I remember back in 2013 when IoT was first being discussed that there was a lot of talk about creating an IoT Bill of Rights that would define the ethics that ought to be required for any smart device placed into people’s homes. The discussion then was that the benefits of smart devices could be outweighed by the harm that could come from IoT manufacturers secretly spying on us and collecting and selling personal data. There was also a lot of concern that IoT devices could provide entry points for hackers into home networks. That discussion largely died, and here we are six years later introducing IoT devices into our homes without any policies or standards defining the rights of smart device users or the obligations of manufacturers to protect privacy.
There were numerous concerns voiced in 2013 that are still valid concerns today, and unfortunately, are issues that most buyers of smart devices don’t think about:
Software Updates. We are used to routinely getting security patches and other software updates for our laptops and smartphone to keep us safe. However, few smart devices come with any mechanism for updates and over time become more vulnerable to hacking. You’ve probably heard the story of the casino that got hacked through a connection into a smart water pump in a fish tank. Hackers used that unprotected connection to gain access to the casino network. There ought to be a requirement that IoT software and firmware is somehow updated, and that would include figuring out how to deal with cases where a device manufacturer goes out of business for some reason. Unfortunately, most of our smart devices are never updated after we buy them.
Full Disclosure. There have been well-publicized cases where the public found out that IoT devices were listening in without their knowledge. There were big headlines when it was revealed that Samsung TVs could both listen and see into the living room. Parents panicked when it was revealed that Cayla dolls were listening to kids and sending conversations to unspecified data center. It’s nearly impossible today to know if a smart device includes a hidden microphone or camera since those devices are so small. Sellers of IoT devices should be required to clearly disclose when devices can watch or listen to buyers. There also should be required to provide clear instructions on how to disable unwanted surveillance.
The Sharing and Sale of IoT Data. Sellers of IoT devices ought to be required before purchase to provide full disclosure on what they do with data they collect from users. And these disclosures should be prominent and not buried in a fine print legalese terms of service document. I read late last year that as many as 1,500 data points are now gathered on the average connected adult every day. A lot of these comes from location data on our smartphones, but much of it also comes from IoT devices in the home. Manufacturers that violate privacy promises given to customers should be fined heavily.
Data Retention. IoT device manufacturers also ought to disclose how long they keep our data. It’s always an eye-opener to do a Google search on yourself and see things from fifteen and twenty years ago. At the early stage of search engines there was talk about having non-headline data purged after six months – that obviously never happened. We are just now seeing large companies figure out how to make sense out of mountains of data. It’s dismaying to think that years of old data about us, that was probably never used, can be sold to create personal profiles on each of us.
User Control of Devices. In a perfect world, the user would have complete control over the IoT devices in the home. We ought to be able to decide what data is and is not shared. We ought to be to disable surveillance. We ought to be able to encrypt and store data locally that we want to use for ourselves.
We’ve come a long way with IoT since 2013. Then there were a handful of IoT devices like the Nest smart thermostat. If you believe the Parks Associates numbers most of us have brought numerous smart devices into our homes. I’m personally going to bet the Parks number of ten devices is low because many of us own devices that are capable of connecting to our WiFi that we don’t even think about.
We’re allowing all of these devices in our homes without full disclosure from the manufacturers, with no mechanism for keeping device security up-to-date, and with no idea what data is collected on us and how it’s being used.
As consumers we ought to be able to trust that the manufactures of IoT devices are protecting our data and privacy. It’s more likely though that many IoT device makers are hoping to monetize our data, and there’s no part of the government that I’m aware of that is working on the side of the consumer for these issues. We need an IoT bill or rights a lot more now than we did in 2013.