By the year 2020, experts predict, there will be more than 20 billion connected devices, and some say twice as much as that. This ever-growing constellation of objects living on the web is often referred to as the internet of things (IoT).
The potential for innovation is mind boggling: The IoT will enable everything from smart grow boxes that produce next-gen tomatoes to driverless cars — Toyota is just one of many firms working on the idea and plans to bring them to market by the end of the decade.
But with this new digital ecosystem comes a raft of new privacy concerns and challenges. Data privacy is undoubtedly been a hot consumer issue for a number of years now, but businesses are also starting to take it seriously. Not only do many now have “data privacy” teams whose job it is to spot and manage risks of sensitive data being lost or stolen, but many internal auditors now cite it as the primary risk facing their organization.
Take “Hello Barbie,” as an example of how important this has all become. The latest version of the classic toy comes equipped with WiFi to enable a Siri-like functionality. To use it, owners must install a companion app on a smartphone. When a child speaks to the doll, it communicates wirelessly to the cloud to enable a real-time back-and-forth. Hello Barbie is quite the conversationalist, but it may not be on the shelf much longer. Critics have panned the toy saying it can be easily hacked, revealing everything from the owner’s account IDs to the location of his or her house.
Mattell, the maker of Barbie, and ToyTalk, the technology company behind the voice features of the doll, say they are working closely with one another on “the safety and security of Hello Barbie.” For its part, ToyTalk has started a “bug bounty” program that compensates independent security researchers for identifying and reporting vulnerabilities to the company, and a month after its debut, Hello Barbie was selling at a 30% discount.
Before managers work out any tactics for addressing IoT privacy issues, it’s important to understand the term and the concept it aims to capture.
Understanding the Internet of Things
Boiled down to its core, the IoT is the extension of the internet into the physical world. The smart home with connected ovens, toasters, lights and heating systems, is one manifestation of the IoT. This enables people to turn devices on and off remotely. Left the oven on? No problem; your phone can now communicate with your oven about that.
Connected cars, watches, and smartphones, among other portable devices, make up the mobile IoT. Your Fitbit telling your laptop how many steps you walked today is the mobile IoT at work. And then there is the industrial IoT, the ecosphere of connected factory equipment, medical devices, security cameras, and the like. A vending machine telling a supplier that sweets or chocolate are running low is the industrial IoT.
The IoT generates “data that can be analyzed to extract valuable information,” Marjorie Dickman, managing counsel of IoT policy at Intel Corporation, says. It also leads to “the creation of platforms for new applications and services.”
Any business leader worth his or her salt is looking at how to gain a competitive advantage with IoT. The challenge, says Giulio Coraggio, a privacy attorney at DLA Piper Italy, is “how to ensure privacy protection in a manner that does not impair business profitability, which requires the need to get access to large databases of personal data.”
In terms of risk, the IoT means the number of access points where personal information could be compromised will grow exponentially. The IoT can also, unwittingly, increase the risk of unlawful surveillance: Hello Barbie is a case in point. A hacker, potentially, could break into the ToyTalk cloud and listen to a kid’s conversation with the doll.
Industry Experts’ Advice on Privacy in the IoT
This comes in three categories.
Privacy by design: This is a recurring theme in conversations with privacy professionals about IoT. Simply put, it means building privacy into devices at the outset of production. Much of this won’t be the actual work of the privacy professional, but he or she should be consulted throughout the process.
“The privacy officer needs to work together with all parties involved in the development of an IoT service, be it software or code engineers, system designers and third party partners,” Yiannis Theodorou, a regulatory and policy executive at GSMA, says. The London-based trade association represents some 800 mobile operators worldwide.
“Privacy by design” may include:
Conducting a Privacy Impact Assessment for new products or services
Creating systems for internal oversight and assurance reviews on an ongoing basis
Developing mechanisms to put privacy policies in place such as employee training and tools.
“This is not only a technical process,” Coraggio says, “but requires the arrangement of documentation which shows the adoption of measures aimed at reducing the potential data breaches during the whole production process.”
Caution with third parties: The IoT means working with a larger number of vendors. Vet them carefully and make sure their technology and policies are up to snuff with respect to privacy concerns. Coraggio suggests having a contractual clause in place to address data ownership.
Transparency and consent: Explaining to consumers or business customers how their information will be used, and obtaining consent for that, is of paramount importance. One significant piece of the privacy equation in IoT is the user experience.
“IoT providers must tell their [user experience] designers to take privacy considerations in account in the same way as they take into account aesthetics, ergonomics and usability when developing products and services,” Tim Lyons, a privacy lawyer at DLA Piper Australia, wrote.
Examples he gives include:
Data “featurization”: the practice of making data a user-facing component of products and services
Building systems that allow consumers to retrieve their data in an easy, usable format while providing tools that facilitate the sharing of data, and
Developing mechanisms that permit providers to acquire real, meaningful consent to data collection and use.
Policymaker Advice on Privacy in the IoT
Some key regulatory bodies have issued guidance on the matter.
US Federal Trade Commission on the IoT; the agency wants companies to consider:
- Conducting a privacy risk assessment
- Minimizing the data they collect and keep
- Testing security measures before launching products
- Implementing a layered defense approach for high-risk areas
- Fostering a “culture of security” mindset among staff through training
European Data Protection Authorities on IoT; the Article 29 Working Party, a body that represents all of the European data protection agencies, adopted an opinion last year on the IoT. The group broke down its guidance by technology type: wearable computing, the quantified self (such as sleep trackers), and the smart home.
While the advice is technology specific, there are some key principles offered that apply to all of it:
- Give users the ability to remain in complete control of their personal data throughout the product lifecycle
- When a company relies on consent for processing data, “the consent should be fully informed, freely given and specific.”
- Consider privacy and data protection from the outset of product development
The IoT and its attendant privacy concerns are a classic example of a moving target for managers, who should keep up to date with news as well as regulatory and industry guidance. A number of governing bodies and nonprofits have issued or are in the process of developing advice on this topic.
The Online Trust Alliance (OTA), a nonprofit that aims to protect Internet users’ privacy and security, released a draft framework for responsible commercial use of the IoT. The Open Web Application Security Project (OWASP), another nonprofit with a similar mission, developed a testing guide handout for the IoT, including a section on privacy concerns.