The Internet of Things (IoT) is a network of devices interconnected through the existing internet infrastructure, which allows them to collect and exchange data. This interconnectivity enables the data captured by the devices to be transformed into insights about a user’s behavior and the usage of those devices.
IoT is a complex ecosystem consisting of aspects such as the devices, internet, analytics, cloud, applications and security. The very complexity of the IoT network therefore requires a close analysis of the various privacy issues that could impact the interconnectivity of IoT-enabled devices, platforms and appliances. For example, profiling done by health-related smart devices can clash with privacy legislation that bars automated profiling of data subjects.
Privacy Concerns
IoT-enabled devices can undermine the privacy of individuals (primarily their users) if appropriate safeguards are not established. For instance, a connected security camera could expose personal information, such as the user’s location, if it is compromised. Additionally, factors such as the lack of technical safeguards and/or of an implemented consent mechanism could be roadblocks to the readiness of IoT-enabled technologies for data privacy compliance. For example, even if a device is not compromised, it could still be violating applicable privacy regulations (which may vary from country to country) in multiple ways, such as:
- On the legitimate grounds of processing, especially if consent is the basis for collecting an individual’s personal data,
- Auto-profiling and decision-making based on profiling of the user, and
- Lack of technical safeguards in the device or appliance in question.
Moreover, there are various situations in which a lack of privacy safeguards could negatively impact a consumer. The following scenarios demonstrate data being compromised in IoT-enabled platforms (devices/appliances/platforms):
- A smart television is able to monitor viewing habits and record the conversations of viewers.
- Smart devices storing data such as a consumer’s weight, height and food preferences can, based on analysis of that data, predict the diseases the consumer could be afflicted with in future and then connect them with relevant products.
- Smart home devices can record consumers’ and/or clients’ personal conversations and, if compromised, can send those conversations to someone from the consumer’s and/or client’s contact list or onto the internet, which cannot be predicted.
- It is possible to hack into a pacemaker and read the details of data stored in the device, such as names and medical data, without having direct access to the device (by just standing nearby). It is also possible to reconfigure the parameters of the device, which can potentially induce a heart attack.
- Wearable devices are vulnerable to attacks due to their low computing power, which prevents developers from equipping such devices with security mechanisms. Additionally, wearable devices could be used to steal users’ geo-information or location information for malicious purposes.
Therefore, safeguards to protect individuals’ privacy must be implemented in IoT-enabled platforms so as to mitigate the risks that could arise from exposure to the IoT network.
Privacy safeguards that can be implemented/adopted by organizations
- Collection and purpose limitation – Defining the purpose of the data that is to be collected, and the limit to which data can be collected in relation to the operation of IoT-enabled goods and services, would be beneficial both in proving compliance under privacy laws across jurisdictions and in minimising the data that is stored within an organization.
- Consent – Implementing consent-handling mechanisms, such as legible consent forms, authorisations, and records of onward processing and the consents for it, would positively impact consumer trust, compliance with privacy laws, and the handling of events such as withdrawal of consent by a consumer.
- Record keeping – Keeping records of all processing activities would help demonstrate compliance with privacy norms across jurisdictions, since such records reflect a bona fide intention to comply with privacy norms that are transparent and fair.
- Privacy by design – Privacy by design is a requirement under various privacy laws, and within the IoT it applies to devices, software and backend systems. Moreover, privacy by design is critical at every stage of an IoT platform’s development lifecycle, to ensure that consistent protection and management of information is addressed from creation to final disposition. For example, password protection should be implemented with masking enabled, along with multifactor authentication, so as to secure the entire IoT ecosystem from being breached. Technical safeguards must be implemented on the basis of the applicable laws and regulations prevalent in a particular jurisdiction. In addition to implementing technical safeguards such as encryption and password protection, policies for security and privacy must be established and applied to the IoT devices that collect personal information, as well as to the networks and backend systems that transmit and process data. These policies must also be subjected to periodic reviews, together with an assessment of how they have been implemented. For example, an organization must be able to delete data to comply with a data subject’s right to erasure, and this can only be done by balancing the technical capability to respond to such a request with the organization’s policies respecting the rights of its customers.
- Data Protection Impact Assessment (DPIA) – Companies that process personal and/or sensitive personal data must consider conducting a DPIA so as to establish a systematic description of the operations that involve data elements and their purpose, including their proportionality and necessity in relation to that purpose. This exercise would enable an entity to assess the risks and vulnerabilities associated with the privacy and security of its IoT-enabled products and processes.
To conclude, since IoT devices are connected to the Internet, they are vulnerable to cyber-attacks that can impact consumer, commercial, industrial, and governmental computer systems. We have seen hackers being able to penetrate a casino’s high-roller database after gaining access to its network via the smart thermostat in a fish tank of the casino’s lobby. Another example would be when smart home devices are used by robbers to predict the time of the day the house would be empty. Hence, the very technology behind IoT permits the creation of a common attack vector for hackers to gain access to an entire network. Therefore, organizations must recognize the various privacy concerns that could compromise their networks, invest in privacy compliance and implement safeguards to mitigate privacy and security risks, so as to maintain the trust of their user base. After all, IoT technology is reliant on the connection and communication of individuals via their devices and appliances, and due care must be taken to ensure these interactions do not lead to undesirable situations for individuals and organisations.
By Ahmar Zaman, Guest Writer