IoT: Extending the internet into things

IoT refers to the extension of the internet into the physical world. In the IoT, the internet connects not only personal computers, tables and other ‘smart’ devices but also ‘dumb’ objects such as toasters, sofas, shoes, light bulbs, aeroplane wheels, cattle and human bodies. While IoT technologies offer the prospect of efficiencies, productivity gains and savings in costs and resources, there are many risks. Chief among these are concerns regarding data privacy.

Data privacy in the consumer IoT

Like all technological developments, IoT is open to many different uses and the potential consequences for the consumer are profound. For example, employers, insurers, lenders and others could make important decisions based on inferences drawn from data generated by IoT technologies without regulators having much understanding of the process. Consider activity trackers (such as the ubiquitous Fitbit): a prospective employer could request data generated from such devices to seek to predict a prospective employee’s efficiency and productivity using data on sleeping and exercise patterns and the setting and achieving of goals. In the home, connected televisions and other media consoles can reveal the type of content a person consumes, be it news or cartoons. Likewise, an internet-enabled couch and floor could determine how often a person is sedentary, leading to inferences about a person’s motivation and/or health.

Addressing privacy concerns: A question solely for regulators?

Much has been written about the application and potential shortfalls of data privacy laws in the context of the IoT. Legal protection of data privacy is obviously essential, and legislators and regulators around the world are grappling with how to best provide sufficient protection for consumers, and useful guidance for IoT developers, without stifling innovation.

Given the rapid rate of technological development in the IoT it may be that legislation and other regulatory guidance develops into a general (but useful) framework for IoT developers to operate in, rather than a step-by-step guide for data privacy compliance. Indeed, while the law sets certain standards for data privacy, when dealing with technology it can be difficult for legislators and regulators to be too specific, given the rate of change. Aside from any legal compliance, many consumer technology providers instinctively understand the importance that consumers place on the protection of their personal data. These providers are actively seeking to strike the right balance between leveraging the great insights that can be gleaned from personal data generated in IoT and building consumer trust through privacy enhancing applications.

Therefore, the key question now emerging is how do IoT providers meet data privacy expectations and legal requirements, not why they should be seeking to do so. 

Privacy by Design in IoT: A refocus on ‘the user’

Privacy by Design (PbD) refers to the process of building privacy enhancing mechanisms into the design of technology, as opposed to considering such mechanisms as an afterthought. Originally conceived by regulators, PbD holds that the future of data privacy cannot be assured solely by compliance with regulatory frameworks. The current Victorian Privacy Commissioner Mr David Watts has said that: “at a high level, what Privacy by Design mandates is embedding privacy into the information technologies, business practices and networked infrastructure, as a core functionality, right from the outset”.

PbD is arguably crucial to privacy enhancement and legal compliance in the IoT given the difficulties presented by new IoT technologies. For example, it may be difficult to obtain meaningful consent from individuals to the collection of personal data through certain IoT devices that do not have traditional user interfaces, such as a connected utility meter. Similarly, it may be difficult to provide sufficient data collection notices to consumers using devices like internet-enabled floor tiles or coffee machines.

Much of the guidance on how to implement PbD issued by regulators and the private sector is often very general, out of date, and, at times, assumes that data security is the same as privacy or conflates the two issues. In the absence of clear guidance, technology developers are struggling to meet the key requirements and outcomes of data privacy as distinct from security, which is often their native area of expertise.

In recent times, some developers have turned to a tried and tested but, as yet, largely overlooked approach to solving these issues: a focus on the user. While security engineers are needed to build secure systems, software developers are needed to address key data privacy issues in software and hardware specifications, and lawyers are needed to ensure compliance with the law, a key division is often overlooked: user experience designers (UX). UX designers specialise in improving the aesthetics, ergonomics and usability of products and services.

In placing the user experience at the heart of technology products and services, the consumer technology market has been transformed. Utilising UX design principles, IoT developers may approach data privacy compliance in a similar way. Examples of UX data privacy include data ‘featureisation’, which is the practice of making data a consumer-side feature of products and services, building systems that allow users to access their data in an easy, usable format while providing mechanisms that place a value on the sharing of data, and developing tools that permit providers to obtain real, meaningful consent to data collection and use.

IoT providers must tell their UX designers to take privacy considerations in account in the same way as they take into account aesthetics, ergonomics and usability when developing products and services.