My data, my choice

11 December 2014

How the Internet of Things changes online security, and how it doesn’t

The world is changing fast. More data is being collected, processed and transferred than ever before, leading to new economic and social value creation.

The future Internet of Things (IoT), which will connect nearly 26 billion devices by 2020 according to estimates, will create a myriad of new applications. Cars, homes, buildings, along with whole cities, industries and large-scale infrastructure such as transport and energy networks will start collecting data to serve our needs better. The new services enabled by these connections will reach into every aspect of our lives – from leisure (think fitness gear) to health and safety (think monitors for elderly people).

A large portion of such data will be collected passively via systems and sensors, without people realising it or being able to control the process. This will create massive privacy challenges, in particular from a data protection law perspective.

Let's take the case of mobile devices from our everyday life. With more than 6 billion people using them, an increasing variety of data is produced and linked to their identity. Smartphones are now able to capture and track an individual’s location patterns, while wearable personal-health devices can measure daily physical activities and help individuals set wellness targets, measure progress and more effectively engage in achieving healthier lifestyles.

So with all this sensing, we can “see” so much more about people, leading unavoidably to several privacy challenges. For example, the data could be forwarded to third parties (e.g. insurance companies or advertising companies) to create more granular profiles of people, or they could be used in other ways to divide and discriminate against people.

From a technical point of view, two key aspects need to be considered early on if we want to reap the full benefits of the Internet of Things without compromising on privacy.

Progress towards the IoT does not involve choosing between innovation and privacy. On the contrary: rather than undermining established principles, technological advances will enable us to better safeguard them – by offering novel ways to protect data, or to control what we release. Examples of this are innovative ways of obtaining a user’s notice and consent, as well as advanced anonymisation algorithms.

The IoT is being created to serve the individual, not the other way round. To address the new challenges of hyperconnectivity, we must move towards a user-centric approach, where the individual ultimately determines the fate of his or her personal data.

This triggers the fundamental question of what exactly is ‘our’ data. Many smart sensors and devices are very simple, and the data they collect is not personal. However, personal information can be inferred from raw sensing data when later processed, as well as when aggregated with other datasets. Faced with a complex ecosystem of market players (including data brokers, analysis companies, third party advertisement companies, etc.) and large quantities of ‘raw’ data, how can we provide individuals with the ability to control their data?

Again, technology is as much a part of the solution as it is part of the problem. Appropriate regulatory frameworks, and mechanisms to ensure compliance with these frameworks, are crucial, but they are not enough. IoT applications and services must be designed with privacy in mind from the beginning: this is what we call ‘privacy by design’. Also, new and upcoming solutions that enable users to control the collection, management, and disclosure of their personal data can help a lot to increase transparency, awareness, and engagement of users with their data.

If we can empower individuals to make conscious decisions about how they want to use their data, while ensuring that safeguards are in place to protect privacy, we can embrace the Internet of Things as a step towards more, not less, individual freedom.