Figure 1, Guru99
The Internet of Things
The Internet of Things (IOT) describes the network of
devices that have embedded sensors, software, and electronics that enable them
to collect data and transfer it over the internet. The IOT typically refers to “smart”
objects such as thermostats, toasters, vacuums, and other devices that don’t
usually connect to the internet, but are able to offer more or better services
by doing so [1]. The IOT offers the benefit of automation, convenience, and optimization.
Users of smart devices can turn off lights or play music with a voice command. They
can remotely lock doors, monitor children, or start their car by using an app
on their phone. By analyzing the data collected, devices can help users to
track health or sleep patterns, or to identify a problem in their home such as
an inefficient device. “Smart cities” can utilize devices to monitor traffic
patterns or to reallocate resources [1,2]. Medical care can also be improved by
the IOT because more robust data can be collected from medical devices that send
real-time data, and patients can monitor their own vital signs at home [2,3].
There is a tradeoff with these benefits. The IOT poses a great
risk to privacy unless devices are developed with security in mind, and there is
regulation on what data is collected and stored. Some states have privacy
regulations in place that companies will have to comply with, such as the
California Consumer Privacy Act, but there is no comprehensive federal privacy legislation
to provide this regulation [4]. In 2015 the Federal Trade Commission (FTC)
issued a report in which it recommended that “strong, flexible, and
technology-neutral federal legislation” be enacted [2]. The question is this: Is
federal regulation necessary? Or would it be better to allow industry to self-regulate?
Concerns of Government Regulation
Those who oppose government regulation argue that premature
legislation will stifle innovation at a time when there is great potential for
the industry to grow [2]. Legislation that is too strict could prevent certain
technologies from fully developing. Many IOT devices incorporate AI, so that the
device can learn to accomplish a task more efficiently. In order to do this, a neural network needs to be trained with large amounts of data. Many of the
devices also need to react quickly to stimuli such as temperature change or
motion detection. This means that they need to be collecting data about the
environment often. So, if legislation places restrictions on the data that can
be collected, capabilities could be limited [5]. It is also difficult to impose
regulation on the IOT because it spans so many different industries with
devices for all different purposes. Some of the devices will need more data
than others to function, and some will deal with far more sensitive data. It is
also difficult to enforce legislation requiring consent because most of the
devices are always running in the background and can’t gather consent from
every person that might be affected [5,6].
Privacy Concerns
The IOT raises many privacy concerns due to the vast amount
of data that is being sent through it, often without encryption. Kashmir Hill
and Surya Mattu conducted an experiment where they “hacked” Hill’s smart home and
found that her smart devices were constantly communicating with their
manufacturers, even when no one was home. They also found that information such as the
shows she watched on Hulu was sent unencrypted, while data that was encrypted
still revealed information about her habits through the metadata [6]. All of
the data that is sent over the internet has the potential to be
intercepted, and even after that data is stored by a company it can still be
vulnerable to data breaches, especially if it is known that a company stores
lots of sensitive data. Even if it doesn’t seem like the data being collected
is that sensitive, “the collection of personal information, habits, locations,
and physical conditions over time may allow an entity that has not directly
collected sensitive information to infer it” [2]. It has also been shown that
even when data is depersonalized, if it is robust enough, individuals can be reidentified
[4]. Smart devices are creating a more detailed picture of people’s private lives
than they might realize.
While smart devices often have the same privacy risks as
using the internet on a traditional device, there are some unique qualities of
the IOT that increase concerns. Because the majority of smart devices are made ready
to use out of the box, and because they are passive devices, most people don’t
change the default settings. They don’t think about what data is being sent
over the internet, and they don’t consider checking the privacy settings [5].
Many smart devices are also made to work together to form a whole network of
shared data. Some devices are more secure than others, though, and the more
devices connected, the greater the security risk. If one device is hacked, then the
whole network can become compromised [1,2]. Unlike traditional hardware,
manufacturers of smart devices often maintain a lot of control; they decide when
to update, what features are available, and how often data is transferred [5]. If
users try to take control, for example refusing an update, they might find that
they lose functionality.
The concern has also been raised that if the use of data
collected by the IOT isn’t regulated, then companies will take advantage of it. Data
collected on a user might factor into decisions about their credit, their employment,
or their insurance, which opens the door to discrimination [2]. Patients who use
smart medical devices could be monitored by their insurance company, which might
then deny access to insurance if they deem the patient isn’t making enough
effort towards recovery or isn’t using the device correctly [3]. Data could also be used for targeted advertisement, or potentially used by law enforcement.
Conclusion
I think that the FTC should adopt regulations about the
collection, storage, protection, and use of information by the IOT. Even though
each device is different, and they require different levels of data collection and
protection, I do think there should be a baseline of what is acceptable.
Companies should only collect as much information as is reasonable for the function
of their device. They should also limit who has access to the data within the
company and should have security protocols in place such as encryption. They
should also only store the data for as long as it is in use and only request
more data from the devices as often as is required for them to function.
Sources
[1] Williams, L. (2023, January 19). IOT tutorial: Introduction to internet of things (IOT basics). Guru99. Retrieved March 17, 2023, from https://www.guru99.com/iot-tutorial.html
[2] Federal Trade Commission. (2015, January). Internet of things: Privacy & security in a Connected World. Retrieved March 17, 2023, from https://www.ftc.gov/system/files/documents/reports/federal-trade-commission-staff-report-november-2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf
[3] Asay, M. (2018, November 21). How IOT medical devices save your life and threaten your privacy. TechRepublic. Retrieved March 17, 2023, from https://www.techrepublic.com/article/how-iot-medical-devices-save-your-life-and-threaten-your-privacy/
[4] UNESCO. (2022, February 9). Data Privacy and the internet of things. Retrieved March 17, 2023, from https://en.unesco.org/inclusivepolicylab/analytics/data-privacy-and-internet-things
[5] Office of the Victorian Information Commissioner. (2022, October 6). Internet of things and privacy - issues and challenges. Retrieved March 17, 2023, from https://ovic.vic.gov.au/privacy/resources-for-organisations/internet-of-things-and-privacy-issues-and-challenges/
[6] Hill, K., & Mattu, S. (2018, February 7). The house that spied on me. Gizmodo. Retrieved March 17, 2023, from https://gizmodo.com/the-house-that-spied-on-me-1822429852
I am curious as to how the FSA could go about defining the information being in use. While I agree that it should not be stored longer than necessary, IOT devices are so commonly used it feels harder than normal to define necessary. Oftentimes people will use things like their vacuum just until it breaks. Or in the case of a smarthouse, theoretically they could be using that for the rest of their life. I am not sure how I would define necessary in this instance.
Yeah interesting point, I am also curious to see what even defines the parameters that concern a "proper amount of time" to store someone's information.
Yeah, it is difficult to give an exact time that data should be stored because it's different for every device. For something like a smart vacuum, it would always need to know what your house looks like, but for something like a smart camera that connects to your phone, the videos probably don't need to be saved beyond a few weeks. What I was thinking was that each company should have to prove that the data that they store has a purpose and is actively providing a benefit.
I also think that there should be more regulation regarding all this data, but like Lindsay, I'm also pretty stumped on how to go about all of it. One IOT I own is an Amazon Alexa, and I understand that it is one of the most data collecting devices with a lot of potential of privacy invasion, but like many other owners, I've come to become extremely used to the convenience of it, and I wouldn't get rid of it even knowing the kinds of privacy risks attached. It is really hard in this society of convenience and technological advancement to find a line for privacy protection while still being able to personalize things, so to be honest, this would take a lot of thinking to really figure out the best kind of laws for IOTs, but very interesting post!
Yeah, great point, I think one of the reasons why devices such as Alexa work so well is because it is always listening, always gathering data about its owner. If for some reason that would be taken away, then the delegated individuality of each Alexa would be stripped away.
I agree with both of you. It is difficult to set regulations when the constant data collection is part of what makes the devices function. That being said though, the default setting for Alexa is to only delete voice recordings if the user goes into the app and manually deletes them, which most people aren't going to do. Surely Amazon doesn't need to remember every conversation you have ever had with your Alexa, and could automatically delete these recordings after a month or so.
Nice post on the IoT! Personally, this is my first time hearing this term, and I hardly own any IoT devices myself, so it was great learning about the IoT. One thing that makes me wary of these devices is the fact that they can be updated and changed after you purchase them. You may buy something at one point, but then it becomes something different later down the road. Regarding privacy, I think I would agree that there should be some sort of regulation, but of course, like people have said, it's difficult due to how diverse the IoT is.
I agree with Andrew, great first blog post Alex on educating us on what an IoT even is.
Thanks for posting! I thought this was really interesting and I'm definitely going to look into my privacy settings on the Google Home I have. I think that there should be regulations on IoTs but like my peers, I'm struggling to see an effective and usable measure. I think if regulations are too vague they risk being effective for consumers. If they are too narrow, they could impede the evolution of the tech industry. I wonder if other countries have done something similar with their law?
As far as I could find, there are some countries that have overarching privacy or data collection laws (like the GDPR), but there aren't any privacy laws specifically for the IOT. There is some regulation on IOT devices from The Internet of Things Cybersecurity Improvement Act that was passed by Congress in 2020.
Wonderful post! I am curious to see in the future is impacted by ongoing government regulations. I do think there should be regulations on the information collected on consumers should be, but as Hannah says, if they are too narrow could it impede our ability to progress in the technological sector. Also, for the many devices as you pointed out, how would we have a concurrent legislation that addresses all the nuances in how devices work and collect information?
Perhaps more regulation on collection of data isn't necessary. When it comes to these smart devices, they're still such a new technology that they are not ubiquitous in every home. Instead of legislation preventing what they can do, it may be better for legislation to be passed that requires companies to be more transparent on what they collect and how it is used. These devices increase in functionality as they increase in data collected, so limiting what they can collect limits their ability. The option best for consumers in my opinion is to let the consumer make the tradeoff of privacy for utility, as long as companies allow the consumer to make a truly informed decision.
I agree that the FSA should get better regulations about IOT. If the security, storage, etc. was better it would be a much better system. The amount of information they collect is a lot and they should have a strong security and an organized collection of the data in the system. Also I love the point on how every household has a connected network of devices. If one is hacked then all of the devices are in jeopardy.
I agree that there should be some sort of legislation, but I think I am more leaning towards legislation for education and transparency, rather than limiting what they can do at this point. I think that if there is a block in what devices can do then the technology won’t develop as much as it could, and we won’t be able to see the full potential of the industry, so there is a harm to limiting collection. Also, I agree with what Ryan said about how we would even be able to limit collection on such a broad spectrum of technology. I think that if we limit it there will already be something new that needs to be limited, so transparency is best as the industry evolves.
I just updated this post to say FTC where I had mistakenly put FSA. I apologize to anyone who copied me and put the wrong acronym as well.
I loved Andrew's point of view he mentioned in his comment about this post. Devices being able to be updated and modified after purchase can be a potential risk to the consumer if the updates are not fully transparent or able to let the consumer “opt out” of those changes. Privacy control is essential for these devices that run on trust from the consumer to the company, like Amazon and Google with their Alexa and Google Home items respectively. If these companies don’t update and monitor their privacy collections/data, then the consumer is the most vulnerable and most likely wouldn’t know.
Chloe Hagan :)
I think that the privacy concerns of having all this smart technology outweigh whatever convenience they may give, at least on the level of having an entire "smart home". To me these things seem more like a status symbol than something that is actually useful, although things like smart watches and smart speakers are very common and do have uses.