We all talk a lot about the impact of the Internet of Things (IoT). In almost every article about the topic, the author will include one sentence saying that personal data is important, and we need to think about privacy. Consider this recent article by Ali Durmus for Telcoprofessionals.com:
2015 – The year the wearable market explodes
…IDC estimates that 72.1 million devices will be shipped in 2015 up 173.3% from the 26.4 million units shipped in 2014. Fitbit continues to be the market leader with 34.2% market share in 1Q15 with Xiaomi coming second at 24.6%. Fitness, including activities such as how many steps a person has taken in a day along with running, hiking and multi-sport activities continues the dominate the reasons why people are buying wearables…
…The use of wearables in a connected healthcare and lifestyle environment will become of increasing important especially with the management of illnesses as well as for health predictions and the use of calculating things such as health insurance. There are the obvious security and privacy issues that need to be addressed with that.
I am sorry, but it is not good enough to write a long article about the huge revenue growth that will come with IoT, and include one bland sentence that says ‘obvious’ issues will ‘need to be addressed’. How? By whom? At what cost? What will be the penalties if they are not?
When it comes to the IoT, we are not talking about trivial or unimportant data about a human being. But there will be few easy answers to the questions we must face. Consider that a wearable medical device will capture lots of sensitive data, and need to transmit it. We also want them to be light, unobtrusive, and have a long-lasting battery – nobody’s life will be saved by a sensor that is switched off. But that immediately creates huge challenges. Encryption is a computationally intensive process, so the stronger the encryption, the worse the battery life! Who decides what is an acceptable trade-off between safeguarding a patient’s data, and the chance of a flat battery?
This concern came up again and again when I talked to manufacturers at Wearable Tech 2015. To be fair to them, they admitted to the scale of the challenge. But many manufacturers were start-ups in fierce competition with rival firms. We are at grave danger if we foster an approach that focuses on the revenues now, and deals with the issues later. And it would be irresponsible for a big comms firm to slap their established brand over a new service, then point fingers of blame when their manufacturing partner builds devices with inadequate security. To its credit, the industry knows we face problems. This was illustrated when I engaged in a RIMS Twitter chat about cybersecurity and the IoT. This was the comment that prompted most response.
@jarrodsmagan @VinnySakore Security by design is good idea, but who forces it on VC-funded startup maker of wearable med tech? #RIMS15Chat
— Commsrisk (@Commsrisk) March 18, 2015
We know that those IoT devices already in widespread use have failed to incorporate adequate protection of data. Smart meters face fewer technical challenges than wearables, but academics lambasted the poor cryptography of one of the most popular smart meter specifications.
Thankfully, one positive message I heard at Wearable Tech 2015 is that regulators are thinking about the risks, even if they do not yet have all the answers. Confirmation of that came recently with Ofcom, the UK comms regulator, commissioning a report by independent consults WIK-Consult. The purpose of the report was to study recent academic research into the best ways to interact with customers when handling data gathered via the IoT. This report is not the end of a process; we need much more industry debate about these risks. However, I hope the report will inject some urgency into the pursuit of compromises that will take all risks into consideration. What follows are some of the key findings from that report.
The IoT multiplies the scale of the data and privacy challenge.
If expectations about the take-up of such connected devices are correct, online tracking of personal data is likely to become seamless across all areas of people’s lives. Besides the increase in the amount of data, one may also expect that data gathering, aggregation and analysis will become even more subtle as machines talk to machines without (almost) any human intervention. Thus, consumers have even less opportunity to learn about data-gathering practices. In some cases, they may not even be aware that the device they are currently using is actually connected to the Internet.
…it is likely that the IoT will multiply the number and complexity of contractual relationships, which has to be reflected in the terms and conditions… Furthermore, it is likely that many connected devices will feature only very small screens or even no screens at all. This will also render attempts to make such agreements easier to read, for example by turning them into a label, largely futile… Finally, the IoT is likely to increase uncertainty about the consequences of consumers’ actions because as the complexity of interactions multiplies, so do potentially adverse effects of willingly or unwillingly disclosing personal data.
The need for informed consent is well established in privacy law.
Consent plays a central role in most data privacy laws in the world.
[In Europe] the stance on personal data and privacy is clear-cut. The right to protection of personal data is a fundamental right constituted in the European Union, and the European Data Protection Directive of 1995 which is implemented by the member states. The directive entails specific requirements for the processing of personal data. Within that, informed consent plays a central role.
However, informed consent is rarely given in practice.
Consumers rarely read terms and conditions at all.
The signing-without-reading problem or, in the online environment, the clicking-without-reading problem is a well-documented phenomenon.
…consumer surveys consistently show that consumers do say they worry about their personal data and what happens with it. However, in practice, they show very little if any interest in engaging with terms and conditions or even more specifically privacy policies. The most seminal study in this area finds that only about 0.05% of agreements are actually accessed by consumers before they consent to them. It was found that access does not necessarily translate into consumers actually having read the terms and conditions as the average time spent viewing the content of the agreements was significantly below one minute. Understandably, this is not enough to grasp the meaning of the respective agreement.
…if one were to read all the terms and conditions of the websites one visits throughout a year, this would take up several weeks assuming a full 40 hours of reading time each week.
Cranor and McDonald found that significantly less than half of web users (40%) were aware that their emails may be scanned to enable targeted advertisements. The “discrepancy between attitudes and behaviors” phenomenon is referred to as the “privacy paradox”. Furthermore, 29% of users in the same study did not believe that this was actually common practice as they thought such practices would be unlawful. These results may be taken as an indication that consumers do not have the (ex-ante) knowledge to make informed decisions about privacy.
Commonly, the length of terms and conditions and the legalistic jargon are blamed for consumers not being able to understand them. In fact, even law students were found to have significant problems understanding them. Studies investigating the readability of terms and conditions consistently find that at least university-level reading skills are needed to understand them.
Businesses can do a better job of communicating the important facts to their customers.
There are signs that (in the UK at least) firms are becoming more pro-active as regards communicating their privacy notices. For instance, they are moving towards “just in time” notices that pop up at appropriate times.
Standardization, perhaps led by governments, is one way to improve communication.
Some countries have already adopted laws governing how information on public administration websites needs to be presented. For instance, in 2011 Germany implemented a provision for barrier-free access to digital information. Since then, national government institutions have been obliged to offer digital information not only for disabled people but also in “easy-to-understand language”. Website users can easily switch from elaborate to simpler code.
Another way to improve communication is to encourage consumers to speak for themselves.
…new developments in digital media may also have a positive impact on consumer privacy as they can enhance their position in negotiating privacy concerning general as well as specific issues. Via video, blog entry, tweet or Facebook post, individual consumers are able to publish their opinions on privacy and to protest against, for example, changes in terms of contracts. Consumers can generate more attention on a certain topic, network with other consumers and eventually a provider might be more easily forced to react than in the offline world. Digital publication of information and arguments can result in enormous pressure on the “data collectors”. We would see information and the potential response of the public as one necessary but not sufficient tool of consumer empowerment.
We do not have all the answers.
It seems that a single solution for all – or at least most – issues is yet to be found.
However, one of the better answers involves raising consumer awareness in general.
…future research could perhaps address the phase of the consumer information process before they even come in contact with terms and conditions, namely when they become aware that there is an issue at all. Currently, there is a lot of uncertainty with consumers and experts alike regarding the potential effects of data collection. First, we have to be able to point to the specific (adverse) effects that may emerge from the tracking of personal data. Specific information about these effects is likely to raise awareness among consumers. This, in turn, is likely to motivate them to engage with terms and conditions and in particular privacy policies of services and products they consume.
Low consumer awareness of issues means they are not ready to debate the balance between risks and rewards. However, we need that debate.
…the key to agreement on an acceptable level of costs is likely to depend on… whether we can agree on the risks and benefits that consumers derive from using online services. Clinical research went through a decades-long painful process before finally reaching agreement on the importance of trial participants understanding both the risks and the benefits. As a result, clinical research has accepted significant transaction costs in order to ensure informed consent. This would suggest that a key first step in thinking about how such an approach could be adapted to online services, there would need to be agreement on the risks and benefits to consumers. Such agreement would need to reflect a consensus on socially and economically acceptable behaviour in the data-driven economy, especially with respect to data harvesting, forwarding, aggregation and analytics practices. As we know that consumers are unaware even about relatively simple analytics techniques… it will be interesting to learn about how consumers value more advanced techniques – and how they would express the potential of these techniques in terms of a risk/benefit trade-off. We are by no means implying that this trade-off is negative; what we want to emphasise is that risks and benefits appear mostly unexplored today – which appears to be the obvious result of unaware consumers and the widespread use of data harvesting and processing practices that take place in secrecy. Delineating right from wrong thus will be an essential part of naming risks and benefits to consumers. Valuing risks and benefits will, in turn, be an essential part of defining how serious we actually take informed consent as a requirement. This valuation – in combination with the assessment whether other means to improve informed consent have the desired effect – will be an important consideration in determining whether providers need to take measures to ensure that consumers understand the risks and benefits, and under what circumstances providers might need to document that consumers understood.
We must learn from historical mistakes, or we will repeat them.
We refer… to the example of clinical research, where it was first necessary to establish the actual risks if informed consent was not actual informed consent. It took a long list of – from today’s perspective – unethical and quite frightening cases to come to the attention of researchers in the domain, courts and society at large before the domain could establish a notion of right and wrong, of what is ethical and that human trial subjects have rights after all. As much as it was a challenge for clinical research, it will be challenging for our domain to establish a widely acceptable understanding of relevant risks and benefits to consumers. However, if informed consent is to be the benchmark, there is no way around this debate in our domain. If the goal truly is that consumers make informed decisions, we can learn from clinical research that we have to make consumers understand and that we have to be able to specify relevant risks and benefits for consumers when they choose to use a digital and data-driven product or service.
You can obtain the full WIK-Consult report for Ofcom from here.