A coffee machine that turns itself on the minute you wake up in the morning. Menu suggestions from your refrigerator based on available food products which are near their expiration dates. The next digital revolution, driven by the ‘Internet of Things’ (IoT), is about to make it all possible with smart technology, enabling devices to think for themselves and connect through the internet. IoT offers many opportunities; for example, it has the potential to make our living environment more efficient and sustainable. But what are the privacy risks involved? And what guarantees do we have when it comes to the safety of IoT systems? IoT devices are primarily developed with new functionalities and ground-breaking applications in mind, but security and privacy receive relatively little attention. So, in this blog, let’s turn that around, shall we? Let’s look at the privacy side of things.
What is the ‘Internet of Things’?
Broadly speaking, the Internet of Things, or ‘IoT’, is all about the internet as a way of connecting devices, enabling them to communicate with each other and send data to the ‘cloud’ without any form of human intervention. Think of the IoT as the total collective of internet-connected (‘smart’) devices. The Internet of Things consists of a large group of widely varying applications, of which smart houses and smart cities are two of the more prominent examples.
Privacy and security risks of IoT devices
IoT devices can contribute to increased efficiency, durability and ease of use, offering advantages that are primarily of an economic nature (time and cost savings) or related to behavioural improvement as in the case of smart watches stimulating healthier lifestyle choices. But there is a downside to IoT as well, which has to do with the privacy risks connected to the use of smart devices.
The whole concept of IoT is intrinsically dependent on data and that is exactly what makes user privacy a point of recurring concern. Privacy, in a nutshell, is freedom from interference, intervention or unwanted observation; in other words, the right to be left alone. In line with this definition, exposure of sensitive or private information to ‘unintended’ recipients constitutes a threat to privacy.
IoT devices collect data, including, more often than not, sensitive and personal data such as first and last name, address, phone number and potentially even financial data or information related to the user’s health or location. By storing sensitive information and sharing it with other internet-connected equipment, IoT devices contribute to a completely new level of privacy vulnerability. After all, as more and more home devices get connected to the internet, an ever more detailed picture of a person’s life can be created, for instance in terms of daily routines, changes in usual behaviour or specifics of family composition.
In this sense, IoT devices are a possible source of privacy risk. But there is more. The use of IoT devices is also increasing the potential for security and safety hazards. What makes these devices smart, apart from their internet connection, is the fact that they are controlled by computer systems consisting of two components, hardware and software, both of which may contain security flaws and vulnerabilities that may facilitate access to these devices. Hackers can gain access to a person’s home network through any number of ‘innocent’ appliances, from the central heating system’s thermostat, a refrigerator or digital door lock to baby monitors or smartwatches. Once inside, hackers can not only steal possibly sensitive information, they may also, in a worst-case scenario, completely take over control of such devices. This way, an IoT device hack may constitute a direct threat to a person’s privacy and personal safety. If you are interested, follow this link for practical advice on buying, installing and safely using IoT equipment.
Laws and regulations on IoT devices
So far, there has been very little (government) supervision of the development and construction of privacy-safe and security-sound IoT devices, with the definition of ‘reliable IoT’ mostly being left to the producers and sellers. But there are instances of (emerging) legislative frameworks that (may) cover the sale and use of IoT devices.
Through IoT devices, all kinds of personal data are collected from their users. Therefore, the manufacturers or producers of IoT devices must comply with the General Data Protection Regulation (GDPR). The operational scope of the GDPR, however, is limited to the European Union.
The GDPR applies not only to the collection and storage of data, but also to what is subsequently being done with these data. For one thing, the general principles of data processing (Article 5 GDPR) will have to be adhered to when personal data is processed by IoT systems. Also, there must be a lawful basis for processing data (Article 6 GDPR).
Consent is one of the possible bases, but only if it meets strict criteria: consent must be specific and informed, given voluntarily, and given through an affirmative act. It is therefore important for users that it is clear what exactly happens to their data, the more so because it is common practice for data to be stored and at a later stage be (re-)used for additional (commercial) purposes. Any entity wishing to process data must therefore provide information such as the nature of the processing and the purposes of the processing.
With regard to consent as a legal basis for the processing of data by IoT devices, there are a number of concerns. For example, consent is not always considered to be freely given. In some cases, the user is practically “forced” to agree to the sharing of private data if he or she wants to use the device or install the necessary (security) updates for continued proper functioning of the device. However, under the GDPR, users should be able to make their own informed decisions on these matters, without consent to the use of their personal data being enforced by the device manufacturer. In other words, without being threatened with a penalty. Moreover, users will by no means always have consented to specific personal data being recorded and analysed whenever they happen to use a connected device. These are aspects which the GDPR certainly covers.
EU Data Act (entry into force pending)
On February 23, 2022, the European Commission presented its proposal for the ‘EU Data Act’, intended successor of the Data Governance Act which had introduced processes and structures facilitating data sharing. The EU Data Act is to offer additional information as to who can profit from the sharing of information, and under which conditions. The common purpose remains the creation of an internal marketplace for promotion of the free flow of information consisting of data generated by smart products and services, like smartwatches. With these products, the consumer buying them does not always know who is allowed to use the generated data, or in what ways. This is one of the things the new legislation is intended to clarify and as such, the EU Data Act will also apply to IoT devices.
ePrivacy Regulation (entry into force pending)
The proposed ePrivacy Regulation, intended to replace the existing Directive 2002/58/EC as a set of European directives better aligned with the technological realities of the present day and age, will also apply to communication between IoT devices. For more information on the ePrivacy Regulation, refer to this blog.
For some time now, the Dutch authorities have been calling for increased European IoT regulation. To this end, in 2018, in cooperation with companies from the private sector, the Dutch government created the Roadmap Digitaal Veilige Hardware en Software (Roadmap Digitally Secure Hardware and Software) while continuing to advocate more stringent European guidelines, in the form of, for instance, minimum safety requirements for smart devices. Also in 2018, the Dutch House of Representatives adopted a motion for mandatory certification of IoT devices. This would certainly help to solve some of the problems currently surrounding the Internet of Things and, as stated by Mona Keijzer, Dutch Secretary of State for Economic Affairs at the time, a regime of IoT equipment labelling or certification would be in line with the recommendations of the Roadmap.
Most people are hardly aware of the privacy risks associated with IoT devices. Digital security and reliability are not high on the priority lists of consumers shopping for ‘smart’ products. In reality, however, IoT security is a fundamental condition for the protection of privacy because when an IoT device gets hacked, there is an immediate, direct threat to the user’s privacy and personal safety. Not only can hackers loot the devices for (sensitive) personal data, but they can also, in the worst-case scenario, completely take over control of any given device. For consumers to be able to fully profit from the countless interesting opportunities the Internet of Things undeniably has to offer, new laws and regulations have to be drawn up, with amendments made to existing legislation where necessary. Here, a (more) active attitude is required from legislators, both in a national context and on a European scale, in order to prevent potentially far-reaching consequences from becoming very real and very serious problems. This may include broader regulation and minimum requirements in terms of security of IoT devices and use of data. The future of IoT depends on good regulation and awareness, on the part of consumers and policymakers, of the inherent risks.