Data and the Internet of Things
Internet of Things (IoT) data refers to the intentional or unintentional “exhaust”, or infinitesimal bits of information coming from Internet-connected products, platforms, and applications. Examples include data from traffic, cars, energy, animals, wildlife, food, pills, toys, clothing, diapers, toothbrushes, lighting, mattresses, refrigerators, romance, “smart” sex, parking meters, and smart city applications. Data will also flow from “enhanced humans” aka the Internet of Bodies (IoB), and from our minds. Augmented reality (AR) and Artificial Intelligence/robots (AI) will provide additional sources of data. You name it, industry has thought of it. It’s in the works, and data will stream from it. With a move to the IoT, we become providers of mega amounts of data as we go through our day. In fact, we are referred to as “digital workers.”
Our data is collected, mined, analyzed, and stored indefinitely in data centers. Our data is used for targeted marketing (aka surveillance capitalism), surveillance, law enforcement, research, smart cities, and lots more as the IoT evolves. In fact, a whole eco-system is being built with our data, as the data from one application becomes fodder for another. Data of course will also be used by hackers for their purposes.
Many IoT products are intentionally built to leak data. But in order to market IoT products, manufacturers must come up with applications that also provide a modicum of benefits to the consumer. But sadly, many IoT products are not even succeeding at that. Many IoT applications are, at best, frivolous, and some shamefully harmful. Two such examples are blue tooth pacifiers for infants and musical tampons for babies in utero.
Data collection also brings with it a host of ethical problems. One such example is EarthNow, a company that is developing live satellite video feed of any spot on earth. If deployed, no place on earth would be free from monitoring. (For more on the ethical ramifications of loss of privacy, please see https://whatis5g.info/ethics/)
Data collected from different sources is combined thereby producing more data and more value. Although much data is anonymous, once collected, fusion databases aggregate the data and then link it back to the original source. As Peter Van Buren explains in a fascinating 2014 Mother Jones Article,
“In these [fusion databases], information from such disparate sources as license plate readers, wiretaps, and records of library book choices can be aggregated and easily shared. Basically everything about a person, gathered worldwide by various agencies and means, can now be put into a single ‘file.’”
Increasingly, government agencies, such as the FBI and NSA are using biometric identifiers such as facial and iris recognition technology, and even gait recognition technology to amass yet more comprehensive and detailed data on each of us. Facial Recognition Technology has even been introduced in some schools. Referring to the National Security Agency (NSA), a CNET article reports,
“The agency is using sophisticated software to harvest ‘millions of images per day from emails, text messages, social media, video conferences, and other communications, according to the documents [referring to specific classified documents referenced by the NY Times].”
“It [facial recognition technology] means that I can identify you and know where you are going in public, I can record and keep that information and you don’t know it’s happening. I know where you are, I know whether you’ve just visited a protest rally, I can identify everybody at that protest rally and I can keep records of that. It has a chilling effect.”
Joel Rosenblatt shares an observation made by Marc Rotenberg, President and Executive Director of the Electronic Privacy Information Center (EPIC):
“Biometric identifiers are a key way to link together information about people, such as discrete financial, medical and educational records.…”
Metadata vs. Data
Data comes in two forms, data and metadata. Take for example email — the content of an email would be the data. But each email also carries information about the date, time, message size, sender, and recipient of the email, and the specific computer or device used to send the email. These constitute the metadata. Although it would appear that metadata has little value, as it turns out, it’s incredibly useful to law enforcement, governments, marketers, researchers, and cyber criminals.
The more metadata collected, the more valuable the data becomes. Profit is one of the main driving forces behind the collection, sale, and use of big data, as it allows companies to offer more “affordable” IoT products. In the words of Chris Rouland, CEO of Bastille, “Your sensor-packed wearable device isn’t really the product – you are.”
Since data – the fuel of advertising markets – is the source of their profits, tech firms are happy to offer, at highly subsidized rates, services and goods that yield even more data. Ultimately there is no limit as to what kind of goods and services those could be: they might have started with browsing and social networking, but they are as happy to track us exercise, eat, drive or even make love: for them, it’s all just data – and data means cash.
Will Big Data Impact the 4th Amendment?
The 4th Amendment of our Constitution protects our right to privacy. It states that a search cannot be conducted
…without a warrant, and probable cause supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
But according to the third party doctrine, data collected from a third party does not warrant 4th Amendment protection. So for example, government or law enforcement can access data without a warrant from cell phone companies about where, when, and to whom a particular call was made. Similarly, government and law enforcement can access IoT or smart meter data to use as evidence in court. Note two recent homicide cases, here and here. The rationale is that in using these technologies, customers presumably have agreed to relinquish this information. (It should be noted that in some states (such as Pennsylvania, one cannot opt out of a smart meter at all. And in other states, a customer must pay a hefty fee to opt out, rendering “implied consent” meaningless.)
Apple Health Data on a smart phone was recently used to gather evidence in a murder trial.
The app recorded a portion of the suspects activity as “climbing stairs”, which authorities were able to correlate with the time he would have dragged his victim down the river embankment, and then climbed back up. Freiburg police sent an investigator to the scene to replicate his movements, and sure enough, his Health app activity correlated with what was recorded on the defendant’s phone.
The streams of data literally oozing from everything we do, and the images increasingly being matched to our data, create a near picture-perfect life log of each of us and the end of 4th Amendment protections.
In Shredding the Fourth Amendment in Post-Constitutional America, author Peter Van Buren states:
In Post-Constitutional America, the government might as well have taken scissors to the original copy of the Constitution stored in the National Archives, then crumpled up the Fourth Amendment and tossed it in the garbage can….Our government spies on us. All of us. Without suspicion. Without warrants. Without probable cause. Without restraint. This would qualify as “unreasonable” in our old constitutional world, but no more.
Van Buren continues:
The techno-gloves are now off and the possible is increasingly whatever an official or bureaucrat wants to do. That means violations of the Fourth Amendment are held in check only by the goodwill of the government, which might have qualified as the ultimate nightmare of those who wrote the Constitution.
Thankfully, in an landmark decision on June 22nd, the Supreme Court ruled that police must get a warrant to obtain location information from cell phones. Hopefully, this will have a positive impact on law enforcement’s access to IoT data.
Who Will Regulate the IoT?
Industry has no interest in regulating privacy in the IoT.
Consumers remain largely unaware of the problems.
Government is reticent to get involved
No one is regulating privacy in the IoT.
Why industry is not concerned with privacy:
A fundamental principle of the IoT is that products must be affordable. So profits from data must be maximized, and corners cut wherever possible. Data equals money. Privacy concerns, along with cyber security, health, environmental impacts, and social injustices must not get in the way of industry producing affordable IoT products.
Why consumers are not concerned with privacy:
Consumers would probably be more disturbed about their loss of privacy if they were aware of it. But most are not. And even if they were, there is little they could do about it. Privacy agreements fail miserably due to their complexity. With surveillance cameras, sensors in public spaces, and driverless cars, reasonable privacy agreements would be virtually impossible to orchestrate. Were privacy disclosed and managed, it would jack up the price of IoT products. There is no fail-safe, practical, and affordable way ensure our privacy is protected except by disconnecting – and that’s only a partial fix.
Surely government will step in to regulate privacy:
The European Union recently passed new laws regulating privacy. (For more on this please see, https://www.eugdpr.org/.) But in the US, there is an unspoken complicity between government and industry. In 2017, Congress voted to remove FCC privacy protections on our Internet use, and President Trump formed the American Technology Council (ATC) to promote “secure, efficient, and economical use of information technology to achieve its missions.” What this council intends to do is as yet unclear, but chances are it wasn’t created to safeguard our privacy. More recently, the House passed S 139, a bill that further removes privacy protections. The Senate will vote on this bill shortly. If passed, it would result in “…broad NSA surveillance of the Internet…and the government will still have access to Americans’ emails, chat logs, and browsing history without a warrant.”
Schneier elaborates on the workings of complicity:
Data that’s illegal for the government to collect, they purchase from corporations. Corporations purchase data from the government. It goes into databases in the United States. It’s bought and sold. And profiles are generated. And those profiles are used, in both cases, to pigeonhole us, to make decisions about us, maybe whether we can get a mortgage, maybe whether we can board an airplane, maybe what sort of credit card offer we see.
Georgetown University professor of law, Julia Cohen, notes this as well. Author Julia Powles quotes her in an article entitled; We are citizens, not mere physical masses of data for harvesting:
In her lecture Cohen outlines the deal we have struck with the ‘surveillance-innovation complex,’ involving a deeply worrying complicity between state and private actors – ‘a mutually satisfactory game of regulatory arbitrage.'”
As things stand now, government is electing to largely steer clear of regulating the IoT so as not to “stifle innovation.”
FCC Chair Wheeler was unequivocal in his views on regulating the IoT:
Turning innovators loose is far preferable to expecting committees and regulators to define the future. We won’t wait for the standards to be first developed in the sometimes, arduous standards-setting process or in a government-led activity. Instead, we will make ample spectrum available and then rely on a private sector-led process for producing technical standards best suited for those frequencies and use cases.
Even if government were to adopt a strong stance on privacy and Big Data, these efforts would likely not succeed. In the digital world. Innovation happens so quickly that by the time legislation is crafted and passed, it’s already outdated.
Policymakers are somewhere between three and 20 years behind what we’re doing. By the time policy is discussed, we’re on the third generation, and the reality on the ground overrides policy. Jim Waldo as quoted in Now arriving: Internet of Things.
Another reason for our government’s inability to regulate the digital world, is that government operates in a compartmentalized manner with each agency having jurisdiction over a specific area. Digital technology touches so many systems simultaneously that it defies regulation by a single agency or branch of government. Schneier explains:
Government operates in silos. In the U.S., the FAA regulates aircraft. The NHTSA regulates cars. The FDA regulates medical devices. The FCC regulates communications devices. The FTC protects consumers in the face of “unfair” or “deceptive” trade practices. Even worse, who regulates data can depend on how it is used. If data is used to influence a voter, it’s the Federal Election Commission’s jurisdiction. If that same data is used to influence a consumer, it’s the FTC’s. Use those same technologies in a school, and the Department of Education is now in charge. Robotics will have its own set of problems, and no one is sure how that is going to be regulated. Each agency has a different approach and different rules.
Furthermore, the Internet of Things is a global platform. Regulations set in one country will not affect products manufactured in other countries. Schneier calls it “a domestic solution to an international problem.”
Even If governments and industry are not asking the following question – we should be: Will the supposed benefits of a particular IoT product outweigh “downsides” – loss of privacy, cyber security risks, health harms from the increased radiation, impacts on the environment, social injustices and other ethical issues, use of conflict minerals, and the vast increase in e-waste? If not, you may wish to do without this IoT product or platform. Enjoy the freedom of one less gadget to configure, one less instruction manual to navigate, and one less useless “thing” that will likely break and end up taking up space in a closet.
In light of all the harms from the IoT, it might be time to disengage from the gargantuan IoT albatross that is suffocating the public to benefit industry, at the expense of every living being on our planet.
For more up-to-date information about the current state of affairs on regulating privacy and big data in the IoT, see Electronic Privacy and Information Center’s overview, Big Data and the Future of Privacy.
Additional resources on privacy