In search of privacy on the Internet of Things
The Internet of Things is rapidly gaining traction as an amorphous blob into which data can be placed and retrieved and, as it does so, questions are starting to be asked about who owns the data (the collector, the keeper or the analysts), how long it should be kept and what re-use purposes are suitable.
The new General Data Protection Regulation (GDPR) that is to take effect in the European Union goes some way to setting out what is acceptable in the areas of data collection, data expiration and the right to access that data; however, it does not specify the levels at which data can be collected and is very much a “catch all” act when it comes to applying the rules to the data once stored.
We have to ask ourselves “What do I care more about protecting?”
My home address is already widely available from public registers such as the electoral roll or (in the case of company directors in the UK) Companies House, and it is protected in law by the existing Data Protection Act and the soon-to-be-enacted GDPR. Yet the details of my debit card, which could quickly be used to validate an individual to my online banking and give them far more detail of my life and expenditure than my address ever could, fall within the remit of the Payment Card Industry Data Security Standard (PCI-DSS), which is a private set of regulations as opposed to national or international law.
Dr Tally Hatzakis and her team at the Open University have taken the work of the team behind “A Typology of Privacy” (Koops et al. 2016) and created both a definition of privacy and four key areas that we need to talk about when discussing privacy.
The work that Dr Hatzakis and her team are involved in surrounds the how and why of business commercial agreements on personal data and Internet of Things data, what they call “the big data of the self”. It is important not to lose sight of what we eventually try to protect, which is our rights to be left alone, to be known intimately only by those we choose, to be able to let our hair down in our private lives without being accountable to acquaintances and institutions, and to take for granted that others will discreetly leave us alone in public spaces.
These principles need equally to apply to how we design the opt-in areas of our applications, the encryption decisions for our back-end databases and whether we use secure, ciphered connections just between us and the customer, or behind our firewalls as well.
A simple example of how privacy can suddenly interfere with the Internet of Things is temperature tracking. This in and of itself is not identifiable information: we simply track the current temperature via a basic sensor and report it back to our analytics platform for querying and display by our users. Now think about a hundred sensors (or even a thousand) located in houses across your town or city, one of which is yours. How do the analysts at the other end of the data pipeline know which sensors are close enough to each other to be statistically significant?
The short answer is that they don’t, so they decide to upgrade your device to include GPS co-ordinates and now they can map where each device is. They can now also see that one particular house in a cluster is significantly colder than those around it. If they choose to investigate why this is, they may well discover that the property is vacant, and through this go on to find out more about the current owner’s financial status etc. Equally, they could see that one house is hotter than the others, and pass the information to the police for investigation into a potential cannabis factory or similar.
Very quickly, we have gone from completely anonymous information (the temperature on its own) to a data set that can pinpoint with great accuracy the times that the central heating might be switched on for a given property, thus providing an indication of the routines of the people living there.
If the analysts were then to add further modifications to the sensors, such as particulate, humidity and noise pollution sensors, they could very quickly build up a profile of the individuals living at that address, and because the only data they have linking everything to the property is GPS co-ordinates, it would fall outside the remit of current law, as this is not “personally identifiable information”.
To summarise, if we are to place Internet of Things sensors within properties, and allow open access to the data, we must ensure that the four areas of privacy are respected and maintained, and we must allow our users to opt in or out of the scheme as they desire.
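The temperature cluster described above, re-worked from the collector's side as an added example (not code from the original post or from Mockingbird Consulting): the ingestion step honours the opt-out, coarsens each GPS fix to a grid cell instead of storing the raw co-ordinates, and only publishes cells that hold at least k consenting sensors, so the one cold house in a cluster never surfaces as its own data point. The sensor readings and the threshold k=5 are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

# Constructed sample feed (not real data): sensor id, opt-in consent,
# GPS fix, indoor temperature in Celsius.
READINGS = [
    ("s01", True,  51.4801, -2.5901, 19.5),
    ("s02", True,  51.4803, -2.5898, 20.1),
    ("s03", True,  51.4799, -2.5904,  8.2),   # the cold house in the cluster
    ("s04", True,  51.4806, -2.5897, 19.8),
    ("s05", True,  51.4802, -2.5900, 21.0),
    ("s06", True,  51.5310, -2.6102, 20.4),   # only sensor in its cell
    ("s07", False, 51.4805, -2.5899, 18.9),   # owner opted out: never stored
]

def cell_key(lat, lon, decimals=2):
    """Coarsen the GPS fix to a grid cell (roughly 1 km at two decimals).
    Only the cell is persisted, never the raw co-ordinates."""
    return (round(lat, decimals), round(lon, decimals))

def aggregate(readings, k=5, decimals=2):
    """Return {cell: (sensor_count, median_temp)} for cells holding at
    least k consenting sensors. Smaller cells are suppressed entirely,
    because a one-sensor cell is simply that household's reading."""
    cells = defaultdict(list)
    for _sid, opted_in, lat, lon, temp in readings:
        if not opted_in:
            continue                      # honour the opt-out at ingestion
        cells[cell_key(lat, lon, decimals)].append(temp)
    return {c: (len(t), median(t)) for c, t in cells.items() if len(t) >= k}

def publishes_single_household(summary, k=5):
    """Release check: True if any published cell falls below k sensors."""
    return any(n < k for n, _ in summary.values())

if __name__ == "__main__":
    summary = aggregate(READINGS)
    for cell, (n, med) in summary.items():
        print(f"cell {cell}: {n} sensors, median {med:.1f} C")
    assert not publishes_single_household(summary)
```

The published summary contains one cell with five sensors and a median of 19.8 C; the 8.2 C outlier and the lone sensor in the second cell are not individually recoverable from it.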
Mockingbird Consulting are in the process of creating a number of guides to data privacy and related areas in the age of the Internet of Things. If you would like to receive a copy of these documents when they are complete, or are interested in talking to us further about how we can help you secure your IoT network, please email us at email@example.com and we will keep you up to date with our progress.
Koops, Bert-Jaap; Newell, Bryce Clayton; Timan, Tjerk; Škorvánek, Ivan; Chokrevski, Tom; Galič, Maša. A Typology of Privacy (March 24, 2016). University of Pennsylvania Journal of International Law, forthcoming; Tilburg Law School Research Paper No. 09/2016. Available at SSRN: https://ssrn.com/abstract=2754043