The need for means of managing user privacy as more and more devices become connected is a topic that has been raised a number of times on this blog. This week, at CES, someone slightly more influential, the chairwoman of the Federal Trade Commission, Edith Ramirez, raised these very concerns. While highlighting all the wonderful benefits the Internet of Things can bring, she also highlighted the impact that ubiquitous data collection, unintended uses of data and increased security risks will have upon user trust.
Already, in the online world, we are generating a set of footprints that are tracked by Internet companies, online ads, and retailers, who build a comprehensive demographic, behavioural and preferences profile. Similarly, the business model of many ‘free’ mobile apps depends on sharing our smartphone usage with online advertisers in order to drive more effective targeting of ads. This trend will become more pervasive as our houses, cars, cities, shopping malls, transport networks and our person all become swamped with sensors sending data to the cloud. There will be no way of avoiding generating a significant digital footprint – even the very act of avoiding doing so will create an easily-trackable ‘hole’.
Ramirez proposes three solutions to be adopted by the industry:
Security by Design
This is critical. A one-size-fits-all security solution, or strong firewalls or perimeter security, will not work. All devices, apps, networks and sensors need to implement appropriate security measures to be allowed to connect, and service providers, mobile operating systems, networks, gateways and standards must all enforce these security mechanisms. ‘Appropriate’ is the key word here – the encryption mechanisms and other technology applied must be appropriate to the use case and the complexity of the device used.
Data Minimisation
Here Ramirez proposes that companies only collect the minimum amount of data required to make the service work. This flies in the face of what the Internet companies have been doing for years and, short of some fairly tough regulation, is unlikely to happen. The dwindling cost of data communications and storage, and the increasing power of cloud-based analytics, mean that data is an increasingly valuable resource, and the main source of value of many a tech start-up. One technique proposed by Ramirez is de-identification, the process by which personal data can be anonymised. However, in much the same way as biometric information can identify users uniquely, given the amount of data produced, it will be near-impossible to properly anonymise the information. Travelling habits, physical activity, location and shopping routines all uniquely pin-point who we are.
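An added illustration, not from Ramirez's speech or the original post: a k-anonymity check over a constructed 'de-identified' data set, showing that attributes shared by several people individually become unique in combination, and what coarsening the data buys back. All field names and values are invented for the example.

```python
from collections import Counter

# Constructed sample: names and device IDs already removed, only behavioural
# attributes remain. Every value below is invented for illustration.
FIELDS = ("home_area", "commute_departure", "gym_days", "regular_store")
RECORDS = [
    ("N1-4", "07:42", "Mon/Thu", "store-A"),
    ("N1-4", "07:55", "Tue/Fri", "store-A"),
    ("N1-7", "08:10", "Mon/Thu", "store-B"),
    ("N1-7", "08:25", "Wed/Sat", "store-B"),
    ("E2-1", "06:30", "Mon/Thu", "store-C"),
    ("E2-1", "06:48", "Tue/Fri", "store-C"),
    ("E2-9", "09:05", "Wed/Sat", "store-A"),
    ("E2-9", "09:20", "Mon/Thu", "store-B"),
]

def k_and_unique(rows, cols):
    """Project rows onto the given column indices and return (k, unique):
    k is the size of the smallest group of rows with identical values
    (k = 1 means at least one row stands alone); unique is the fraction
    of rows whose value combination occurs exactly once."""
    sizes = Counter(tuple(r[c] for c in cols) for r in rows)
    singled_out = sum(1 for n in sizes.values() if n == 1)
    return min(sizes.values()), singled_out / len(rows)

def generalise(row):
    """Coarsen a row: keep only the area prefix and the departure hour,
    and drop the gym schedule and store entirely."""
    area, depart, _gym, _store = row
    return (area.split("-")[0], depart[:2] + ":00")

def report():
    """Return {label: (k, unique)} for single fields, pairs and coarse data."""
    out = {FIELDS[c]: k_and_unique(RECORDS, (c,)) for c in (0, 2, 3)}
    out["home_area+gym_days"] = k_and_unique(RECORDS, (0, 2))
    out["gym_days+regular_store"] = k_and_unique(RECORDS, (2, 3))
    coarse = [generalise(r) for r in RECORDS]
    out["generalised"] = k_and_unique(coarse, (0, 1))
    return out

if __name__ == "__main__":
    for label, (k, unique) in report().items():
        print(f"{label:24s} k={k}  unique={unique:.0%}")
```

The generalised rows reach k = 2 only by discarding most of the detail, which is the trade-off between de-identification and the analytic value of the data.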
Notice and Choice
Ramirez’s final recommendation is to provide users with information on how the data is being used. But will this really help? How many people can identify whether the app being installed on their smartphone makes what they would consider to be an inappropriate use of the data? How are shoppers to manage how the information collected by beacons in store is used? This is perhaps the thorniest problem. While user consent is critical, consent can only be given if it is informed. And the process of informing users in a simple and clear way of how their data is being used will pose extremely challenging questions.
Already Google provides single pages where much of one’s personal profile can be reviewed. However, as the physical and online Internet become more fragmented, where are users to go? Perhaps a combination of clear regulatory guidelines on how data can be used (e.g. can health and life insurance companies access your Fitbit data) and one-stop-shops for accessing one’s digital profile, similar to what credit agencies do today in the finance space, can provide a way forward. Nevertheless, it is encouraging that the web of things is finally also being spoken of in terms of challenges that have to be overcome, rather than simply the billions of devices connected and billions of dollars of generated value.
The full text of Ramirez’s speech can be found here: http://www.ftc.gov/system/files/documents/public_statements/617191/150106cesspeech.pdf