Entering the IoT Era: Is it Too Late to Save Privacy?

We live in an increasingly interconnected world, where our embrace of digital technology continues to blur the lines between public and private. The formation of the Internet allowed people from all over the globe to get and share information, and the Internet of Things is poised to further revolutionize how we communicate and interact with the world around us. The Internet of Things (IoT) refers to the network of physical objects and devices that connect and exchange data with each other via the Internet. The IoT field emerged in the mid-to-late 2000s, when the ratio of internet-connected devices per person grew rapidly from 0.08 in 2003 to 1.84 in 2010. In 2020, the number of IoT-compatible products surpassed the number of non-IoT products for the first time. By 2025, it is expected that there will be more than 30 billion IoT connections and almost 4 IoT devices per person on average worldwide. These complex systems of IoT devices will benefit and assist many areas of our daily lives, but at the same time they will collect vast amounts of personal data and pose a serious threat to privacy. As we move forward into the IoT era, developers, manufacturers, regulators, and consumers of IoT devices must work together to address these major privacy and security issues.

The very concepts of IoT and privacy have often been described as directly opposed to one another. How can the two coexist when the goal of IoT is interconnectivity and the goal of privacy is to keep things self-contained? The UN’s 1948 Universal Declaration of Human Rights states in Article 12 that “No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence…” and explicitly establishes the right to privacy in one’s home. But in the age of IoT, how will this right to privacy be affected by consumer adoption of smart home technology with the capacity to record and monitor them 24/7? Already, products such as Amazon’s Alexa record audio and usage data from any connected device, and Amazon stores this information indefinitely. The potential personal data recorded by IoT-enabled home devices would be of enormous value to third parties. For example, a kitchen containing a smart refrigerator that helps keep an inventory and smart ovens or microwaves that can remember settings for specific recipes or foods offers remarkable convenience. But a health insurance company could use the information collected from such appliances to calculate rates based on your diet. Similarly, as IoT devices become further integrated into cars, car insurance companies will be able to use the data provided to determine your policy. In another real-world example, an employee with a company car was tracked by their manager on their lunch break and fired for attending a local strip club. The employee successfully sued for wrongful termination and argued such tracking was a violation of their privacy. In such cases, questions arise as to who ultimately owns and should have access to data recorded from IoT devices. Is it the consumer, employer, manufacturer, or will insurance companies also stake their claim?

Given the established right to privacy, it is easy to argue consumers should have control over their data, especially when it is collected in their own homes, but this is not always the case. There have already been several instances of data from IoT devices being used as evidence in criminal cases. Eventually, determining what reasonable expectations of privacy are in the IoT era will be left up to lawmakers. While the European Union has sought to address data privacy issues through legislation like the General Data Protection Regulation, which was implemented in 2018, in the United States there is still no data privacy law or central data protection authority at the federal level. Governments should engage with both manufacturers and consumers to answer an array of data privacy questions to draft practical IoT regulations.

Even though data privacy laws may be able to address how personal data from IoT devices is collected and used, the security of IoT devices also requires scrutiny. An aspect of IoT that is often overlooked by the public is that by interconnecting many digital devices, any security vulnerability in a single device will affect the entire system. According to Frank Abagnale (the world-renowned cybersecurity expert and famous con artist whose life is the basis for the film Catch Me If You Can), a single hack into a smart home device could potentially be used to collect sensitive personal data from other devices on the network, be it cameras or microphones. Such hacking risks extend to all IoT infrastructure. In the case of cars, most computer architecture is a remnant of a time when vehicles were a closed and isolated system. In the IoT era, however, cars are becoming sophisticated members of global networks that relay large amounts of GPS and diagnostic information. Cybersecurity experts have demonstrated that IoT-enabled cars can be hacked in order to track drivers and, in some cases, even manipulate systems to cause an accident. Security vulnerabilities also apply to the corporations collecting and storing our personal information. In 2019, a study by the Ponemon Institute concluded that business data breaches arising from unsecured IoT devices had doubled in only three years. A majority of healthcare organizations now incorporate IoT devices, and as more and more highly sensitive health data becomes stored digitally, the privacy of patient data is put at significant risk. A recent example of the growing dangers to patient privacy was the hack of the Singapore firm SingHealth, which exposed sensitive data, including DNA repositories, of over one million patients. Therefore, it will be necessary to also consider cybersecurity issues when lawmakers address the relationship between privacy and IoT.

Establishing trustworthiness for IoT systems is critical as more IoT-enabled devices enter the market and are adopted by the public. The Industrial Internet Consortium (IIC) defines the trustworthiness of an IoT system by five main characteristics: security, safety, reliability, resilience, and privacy. Currently, consumer trust in the ability of companies offering IoT devices to protect their private data is extremely low, and no industry was able to garner a trust rating of over 50 percent. Interestingly, a growing number of consumers not only care about data privacy, but are also willing to make purchasing decisions dependent on privacy policies. Unfortunately, the vast majority of consumers do not understand privacy policies or the risks to their data, and relevant information about the privacy and security of IoT devices is not readily available. While legislators in the US have proposed adding clear and concise labels to inform consumers, there has been no guidance on the content of these labels. As companies rush to introduce IoT technology, regulators must hold them accountable for the collection and handling of data from IoT devices and ensure consumers are aware of these practices. Governments need to interface with device manufacturers and consumer advocate groups to establish robust industry standards that will protect IoT data, include IoT-specific language in data privacy agreements, and introduce laws that protect individual rights. Sensible policies addressing these issues must be enacted now, before IoT implementation redefines privacy as we know it.


Established in 1995, the Georgetown Public Policy Review is the McCourt School of Public Policy’s nonpartisan, graduate student-run publication. Our mission is to provide an outlet for innovative new thinkers and established policymakers to offer perspectives on the politics and policies that shape our nation and our world.