be analyzed under the multitude of state, federal, and international laws (and contractual obligations) to determine whether it is a breach that should be reported.
Similar factors must be analyzed to understand the seriousness and sensitivity of the incident. In the prior example of an employer’s webcam, we are talking about the unauthorized use or access of information by a hacker third party. Under the laws of some states or according to some federal agencies (and definitely in European jurisdictions and some Canadian ones), the webcam could have leaked personal information and may therefore have been a breach.
In order to know for sure if an incident is a breach, the assessor needs to think about the facts of the incident and how they fit into the laws, rules, and guidance in these jurisdictions. This is not a simple task – consistency in conducting a multi-factor risk assessment and maintaining thorough documentation remains a key aspect in maintaining your culture of compliance.
Interested in learning more? A panel of experts including RADAR Senior General Counsel Alex Wall discussed the Internet of Things at The Privacy and Security Forum in Washington DC. A recording of this session will be made available.
The Internet of Things
Alex Wall, Senior Counsel & Global Privacy Officer, RADAR, Inc
Julie Brill, Partner, Hogan Lovells US, LLP, Former FTC Commissioner
Ned Miller, Chief Technology Strategist, Public Sector Division, Intel Security Group