The UK and Canadian data protection regulators have written to webcam manufacturers to highlight concerns about the safety of internet-connected devices and to enlist their assistance in reducing the risks posed by their products. In particular, the regulators call for manufacturers to roll out privacy-friendly default settings, implement “privacy by design” – whereby data protection and privacy considerations are built into the design and manufacturing process – and provide increased guidance to consumers about ensuring the security of devices.
This invitation for action is perhaps unsurprising as data protection and consumer-focused regulators have been saying for some time now that product manufacturers have a crucial role to play in maintaining consumer privacy rights and ensuring compliance with data privacy laws. The letter should therefore be read with interest by the manufacturers of all connected technologies (not just webcams) as it is another clear indication that businesses that do not consider privacy and security issues as part of the product design phase and on an on-going basis run the risk of regulatory scrutiny.
Why have manufacturers been contacted?
The recent letter to webcam manufacturers focuses on the privacy risks posed by the Insecam website which, until recently, was streaming live video footage from over 73,000 camera feeds in residential and commercial properties worldwide. The website was able to access unsecured footage because camera owners had not changed the manufacturer’s default password settings. In the words of the regulators, this caused a “major breach of privacy and data protection rights and was extremely concerning for us and many other global Data Protection Authorities (“DPAs”) around the world”. The regulators’ investigations into the Insecam website established that camera users were not aware of the risks posed by leaving the default settings of their devices unchanged, which is why the regulators now seek the assistance of manufacturers to help protect the privacy rights of their customers.
What do the regulators expect of device manufacturers?
The letter advocates a “privacy by design” approach to the security settings on connected devices. In particular, manufacturers are asked to:
- Design and manufacture devices that cannot be operated unless the owner or user has first set a secure access code to prevent unauthorised access. This could be achieved by forcing customers to choose a new password during first use of the device, or by adopting an alternative authentication method.
- Provide increased guidance to customers about ensuring the security of their internet-connected cameras. For example, by:
  - advising customers how to change their passwords and why they should do so;
  - explaining the correct set-up process so that customers can easily choose which features they wish to use or access over the internet; and
  - providing fuller instructions with the camera itself at the point of purchase, together with clear, easy-to-find guidance on the manufacturer’s website.
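The first of the two requests above describes a design control rather than a policy: the device ships with no usable credential and refuses to expose any network feature until the owner has set one that is not a factory default. The following Python sketch is an added illustration of that first-boot gate, not code from the regulators, the letter, or any manufacturer. The list of factory defaults, the password policy thresholds, and the class and function names are all assumptions constructed for the example.

```python
"""
First-boot credential gate for a network camera (illustrative example).

The device starts "unprovisioned" with no usable credential. Stream
requests are refused until the owner sets a password that is not a known
factory default and meets a minimum policy; only then does the device
mark itself provisioned and begin authenticating remote viewers.
"""
import hashlib
import hmac
import secrets

# Constructed sample of weak factory defaults that the gate refuses to accept
# as the owner's new password (hypothetical list, not from any real product).
KNOWN_DEFAULT_PASSWORDS = frozenset({"admin", "12345", "password", "1234", ""})

MIN_PASSWORD_LENGTH = 12      # assumed policy threshold
PBKDF2_ITERATIONS = 200_000   # assumed work factor for the stored hash


def password_problems(username: str, password: str) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if password.lower() in KNOWN_DEFAULT_PASSWORDS:
        problems.append("password is a known factory default")
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    return problems


class CameraDevice:
    """Minimal state machine: unprovisioned -> provisioned."""

    def __init__(self) -> None:
        self.provisioned = False
        self._username = None
        self._salt = None
        self._pw_hash = None

    def _hash(self, password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

    def set_owner_credential(self, username: str, password: str) -> list[str]:
        """First-time provisioning. Returns [] on success, otherwise the problems found."""
        if self.provisioned:
            # Re-provisioning without the current credential would let anyone
            # with network access take over the device; route it elsewhere.
            return ["device already provisioned; use the authenticated change-password flow"]
        problems = password_problems(username, password)
        if problems:
            return problems
        # Store only a salted, iterated hash; never the password itself.
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash(password, self._salt)
        self._username = username
        self.provisioned = True
        return []

    def authenticate(self, username: str, password: str) -> bool:
        """Constant-time comparison against the stored hash."""
        if not self.provisioned or username != self._username:
            return False
        candidate = self._hash(password, self._salt)
        return hmac.compare_digest(candidate, self._pw_hash)

    def request_stream(self, username: str, password: str) -> str:
        """What a remote viewer receives; 'stream' only after provisioning and auth."""
        if not self.provisioned:
            return "denied: device not provisioned"
        if not self.authenticate(username, password):
            return "denied: bad credentials"
        return "stream"


if __name__ == "__main__":
    cam = CameraDevice()
    print(cam.request_stream("admin", "admin"))            # refused: not provisioned
    print(cam.set_owner_credential("admin", "admin"))      # refused: factory default
    print(cam.set_owner_credential("owner", "correct-horse-battery"))  # []
    print(cam.request_stream("owner", "correct-horse-battery"))        # stream
```

The point the gate makes is that the unprovisioned state is the safe state: an unset credential yields a refusal, not a fallback to a shipped default, so a device that is plugged in and forgotten is never reachable with a password printed in the manual.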
This isn’t just about webcams – there is an increased emphasis on the responsibilities of all IoT device manufacturers
Although this particular letter is addressed to webcam manufacturers, it should be read with interest by manufacturers of all technologies that collect and share personal information, particularly over the internet (commonly referred to as “Internet of Things” or “IoT” devices), because regulators increasingly expect manufacturers to recognise that they bear a degree of responsibility for helping users of their products to use them safely.
In this connection, late last year the Court of Justice of the European Union published a ground-breaking decision in the case of Ryneš v. the Office for Personal Data Protection, where the Court held that ordinary individuals who rely on surveillance devices to monitor their properties in a public space are subject to the full weight of EU data privacy law and will be directly responsible for ensuring compliance with the law. The data protection authorities are very likely to wish to shift some of the burden from individual users to manufacturers who, according to regulators, will be in a better position to understand and explain the scope of those obligations and the privacy risks for others. Part of the reason for this is that regulators will not want to be inundated with enquiries from homeowners and individuals in general regarding their legal duties. In addition, the average consumer will be unaware of their data privacy legal obligations as users of IoT devices. This letter indicates that regulators think that consumers need the help of manufacturers to use such devices securely.
Furthermore, the draft new EU Data Protection Regulation also contains very specific responsibilities for businesses operating in Europe or with European-based customers to adopt policies and principles such as privacy by design and privacy by default, so taking steps such as those suggested by the regulators in the recent letter to webcam operators may soon become a legal obligation in black letter law.
Manufacturers looking at ways to ensure compliance may be interested to hear more about Hogan Lovell’s Privacy Innovation Assessment concept which aims to assist product innovation and to add value to new products, while highlighting the business benefits of adopting privacy practices (rather than simply recommending measures that are only focused on ensuring compliance).