CellTrust Blog

The perils of connectivity: Privacy and security on the Internet of Things

I was recently asked to speak on a panel discussing “The perils of connectivity: privacy and security on the Internet of Things,” at the State Bar of Arizona’s annual conference for attorneys. My co-panelists included David Bodney, Ballad Spahr LLP and Chair of ABA Forum on Communications Law; Daniel Christensen, Global Group Counsel of IT, Privacy & Security at Intel Corporation; and Leon Silver, co-managing partner of Gordon & Rees, LLP.

Our session opened with an overview of the Internet-of-Things (IoT), eloquently presented by Frank Jones of Intel Corporation, the Internet-of-Things Group.

Intel is establishing itself as the leader in IoT—“sparking change through innovation.” The company states that ‘the IoT is “made up of billions of ‘smart’ devices—from miniscule chips to mammoth machines—that use wireless technology to talk to each other.’ The IoT world is growing at a “breathtaking pace—from 2 billion objects in 2006 to a projected 50 billion by 2020.”

Intel’s proposition is built on a tiered system:

Monetize HW, SW, and Data Management
Horizontal/Scalable Analytics
Data Normalization
Connectivity, Device Discovery, and Provisioning
Security as the foundation – HW and SW

So where do we find IoT used in our day-to-day lives? According to Intel, the majority IoT implementations are currently in business and manufacturing, with analytics and robotic machinery. One third is in healthcare, 8.3 percent is in retail, and 4.1 percent is in transportation, such as GPS locators, performance tracking, and self-parking cars. Home applications, such as shutting garage doors remotely, is also a part of the IoT market.

This is where the panel came in. What are the privacy implications in the IoT?

Daniel kicked it off with several impressive statistics about the amount of data currently in digital form. He followed this with his list of ten considerations for the IoT:

  • Vulnerability
  • Sensitive data inferences
  • Lack of control
  • Quality of consent
  • Intrusive profiling
  • Repercussions of secondary use of data
  • Uncertain legal responsibilities
  • Continuous publicity
  • IoT culture in creation
  • Jurisdiction creep

There is a lot to consider with those elements, but we only touched on a few in the two hours we were given.

David followed with a discussion on privacy rights. With an extensive background in media law, commercial speech, privacy, and First Amendment law, David has seen the industry grow over the years (having started practicing law in 1979). He is careful to watch for unintended impacts on commercial speech during regulation.

The audience was highly engaged and asked many questions, including the following:

Who owns the data? 1

This is a tricky question. In a regulated environment—financial, healthcare, education—the data belongs to both parties. For example, the information in a medical record belongs to the patient, but the record itself belongs to the doctor or facility by law. State laws require that doctors retain this information. So in an IoT environment, where perhaps data is being transmitted to the doctor—who owns it? Both sides would own it. Of course, the individual should always consent to data being both collected and transmitted. But even if a person or specific company owned the data, another company that pulls that data together in a unique manner, aggregation, or format might have a valid claim to intellectual property rights.

If data is anonymized, with or without your knowledge and agreement, it is still very rich data and can be a source of valuable business intelligence.

Is this a U.S. issueeither the IoT or the privacy concerns?

IoT: No. Devices collecting data and speaking to each other is a global occurrence. Unfortunately, despite the fact that major U.S. companies based in Silicon Valley are in the news frequently (Google, Facebook, LinkedIn, Intel, Microsoft, Uber), metrics have shown for several years that the U.S. is actually behind other developed countries in technological advances and capabilities—specifically in warfare, mobile devices, and social media.

Privacy: The U.S. vastly differs from every other country in the world when it comes to privacy laws. The U.S. regulates privacy on a customer basis—a patient, a student, or a financial customer. However, its requirements and enforcement within those regulations are tight and active. Conversely, all other countries with privacy laws—and they do vary—provide privacy protections on the basis of being a person, not restricted to a certain industry.

How should the IoT be regulated?

Oh, this is an excellent question. It will be difficult to foresee strict privacy regulations in the U.S. on a general basis, although bills are constantly proposed in Congress annually. On the State level, we see more legislative activity with 47 states having data breach laws (plus Washington DC, Guam, Puerto Rico, and Virgin Islands). Ten of these states include the word “privacy” in their Constitutions, whereas the U.S. Constitution does not.

If the government does not regulate IoT, then we rely on self-regulation by the industry or watch-dog groups. This will also be a challenge. As Daniel referenced early on, a person’s data is worth $1,200 and only costs a nickel to obtain. That’s hard for any business to turn down, although there are many ethical businesses out there. It’s a solid business proposition.

Given these statements and the prevalence of IoT now, what can a person do to protect his/her data?

I recommend these ten tips2:

  1. Get accustomed, get smart or get off the grid.
  2. Use passwords to protect your accounts and devices.
  3. Use strong passwords with different tiers based on the risk of the account/device. Be sure not to write them down for others to see. I hear great things about password vault.
  4. Read the privacy policy AND the terms of use. You cannot negotiate, but you can be aware and make informed choices.
  5. Find the off switches – not all capabilities need to be activated.
  6. Don’t leave connectable devices connected when it is not necessary: the baby monitor does not need to be on when s/he is in your arms.
  7. Install those security updates and check the manufacturer’s website periodically.
  8. If possible, use antivirus and malware detection.
  9. If connection is not important to you for that device, buy the version without it.
  10. Don’t provide personal data unless it is required, and even then balance benefit against risk.

 

1 These are my personal opinions and do not reflect those of my employer and should not be considered legal advice.

2 Taken in large part from “Privacy tips for the Internet of Things

Worried that your connected devices are collecting too much personal data? Here’s what you can do.” ConsumerReports.org April 30, 2015.

About

K Royal is the Vice President, Assistant General Counsel and serves as the Privacy Officer for CellTrust. An attorney and compliance professional with 20 years of experience in the legal and health-related fields, she brings a thorough perspective in global program implementation. Skilled in privacy law, breach management, compliance and program development, Ms. Royal was recently honored as the ACC’s 2015 Robert I. Townsend, Jr. Member of the Year.

  • Follow: