It is 11.15am and you are in the middle of a doctor’s appointment when a reminder message for your Melbourne to Sydney flight that departs in two hours, pops up on your mobile phone. It warns you that with the current traffic conditions you will need to leave your location in the next 10 minutes to ensure you don’t miss your flight. It is the first time you have received a message like this and for a moment you wonder where this message comes from. Is this a time saving service, or an invasion of privacy?
A team of researchers from the Melbourne Networked Society Institute, led by Dr Rachelle Bosua and Professor Megan Richardson, have conducted a qualitative research project to discover how IoT users and developers view ‘privacy’ and the adequacy of current legal regulations to protect individuals’ privacy.
The study has found that both IoT technology users and developers lack understanding about the privacy issues involved with personal data collection and storage. In their haste to access new services, users often do not read the fine print and consent forms are often overly lengthy and jargon-filled. Equally many technology developers seem unaware of their legal obligations when it comes to safely seeking, using and storing people’s data.
Dr Bosua, from the School of Computing and Information Systems, and Professor Richardson, from the Melbourne Law School, suggest some modest changes could go a long way to securing our data, without threatening the benefits we receive from technological innovation.
Simple measures can ensure developers collect minimal data, are transparent about how data is used and stored, and use consent forms that are easy to understand, reducing the risk of hacking and other breaches of privacy. They also recommend that embedding legal aspects into the design and development of software should be taught as part of the curriculum.
The mobile devices we carry track most of our movements and gather data about our location that we aren’t aware of, possibly through apps that we haven’t added or don’t even actively use. More often than not, we receive IoT services, without being asked if we would like them.
To gain access to IoT enabled services, there is a vast amount of data being collected, some of which can be personal. Many of us are willing to give away our personal data in return for a service, but are we always aware of what we are giving away, how it will be used, and if it will be stored securely once collected?
Dr Bosua and her team conducted interviews with IoT technology users and developers to discover how they felt about the potential privacy issues surrounding their use of these technologies.
“Initially IoT users spoke in favour of the IoT devices they were using, focusing on the benefits, such as convenience and connectivity that they provided; most seemed unaware or unconcerned about privacy issues,” she says.
It was only as the interviews progressed that Dr Bosua noted users started to voice some concern about their privacy, as they became more aware of potential problems.
“By the end of the interview many users admitted they were no longer sure about their views on privacy, most felt that they did want more control, and better understanding of how their data was being used and why.”
Many reported that they wanted consent forms to be shorter and simpler and written in plain English.
“Users want to know how and why their data is being used, along with some guarantee that private data will be stored securely and not be vulnerable to hacking.”
Interviews with IoT developers and designers found they were also deficient in their knowledge of the privacy issues involved with data collection, usage and storage.
“We discovered there could be many young entrepreneurs, who aren’t fully aware of the right thing to do from a legal perspective. Compliance doesn’t seem to be an issue at the moment either,” explains Dr Bosua.
She is keen to see some reform to the regulations protecting privacy in regards to the IoT, but does not want to stifle technological innovation, acknowledging IoT developers are creating innovative solutions and services that can be of huge benefit to our lives. She believes privacy can be protected by some simple changes, such as moving towards a model of privacy by design, in which a minimum standard of data protection is guaranteed, and enforcing more transparent standards.
Teaching IoT developers to apply privacy by design should be the default position, she says.
“We must start with educating developers about privacy and this should begin with the education system.”
But why is privacy online so important? When you sign up for a new IoT service and provide your data, it flows into the digital domain, and forms a digital footprint of who you are. Your digital footprint has a long lifespan and can give a misleading impression of who you are today. Youthful mistakes may live on in the cyber world, long after they have ceased to have any meaning or relevance to you, and can cause damage.
“Potential employers often check social websites before hiring staff, which can lead to people having real regrets if they have given too much of their privacy away,” Dr Bosua says.
The tools that analyse big data are getting smarter and can recognise patterns in data to make inferences about users. So for example, if you are a person that regularly sees the doctor, a negative inference could be made about your state of health, which could increase your health insurance premium.
In a world that is so reliant on online service delivery, hacking has become a major problem. Cybersecurity will become more and more crucial as time goes on.
“More robust security tools focusing on small devices will need to be developed and I think as our awareness of buying things and getting access to services increases, we will become more careful about security and privacy,” says Dr Bosua.
Dr Bosua suggests the development of a locking system could be beneficial, so that very personal data could be locked down more securely and data that is not as important, could have less strict controls applied. For example, extremely private data such as health data that may be used by a personal medical device such as a wirelessly enabled pacemaker or a drug infusion pump, would require a very secure lock, whereas wellness data collected through a device such as a Fitbit, might not need such secure locking.
While hacked wellness data may result in a higher health insurance premium, hacking into a medical device could actually lead to someone’s death and was the reason former US Vice President Dick Cheney had the wireless capability of his pacemaker disabled.
Dr Bosua says the only reason that stricter regulation and more transparency has not been required in Australia to date, is that nothing has gone badly wrong yet.
“We have gone a bit out of control with the information that is online, but often the law kicks in when things go wrong. People don’t have a good awareness of what they are giving away and asking the right questions such as: do I need this service? Is it legal? Will they use my data with protection and security in mind, or not? We need to be more aware and start doing this differently.”
Banner image: iStock