Internet of Things and Privacy - Issues and Challenges - Office of the Victorian Information Commissioner (2023)

Introduction

The Internet of Things (IoT) is a broad term that generally refers to physical devices connected to the internet that collect, share or use data. This includes personal wearable devices such as watches and glasses, home appliances such as televisions and toasters, features of buildings such as lifts and lights, supply chain and industrial machinery such as forklifts and sprinklers, and urban infrastructure such as traffic lights and rubbish bins.

IoT devices and the data they collect can provide convenience, efficiency and insights into essentially every aspect of our world. For the public sector, the IoT is currently providing many benefits and has the potential to generate even greater public value in the future.

Smart bins can alert waste trucks when they are nearly full, networked ticketing systems can help optimise public transportation, and automated attendance systems can free up time for teachers in classrooms.

Consumers, governments and businesses everywhere have been increasingly using IoT devices, and it is widely expected that the use of IoT will continue to expand rapidly. However, rushing into the IoT without proper consideration of privacy can lead to harmful and unexpected consequences. As the IoT grows, the amount of data it generates will naturally increase alongside it. These large collections of data can, in many cases, constitute personal, health and sensitive information, raising many privacy challenges.

This paper has been developed to assist the Victorian public sector in understanding some of these challenges. It may also be useful to a broader audience.

Personal information

It is very common for privacy laws, such as Victoria’s Privacy and Data Protection Act 2014, to focus on the protection of personal information. While the definition of personal information varies between jurisdictions, it normally refers to information about an identified or identifiable individual.

Privacy laws generally protect personal information by giving individuals control over if how their personal information is handled by governments and businesses. Organisations using IoT devices that collect or use personal information must abide by laws and regulations that prescribe how personal information can be handled.

Wearable and home IoT devices frequently collect personal information, including biometric data such as voice and gait characteristics, and personal preferences such as eating habits and preferred TV shows.

These devices, and the data they collect, can be used to provide great convenience and benefits to consumers. For example, smart climate control systems can be controlled remotely and fitness trackers can provide personalised workout routines to their wearers.

Outside of consumer IoT devices, the amount of personal information collected can vary greatly. Smart buildings can use smart heating and lighting systems to greatly reduce energy consumption without collecting personal information. On the other hand, a building could have an IoT reception system to automatically verify the identity of visitors and issue them an access card, requiring the collection of personal information.

Smart cities often collect massive amounts of data, however whether or not those data collections are personal in nature can vary from city to city. It is common for smart cities to use IoT devices to collect data about the movements of pedestrians, public transport riders and traffic, as well as information about water and electricity usage. Data such as this can provide detailed insights into how cities work and can lead to better informed decisions. However, if smart city data is personal information, such as movement data linked with identified individuals, it can be potentially invasive and carries a greater risk of being misused.

As the name suggests, the Industrial Internet of Things (IIoT) refers to the rapidly growing practice of using IoT devices for industrial applications. The industrial focus of IIoT ecosystems means that they generally collect less personal information than regular IoT ones. However, the IIoT is not without privacy issues. For example, trucks and other heavy vehicles can have IoT devices that identify when a driver is fatigued, alerting their employer; and factory workers can wear wristbands that sense when they are fidgeting or procrastinating for extended periods of time, potentially leading to disciplinary actions.

Much of the data collected by IoT devices, personal or otherwise, was previously difficult to collect. For example, some fitness trackers can measure blood pressure, something that otherwise requires specialised equipment to collect. With millions of fitness trackers, the blood pressure of large groups of people can easily be collected. Data such as this could benefit everyone through better health research, but it could also cause harm if used inappropriately, such as by an insurer raising the premiums of fitness tracker users with high blood pressure.

Related technologies

The IoT contains and interacts with a broad range of technologies. This section will briefly cover the most relevant ones.

Artificial intelligence

Artificial intelligence (AI) is a field of computer science with the goal of creating computer systems that can perform tasks that normally require human intelligence. AI commonly performs tasks such as identifying objects, transcribing speech, making decisions and so on.

The most effective forms of AI at the moment are based on deep neural networks, which require large amounts of data to learn and work. The data collected by the IoT is well suited for use by AI, which in turn can provide IoT devices with functionality such as processing voice commands.

Cloud computing

The cloud refers to networks of computers that are used remotely instead of locally. It is made up of software, platforms and infrastructure that is provided on-demand to users. Common cloud services include running applications and storing, processing and delivering data.

IoT devices frequently use a range of cloud services. Data collected by IoT devices is often stored or processed on cloud platforms, primarily due to the scalability of cloud and limits on storage and processing power on small IoT devices, but also because many IoT companies see additional value in being able to easily access data from IoT devices.

Network technologies

IoT devices are almost always connected to the internet or private networks. Wearable, home and office devices tend to connect to networks using short range technologies such as Ethernet, Bluetooth or WiFi, while larger IoT ecosystems such as those in cities or farms often use longer range technologies such as cellular or satellite networks.

5G is a cellular network technology set to replace 4G. For the IoT, 5G will bring a range of benefits such as allowing many more devices to be simultaneously connected, and being able to track the location of those devices with considerably higher precision and accuracy.

Privacy issues

As noted above, the IoT poses a number of challenges to information privacy. This section provides an overview of the kinds of privacy challenges organisations and individuals can face.

Collection, use and disclosure of IoT data

The data collected from IoT devices generally comes from sensors including microphones, accelerometers and thermometers. Data from sensors such as these is often highly detailed and precise. This granularity allows additional information to be easily created through machine learning inferences and other analysis techniques that can yield results that would not be possible with coarser data.

In addition, devices with multiple sensors, or multiple devices in close proximity, can combine their data in a process known as sensor fusion, which allows for more accurate and specific inferences that would not be possible with data from a single sensor. For example, sensor data about the temperature, humidity, light level and CO2 of a room can be combined to track its occupancy with considerably higher accuracy than would be possible with only one of those kinds of data.

Inferences such as these can be extremely useful for a range of purposes, but they can also be highly personal and unexpected. Individuals are generally uncomfortable with organisations using IoT data to infer information about them. For example, IoT devices such as smart speakers can use inferences to make sales pitches, however, the use of inferences in this way can pressure individuals into making transactional decisions that they otherwise would not have made, particularly if they take place in a non-retail environment such as a home.

Care should especially be given to the purposes for which data is used when it is collected from people who have no choice. For example, the energy efficiencies created by smart meters and the ease of servicing them can cause utility organisations to cease offering and supporting traditional energy meters, meaning that residents may have no choice but to use smart meters.

However, smart energy meters can reveal a range of profoundly personal information about individuals, including obvious information such as how often they use their washing machine, and less obvious information such as which television shows they watch.Organisations such as insurers, advertisers, employers, and law enforcement are likely to find data and inferences from IoT devices such as smart meters highly valuable. However, care must be given to the appropriateness of using and disclosing such data when opting-out is not possible.

When personal information is collected by public IoT ecosystems such as smart cities, consideration must be given to who will own and control the information, and for what purposes it will be used. When a public entity like a city partners with a private organisation to use IoT devices or services, the city must ensure that personal information will be used and disclosed in line with the best interests of the citizens of the city. If private organisations that provide IoT devices or services can access IoT data, there is a risk that they could use or disclose personal information for purposes that are not in the public interest, such as for profiling, targeted advertising or sale of the data to data brokers.

At a more abstract level, humans change their behaviour when they are aware that there is a possibility they are being watched, causing them to self-police and self-discipline. Online, users constrain and censor themselves based on who could potentially see their activities. And when smartphones first became ubiquitous, the ability to easily upload information caused a ‘chilling effect’, in which people modified their ‘offline’ behaviour in response to the possibility of what could be made available online. It is currently unclear what effects the IoT could have on human behaviour and freedoms of expression through widespread data collection; one possibility is that the ‘chilling effect’ could spread to previously private spaces such as homes.

IoT devices can also allow practices that were previously only possible online to occur in physical spaces. For example, retail stores can restrict entry to people who have created an account through the use of automated gates that require an app to pass through. Online, AI can be used to predict how much a customer would be willing to pay, allowing a store to adjust its prices accordingly.IoT devices could potentially allow brick and mortar stores to easily perform similar price targeting.

De-identification of IoT data

The data collected by large IoT ecosystems like smart cities can be valuable for a range of purposes such as research or informing policy decisions. A common way to maximise the value of this data is to make it publicly available online. However, it is generally impermissible for datasets that include personal information to be made publicly available.

The simplest way to ensure personal information is not included in a dataset is to allow individuals to remain anonymous by never collecting information that can identify them. For example, a smart city could count pedestrians using IoT sensors that record movements, instead of images or video.

The process of removing personal information from a dataset is called de-identification. However, data collected by the IoT is often very difficult to de-identify due to its highly granular nature.Longitudinal information is especially hard to de-identify, even when aggregated.

A common way that organisations attempt to remove personal information from data collected from IoT devices is through hashing, transforming the data by means of an algorithm. However, hashing does not permanently de-identify information; instead it pseudonymises information by replacing an identifiable individual with what is effectively a unique identifier. While hashing can be useful for protecting personal information in some cases, hashed information is generally very easy to re-identify.

There are many other risks with sharing non-personal or de-identified IoT data with third parties. For example, the receiving organisation could use auxiliary information to re-identify it; AI could infer personal, or even sensitive, information from the dataset; and if the dataset is used to train an AI model which is then shared, information about individuals in the dataset could be revealed.

Consent

Consent is a common basis for organisations to use and disclose personal information. However, valid consent generally requires more than getting a user to click ‘I agree’. Meaningful consent has five elements: capacity, voluntary, current, specific and informed. The IoT challenges each of these elements.

Capacity

An individual must be capable of giving consent for it to be valid. A common reason that an individual does not have the capacity to consent is because they are a minor. For IoT devices targeted to children, such as smart toys, or devices designed to monitor children, such as IoT tracking wristbands, an authorised representative such as a parent or guardian may consent on behalf of the child. However, whether or not a minor is capable of providing consent becomes less clear as they mature. For IoT devices aimed at parents who want to monitor their teenagers, consent can be complicated.

Voluntary

Consent must be freely given in order to be meaningful. It must be a genuine choice. If an individual must choose between giving consent or not being able to use a device they have purchased, then that consent may not be voluntary. If accepting terms and conditions is a prerequisite to using an IoT device and refusing those terms will result in an inoperable device, it is likely not a genuine choice and therefore not meaningful consent.

In addition, IoT devices in shared spaces like smart cities, retail stores, smart homes or connected cars generally do not have an opportunity to provide notice and obtain consent from every person whose information is collected. Even if a device does have an opportunity to provide information and collect consent, the consent may not be meaningful if individuals have to choose between consenting or not entering a physical area.

A similar situation occurs when employers require employees to wear IoT devices. The purpose of these devices is generally to collect information about employees. For example, IoT wristbands can monitor warehouse workers’ performance; smart badges can measure the tone of voice, excitement and passion of call centre staff; and chemical sensors placed on doctors can detect when they have gone too long without washing their hands. If using devices such as these is a condition of employment, it is likely not possible for an employee to provide voluntary consent to the use of information collected by such a device, as if they choose not to give their consent, they may be ineligible for the job.

Current

Consent cannot be assumed to last indefinitely. The seamless and unobtrusive nature of IoT devices often makes it easy for people to forget they are there or what they are doing. Smart devices such as watches, doorbells, and billboards can blend into the background as they collect, use and share personal information.

Additionally, the way that an IoT device operates can also change over time. For example, a device may have a sensor that is inactive and serves no purpose when the device is first brought to market, but the vendor may later enable the sensor and introduce features that utilise it.Alternatively, an IoT vendor could be acquired by a different company that has different privacy practices, or could collect and use personal information for new purposes that existing users may not expect.

One off ‘I agree’ consent mechanisms are a single decision at a single point in time that may be inappropriate for the ongoing and evolving nature of the IoT.

Specific

Consent must be specific to an identified purpose. It is not possible for an individual to provide meaningful consent to their personal information being used for a vague or broad purpose. If an IoT device provides unspecific information, users can develop misconceptions about what happens to personal information collected by the device and can be surprised when they discover what they actually agreed to.

Informed

An individual must have full knowledge of all relevant facts for their consent to be meaningful. This includes, but is not limited to:

• what information will be collected, used or disclosed;
• the purpose for collecting the information; and
• who the information will be shared with and what they will do with

The complex interactions between the functions of an IoT device – and the interactions between different devices, organisations and third parties – can make it difficult for users to develop mental models for visualising how their devices operate, what information they collect, and how they use and disclose that information.When users do develop mental models, they can be inaccurate due to being based on misplaced assumptions about how devices work.Users may be further confused by extensive IoT terminology and jargon that is often used inconsistently.In addition, AI inferences can make it hard for individuals to understand what organisations could learn about them from information collected by IoT devices.

These factors, compounded by transparency issues discussed later, can make it difficult for individuals to understand how an ecosystem of IoT devices, infrastructure and organisations work, which can ultimately make it difficult for individuals to provide informed consent.

Dependency on vendors

Organisations and individuals who use IoT devices are often dependant on the vendors or manufacturers of those devices to handle security and privacy issues through the delivery of software or firmware updates to fix security vulnerabilities. Sometimes they are reliant upon vendors to ensure that collected personal information is sufficiently de-identified before it is shared.

However, vendors often focus on specific parts of IoT ecosystems and will not necessarily consider how those ecosystems function holistically. Vendors may also be based in jurisdictions with less adequate privacy legislation. They also frequently prioritise ease of use, novel functionality, and getting to market quickly, over privacy and security risks.Consumer IoT device manufacturers are predominantly consumer goods companies rather than software or hardware companies. This means that IoT vendors may not have adequate awareness of privacy and security issues, or the expertise to address those issues.

Vendors and owners of IoT devices often have different expectations for how long a device will remain in service. A vendor may cease supporting a device, or a third party may discontinue a service on which the device depends, long before the device’s owner anticipates retiring the device. A vendor ceasing support for an IoT device can lead to greater privacy and security risks compared to traditional devices. Software usually becomes more vulnerable as it ages, and it is often impossible for entities other than the device’s manufacturer to access or modify an IoT device’s software or firmware. This can leave privacy issues and security vulnerabilities unfixable and potentially invisible to the owners of the devices.

Interoperability

The rapid expansion of the IoT in recent years has led to the development of many different kinds of devices, Application Programming Interfaces (APIs) infrastructure, data formats, standards and frameworks.An API is a way for a computer to communicate with another computer, or for a person to interrogate or instruct a computer and get a result.

This has caused significant interoperability issues, in that devices, software and data from one vendor often do not work with devices, software and data from other vendors.

Inconsistent APIs and data formats can cause problems with data portability, where the data of users or organisations is stored in vendor ‘silos’ that are incompatible with one another, making it difficult to transition from one vendor to another while keeping existing data.

This lack of portability can lead to privacy and security issues. For example, if a smart city’s IoT vendor was found to have deceptively poor privacy practices, the city would face a choice between a potentially expensive struggle to transition to a new vendor, shutting down features or services of the city, or accepting that their citizens’ privacy may be interfered with.

These interoperability issues can also cause individuals to become ‘locked-in’ to a specific vendor. If every device in an individual’s smart home was from a single vendor, then that individual may be discouraged from purchasing a new device from a different vendor if it would be incompatible with their existing devices. In addition, the compatibility of devices can change over time as vendors support or lock-out other vendors.

Managing IoT devices

Many consumer IoT devices are ‘plug and play’, meaning that users are not required to configure them before use; they simply work out of the box. However, the default configurations of IoT devices tend to provide suboptimal privacy and security protections, and many users do not change settings from their defaults.

In addition, consumers will not necessarily be aware that a device is an IoT device. An individual replacing their old refrigerator might not realise that their new refrigerator is an IoT device and may not fully understand the implications of that.

For organisations, a particularly problematic issue is that many IoT devices do not have centralised management features, and the devices that do have those features often do not follow any particular standard.This means that identical devices may need to be managed independently from one another, and devices from different manufacturers often need to be managed through different interfaces. This can cause significant challenges when managing IoT ecosystems at scale.

When management options are not centralised or interoperable, the resources required to manage devices increases as the number and diversity of devices increases. If an organisation had thousands of devices from dozens of manufacturers, it would be near impossible to effectively manage them individually.

This issue can also apply to consumer devices, where it is common for devices to be managed by smartphone apps. If a person owns 10 IoT devices, they may require 10 different apps to manage them, likely leading to those devices being effectively unmanaged.

And when devices are not properly managed it can lead to privacy and security risks. For example, an organisation’s unmanaged device could continue to collect personal information after it is no longer needed for any purpose. Or, a device may not receive updates and become vulnerable to attack, allowing an intruder to access the rest of an organisation’s network, or use the device to disrupt the networks of other organisations.

IoT devices also generally provide less flexibility for administering or managing devices compared to traditional hardware. For example, it may be impossible for the owner of an IoT device to choose when to update the software of the device, with that decision restricted to the device’s manufacturer. Conversely, it may be impossible to use a device without updating it.

Accountability

The number of organisations that can be involved in an IoT ecosystem can make it difficult to identify who is, or should be, accountable for what. For example, an IoT camera could be owned by a local council, with data transmitted via a telecommunications company, stored by a cloud service provider, and accessed by law enforcement.

Each entity in this example has some degree of responsibility for the personal information collected by the device, and it may be difficult for an individual to know who to contact if they wanted to request access to the information that the camera has collected about them.

The nature of IoT devices can make it impossible for an organisation to have control over every aspect of it. For example, organisations often have little or no control over security and privacy risks with communication technologies such as satellite or 5G, as these are usually provided by third party telecommunications companies. This can also be the case for cloud services, which can allow users to have anywhere from no control to high control over the security and privacy settings of services they are using.

It is also common for organisations to have unmanaged ‘rogue’ IoT devices connected to their networks. Employees can easily bring personal consumer IoT devices such as smart speakers or watches and connect them to the organisation’s network. Groups within an organisation can also install devices such as IoT televisions in meeting rooms or smart appliances in kitchens.

These devices can pose privacy risks by, for example, collecting the personal information of unsuspecting employees, and can cause security risks by providing attackers with an easy entry point into an organisation’s network. These rogue IoT devices can be challenging for organisations as the individuals who should be accountable for them are often not aware of their presence.

Transparency

The passive nature of many IoT devices can make it difficult for individuals to be informed that their personal information is being collected. Devices in public spaces can collect information automatically, sometimes relying on individuals to opt-out if they do not want their information collected. But the non- interactive nature of many IoT devices makes it hard for opt-out models to work. Users may not be aware that their information is being collected, let alone that they can opt-out of that collection.

Additionally, when individuals want to inform themselves about what personal information a device collects and how that data is used, it can be difficult to find relevant information. IoT devices frequently do not have interfaces such as screens or input mechanisms such as keyboards, making it difficult for IoT devices to provide clarifying information like privacy policies.

Instead, individuals are often required to navigate to the device manufacturer’s website or download an app. However, even when privacy policies for IoT devices are easily accessible, many of them do not provide sufficient information about how personal information is collected, used and disclosed.

The transparency of IoT devices could be further complicated by organisations seeking to use intellectual property rights to protect the way an IoT device collects or uses personal information, the data collected by devices, or the inferences and insights garnered from that data.

There are also challenges with individuals seeking access to their personal information collected by IoT devices. It cannot be assumed that an IoT device will have a single user, or that the user will own the device. This means that an IoT device can collect and store information about a range of people, and may allow users to access the personal information of other people. This is a difficult problem to solve as the lack of interfaces can make it difficult for devices to authenticate users to ensure they can only access information about themselves.

Conclusion

The IoT is expected to grow rapidly, increasingly connecting different aspects of our lives and further blurring the lines between online and offline worlds. Ultimately it is a tool that has the potential to bring benefits for everyone. However, the expansion of the IoT will allow for new kinds of personal information to be collected and increase the amount of personal information collected in general.

How this data is used will play a large part in how much good the IoT creates. Traditional methods used to protect privacy and better inform individuals about how their personal information is collected, used and disclosed are largely incompatible or insufficient for IoT devices. New and innovative solutions that can work with devices and services that essentially form infrastructure may be needed.

Strong governance and transparency are also needed to reap the benefits of the IoT. Individuals should not have to choose between privacy and the convenience and efficiency of the IoT; it is essential that everyone be able to enjoy both.