No, your ‘smart’ coffeemaker likely isn’t plotting to harm you. But it might well be leaking data about you to companies that don’t have the capacity to safeguard the information, says a Western Law professor specializing in privacy protection.
The ‘Internet of Things’ has its perks beyond mere convenience, said Sam Trosow, a professor with joint appointment in Law and Information and Media Studies. They can monitor our health, secure our homes, track our energy footprint, remind us of our food choices and improve our lives in myriad ways.
Cumulatively, these products also collect enough data to construct a virtual fingerprint of their users.
In a new paper advocating for updated privacy and security legislation, The Internet of Things: Implications for Consumer Privacy Under Canadian Law, Trosow says regulations need to be tightened to ensure the default position is that any information collected from the Internet of Things is deemed to be private.
“The ability of advanced information systems to collect, store, evaluate, transmit and reuse vast amounts of data linked to the personal activities of individuals has very serious implications for security and privacy. The types of information gathered by the emerging Internet of Things are potentially very valuable from a marketing perspective, especially with the growing ability to link and analyze vast stores of data,” the paper stated.
The Internet of Things is defined as connecting any device with an on and off switch to the Internet (and/or to each other). We’re talking cellphones and wearable devices, but also about coffee makers, washing machines and jet engines. One analyst firm told Forbes magazine there will be more than 26 billion connected devices in the world by 2020.
At their best, the devices can lead to dramatic improvements in people’s lives. “The trade-off is they get to keep, and use, your data,” he said.
Canadian privacy laws pre-date the development of the Internet of Things, and existing privacy frameworks aren’t well-equipped to deal with emerging technology.
Trosow contends the makers of connected things are selling more than physical products. “They are data collectors, first and foremost. As consumers, how many of us ask ourselves how this information is gathered and decoded – or even whether it is decoded? Few people ever read the products’ terms-of-service that may, or may not, tell us how our data is aggregated and used.”
That means few of us know what information is being collected, nor how it is being safeguarded, he said.
Many companies say the data they collect is anonymized and analyzed internally for better customer experience. Any data they share with marketers is aggregated and ‘de-identifies’ individual users. But that assurance is only as good as manufacturers’, providers’ and networks’ security measures, Trosow said.
And those have become notoriously vulnerable, with hackers able to gain access to home networks through webcams and baby monitors that tend to have fewer security features.
“When you have connected Internet of Things in your home, you have another source for unauthorized persons getting access to your home network,” he said.
A toy company recently withdrew its plans to sell a baby ‘hub’ that many consumers deemed too intrusive: it had the ability to hear a baby’s cries, answer its questions and sing lullaby responses.
Trosow said privacy provisions in Canada are far less stringent than in the European Union, although tougher than in the United States.
He said it’s important to have conversations with privacy regulators and legislators to make sure personal information from wired and wireless networks stays personal. Significant policy changes are needed to protect Canadians’ privacy and security.
“I don’t want to come off sounding like a Luddite or a technophobe because, handled the right way, these devices can make a dramatic improvement in people’s lives,” Trosow said. “But when we buy these products, we need to understand the privacy implications and security risks associated with bringing these devices into our homes. We also need to better understand how our personal information is being collected, analyzed and reused.”