Privacy & The Internet of Things: The Importance of Transparency in Accounting for What We Can’t See
By Jessica Groopman, Industry Analyst, Altimeter Group
Perhaps the most important lesson the Internet has taught us is that connectivity itself has infinite implications—for good, bad, and most importantly, the unforeseen. We’ve watched digital transform entire industries like publishing, media, music, and retail. As we enter into the next phase of the Internet—the so-called Internet of Things, or more accurately, the digitalization of the physical world through sensors, data and connectivity— the potential for unforeseen implications and unintended consequences skyrockets.
We Can’t Know What We’ve Never Seen
The ratio of unforeseen consequences of data use, aggregation, sharing and targeting eclipses what we can predict. Yet we can illuminate our understanding of this with the following two implications:
- Connecting things anoints them with context through the data that is inherently created.
- Connecting things renders the things themselves and the data these things emit vulnerable to threats—to security, privacy and safety.
As the IoT industry grapples with these two competing implications, weighing innovation, opportunity, and potential on the one hand with security, privacy, and safety risks on the other, all constituents involved have a role in helping pave the way. Today we see a dizzying amount of activity and discussion around how to navigate these implications, but we’re in the infancy of this discourse, nevermind its application.
Industry Sees Imperative for Privacy, but Slow to Communicate About It
As policy-makers, experts, and industry come together in search of (and incentivized by) new and various ways to collaborate, we’re seeing attempts to both leverage existing templates, such as the Data Protection Act, and build new ones. It was just months ago (January 2015) that the FTC released a report, “Internet of Things: Privacy & Security in a Connected World” wherein the Commission offers a summary of risks, opportunities and best practices businesses should adopt. Globally, we’ve seen other examples (with varying degrees of effectiveness and comprehensiveness), such as Europe’s Right to be Forgotten’ and South Africa’s POPI legislation, requiring that businesses may only process data for as long as there are clear and defined business purposes to do so.
Indeed we are seeing more emphasis on Privacy by Design (PbD), the concept of building, embedding, and broadly speaking, ‘baking’ security and privacy controls into connected products and infrastructure themselves. But the reality is, a world of ubiquitous sensors and connectivity is unlike anything humanity has seen to date, and requires a fundamental shift beyond litigation.
As industry interweaves itself more pervasively into the lives of consumers, there is another realm of the discussion that must be addressed: how to communicate and educate consumers on this complex reality and the risks associated with it.
Let’s be honest. The bar for articulating how consumer data is accessed, used, protected, and shared—particularly in how we educate people around these risks—is incredibly low. Today the standard for how brands communicate about the use of consumer data primarily exists at the Terms of Service (ToS) level. As end users, we’ve been conditioned to literally accept a long, complicated series of paragraphs typically written in legalese in order to enjoy a service or sign up for a product. If we refuse, we can’t use the service at all. The gates of a binary Yes/No, all-in/all-out agreement are the norm. But the role of these user agreements is not to protect consumers by educating them and soliciting informed consent, it is primarily to protect the business from legal sanction.
Why Transparency is More Important Now than Ever Before
As the Internet reaches into physical spaces—our stores, our cars, our homes, even our bodies—the gap between risk and consumer awareness is expanding. And while consumers are largely uninformed about the realities of how their data may be (read: is being) used and sold, their concerns are clear.
A recent survey we ran at Altimeter found that 38% of consumers rate their understanding of how companies are protecting their privacy as low or extremely low: 45% responded the same of their trust. But, this study also finds that while understanding and trust are low, interest is high—about half of consumers surveyed say they are interested or extremely interested in understanding how companies are using their data.
Data from TRUSTe finds that 42% of Americans are more concerned about their online privacy than they were just 12 months ago. In data from 2014, Eighty-five percent said they wanted to understand more about how their data is being collected before using connected devices. A recent survey by Nielsen supports this, finding that that 53% of Americans report their top consumer concern around IoT is that their data may be used or shared without their knowledge or consent. What businesses must understand is that this isn’t just a concerned citizenry; this is a fundamental barrier to realizing the potential (and their investments) in IoT.
As an industry analyst covering consumer-facing IoT, I cover the potential and risks of applying sensors to consumer products, services and lifestyle. I am currently conducting research on the topic of consumer perceptions of privacy around connected devices, which will inform a framework for ways businesses can indeed transform the manner, frequency, transparency, and depth to which they communicate with consumers.
As I continue this research, I am particularly looking forward to attending the growing number of conferences, consortia and other collaboration opportunities to advance this conversation. In particular, I will be attending TRUSTe’s IoT Privacy Summit, held in Menlo Park on June 17, 2015. This event has a dedicated session called “Finding a New Paradigm for Consent & Choice” which won’t just be addressing this question from a regulatory and legal perspective, but also from a consumer one.
We are in a critical juncture in the IoT industry, but also in the fate of our sociological norms and expectations, our understanding of, control over, and ability to provide informed consent around how we interact with the world around us and how it interacts with us.
Register for the IoT Privacy Summit on June 17th in Silicon Valley to join this discussion.