Connected devices: The next frontier of data privacy?

As technological innovations continue to push human boundaries to new heights, the internet of things (IoT) has long been prophesized as the ‘next big thing’.

In case you didn’t know, the IoT basically refers to a network of connected objects able to collect and exchange data using embedded sensors.

It marks the era of the ‘smart home’, where in theory, consumers will be able to adjust temperatures, check what’s in the fridge, close windows and more, all from the palm of their hand (aka their smart phone device).

Right now, it is connecting more devices every day to the extent that by 2026, as per Insider intelligence, there will be 4.3 billion IoT mobile connections worldwide and more than 64 billion IoT devices installed. 

The application of IoT finds presence in almost all domains, including smart homes, wearables, smart cities, connected cars, etc. The increasing penetration of connected devices in consumer space, healthcare, and education verticals has undoubtedly transformed our way of living.

However, its wide adoption in our daily lives, from wearable gadgets to industrial IoT applications, is not risk-free.

It comes with a challenge: the data privacy of common users. 

As a recent Which? survey found, organizations seem to be gathering more data than is needed for products to function, for example, smart washing machines requiring people’s date of birth and smart TVs collecting viewing habits. This data is then being shared with third-parties, like TikTok and Meta, often without clear communication from the company selling it.

So what are the risks that come with connected devices and smart homes?

How should brands that develop and manage smart devices behave when it comes to data privacy in order to achieve compliance and build trust with consumers?

Technological advancement comes with a challenge: Data privacy 

IoT devices can collect user data for a number of purposes. It includes monitoring performance or controlling functions, providing personalized advertising or recommendations, analyzing trends to predict future behavior, and improving safety and security by detecting accidents or crimes. This variety of data is collected from sensors embedded in IoT devices, the configuration of devices, applications, or websites used, along with the personal data of users themselves. 

Data collected from a single device may not be problematic, but combining data across several devices may reveal patterns about a user’s behavior or preferences. As smart homes are increasingly becoming hubs of connected devices (be it a home security alarm, washing machine, electric toothbrush, or wearables), users’ concerns about organizations’ ways of managing and controlling data have become apparent. 

Despite the tons of benefits the internet of things may offer in the name of uplifting human lifestyles, it raises pressing privacy concerns. When consumers purchase and use IoT devices and services, companies often require them to accept their privacy policies. It empowers them to use personally identifiable information (PII) for their own purposes, including to transfer and disclose certain data to third parties. 

Mergers and acquisitions, especially as larger technology companies increasingly acquire smaller upstarts, allow large technology companies to obtain copious amounts of data about individuals across multiple platforms and devices. This consolidation of data through cross-device and platform tracking could empower businesses to track individuals’ movements, activities, and behaviors. It can also be used to build a 360-degree profile of the interests and preferences of users, leading to unbridled privacy and security-related risks. 

Concerns about data privacy and security have reached a critical juncture 

Amid people becoming increasingly conscious of privacy and, in effect, moving away from social media due to privacy concerns, incessant tracking, which once was confined to the walled garden of the online world, seems to pervade and intrude into physical spaces via connected devices. 

Often, users are unaware of the ways in which the data is being collected about them, how it can be used, and the controls over the data collection mechanisms. If left unchecked, IoT data combined with businesses’ traditional data business models can lead to unbridled expansion of surveillance capitalism, with a far-fetched consequence “predict and modify human behavior as a means to produce revenue and market control.” 

Although laws like GDPR and CCPA do provide protection against unlawful processing, IoT devices raise risks that fall outside the jurisdiction of contemporary data protection laws and regulations. These laws address data protection and privacy in general but do not provide comprehensive solutions tailored to the unique challenges posed by the IoT. For example, sensor data and non-identifiable data often fall outside the scope of these regulations. 

Implications of rapidly expanding ecosystem 

An average user interacts with at least 3 to 5 devices on a daily basis. This number is estimated to put about 15 connected devices into the hands of every consumer by 2030. Data generated and consumed by IoT devices speaks volumes about the risks of IoT. Simple data that may seem to pose no risk can be sensitive in certain contexts. 

For example: 

• Observing traffic generated by smart locks could provide information on whether the door was unlocked from outside or inside. This information can be used to predict if there is anyone in the house at any given moment. The same prediction can be improved with a combination of data generated by a smart home, such as power consumption and light switch data. 
• Devices that are disposed of after the completion of their lifetime can be risky if the information stored on them is not properly wiped out. Hackers can retrieve discarded devices from second-hand stores or a waste bin to steal credentials or information about the services the device has been connected to. 

Even worse, data garnered from IoT devices can be used by various entities to colonize and track the movements of the people residing in the home. Such possible corporate colonization and surveillance decreases individuals anonymity and obfuscates their knowledge of what happens to their information. 

Imperatives needed to address data privacy concerns 

Given the rapid proliferation of various smart and connected devices, it may be cumbersome to keep up with firmware and security requirements. However, keeping the security software of devices up-to-date and their status in check—from the day they’re purchased until discarded – is intrinsic to enabling a secure and trustworthy IoT environment. 

There is no silver bullet solution pertinent to combating data privacy risks with IoT devices. In fact, the complexity of the IoT is directly proportional to the number of devices and services an individual interacts with. Any new device may pose a security risk if actors involved in the value chain, including the user itself, do not handle it responsibly. 

• Privacy and security by design and default should be intrinsic to IoT devices. Regulatory bodies should require IoT service providers to embed security, safety, and equity into the design of the device rather than take a reactive measure to incorporate them as a response to end-users’ concerns. 
• People should have an opt-in choice to have their signal sensed. In this regard, devices that come with embedded sensors should not be able to decode the identity of an individual without their explicit consent. 
• As important as it is to secure network infrastructure and devices, users’ sentiments around how their devices operate and handle data should be trustworthy. Applying industry-best security practices should be the key responsibility of manufacturers and service providers. 

The issue of IoT security has drawn scrutiny from not only the White House but also the European Union regulators. The White House has recently announced an IoT security initiative called the U.S. Cyber Trust Mark program. It aims to ease consumers’ way into finding smart devices with strong cybersecurity. A set of cybersecurity best practices laid down by the National Institute of Standards and Technology (NIST) will serve as the baseline for manufacturers to meet cybersecurity requirements.