Will Your Internet of Things Device Testify
Imagine this: Your wearable device is subpoenaed to testify against you. You were driving when you were over the legal alcohol limit and data from a smart Breathalyzer device is used against you. Some might argue that such a use case could potentially safeguard society. However, it poses a bigger concern about how data from the broader spectrum of Internet of Things (IoT) devices could be used against you. Doesn’t it seem reminiscent of George Orwell’s dystopian universe, Nineteen Eighty Four where children were indoctrinated to inform on suspicious activity, only now it’s an IoT device? But, this time it’s you who chose to use the device or network of devices that could start working in concert against you.
IoT devices range from wearables such as wristbands, shirts, and goggles to a range of household and other real-world objects that are increasingly being connected to the Internet using RFID chips, barcodes, sensors, bots via mobile applications. And as the technology has become cheaper and more efficient these devices have become enmeshed in our daily lives. Runners like myself regularly slip sensors into our shoes to track our distance and times. Many people wear fitness bands with the goal of optimizing their sleep, diet and lifestyle patterns. There is also a certain coolness and addictive factor associated with these devices and many rush to have the latest and greatest in these devices.
Data Brokers Are Waiting
What most people don’t think about is most if not all of the analysis of the data is not carried out on the device and is analyzed and often shared with third party data brokers via a cloud backend depending on the privacy policies in place. These third parties may share information and the aggregated data used to create profiles, which at best case may be use for marketing purposes but over time what’s to stop insurers and law enforcement gaining access to this information?
Earlier this year Federal Trade Commission (FTC) Chair Edith Ramirez warned of the privacy risks when at the CES tradeshow, she posed the question ”Or will the information flowing in from our smart cars, smart devices, smart cities just swell the ocean of “big data,” which could allow information to be used in ways that are inconsistent with consumers’ expectations or relationship with a company?” The Electronic Privacy Information Center has also written at length on the risks of the “hidden collection” of sensitive data from IoT devices. In Accenture’s survey report on the “Internet of Things” many of the 2000 respondents polled in the United States indicated they would be willing to share personal data in return for discounts and coupons.
Transparency, Standards And Data Confidentiality
I am a fan of IoT and the potential a great many of these devices offer for improved quality of living and safety, health, greater home and environmental efficiencies. However, consumers need clear standards for secure connections from the devices to a backend cloud and standards around data confidentiality, and transparency of that data stored and processed in the backend cloud. Until these standards are in place, I encourage users to be vigilant and to press manufacturers for clear answers on the following at minimum:
- Will your data shared with third parties? This is particularly important for any device that collects sensitive data about you. It may be challenging given the volume and legalese of privacy policies but well worth the time investment given it’s your private data.
- Understand how your information is transmitted. And, once in storage, who has access to the information? Is the information stored on a third party’s cloud? When you stop using the device, what happens to your data?
- Take time to understand your device’s privacy settings. Have you configured the device’s settings maximum privacy? Are you only sharing what you are comfortable sharing publicly?
The tension between convenience and privacy is at it’s most strained and hopefully that will accelerate the move towards much needed digital safeguards. But in the interim, a more cautious and defensive approach will help you preserve your privacy.
By Evelyn de Souza
Evelyn de Souza focuses on developing industry blueprints that accelerate secure cloud adoption for business as well as everyday living. She currently serves as the Chair of the newly formed Cloud Security Alliance (CSA) data governance and privacy working group. Evelyn was named to CloudNOW’s Top 10 Women in Cloud Computing for 2014 and SVBJ’s 100 Women of Influence for 2015. Evelyn is the co-creator of Cloud Data Protection Cert, the industry’s first blueprint for making data protection “business-consumable” and is currently working on a data protection heatmap that attempts to streamline the data privacy landscape.