Welcome back for the fourth article in our “A Beginner’s Guide to IoT” series! On the back of our article on Security (check that out here), we’re now going to be taking a look at privacy in IoT, how it differs from security (trust us, it’s a little more complicated than you might expect), and what we, as human data generators, should be aware of in a world ever increasingly filled with sensors.
If you’re suddenly tempted to go away and read another Buzzfeed article at the first sign of the word ‘privacy’, fight the urge! Privacy is vitally important in every aspect of digital technologies, but if you doubt us, I present to you the acronym that pretty much every consumer is aware of, and every business fears: GDPR. More on this later.
As always, start with the basics
At CroudThings, we often like to start explaining a concept by giving you the literal definition of the topic we’re discussing, then go on to conclude that the definition is, shockingly, unhelpful, and use this as the first foothold for the article in explaining further details in the topic. Just in case you were worried that we weren’t going to do that for this article, fear not. Here’s the definition from the Cambridge English Dictionary for privacy: “someone’s right to keep their personal matters and relationships secret”. (Sometimes, it is actually rather useful to start from literal definitions in discussing highly complex topics 😉)
What’s key about this definition is that two distinct parts represent the principle of privacy. First, that it described privacy as a “right”, i.e. something which everyone has without exception, and that it’s fundamentally non-negotiable. And second, that the use of the words “personal matters and relationships” can be abstracted to the idea of personal data. When we take these two parts and reinterpret them in the context of digital technologies, we’re able to come out with a new definition, which was proposed by Norton as: “the rights you have to control your personal information and how it’s used”.
In our last article we discussed security, and if you’ve read it, by now you might be thinking “this sounds awfully similar to security!”. In all fairness, privacy and security do indeed have a huge amount of overlap, but this is largely because you never normally get one without the other. For example, someone hacking into a server and stealing private data is both a breach of security and privacy.
That said, it’s more helpful to think of privacy and security as two separate perspectives or points of view. Security is more often focused on the technological aspect of handling information, while privacy is concerned with what’s achieved by handling the information in a specific way (like keeping it out of the hands of malicious hackers). Privacy is also concerned with the ethics and rights associated with how people’s data is collected and used.
A fantastic example of the relationship between privacy and security was given by Norton in their article here. Definitely go over and check it out, it’s under the “What’s the difference between privacy and security” heading.
How your data is handled, and how it should be handled
Okay, so we understand security and privacy, and we have a general understanding of the role privacy plays in the digital world. But, what relevance does it have to IoT?
Well, a fundamental purpose of the Internet of Things is about using sensors and devices to collect data about the world, and as a direct knock-on-effect of this, it’s often about gathering information about people. A great example of this is Sidewalk Labs (an Alphabet company) and their work on the Quayside in Toronto, Canada. In their own words, Sidewalk Labs are looking to make the Quayside “a place that’s enhanced by digital technology and data, without giving up the privacy and security that everyone deserves.” (find their full vision here).
Sidewalk Labs are looking to achieve this through implementing various digital technologies with the aim of making the Quayside a centre for innovation, and generally a better place for people to live and work in. In terms of privacy, the most interesting part of the work being carried out is concerning open digital infrastructure. As part of the Quayside development, Sidewalks Labs wants to enable companies to use the information collected from the Quayside in order to encourage “creation and collaboration to address local challenges.”.
In principle, all of the data would be centrally managed using something called the privacy by design framework, which aims to keep people’s data privacy protected. On the face of it, this is great however, recently it was reported that the central body governing the use of data could actually have the power to give companies access to data that hasn’t been anonymised (think, video footage that might have people’s faces on it). The reason this is concerning is that it represents a “slippery slope” decision, that might eventually lead to the privacy of individuals’ data being completely compromised (you can read more HERE). Non-anonymised data is a lot more valuable to companies, and so with the option to use non-anonymised information, companies will always try to get this data even if they don’t really need it.
The big question that looms here is that if people object to how the data is collected by an Internet of Things system, how can they express their non-consent to the collection of their data? A similar question in regard to digital information management was recently answered by the European Union in the form of General Data Protection Regulation, a.k.a. GDPR.
As you probably noticed, as soon as GDPR came into force you were bombarded by emails from companies asking your permission to keep your data in their systems. If you didn’t want them too, you simply didn’t re-consent. But there is no similar action for people to take to prevent their data being collected by IoT systems; just entering the physical area where sensors are deployed is enough for your data to start being collected.
Will we ever have privacy with the Internet of Things?
Clearly, there are very serious questions surrounding the collection and use of public data. Ensuring all data is anonymised is an obvious first step and one that shouldn’t be compromised. But beyond that, we may well face a reality where there is simply no feasible mechanism for people to prevent data being collected by IoT systems, aside from simply moving into the middle of nowhere.
It’s not an absurd proposition to suggest that with time, and a younger generation growing up with this technology, that society will gradually accept this lack of consent as acceptable. This is after all how many technologies end up being adopted. It’s not because the technology fundamentally changes, but because of the societies ability to accept it. Think how the concept of having a Facebook account still escapes many older people, and yet is the social norm for millennials and following generations. That said, just because this might work, doesn’t really make it ok.
In all likelihood, it will fall to the public and privacy advocates to fight this battle against this gradual acceptance of potentially very harmful privacy policies. We’re not exactly saying we’ll end up living with Big Brother, or worse, with enormous companies manipulating us to spend more money based on data collected from our last supermarket trip (…wait, doesn’t this already happen?). But we need to be ever more aware of our digital footprint in a world where that footprint is becoming increasingly detailed.
That’s all we’ve got for this week, and we hope you’ve enjoyed reading, and as always, we’d love to hear your thoughts in the comment section below! Remember to subscribe to make sure you don’t miss an update and check out our What We’re Reading page for your weekly fix of IoT articles!
With lots of ❤,