The main focus of this blog is the challenges faced by the law to monitor and regulate the fields of privacy and data protection in an inter-connected world.
Let’s start with a strange and realistic narrative. Imagine being woken up by your smart alarm clock. It is interconnected to your daily electronic calendar and uses the data gathered from your smart wristband to analyse the end of your sleep cycle, thereby calculating the optimum time to wake you up to the sound of your favourite music.
Your Wi-Fi enabled bath is ready on time and the water is at the perfect temperature. Your smart refrigerator is fully up to date with its contents and alerting you of fast approaching expiry dates. It uses the information to communicate with your oven to search or create the perfect recipe for tonight’s dinner.
The above may seem like science fiction but some of the events described are already part of today’s reality. More and more objects are connected to one another and programmed to be autonomous, making machine to machine data transfer possible and requiring less and less human input. The internet of Things (IoT) refers to the interconnectivity of everyday objects, ranging from household appliances to cars and buildings.
These everyday objects are able to produce and gather a range of data which can be profiled, stored, and analysed to gain detailed insight into mundane components of an individual’s lifestyle. Whilst this has the potential of significantly improving our lives, it also raises fundamental issues relating to security and privacy.
These concerns became prominent in the first action against a seller of an IoT product, namely TRENDnet Inc. The United States Federal Trade Commission filed a complaint against TRENDnet Inc which manufactures and retails small wireless cameras to the general public. These cameras send motion captured videos to connected devices such as computers or smart phones. In 2012, the software was hacked and nearly 700 live feeds from the cameras were leaked online. Private videos taken by ingenuous consumers (many of whom had used these cameras to monitor home security or their children at home) became easily accessible and visible to anyone with an internet connection. Moreover, the location of these cameras, as well as the homes and individuals they portrayed, were ascertainable from the camera’s IP addresses. The FTC complained that TRENDnet deceived customers into thinking that it had reasonable security measures in place when in reality it did not. The FTC and TRENDnet entered into a settlement agreement, pursuant to which TRENDnet cannot misrepresent its software as secure and will need to receive an independent assessment of its security programs once a year for the next 20 years.
This case highlights the risks and security concerns that the IoT raises, and in parallel the increasing need for regulation.
IoT opens the door to intrusions into private life. Criminals and hackers can not only monitor individuals but can also actively intrude into the everyday lives of people who use these technologies, especially as many of these interconnected objects can be controlled and accessed remotely.
In addition to the potential for active intrusion, the IoT enables extensive data profiling. Mundane appliances which pervade our lives will be able to collate data documenting our everyday habits, food preferences, health, location, sexual preferences and religion. It will be possible for data platforms to paint, and share, detailed user profiles. It will make it far more difficult, if not impossible, to elaborate and enforce laws which seek to prevent unauthorised access and use of personal data.
Against this background, the draft Data Protection Regulation is going through the legislative process and may be adopted by 2015. Amongst other things, the reform aims to strengthen the powers of data protection authorities and allow for significant sanctions to be imposed for violations of data privacy. This includes the potential for colossal fines on companies reaching up to 5% of their annual worldwide turnover or 100 million euros.
The Regulation also places a clear emphasis on security being at the heart of the device’s conception and design. This is particularly important given the development of devices interconnected to one another (Machine to Machine Transfer). The EU states that the protection of one’s data should be built into the product from the earliest stages of development and should be embedded in the technology of the device itself.
In addition, the EU has prioritised the issue of consent. Consumers should be conscious and aware of the security and privacy issues that these devices raise and therefore able to make informed decisions whether to use such products. Individuals should be given easier access to their data, a right to be informed when data has been hacked, along with the right to “be forgotten” and have data deleted at their request.
It remains to be seen how this will work and apply in practice to appliances which will be interconnected with each other autonomously on complex and multiple levels. There may be many more “spammer fridges” in the years to come as interconnected devices become ubiquitous.
The challenge that lies ahead for the law in the IoT firmament is to protect personal data without stifling technological innovation.