Building Trust Internet of Things (IoT) Privacy

Does Big Data and the Internet of Things spell the End of Privacy As We Know It?

Rajnesh D. Singh (ISOC) and Yoonee Jeong (TRPC) at the “Online Privacy in an Internet of Things World” Roundtable, Bangkok, Thailand (December 2014)

In the last few years, there has been a phenomenal increase in the number of connected devices globally and we now have more connected devices than people in the world. These ever-increasing number of connected devices are going to keep growing – exponentially at least for the short term as the Internet of Things (IoT) evolves into the Internet of Everything and becomes mainstream in the things we do everyday.

These devices are – for the large part – also generating, collecting, and transmitting data, while still other devices are busy analysing and processing this data. In the process, vast amounts of data are being collected about pretty much everything about and around us – be it personal data (think your fitbit-type device or home automation) or data for things like environmental conditions, traffic flow, industrial processes, etc. etc.

Analysing, and processing this data can help us with with making informed choices and decisions, help improve how we live as a society at large and – looking into the future – the data we collect today may allow future generations to better innovate, invent and to find solutions to a myriad of situations and problems.

This vast collection of data also means we are also – in some cases voluntarily, in some cases not so voluntarily – giving up this data and some say with it our right to privacy. Earlier on – provided you read, understood and accepted all the terms and conditions (sometimes running into scores of pages of text) associated with a particular service – you consented to giving up some data about you and your online presence in exchange for the service. In some instances this service was provided to you “free”, in others at a nominal price. This provided all parties involved had some clear guidance as to what was being given up, under what circumstances, by whom, and how what was given up would be used – though this has and continues not to be a perfect science by any stretch of the imagination.

In this bold new IoT-Big Data everything-connected world, vendors and service providers have the ability to tailor their offerings to consumers as well as all parts of the value chain; and it allows potentially greater efficiency and productivity all around.

But at what cost?

Rapid advancement in data analytics capabilities mean the ability to identify, connect and mine personal information from aggregated data is far much easier than it has ever been.

There are already concerns with existing privacy and data protection policies and lapses, as well security breaches. Coupled with various mass surveillance programmes that have come to light in the recent past, these concerns become further amplified; and more so when we throw Big Data-IoT into the mix.

The actual concept of what privacy is has also been evolving. Personal privacy as practiced by our parents and grandparents are very different to that of us, and further still different for the next always-connected digital native generation.

Big Data and the Internet of Things does not necessarily mean the end of privacy. Personal data protection laws have generally followed the OECD template which requires the data controller to seek explicit permission of the data subject for the collection and use of their data. In the Big Data-IoT world, data controllers may not be able to fully deliver on their commitments.

Perhaps an alternative approach which may be useful in such circumstances would be to  look into the ways in which the data controller uses the data. This may include efforts taken to protect the data and the transparency of the processes used. Another important component would be the user’s ability to understand the data privacy policies in place – and in plain language rather than pages and pages of legalese – together with an accompanying assessment of the risks involved.

The global borderless nature of the Internet means that data could be stored, processed, etc. pretty much anywhere – this requires greater efforts and commitment in the harmonisation of policies towards personal data protection across jurisdictions. Doing so would also potentially reduce the costs of compliance and the likelihood of breaches of local laws.

We have already seen the line between voluntary and involuntary sharing of information rapidly blurring with e-commerce and social media. With Big Data and IoT, the kinds and depth of personal information that can (and will be) collected by operators and businesses will increase, and this requires some effort towards the ability of individuals being able to manage the online behavioural information they reveal. The transparent and ethical use of collected data should be the norm and the collectors of such data must ensure privacy by default; otherwise users and policies will always have to be vigilant and play catch-up. At the same time, there are other drivers such as technologies around data anonymisation, regulatory forces and business incentives that could help strike the balance to ensure the full potential of Big Data and IoT are realised by protecting the most important part of the Internet ecosystem – the user.