IoT is Going to Result in Privacy Troubles

Someone asked me the other day, what I meant when I said the Internet of Things was going to shake up privacy as an issue. I thought I would share my answer. The short answer is, “Dude, there are going to be billions of these things tracking us all the time. Of course there are going to be massive privacy issues.” But a more complete answer is nuanced.

First, when I say there are going to be billions of these devices, that is not hyperbole. Gartner predicts there will be 30 billion IoT devices in the marketplace by 2020. To put that into perspective there are currently just a couple of billion computers in operation. It is clear that IoT devices will be everywhere doing all sorts of tasks for us.

Secondly, it is the services they will provide that are the significant consideration. Think about all of the Jetsons-like devices the IoT promises. From the current reality of smart TVs, habit tracking wrist bands and refrigerators that can tweet to the yet to be realized networked milk cartons and closets that tell your dry cleaner your suit is dirty and to come pick it up. The common thread through all of these devices is that the provide value by leveraging your personal information.

The smart TV tracks your viewing habits and the milk carton will be able to tell farmer Brown down the street you are about to run out of milk by monitoring your milk drinking habits. Now you might not consider your milk drinking habits anything sensitive, but think about these considerations in the context of our current privacy laws and regulations.

Our current laws, both here and abroad, are generally founded on the Fair Information Practice Principals (FIPPs). At the core of FIPPs are calls for transparency and responsibility on the part of the entity collecting personal information, and broad controls over the uses of the data on the part of the subject of that information (the person’s own personal information). In privacy laws and regulations FIPPs is expressed as the notion of “notice and consent.”

Notice and consent is simply the idea that the entity collecting the personal information must tell the individual what they are collecting and why (provide notice), and once the individual understands the notice then they make the choice to the transfer of their personal information (give consent). In theory, in a free market economy this should work great, but in practice doesn’t work that well.

This is something I’ve covered before, but to reiterate, no one reads privacy policies and it can be so complicated to explain what a modern organization does with data that even if they read it they wouldn’t understand what the organization is trying to convey. These simple facts destroy the foundation of any laws and regulations based on notice and consent.

Now add the IoT to the mix. These devices either have a small screen or possibly no screen at all. How can you provide notice and gain consent? Keep in mind these devices will largely depend on the tracking of personal information to provide the consumer value, but how can they ethically and legally do that when they can’t adequately provide notice? That is the billion-device question and why I believe the IoT will shake up privacy in a big way.

 
1
Kudos
 
1
Kudos

Now read this

Privacy is not Security, II

Late last year I wrote about the differences between information security and privacy. What was true then is still true now: That information security professionals, often by default, are tasked with handling privacy for their... Continue →