Without a doubt, Internet of Things (“IoT”) offers us convenience and effectiveness that we have not envisaged before. We are so accustomed to IoT devices that they become an indispensable part of our daily routine. Utility aside, we will look at the associated privacy risks.
IoT refers to the interconnection of ordinary household or personal devices via the Internet. IoT devices are generally equipped with sensors, able to communicate and exchange data with other devices, and can be controlled remotely. Examples of IoT devices include smart watches, smart TVs, AI home assistants, connected cars and smart lamp posts. IoT devices are integral to ‘smart living’ and ‘smart cities’. Core functionalities of IoT devices entail the collection and transmission of data, and often with some levels of automated monitoring and decision-making.
Many IoT devices such as wearables, smart TVs and home appliances have the ability to collect a vast amount of intimate information concerning an individual’s health, movements, habits and private life. Piecing together information gathered via different IoT devices could allow a profile to be constructed of the IoT user. The tracking of an IoT device may be tantamount to behavioural tracking of the user.
In August 2018, the US Court of Appeal for the Seventh Circuit handed down a judgment in Naperville Smart Meter Awareness v City of Naperville, No. 16-3766 (7th Cir. 2018) that energy consumption data of a household collected by a smart energy meter was protected by the Fourth Amendment to the US Constitution (ie the right of people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures) because the energy usage data revealed information about the happenings inside the house. In spite of this, very often individuals are not aware that data is being collected by the IoT devices, the purpose of collection and where the data may end up. There is virtually no transparency and proper notification provided to the users on the vital information concerning their personal data.
Pursuant to the requirements of the Data Protection Principle (“DPP”) 1 of Schedule 1 to the Personal Data (Privacy) Ordinance, organisations (data users) have the obligation to collect data in a lawful and fair manner. It is essential that consumers (data subjects) are notified of the purpose for which the data is to be used, and the potential for any data to be transferred to third parties. Data collection must not be conducted covertly. DPP 3 (Use of Data) requires data users to obtain data subjects’ consent for secondary use of personal data, such as profiling of the data subjects and advertising.
Data security is another sticky issue relating to IoT. IoT devices being relatively inexpensive, manufacturers and users may not have put in place adequate security measures in the devices. In an IoT ecosystem with many devices interconnected, the security level of the whole system may only be as strong as the weakest access point. Hackers may infiltrate information systems by first hacking into insecure IoT devices. Hackers may also launch distributed denial-of-service (DDoS) attacks by controlling thousands or millions of compromised IoT devices. Corroborated by the figures published in the Hong Kong Information Security Outlook 2018 of the Hong Kong Computer Emergency Response Team Coordination Centre, IoT attacks are clearly on the rise. Organisations have an obligation under DPP 4 (Data Security) to take all practicable steps to ensure that personal data under their control are protected against unauthorised or accidental access, use or loss. Security measures should be proportionate to the risk of harm of any potential breach.
We as individual IoT devices users should also be vigilant about the security setting of our IoT devices. For example, some time ago, a lot of webcams were compromised by hackers, leading to the online broadcast of device users’ lives at home. To stay away from the prying eyes, we could simply change the log-in credentials of our webcams (and other IoT devices) from factory defaults to user-customised ones.
To tackle the security problem at source, we highly encourage manufacturers of IoT devices to adopt the practice of Privacy by Design, and that consumers only deploy those IoT devices which have incorporated such design.
Website of the Privacy Commissioner for Personal Data, Hong Kong: www.pcpd.org.hk