The Internet of Things and privacy – Part one: Issues with consent
This article is part of a series exploring the Internet of Things and privacy:
- Part one: Issues with consent
- Part two: Solutions for consent
- Part three: Protections beyond consent
Mass collection of personal information
While it’s hard to say for sure just how much data is currently floating around the internet, one thing is for certain – it’s a lot. But those massive bodies of information are mere shallows compared to the deep dark ocean of data that the Internet of Things (IoT) will create.
The IoT is mostly made up of everyday objects that are connected to a network. Traditionally ‘dumb’ devices – fridges, streetlights, thermostats – are being made ‘smart’ by giving them a tiny computer and a WiFi connection. These devices use built in sensors to make use of their features – smart speakers have microphones to listen for your voice, smart doorbells have cameras to recognise your face, and smart watches have LED sensors to watch your blood vessels pulse as your heart beats. There are billions of IoT devices around the world; collectively they are continuously collecting a staggering amount of data.
And while predictions about the future of the IoT vary wildly, they all have one common theme: growth. The number of IoT devices is expected to grow enormously; more kinds of devices will become connected; the amount of data they collect will naturally increase alongside them; and with the deployment of 5G, carriers operating the networks used by the IoT will also collect greater amounts of data.
Meaningful consent
As IoT devices become ubiquitous, it may become increasingly difficult to find unconnected personal devices. Vendors have an incentive to sell smart devices instead of dumb ones: smart devices let them collect valuable personal information. However, generally speaking, vendors require the consent of individuals in order to make use of that information. Consent in this sense must be meaningful, one prerequisite for which is that the consent must be voluntary – individuals must have an actual choice, meaning that not giving up their personal information must be a viable option.
But what happens if you do not consent to an IoT device using your personal information? Does your smart hairbrush become a regular hairbrush? Does your connected car’s GPS turn off? Does your smart speaker become a paper weight? If you must consent to giving up your personal information in order to use a device that you own, it’s difficult to consider that consent voluntary.
The ‘notice and consent’ model for IoT devices suffers from another issue – the owner of an IoT device often isn’t the only one whose information is being collected and used. IoT devices tend to collect information from the physical area around them, meaning that they may collect personal information from anyone who happens to be in their vicinity. For instance, smart doorbells usually have a built-in camera so that they can take photos of people at the front door, upload the photos to the vendor’s servers, then process them in some way (such as performing facial recognition or sending the photos to the device’s owner).[1]
But if the vendor requires consent to use and disclose personal information, they must get consent from everyone who approaches the front door. This gets complicated quickly – other residents may not want to consent, children may not be capable of consenting, and visitors may not even be aware that their personal information is being collected. Many IoT devices don’t even have screens, making it difficult for them to provide information and collect consent. Often vendors address this by requiring users to download a smartphone app, but it’s hardly practical to make people download an app to ring your doorbell.
Inferring information
Even if an IoT device has a convenient way to show users privacy policies and collection notices, vendors are not always capable of providing enough specific information so that individuals can then provide informed consent. IoT devices collect a wealth of information, some because it’s necessary for the device to perform a function, some to help the vendor understand how people are using their products, but some is collected for unspecified purposes.
Advancements in artificial intelligence have allowed insights to be gleaned from unexpected sources. It often isn’t clear what could be learned from information until it is fed into a machine learning algorithm. This has led to the practice of organisations collecting all the data they can, just in case it turns out to be useful later.
If the vendor of an IoT device doesn’t know the specifics of why they are collecting personal information, it’s hard to imagine how anyone could be informed enough to meaningfully consent to providing it.
Read Part two: Solutions for consent for an exploration of how issues with consent could be addressed.
This article was written by Asher Gibson, Policy Officer, OVIC. The views expressed in this post are the author’s own and do not necessarily reflect the views of OVIC.
[1] See, for example https://support.google.com/googlenest/answer/9268625