Lawmakers, regulators, and manufacturers need to address IoT privacy risks and consent management for IoT privacy on smart devices, according to a report issued by the University of California’s Center for Long-Term Cybersecurity and the IoT Privacy Forum. The report details how the growth in Internet of Things (IoT) devices, such as fitness trackers, personal home assistants, and digital appliances, is leading to an unprecedented amount of data sharing that brings with it privacy risks.
The dialogue about IoT devices was primarily centered on cybersecurity before Facebook-Cambridge Analytica happened. Despite the conversation's shift toward individual privacy generally, the report calls for more attention to the privacy risks and the need for consent management for IoT privacy.
Among the recommendations of the report were:
- Omnibus privacy legislation is needed before mass sensor data collection becomes pervasive.
- IoT devices should be more transparent and use consent management with preference controls.
Where is all of this data coming from?
Companies are predicting billions of Internet-connected devices due to miniaturization, cheap sensors, and inexpensive network access. The authors of the report compiled a partial list of IoT devices that are capable of collecting data and sharing it back to the manufacturer or other third parties:
On the Consumer side:
- smart speakers
- smart TVs
- connected cars
- smart lighting
- fitness/health wearables
- networked thermostats
- robot vacuums
- internet-connected toys
- networked bathroom appliances
- indoor security systems
- smart locks
On the Enterprise side:
- productivity tracking devices
- smart office lighting
- autonomous trucking
- disease management systems
- employee wellness trackers
- automated retail checkout
- security cameras with facial recognition
- building management sensors
- augmented reality maintenance equipment
What are the privacy risks and challenges of these devices?
Diminishment of Private Spaces: The presence of network-connected devices in private spaces such as one’s home can remove the sense of control and privacy, leading to the alteration of behavior. Malicious actors can also use the plethora of IoT devices to collect, use and disclose data in an attempt to exploit sensitive personal information for financial gain.
Bodily and Emotional Privacy: Wearable devices, implantable chips, fertility trackers and pills with the capability of communication are all challenging traditional notions of personal space. IoT-connected devices also have the ability to read emotions through facial data, voice analysis, biometrics and other methods, which could lead to manipulation for marketing or use for other purposes.
Choice and Meaningful Consent: It can be difficult for consumers to get information about data collection and the privacy of devices, and difficult to change privacy settings, since IoT devices often lack screens. When combined with the fact that many people aren’t reading privacy notices, or are doing so only during the initial agreement, it is hard to say that they are knowingly consenting.
User Control and Privacy Management
What can be done to enhance IoT device privacy? The report went into three primary areas of implementation that would help improve user privacy on these devices:
Identity Management and Privacy Dashboards: The ability to identify people using a device, ensure authorization to see information, and modify privacy settings based on the consent and preferences of each user (on a multi-user device).
Transparency: The report suggests the use of just-in-time notifications (notices just before data collection occurs), periodic notifications (regular reminders to confirm ongoing data collection practices), layered notifications (separate notifications that give users different information at different times), and context-dependent notifications.
Privacy by Design: Device manufacturers need to ensure that IoT privacy, including consent management, is protected as part of the normal operation of the device, given the unprecedented scale of data collection concerning people’s activities and behaviors. The report suggests companies should conduct privacy impact assessments and give users more power to control data collection and to withdraw consent to store data that has been previously collected.
Here is the link to the report (pdf) if you are interested in more information.