Top 5 Legal Issues in the Internet of Things, Part 2: Data Collection and Invasion of Privacy

CC BY 2.0 https://creativecommons.org/licenses/by/2.0/

Highways Agency / Flickr

Last week I wrote about the incredibly lax privacy protections used in most Internet of Things (IoT) devices, and how vulnerable they are to hacking. Users are allowing more and more of their health, commercial, and other data to be stored in IoT devices, and the potential of the data being hacked into and misused is ever-present.

A closely related, but distinct, concern is the data about us in these devices that we don’t choose to put there–in other words, the capacity of IoT devices to collect information about us surreptiously.

Virtually everyone in Western society is already generally aware that CCTV security cameras are watching us more or less everywhere we go in public spaces. From the grocery store to the gas station to the workplace to the stoplight, business owners and law enforcement are monitoring. What fewer people realize is just how interconnected many of those cameras already are.  Although they aren’t quite the Panopticon portrayed in many action-adventure movies and TV shows–capable of tracking down anyone, anywhere, in real time, from a single control center–the video feeds from many of these cameras are, in fact, accessible through internet-connected networks.

And if something is online, it can be hacked. It should come as little surprise that the mesh video networks run by municipalities, airports, and other public authorities often do not employ strong privacy protection, but even I was surprised to learn at last year’s DefCon 22 just how easy this can be. As a result, virtually anyone could be watching you through one of those public cameras.

Even the cameras we choose to set up can be made to spy on us when we don’t want them to. In September 2013, the FTC took its first enforcement action related to IOT-collected information. TRENDnet, a company that markets video cameras designed to allow consumers to monitor their homes remotely settled FTC charges that its lax security practices exposed the private lives of hundreds of consumers to public viewing online. According to the FTC, TRENDnet marketed its numerous products as being “secure” when, in fact, the cameras had faulty software that left them open to online interception. The complaint further alleged that, in January 2012, a hacker exploited this flaw and made it public, and, eventually, hackers posted links to the live feeds of nearly 700 of the cameras. The feeds displayed babies asleep in their cribs, young children playing, and adults going about their daily lives. Once TRENDnet learned of this flaw, it uploaded a software patch to its website and sought to alert its customers of the need to visit the website to update their cameras.

The ability to track individuals through the IoT doesn’t stop with the sense of sight, either. Once more people are using IoT-enabled infrastructure, they will end up leaving the equivalent of digital fingerprints everywhere they go. Digitizing our physical interactions will create a digital record of our movements and whereabouts that had never previously existed.

For advertisers and retailers, this will be a goldmine of information just like social media was before it–a brand-new trove of personal data that can be used to send out even more precisely targeted commercial solicitations. Without doubt, those providing IOT services will not only want to recognize who we are, but also to remember where we’ve been. And just like we do online now, many users will consent to their information being collected in this manner. The convenience factor will be huge. Just like I want my webmail service to remember who I am without having to re-type my password every time, so too will I want my clothing store to remember my size, my restaurant to remember my favorite meals, my grocery store to remember the location of my favorite items, and the news feeds that I’ll see projected everywhere to remember my favorite topics.

But others will be remembering that data as well. Thanks to Edward Snowden and the NSA, the world is already aware of how much information private companies and the government collect about our emails and other online interactions. Law enforcement already does all it can to track a suspect’s physical movements, whether through cellular towers, IP addresses, or GPS trackers. With a IoT devices everywhere pinging our phones with NFC  or BLE-type-sensors, merely walking down the street will leave behind so much data about our physical location that it may well become possible to create precise maps of our every step going back hours, days, or even longer.

Comments

comments