Privacy and the Internet of Things: Emerging Frameworks for Policy and Design
Rosner, Gilad and Kenneally, Erin, Privacy and the Internet of Things: Emerging Frameworks for Policy and Design (June 7, 2018). UC Berkeley Center for Long-Term Cybersecurity/Internet of Things Privacy Forum
28 Pages Posted: 4 Mar 2019
Date Written: June 7, 2018
The proliferation of network-connected devices, also known as the “Internet of Things” (IoT), offers unprecedented opportunities for consumers and businesses. Yet devices such as fitness trackers, personal home assistants (e.g., Amazon Echo, Google Home), and digital appliances are changing the nature of privacy as they operate silently in the background while transmitting data about a broad range of human activities and behaviors.
As “smart” becomes the new default setting for devices, consumers are further losing the ability to monitor and control the data collected about them, and they often have little awareness of what is done with their data downstream. The risks of sharing data through smart devices are not always clear, particularly as companies combine data from different sources to infer an individual’s habits, movements, and even emotions.
This report provides an overview of some of the key privacy issues resulting from the expansion of the IoT, as well as emerging frameworks that could help policymakers and corporate leaders reduce potential harms through regulation and product design. Among the findings outlined in this paper:
• The IoT has the potential to diminish the sanctity of spaces that have long been considered private, and could have a “chilling effect” as people grow aware of the risk of surveillance. Yet the same methods of privacy preservation that work in the online world are not always practical or appropriate for the personal types of data collection that the IoT enables.
• Several frameworks have emerged for addressing the privacy issues that the IoT presents. Some focus on giving users more meaningful, granular control over the data that is collect- ed, when data is collected, and how it is shared, while others focus on the accessibility and correct timing of privacy notices.
• Policymakers should take steps to regulate the privacy effects of IoT before mass sensor data collection becomes ubiquitous, rather than after. Omnibus privacy legislation can help regulate how data is handled in the grey areas between sectors and contexts. Europe’s General Data Protection Regulation (GDPR), coming into force in 2018, will have an impact initially on IoT devices created and sold in the EU, and will affect those from the US as well over time.
• Having broad non-specialist conversations about the use, collection, and effects of IoT data is essential to help the populace understand technological changes in this space and how they affect privacy expectations.
• Makers of IoT products and services should employ a variety of standard measures to provide greater user management and control, as well as more effective notification about how personal data is captured, stored, analyzed, and shared.
The findings in this paper were developed through two workshops, seventeen semi-structured interviews, and an extensive literature review. A detailed analysis can be found in the full research report, Clearly Opaque: Privacy Risks of the Internet of Things, which was funded by the William and Flora Hewlett Foundation. Sample quotations from these interviews and workshops are included throughout this paper.
Suggested Citation: Suggested Citation