U.S. Homeland Security official predicts great “risk of privacy harm in IoT”
By Matt Hamblen
Billions of coming Internet of Things sensors pose troubling privacy concerns about the movements and behaviors of average citizens, according to government officials, including one attorney for the U.S. Department of Homeland Security.
“If past is prolong in how industry has treated privacy, we’re looking at a much greater risk of privacy harm in IoT,” said Erin Kenneally, an attorney and program manager for DHS in the department’s Cyber Security Division.
Kenneally spoke on a panel Wednesday (Feb. 7) at a gathering of 450 technology innovators from governments and private industry at a Smart and Secure Cities and Communities Challenge workshop in Washington. The event was sponsored by DHS and the National Institute of Standards and Technology.
The current prevalence of social media apps on smartphones and other devices has numbed users to the reality that sensors in public spaces can track our location and behavior. “People sort of assume this [surveillance] is going on and accept it,” Kenneally said. “We need to be very conscious of this.”
In the U.S. and elsewhere, there’s a “normalizing of surveillance harm,” she added. To deal with potential invasion of privacy, the European Union and some U.S. cities have passed laws to protect Personally Identifiable Information (PII) such as names, addresses, and Social Security and credit card numbers. The EU’s 200-page General Data Protection Regulations (GDPR) will take effect in May, dramatically affecting the way marketers and others reach people in 28 European countries. The impact is expected to be global, as companies and individuals communicate with 500 million EU residents.
Seattle and Kansas City, Mo., among other cities, have created data privacy laws to address potential concerns that sensors on doorways, light poles and buildings might pose as ordinary tourists and citizens move around city streets, businesses and shopping areas.
Kenneally urged governments and developers of IoT sensors to find ways to minimize collection of personal data. Possible solutions include giving users an easy-to-use “do not collect” switch on a device so that location tracking is not always on.
“Developers might want to think about getting consent [from users] along the lines of permissions as opposed to a macroscopic privacy model of ‘take it or leave it,’” referring to accepting an entire app or service, she said.
Cities and states should also consider creating a publicly-available computer dashboard that shows the kind of data being read by sensors, she said. Also, private companies should weigh the benefits of selling greater privacy protections with their apps and services as a competitive advantage over companies that aren’t protecting privacy as well.
“Privacy is risk management. It should be addressed as data governance… driven by ethical principles and governed by a reasonable expectation of privacy,” she said. “What is public? What is sensitive information? It’s a dynamic playfield. Existing privacy law won’t solve this for us.”
In the U.S, the Federal Trade Commission in 1998 established Fair Information Practice Principles to protect online privacy. https://en.wikipedia.org/wiki/FTC_Fair_Information_Practice
However, privacy advocates worry such principles won’t be adequate with the coming deluge of IoT sensors that can be used to detect and link to systems that identify faces and license plates in public places. As many as 7 billion sensors and related hardware will be installed globally by 2020, according to some industry projections.
In Kansas City, Mo., privacy with IoT has been given top priority by the elected City Council. “Before we turned on a single IoT sensor, we had a privacy bill of rights,” said Bob Bennett, the city’s Chief Innovation Officer. “Any time our city collects data, we have to tell our City Council about and get an OK.”
Last year, the city began receiving data from sensors along a 2.5-mile downtown streetcar route on Main Street. Information is available on a public dashboard to show the speed of streetcars, parking and other data. The city can also use sensors to detect when a large crowd has gathered, useful information for public safety.
The city has also begun collecting data on neighborhood demographics from publicly-available resources, such as the Internal Revenue Service and state crime statistics. “We have used IoT systems to augment what we already know about ourselves,” Bennett said. Kansas City modeled its privacy Bill of Rights on one being used in Seattle. “Seattle is more restrictive than we are,” he said.
Kansas City also has worked with Avis to collect the traffic-related data from hundreds of the company’s rental cars. The city gets information on the movements of the vehicles to assist traffic planning, but Avis collects the records and private information of the drivers.
David Heyman, co-founder of Smart City Works and past DHS assistant secretary of policy, suggested local and regional governments and private industry should appoint a Chief Privacy Officer or the equivalent to review policies impacting end users, including citizens passing through areas with sensors.
“Privacy needs to be seen as an asset and a public good,” Heyman said. “The reality is that as we get smarter with smart cities, we are in effect fusing the physical and cyber world with human experience,” he said. “We are seeing the blending of the physical and mechanical world with human behavior. Our wishes, desires and actions are seamlessly integrated into devices and services so that they support our desires and now are aggregated for civic leaders to see how communities are working.”
Heyman called on industry to develop applications and technologies that “build-in privacy programs…that axiomatically check for privacy and operationalize privacy in IoT architectures by design.”
However, Kenneally said she remains skeptical that privacy protections will get the attention they deserve—both from governments and technology innovators.
“With what’s happening in online privacy in the world over IoT, I’m very dubious,” Kenneally concluded. “Regulation is needed, but businesses don’t want it. I don’t see companies incentivized at this time to address privacy…I see a big threatening train coming down the tracks.”