Data Protection and the Internet of Things
March 20, 2019
The internet has changed consumers’ lives dramatically and we have undoubtedly benefited from technology. As more people gain greater online accessibility and connectivity, smart products will become more of a day-to-day reality for consumers everywhere, marking a major change in the way many consumers interact with products and services.
This emergence of smart products brings many opportunities for consumers, access to new services, more responsive products and greater convenience and choice. It is also pertinent to note that smart products are no longer limited to handheld devices, tablets and desktops with internet connection. There are now smart TVs and smart fridges that can monitor your consumption and order groceries accordingly; smart watches that are used with fitness apps to track movements; and even smart CCTV cameras.
These connected devices now make up the Internet of things (IoT) – a network of interconnected devices that are able to connect to the internet to interact and exchange data. This data can also be accessed and stored by the parent company producing the smart product.
This has obvious advantages for consumers. Interconnected devices are able to generate large volumes of high quality data on everyday actions, habits and preferences of their users. Companies can then use this data to improve the overall user experience of their products and tweak their products to ensure they meet the expectations of consumers. At the same time, the data can be used to improve their marketing strategies.
There are, however, some significant causes of concern with products on the IoT, including a lack of security, privacy and meaningful choice over how we use them, as well as a lack of clarity on who is responsible when things go wrong.
Lack of regulation can lead to gathered data being sold off or used by third parties for their unethical purposes. The most high profile case of this involved Facebook, an extremely popular app in Fiji and around the world and a data firm called Cambridge Analytica.
According to news reports from New York Times, the personal data of approximately 87 million Facebook users was improperly shared with Cambridge Analytica by a third party app. The data was accessed when Facebook users agreed to share it with an app called “This is Your Digital Life”. This gave the app opportune access to information on the user’s network of friends as well. However these friends did not necessarily consent to their information being shared. The app developer then breached Facebook’s Terms of Service by sending the data to Cambridge Analytica.
These high profile data breaches as well as the proliferation of smart products and IoT have led to discussions on consumer consent and the right to privacy, taking centre stage across the globe. Consumers are raising their voices and joining the conversation on protecting their data and ensuring that companies do not use data for any purpose other than originally intended.
Unfortunately, studies have shown that a pattern of poorly informing users of how their data is used and protected is emerging. A 2014 study conducted by Prof. Scott Peppet surveyed twenty popular IoT devices including the Nest Thermostat, the FitBit, health products, and home monitoring systems, in an attempt to gauge the depth and degree of their privacy disclosures. The research found them to be shockingly inadequate. None of the twenty devices included privacy- or data-related information in the box.
None was even referred in the packaging materials or user guides to the existence of a privacy policy on the manufacturer’s website. Some policies seem to apply to both website use and sensor-device use. Other policies limit their application to website use, not sensor-device use, but provide no means to locate a device-related privacy policy. This leaves unanswered whether any privacy-related policy applies to the data generated by these devices.
In the same vein, a 2013 study of 23 paid and 20 free mobile health and fitness apps found:
- 26% free and 40% paid apps had no privacy policy; and
- 39% free and 30% paid apps sent data to someone not disclosed in the app or the privacy policy.
- In 2016 a study of over 300 devices by 25 world’s data protection authorities found:
- 59% of devices failed to adequately explain to customers how their personal information was collected, used and disclosed;
- 68% failed to properly explain how information was stored;
- 72% failed to explain how customers could delete their information off their devices; and
- 38% failed to include easily identifiable contact details if customers had privacy concerns.
To combat the above and to give consumers a choice on how their data is used, countries around the world are enacting data protection and privacy laws. One example is the European Union’s General Data Protection Requirements. The law lays out the rules of data capture, storage, usage, and sharing for companies, and stiff penalties for those that fail to comply. Similar laws have emerged in the US, primarily in California in the form of the California Consumer Privacy Act. However where the law is lacking, users are advised to be careful and be smart when using smart products. Different measures are undertaken to address privacy and security risks.
The Consumers International in collaboration with Internet Society have also created “Connect Smart” tips to help consumers safeguard themselves from potential risks in the absence of prudent laws and regulations. Therefore it is advisable for all consumers to take heed of the SMART tips below to:
“BEING SMART”
S
•SEARCH for potential security and privacy issues– Search the product online for reviews or news articles that identify security or privacy issues. Check whether you can make your device more secure by changing the password and adjusting the privacy settings. Confirm if the device receives regular updates so any security vulnerabilities can be fixed.
M
•MAKE strong unique passwords for each device- Generic default passwords can be easily identified and allow attackers to gain access. Set strong unique passwords for each device, service and your home router. The longer the password, the better, mix upper and lower case letters, numbers and special characters to increase strength.
A
•ADJUST settings for maximum security and privacy- Many devices and services come with minimal security protection by default and collect significant amounts if important information about you-so change your settings for greater security and privacy.
R
•REGULARLY update software- If the device or app has an auto update feature, turn it on. Find out how to check for software updates in each device and do it within a month. Most companies will release updates when they patch security vulnerabilities. Also accept updates for the apps on your mobile phone that control your device.
T
•TURN OFF features you don’t need and device when not in use-Lots of features on your device can continue to monitor you even when you don’t expect or need them to. To avoid this, disable cameras, microphones or location tracking apps when you are not actively using them. And if you are not using this device, turn it off
SMART tips ensures that consumers are guided whilst purchasing and using the smart devices, thus safeguarding them and ensuring their consumer rights are not breached.
Consumers can also raise any concerns they have on protection of their data with the Consumer Council via the National Consumer Toll Free Helpline – 155. This will assist the Council in mapping the data protection issues for Fiji that need to be addressed.
-ENDS-