Privacy concerns and safeguards in a world driven by smart devices
The Internet of Things (IoT) is a network of interconnected devices through the existing internet infrastructure which allows them to collect and exchange data. The said interconnectivity enables the data captured by the devices to be transformed into insights vis-a-vis a user’s behavior and the usage of the said devices.
IoT is a complex ecosystem consisting of aspects such as the devices, internet, analytics, cloud, applications and security. Therefore, the very complexity of the IoT network requires a certain degree of deep-diving in terms of analyzing the various privacy issues which could impact the interconnectivity of the devices, platforms and appliances which are IoT-enabled. For example, profiling done by health related smart devices can have consequences in terms of its clash with privacy legislations barring automated profiling of data subjects.
IoT enabled devices could backfire with respect to privacy of individuals (primarily its users) if appropriate safeguards are not established. For instance, a connected security camera could expose personal information, such as user’s location, if it gets compromised. Additionally, factors such as lack of technical safeguards and/or implementation of a consent mechanism could play as roadblocks to the readiness of IoT-enabled technologies in relation to data privacy related compliance. For example, if a device is not compromised, it could still be violating applicable privacy regulations (which may vary country to country) in multiple ways such as:
- On legitimate grounds of processing, especially if consent is the base for collecting individual’s personal data,
- Auto-profiling and decision-making based on user’s profiling, and
- Lack of technical safeguards in the device or appliance in question.
Moreover, there are various situations wherein lack of privacy safeguards could negatively impact a consumer. Following scenarios demonstrate data being compromised in IoT-enabled platforms (devices/appliances/platforms):
- Smart television is able to monitor viewing habits and record conversation of viewers.
- Smart devices storing data such as consumer’s weight, height and food preference can predict the possibility of diseases one could be afflicted with in future based on the analysis and then connect them with relevant products.
- Smart home devices can record consumers and/or clients personal conversations and if compromised, can send those conversations to someone from the consumer’s and/or client’s contact list or on internet, which cannot be predicted.
- It is possible to hack into a pacemaker and read the details of data stored in the device, such as names and medical data, without having direct access to the devices (by just standing nearby). It is also possible to reconfigure the parameters of the device– which can potentially incur a heart attack.
- Wearable devices are vulnerable to attacks due to their low computing power, thereby, disabling developers to equip such devices with security mechanism. Additionally, it could be the case that wearable devices could be used to steal geo-information or location information of users for malignant purposes.
Therefore, safeguards to protect
individual’s privacy must be implemented in the IoT enabled platforms so as to
mitigate the risks which could incur as a result of exposure to the IoT
Privacy safeguards that can be implemented/adopted by organizations
- Collection and purpose limitation– Defining the purpose of data that is to be collected and the limit to which data can be collected in relation to the operation of IoT-enabled goods and services would be beneficial in terms of proving compliance under privacy laws across jurisdictions and also in minimising the data that is stored within an organization.
- Consent– Implementing consent handling mechanisms such as legible consent forms, authorisations, records of onward processing and their consents in place would positively impact the aspect of consumer trust, compliance with privacy laws and events such as withdrawal of consent by a consumer.
- Record keeping– Keeping records of all processing activities would ensure demonstration towards privacy norms across jurisdictions since the same would reflect a bona fide intention towards complying with privacy norms that are transparent and fair.
- Privacy by design- Privacy by design is a requirement under various privacy laws and within the IoT, this would apply to devices, software and backend systems. Moreover, privacy by design is critical at every stage of an IoT platform’s development lifecycle to ensure that consistent protection & management of information from creation to final disposition is addressed. For example, password protection should be implemented with masking enabled in it along with multifactor authentication so as to secure the entire IoT ecosystem from being breached. Technical safeguards must be implemented basis applicable laws and regulations prevalent in a particular jurisdiction. In addition to implementing technical safeguards such as encryption, password protection, policies for security and privacy must be established and applied to the IoT devices that collect personal information, as well as to the networks and backend systems that transmit and process data. The said policies must also be subjected to periodic reviews in corroboration with the assessment of the implementation of such policies. For example, an organization must be able to delete data to comply with data subject’s right to erasure and the same can only be done by balancing the technical capability to respond to such a request along with organization’s policies respecting the rights of its customers.
- Data Protection Impact Assessment (DPIA)- Companies that process personal and/or sensitive personal data must consider conducting a DPIA so as to ascertain a systematic description of the operations that involve data elements and their purpose, including the proportionality and necessity in relation to the purpose. This exercise would enable an entity to assess the risks and vulnerabilities associated with privacy and security of their IoT enabled products and processes.
To conclude, since IoT devices are connected to the Internet, they are vulnerable to cyber-attacks that can impact consumer, commercial, industrial, and governmental computer systems. We have seen hackers being able to penetrate a casino’s high-roller database after gaining access to its network via the smart thermostat in a fish tank of the casino’s lobby. Another example would be when smart home devices are used by robbers to predict the time of the day the house would be empty. Hence, the very technology behind IoT permits the creation of a common attack vector for hackers to gain access to an entire network. Therefore, organizations must recognize the various privacy concerns that could compromise their networks, invest in privacy compliance and implement safeguards to mitigate privacy and security risks, so as to maintain the trust of its user base. After all, the IoT technology is reliant on the connection and communication of the individuals via their devices and appliances, and due care must be vested to ensure the interactions do not lead to undesirable situations for individuals and organisations.
By Ahmar Zaman, Guest Writer