Will there really be privacy in the Internet of Things? That’s the central question that a group of government regulators, university professors, and tech industry lawyers grappled with last week at a conference organized and hosted by TRUSTe at the Rosewood Hotel in Menlo Park, California, nestled in the shadow of Stanford University.
It would be tempting to simplify the daylong discussion by saying the ultimate answer is “no,” but the conference attendees heard more about the current landscape and challenges than actual solutions to protect user privacy. This was not surprising given that it was the first time such a conference had been held, and TRUSTe, a leading Data Privacy Management company, deserves much credit for at least putting the issue on the table this early in the game. As one presenter put it succinctly, “The issues are complicated.”
What’s complicating the protection of privacy is that every day someone, somewhere introduces a new way to link a gadget to the Internet, or uses the Internet for a whole new purpose. For example, during one of the panel discussions last week, attendees heard about Saga, a lifelogging app that uses smartphone sensors to capture your daily routines, travel and preferences.
On the surface, this would not seem a threat to privacy since anyone can choose to do this or not. But A.R.O., the company that developed Saga (and is funded by the Microsoft billionaire Paul Allen), also recently introduced a new companion product – OverHeard. This smartphone app automatically records your life sounds in 3-minute increments and shares them over your social networks. They are also stored on A.R.O. servers. Is this merely lifelogging, or is it recording private conversations with other people without their consent?
Even the conference itself ran into a minor quandary when organizers handed out free Pokens to all attendees. Pokens are smart-tag-equipped USB sticks that can store and exchange data about each attendee, and the idea was to share this information by simply touching each other’s tags at the conference.
But when Professor Lance Hoffman of George Washington University gave his keynote speech on privacy in the afternoon, he launched into a short rant about the dangers of using devices like Pokens, since users cannot control where their data goes and must take a security risk by inserting an untested device into their computers to use them. Conference leaders moved quickly to reassure attendees that Pokens were trustworthy, but it was yet another example of how even technology with the best intentions can quickly run into privacy issues in the Internet of Things.
A panel of industry regulators wrestled with growing concerns around the question of notice and choice. In the “old” days, when everything was computer screen-based, users were presented with 80-page documents they never read, agreeing to how their data would be used when they chose a certain tech product. Today, in this new era of wearable computing and smartphones, that kind of review and consent has become a lot trickier. “It is still the law,” as TiTi Nguyen, California’s Deputy Attorney General for Internet Privacy, reminded the audience.
Yet, the inevitable march towards wide consumer acceptance of these devices has led to a situation where the privacy concerns get largely ignored. As one attendee commented after the regulators had their say, “I noticed (Nancy Libin) the former Chief Privacy Officer for the Department of Justice wearing a FitBit. Do you think she thought about the privacy of her data when she put that on her wrist?”
At the end of the day, Chris Babel, CEO of TRUSTe, announced that his company will call together a technical working group on privacy for the Internet of Things later this year to “figure out how it’s going to impact the multitude of groups that this involves.” Babel might want to hold his first meeting in the Vatican’s Sistine Chapel. Prayer and inspiration will be needed.