How far are we from Netflix Black Mirror TV Show?
To what dangers is our privacy exposed when using IoT devices?
1. Introduction to IoT
Netflix Black Mirror – a science fiction TV Show based on stories of Charlie Brooker – illustrates the terrifying ways technology can affect our lives and focuses essentially on tech’s dark side. One episode of this TV Show (called “Nosedive”) describes a dystopia where people’s lives are conditioned by ratings given by other persons and these ratings affect people’s rights and opportunities.
While it might seem a very distant reality, the threats posed by a few emerging technologies are not as far as today’s technological challenges show.
In this made-up episode, the protagonist (Lacie Pound) shares her daily activities through mobile devices and rates interactions with others on a scale of one to five stars, which has an impact on the others´ socioeconomic status. Due to a series of misfortunes, Lacie became negatively rated, which affected her personal life (for example, she was not allowed to rent a car or to buy a house). The rating was provided through eye implants which were connected to a social media app in the mobile phone.
This network connection between devices is called the Internet of Things (IoT). IoT enables everyday objects (vehicles, mobile phones, wearable devices, washing machines, etc.) to be connected in such a way, that they can send and receive information from each other and report about their status and the surrounding environment. The benefits brought by IoT are unquestionable, for example in smart homes enabling energy costs savings, or in healthcare sector while ease monitoring has become standard. However, the amount of data collected and shared between IoT devices is enormous, which raises important issues concerning the protection of user´s privacy.
It is estimated that the overall consumer IoT revenue worldwide will grow from € 105.7 billion in 2019 to approximately € 404.6 billion by 2030 (according to Transforma Insights, December 22, 2020). This evolution has been followed by the European Commission, which has launched an inquiry into the sector of IoT for consumer-related products and services in the European Union on 16 July 2020 and has recently published the preliminary report setting out the key findings of the sector inquiry into the consumer Internet of Things. Furthermore, in the Digital Single Market Strategy for Europe, the European Commission has underlined the need to avoid fragmentation and the importance of fostering interoperability for the IoT to reach its potential.
2. Categories of consumer IoT devices
During the past decade, IoT transformed our world, contributing with endless benefits to people’ lives and routines. We now see IoT spread all over the retail industry, supporting and simplifying our daily routines.
There are many types of consumer IoT devices, being the most popular:
a. Voice Assistants
Voice assistant is a software that can perform a variety of tasks or services acting both as a platform for voice and user interface applications.
The voice assistant collects the voice command, understands the request and generates the information identified as appropriate and/or responds to the user with the most appropriate option or a list of alternatives. Voice assistants might have different functionalities, such as (i) controlling smart home devices, smart displays, and smart watches; (ii) providing information (e.g. news, sports scores, recipes, and weather); (iii) assisting in planning daily routines (e.g. booking a taxi ride or creating calendar events); or (iv) playing music and videos, or listening to the radio.
b. Smart Wearables
Wearable devices are electronic devices that people can wear and that are able to collect, send and receive data through a network. Such devices generally include sensors and are powered by an operating system. Wearable devices include products such as ear-worn devices (earphones, headphones, earbuds) and wrist-worn devices (smart watches, fitness trackers and sport watches), as well as other wearable items (e.g. smart clothes and shoes, smart glasses, head-mounted displays, virtual reality headsets).
c. Smart Homes
A home is considered a smart home when it provides a better living standard with the benefits of energy saving, safety, flexibility, and the comfort of IoT devices. There are many functionalities that can be taken into consideration while building a smart home, such as temperature sensors, automatic refrigerators, washing machines and ovens, sound systems, smart TVs and receivers, smart light systems, intruder detection system and voice-detecting devices (echo bot).
3. Types of personal data
Manufacturers and providers of consumer IoT products and services might collect data in different circumstances.
Data might be collected directly from the user (e.g. personal and contact data provided by the user when installing a device) or by the device through its use, with or without direct interaction with the user (e.g. data collected by a smart TV whenever a user carries out certain actions or the map of a house stored by robotic vacuum cleaners in their internal memory). Besides, IoT devices can collect data automatically during their functioning or when in standby mode, and can passively collect data in situations where the user has not taken any action (e.g. the functioning of security devices do not require user interaction once they have sensors that collect data, including visual and acoustic data when they are triggered).
The type of data collected depends on the nature of the IoT device:
a) Voice assistant: data collected during the interactions with the device and data collected beyond such interaction (e.g. what device the request was made from such as its location or IP address);
b) Smart wearables: biometric data about users and data about the activities they perform (e.g. height and weight, heart rate during exercise and while at rest, body temperature, data on sleeping patterns); and
c) Smart home: user behavior and the usage history of the device (e.g. preferred beverages and times for making coffee collected by a coffee machine, information on user´s behavior regarding the frequency of use of the device or the preferred times for using it).
4. Privacy and data protection risks
The regularly processing of large volumes of personal data by consumer IoT devices may result in severe privacy implications. Where the collection of data by IoT devices involves the processing of personal data of individuals, the General Data Protection Regulation (2016/679) will apply.
The risks arising from the processing of personal data in the context of IoT devices have been already underlined by the European Data Protection Board (WP29 – Opinion 8/2014, on the Recent Developments on the Internet of Things and endorsed by EDPB).
a. Lack of control and transparency
Users may not always be properly informed about the processing of their personal data through a consumer IoT device, neither about the fact that the exchange of information and data between IoT devices is automatic. Moreover, users may be unaware of the type of data that is being shared, as well as the inferences that can be drawn from their data and the extent to which their data are accessible to third parties. In these circumstances, data may be processed for a different purpose from which they were initially collected. As a result of the information asymmetries and the lack of transparency, users find themselves in a vulnerable position.
b. Lack of informed consent
The existence of information asymmetries raises questions about the validity of the consent, which is a cornerstone of EU data protection law and the primary legal ground for data processing on the consumer IoT devices. To be valid, the consent must be informed and in order for consent to be properly “informed”, the European Data Protection Board (”EDPB”) lists a number of essential elements: the data controller’s identity, the purpose of the processing, what type of data will be collected, the right to withdraw consent, the use of automated decision-making, and possibility of data transfers (WP29 – Guidelines on Consent under Regulation 2016/679, endorsed by the EDPB).
Furthermore, consent must be as easily withdrawn as it is given. However, the possibility to renounce certain services or features of an IoT device is commonly only theorical. This situation might lead to the question of whether the consent to the data processing by IoT devices can then be considered as freely given, hence valid under EU law.
c. Inferences and repurposing of original processing
Data originally collected by an IoT device for a certain purpose might then be used to infer other information with a totally different goal (for example, smart watches collect information about the user´s average steps by day and might deduce potentially sensitive information concerning user´s physical condition). Hence, the information that users originally accepted to share with the IoT device might be used for a totally different purpose.
d. Profiling and discrimination
The collection of numerous data by these devices – most of the times, these devices collect much more data than necessary – allows the analysis of an individual life and behavior patterns, easing the creation of profiling. Linkage between IoT devices and services can contribute to discriminatory profiling (e.g. insurance companies, employers and police can use the data in combination with their own databases for purposes not consented by the user). Besides, the impossibility of remaining anonymous when using these services leaves users in a very exposed position.
e. Security of personal data
The plurality of functionalities, services and interfaces offered by IoT devices increases the risk of cyberattacks and the number of potential vulnerabilities through which personal data might be compromised. In addition, personal data collected by IoT devices and shared with a variety of platforms may be stored on service providers´ infrastructure that may not be adequately secured against unauthorized access.
5. Conclusions and general recommendations
Considering the threats to privacy related to the collection of personal data by IoT devices, manufacturers and providers of these products and services shall take reasonable measures to mitigate such risks, namely by:
i) identifying the minimum amount of personal data needed to fulfill the purpose of the data processing. In most situations, IoT manufacturers and providers only need aggregated data and do not need to store the raw data collected by the devices;
ii) respecting the principles of privacy by design and by default, through the implementation of technical and organizational measures at the earliest stages of system’s design, in such a way that safeguards data protection principles and ensures that personal data are processed with the highest privacy protection (for example limiting accessibility to such data);
iii) providing enough information to the users concerning the terms of the processing of their data (e.g. describing the categories of data collected and identifying the third parties to which the data might be transmitted), as well as offer the necessary tools for users to exercise their rights (namely by offering the right to refuse consent in a user-friendly way);
iv) collecting the informed and free consent to the use of the devices and to the resulting data processing;
v) performing a Privacy Impact Assessment in accordance with the methodology published in WP29, Guidelines on Data Protection Impact Assessment endorsed by the EDPB;
vi) adopting the necessary security measures to ensure the confidentiality and integrity of the data, for example by developing anonymization (when possible) or encryption and communication protocols adapted to the specificities of IoT, guaranteeing authentication and access control;
vii) drawing up a data processing agreement with data processors that process personal data on behalf of the manufacturer or of the provider;
viii) respecting the safeguards foreseen in Chapter V of the GDPR if data is transferred outside the European Economic Area.
Minimize the privacy impact of IoT devices will contribute to build consumer´s trust on these products and services which is essential to improve IoT ecosystem. In fact, trust and transparency play a major role in the implementation of these technologies, helping consumers to overcome the risks related to IoT technologies.