Your television is watching you: How information stored by internet-connected home devices could be used against us

From internet-connected TVs to wristbands monitoring our fitness, the things we own are stockpiling information about us. Jason DaPonte asks leading privacy adviser Gilad Rosner how this affects our freedom to speak and act freely

IN A WORLD where you can exchange texts with your home appliances, where wristbands are monitoring our health and fitness data, and “smart” TVs can record what we say in our own lounges, new possibilities for surveillance and privacy breaches are emerging in ways most consumers can’t even imagine. So, how much protection do we have? Gilad Rosner, founder of the Internet of Things Privacy Forum and an adviser to the UK government on privacy, argues that traditional digital privacy practices aren’t enough as what he calls the “third wave” of the internet takes hold.

“The first wave of the internet was made up of fixed devices [desktop computers] and the second wave is mobile computing. The internet of things is a third wave that puts connectivity into devices that weren’t on networks before,” he told Index, citing examples like internet-connected TVs and “smart-home” energy meters.

There are more than 25 billion internet-connected “things” now and this will grow to as many as 50 billion by 2020, according to the US Federal Trade Commission.

So far, most internet privacy policies have been built around consumers agreeing to what data service providers can collect about them but haven’t normally touched on just how that data can be used. Rosner and others want to see a shift to a consent-to-use model, similar to those used in the US around personal credit and medical data.

“Internet-of-things devices can amplify the leeching out of data as the devices become more mainstream,” said Rosner. The fact that smart meters are able to determine when you’re at home or not, to increase your energy efficiency, may not seem sinister, but if this data becomes public and is combined (correctly or incorrectly) with other data, it could be used against you in a criminal hearing to help determine your location during a crime. Location information from a consumer’s phone (which consumers are largely happy to share) could also be combined with events data that places them at a protest or event. If this gets into the wrong hands, it could bring them under police surveillance. This could, in turn, lead to false accusations, threats to employment or restrict a person’s freedom of expression.

Rosner believes that the power of combining data sets is “too hard to conceptualise [for consumers]. There’s no way for people to envisage their own privacy. The capacity for the devices to contribute to deep and broad profiles of us [the consumer] contributes to the worry about the internet of things because it inputs into the analysis of big data.” This is why Rosner is convinced that a consent-to-collect approach to data must shift to a consent-to-use approach, and that simple consumer awareness and education is not enough.

OPEN IN VIEWER

“We’re more than the sum of our data, but there are a lot of forces that would drive us towards the commoditisation of ourselves [via our data],” he said. He believes regulation needs to change, but this would be complex, provoking accusations from the industry that innovation was being stifled.

The Open Data Institute, a non-profit organisation that connects, enables and inspires people to innovate with all types of data – including open, shared and closed – believes that “both privacy and openness create trust” in relationships between customers and companies. “We believe that the value of our data infrastructure can be maximised when we maximise openness but also keep private what should be private,” Peter Wells, an associate from the ODI, told Index.

OPEN IN VIEWER

Credit: Brian John Spencer

He added: “The European Union regulations are being strengthened … but regulation won’t deliver informed consent on its own. Internet-of-things services could choose to embrace openness by being prepared for new regulations, being transparent in how they are using data, and by helping both their staff and their customers make better choices in how to use data.”

The EU and the USA are taking different approaches towards regulating these new developments. The US approach has been to enact broad-based privacy laws without being technology specific; whereas the EU has come up with more prescriptive laws expected to take effect in 2018. Conflicts between these approaches could still leave consumers feeling confused and disempowered about what happens to their data and how they can control it.

The EU regulation will require companies to use “privacy by design” – a set of principles that takes consumer data protection into account from the start. Rosner, the ODI and Nesta (a UK charity that advocates for innovation and growth) support this as a best practice that can help improve the consumer experience. Using privacy by design could potentially avoid cases like the one where Samsung was accused, in 2015, of having its smart TVs “listening” to customers in their own homes.

The TV manual read: “If your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.” After a press exposé and a public outcry, the company clarified the legalise. Like other voice-activated services from Apple, Motorola and Amazon, the device didn’t start processing data until it “heard” the right command, such as “Hi TV”, or had the microphone turned on manually via the remote control.

Rosner remains optimistic that the internet of things can deliver on its promise of empowering consumers without turning into a dystopian nightmare. “Ultimately, I’d like to see the data about us … treated radioactively,” he said. “In that it’s understood to be deeply personal and not thrown around and commoditised willy-nilly.”