PRIVACY
Data and the Internet of Things
Data refers to the intentional or unintentional “exhaust”, or infinitesimal bits of information coming from Internet-connected products. Examples include data from smart cities, traffic, cars, energy, animals, wildlife, food, pills, toys, clothing, diapers, toothbrushes, lighting, mattresses, refrigerators, romance, “smart” sex, parking meters, and even rectal thermometers. Augmented reality (AR) and Artificial Intelligence/robots (AI) will provide additional sources of data. You name it, industry has thought of it. It’s in the works, and data will stream from it.
With a move to the Internet of Things (IoT) we largely unknowingly become providers of mega amounts of data as we go through our day. In fact, we are referred to as “digital workers.” There is already a massive amount of data available on each of us – in fact, a near life log.
Data streams from a multitude of IoT sources:
- IoT “things,” machines, and appliances
- Sensors embedded throughout our cities
- Robots
- Artificial Intelligence
- Online platforms such as Google, Facebook, Instagram etc.
- Apps
- Cell phones
- Smart meters
- Cars – both driver and driverless
- Credit cards
- Surveillance cameras
- Emails
- Text messages
- Augmented Reality (AR)
- Enhanced Humans
- And now, yes, even our minds
Our data is collected, mined, analyzed and stored indefinitely in data centers. Our data is used for targeted marketing (aka surveillance capitalism), surveillance, law enforcement, research, smart cities, and potentially more as the IoT evolves. In fact, a whole eco system is being built with our data. Data streaming from one application becomes fodder for another. Data of course will also be used by hackers for their purposes.
Fox News | How much info is Google getting from your phone?
In a lame attempt to offset the huge downsides of the Internet of Things, some IoT manufacturers are coming up with applications that may provide a modicum of benefits. But many IoT products are, at best, frivolous, and some shamefully harmful.Two such examples are blue tooth pacifiers for infants and musical tampons for babies in utero.
Data collected from different sources is combined thereby producing more data and more value. Although much data is anonymous, once collected, fusion databases aggregate the data and then link it back to the original source. As Peter Van Buren explains in a fascinating 2014 Mother Jones Article,
“In these [fusion databases], information from such disparate sources as license plate readers, wiretaps, and records of library book choices can be aggregated and easily shared. Basically everything about a person, gathered worldwide by various agencies and means, can now be put into a single ‘file.’”
Increasingly, government agencies, such as the FBI and NSA are using biometric identifiers such as facial and iris recognition technology to amass yet more comprehensive and detailed data on each of us. Referring to the National Security Agency (NSA), a CNET article reports,
“The agency is using sophisticated software to harvest ‘millions of images per day from emails, text messages, social media, video conferences, and other communications, according to the documents [referring to specific classified documents referenced by the NY Times].”
In an NBC News article, Chris Calabrese, Vice President at the Center for Democracy & Technology, states:
“It [facial recognition technology] means that I can identify you and know where you are going in public, I can record and keep that information and you don’t know it’s happening. I know where you are, I know whether you’ve just visited a protest rally, I can identify everybody at that protest rally and I can keep records of that. It has a chilling effect.”
Joel Rosenblatt shares an observation made by Marc Rotenberg, President and Executive Director of the Electronic Privacy Information Center (EPIC):
“Biometric identifiers are a key way to link together information about people, such as discrete financial, medical and educational records.…”
Metadata vs. Data
Data comes in two forms, data and metadata. Take for example email — the content of an email would be the data. But each email also carries information about the date, time, message size, sender, and recipient of the email, and the specific computer or device used to send the email. These constitute the metadata. Although it would appear that metadata has little value, as it turns out, it’s incredibly useful to law enforcement, governments, marketers, researchers, and cyber criminals.
The more metadata collected, the more valuable the data becomes. Profit is one of the main driving forces behind the collection, sale, and use of big data, as it allows companies to offer more “affordable” IoT products. In the words of Chris Rouland, CEO of Bastille, “Your sensor-packed wearable device isn’t really the product – you are.”
In a Guardian article, Tech titans are busy privatising our data, author Evgeny Morozov explains,
Since data – the fuel of advertising markets – is the source of their profits, tech firms are happy to offer, at highly subsidized rates, services and goods that yield even more data. Ultimately there is no limit as to what kind of goods and services those could be: they might have started with browsing and social networking, but they are as happy to track us exercise, eat, drive or even make love: for them, it’s all just data – and data means cash.
A recent paper co-authored by professors from Stanford University, Columbia, and a Microsoft employee argues that we – those who generate the data – should profit from it, not Google et al.
“…each person becomes something like an oil well, pumping out the fuel that makes the digital economy run. Both fairness and efficiency demand that the distribution of income generated by that fuel should be shared more evenly, according to our contributions.
But we are a far cry from that as industry’s voracious appetite for data is busy fueling the booming IoT market, and governments in the US are dutifully complying with little to no regulations.
Will Big Data Impact the 4th Amendment?
The 4th Amendment of our Constitution protects our right to privacy. It states that a search cannot be conducted
…without a
warrant, and probable cause supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
But according to the third party doctrine, data collected from a third party does not warrant 4th Amendment protection. So for example, government or law enforcement can access data without a warrant from cell phone companies about where, when, and to whom a particular call was made. Similarly, government and law enforcement can access IoT or smart meter data to use as evidence in court. Note two recent homicide cases, here and here. The rationale is that in using these technologies, customers presumably have agreed to relinquish this information. (It should be noted that in some states, one cannot opt out of a smart meter. and in other states, a customer must pay a hefty fee to do so, making “implied consent” meaningless.)
Apple Health Data on a smart phone was recently used to gather evidence in a murder trial.
The app recorded a portion of the suspects activity as “climbing stairs”, ‘which authorities were able to correlate with the time he would have dragged his victim down the river embankment, and then climbed back up. Freiburg police sent an investigator to the scene to replicate his movements, and sure enough, his Health app activity correlated with what was recorded on the defendant’s phone.
The streams of data literally oozing from everything we do, and the images increasingly being matched to our data, create a near picture-perfect life log of each of us and the end of 4th Amendment protections.
In Shredding the Fourth Amendment in Post-Constitutional America, author Peter Van Buren states:
In Post-Constitutional America, the government might as well have taken scissors to the original copy of the Constitution stored in the National Archives, then crumpled up the Fourth Amendment and tossed it in the garbage can….Our government spies on us. All of us. Without suspicion. Without warrants. Without probable cause. Without restraint. This would qualify as “unreasonable” in our old constitutional world, but no more.
Van Buren continues:
The techno-gloves are now off and the possible is increasingly whatever an official or bureaucrat wants to do. That means violations of the Fourth Amendment are held in check only by the goodwill of the government, which might have qualified as the ultimate nightmare of those who wrote the Constitution.
Who Will Regulate the IoT?
Industry has no interest in regulating privacy in the IoT.
Consumers remain largely unaware of the problems.
Government is reticent to get involved
So essentially, as of now, no one is regulating privacy in the IoT.
Why industry is not concerned with privacy:
A fundamental principle of the IoT is that products must be affordable. So profits from data must be maximized, and corners cut wherever possible. Data equals money. Privacy concerns, along with cyber security, health, environmental impacts, and social injustices must not get in the way of manufacturing affordable IoT products.
Why consumers are not concerned with privacy:
Consumers would probably be more disturbed about their loss of privacy if they were aware of it. But most are not. And even if they were, there is little they could do about it. Privacy agreements fail miserably due to their complexity. With surveillance cameras, sensors in public spaces, and driverless cars, reasonable privacy agreements would be virtually impossible to orchestrate. Were privacy disclosed and managed, it would jack up the price of IoT products. There is no fail-safe, practical, and affordable way ensure our privacy is protected except by disconnecting – and that’s only a partial fix.
Surely government will step in to regulate privacy:
The European Union recently passed new laws regulating privacy. (For more on this please see, https://www.eugdpr.org/.) But in the US, there is an unspoken complicity between government and industry. In 2017, Congress voted to remove FCC privacy protections on our Internet use, and President Trump formed the American Technology Council (ATC) to promote “secure, efficient, and economical use of information technology to achieve its missions.” What this council intends to do is as yet unclear, but chances are it hasn’t been created to safeguard our privacy. More recently, the House passed S 139, a bill that further removes privacy protections. The Senate will vote on this bill shortly. If passed, it would result in “…broad NSA surveillance of the Internet…and the government will still have access to Americans’ emails, chat logs, and browsing history without a warrant.”
Schneier elaborates on the workings of complicity:
Data that’s illegal for the government to collect, they purchase from corporations. Corporations purchase data from the government. It goes into databases in the United States. It’s bought and sold. And profiles are generated. And those profiles are used, in both cases, to pigeonhole us, to make decisions about us, maybe whether we can get a mortgage, maybe whether we can board an airplane, maybe what sort of credit card offer we see.
Georgetown University professor of law, Julia Cohen, notes this as well. Author Julia Powles quotes her in an article entitled; We are citizens, not mere physical masses of data for harvesting:
In her lecture Cohen outlines the deal we have struck with the ‘surveillance-innovation complex,’ involving a deeply worrying complicity between state and private actors – ‘a mutually satisfactory game of regulatory arbitrage.'”
As things stand now, government is electing to largely steer clear of regulating the IoT so as not to “stifle innovation.”
FCC Chair Wheeler was unequivocal in his views on regulating the IoT:
Turning innovators loose is far preferable to expecting committees and regulators to define the future. We won’t wait for the standards to be first developed in the sometimes, arduous standards-setting process or in a government-led activity. Instead, we will make ample spectrum available and then rely on a private sector-led process for producing technical standards best suited for those frequencies and use cases.
In a 2015 Senate Commerce, Science and Transportation Committee Hearing, Senator Thune (who incidentally is now sponsoring a bill intended to fast track the deployment of 5G infrastructure) echoes this sentiment:
“Let’s not stifle the Internet of Things before we and consumers have a chance to understand its real promise and implications.”
Even if government were to adopt a strong stance on privacy and Big Data, these efforts would likely not succeed. In the digital world. Innovation happens so quickly that by the time legislation is crafted and passed, it’s already outdated.
Policymakers are somewhere between three and 20 years behind what we’re doing. By the time policy is discussed, we’re on the third generation, and the reality on the ground overrides policy. Jim Waldo as quoted in Now arriving: Internet of Things.
Another reason for our government’s inability to regulate the digital world, is that government operates in a compartmentalized manner with each agency having jurisdiction over a specific area. Digital technology touches so many systems simultaneously that it defies regulation by a single agency or branch of government. Schneier explains:
Government operates in silos. In the U.S., the FAA regulates aircraft. The NHTSA regulates cars. The FDA regulates medical devices. The FCC regulates communications devices. The FTC protects consumers in the face of “unfair” or “deceptive” trade practices. Even worse, who regulates data can depend on how it is used. If data is used to influence a voter, it’s the Federal Election Commission’s jurisdiction. If that same data is used to influence a consumer, it’s the FTC’s. Use those same technologies in a school, and the Department of Education is now in charge. Robotics will have its own set of problems, and no one is sure how that is going to be regulated. Each agency has a different approach and different rules.
Furthermore, the Internet of Things is a global platform. Regulations set in one country will not affect products manufactured in other countries. Schneier calls it “a domestic solution to an international problem.”
Final Thoughts
Even If governments and industry are not asking the following question – we should be: Will the supposed benefits of a particular IoT product outweigh the loss of privacy and cyber security, health harms from the increased radiation, impacts on the environment, social injustices, conflict minerals, and the vast increase in e-waste? If not, you may well do without this IoT product or platform. Enjoy the freedom of one less gadget to configure, one less instruction manual to navigate, and one less useless “thing” that will likely break and lay dormant in a closet for years.
In light of all the harms from the IoT, it might be time to disengage from the gargantuan IoT albatross that is suffocating the public to benefit industry, at the expense of every living being on our planet.
For more up-to-date information about the current state of affairs on regulating privacy and big data in the IoT, see Electronic Privacy and Information Center’s overview, Big Data and the Future of Privacy.
Additional resources on privacy
- Is Facebook's Facial-Scanning Technology Invading Your Privacy Rights? A court case threatens the social network with multibillion-dollar claims.Joel Rosenblatt | Oct. 26, 2016
- Schneier on Security | Website and Blog
- Berkmann Klein Center for Internet & Society at HarvardPrivacy Series
- Bruce Schneier on Security and Privacy on the World-sized Web
- The Berkman Klein Center for Internet & Society | Video series49 videos | Last updated, Mar. 23, 2016
- Electronic Frontier FoundationDefending your rights in the digital world
- Electronic Privacy Information Center (EPIC)"Privacy is a fundamental right"
- Internet of Things; Privacy and Security in a Connected WorldFTC Staff Report | Jan. 2015
- Evgeny Morozov - What is technological sovereigntyZündfunk Netzkongress 2016
- Click Here to Kill Everyone | With the Internet of Things, we’re building a world-size robot. How are we going to control it?Bruce Schneier | NY Magazine | Jan. 27, 2017
- Privacy in Our Digital Lives: Protecting Individuals and Promoting InnovationJanuary, 2017
- New computers could delete thoughts without your knowledge, experts warnIan Johnston | 26 April 2017
- Otonomo raises $25M to help automakers make money from connected carsDarrell Etherington | April 7, 2017
- The Electronic Frontier Foundation | Website
- The Universal Declaration of Human Rights"No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.”
- Electronic Frontier Foundation (EFF) | Website
- Universal Declaration of Human RightsPrivacy International | No one shall be subjected to arbitrary interference with his privacy, family, home, or correspondence.
- IT’S TOO COMPLICATED: HOW THE INTERNET UPENDS KATZ, SMITH, AND ELECTRONIC SURVEILLANCE LAWSteven M. Bellovin, Matt Blaze, Susan Landau, & Stephanie K. Pell| Harvard Journal of Law & Technology
- Phones Move – and So Should the LawSusan Landau | Aug. 16th, 2017 | Lawfare
- Internet of Things (IoT)Electronic Privacy Information Center (EPIC)
- First Digital Pill Approved to Worries About Biomedical ‘Big Brother’Nov. 13th, 2017 | Pam Belluk | The NY Times
- Why Silicon Valley wants you to text and driveNov. 30th, 2017 | Jack Barkenbus | The Conversation
Welcome to the neighbourhood. Have you read the terms of service?Mathew Braga | Jan. 18th, 2018 | CBC News
GDPR Portal | Websitewebsite is a resource to educate the public about the main elements of the General Data Protection Regulation (GDPR)
Are You Really the Product? The history of a dangerous idea.April 27th, 2018 | William Oremus | The Slate
- Alarmed by Admiral's data grab? Wait until insurers can see the contents of your fridgeThe Guardian | Nov. 2, 2016
- Corporate surveillance, digital tracking, big data & privacyDec. 29, 2016 | Wolfie Christi | 33th Chaos Communication Congress
- Networks of Control A Report on Corporate Surveillance, Digital Tracking, Big Data & PrivacyWolfie Christl and Sarah Spiekermann
- Internet of things: the greatest mass surveillance infrastructure ever?The Guardian | July 15, 2015 | Does the expanding network of connected devices herald a brave new compact for our digital lives – or the end of politics?
- The government just admitted it will use smart home devices for spyingThe Guardian | Trevor Tim | Feb. 9th, 2016
- Data populists must seize our information – for the benefit of us allThe Guardian | Evgeny Morozov | Dec. 3, 2016 |
- Data populists must seize our information – for the benefit of us all.The Guardian | Evgeny Morozov | Dec. 3, 2016 |
- US intelligence chief: we might use the internet of things to spy on youThe Guardian | James Clapper, US director of national intelligence. ‘In the future, intelligence services might use the internet of things for identification, surveillance, monitoring, location tracking, and targeting for recruitment’, says James Clapper, US director of national intelligence. Photograph: Alex Brandon/AP Spencer Ackerman and Sam Thielman | Feb. 9, 2016 |
- The internet of things - the next big challenge to our privacyThe Guardian | Jat Singh and Julia Powles | July 28, 2014 |
- How can privacy survive in the era of the internet of things?The Guardian | April 7, 2015 | Danny Bradbury
- Consumer organisations across the EU take action against flawed internet-connected toysBEUC, the European Consumer Organization | June 12, 2016
- Internet-Connected Toys Are Spying on Kids, Threatening Their Privacy and SecurityJosh Golin, Jeff Chester | Dec. 6, 2016
- Parents Across America - Our Children @Risk
- Class action filed against ‘smart’ dildo for tracking customers intimate movementsSept. 14, 2016
- The Human OSRoboticsRobot Sensors & Actuators Mood-Detecting Sensor Could Help Machines Respond to EmotionsCharles O. Choi | Sept. 20, 2016
- Why you may have good reason to worry about all those smart devicesWashington Post | Larry Downes | Dec. 6, 2016
- FTC Report on Internet of Things Urges Companies to Adopt Best Practices to Address Consumer Privacy and Security RisksJan. 27, 2015 | Report Recognizes Rapid Growth of Connected Devices Offers Societal Benefits, But Also Risks That Could Undermine Consumer Confidence
- Any computer connected to the Internet can be hacked by the US government without a warrantPrivacy International says the ruling will have 'astounding implications for privacy and security'
- Data Is a Toxic Asset, So Why Not Throw It Out?Bruce Schneller | Mar. 1, 2016
- The Eternal Value of PrivacyBruce Schneller | Wired | May 2006
- Don't Panic. Making Progress on the "Going Dark" DebateBerkman Center for Internet and Society | Harvard Univ. | Feb. 1, 2016
- PF Nov 2016 - The Internet of Things vs. Personal Privacy - Con PositionResolved: On balance, the benefits of the Internet of Things outweigh the harms of decreased personal privacy.
- The Privacy Wars are about to Get a Whole Lot WorseLocus Online Perspectives | Cory Doctorow | Sept. 4, 2016