Nearly two-thirds (65%) of people are concerned with how connected devices are collecting their data, and 55% of users do not trust those devices to protect their privacy.
This was revealed by a recent survey, conducted by IPSOS Mori on behalf of Consumers International and the Internet Society, that explored consumer perceptions and attitudes towards trust, security and the privacy of consumer Internet of things (IOT) devices.
Stories about baby cams being hacked, cameras in kids’ toys being used for spying, and attackers taking control of home security, have raised concerns about the security of IOT devices.
The research also showed that 63% of people surveyed find connected devices ‘creepy’ in the way they collect data about people and their behaviours, and 75% believe there is reason for concern about their data being used by other organisations without their permission.
So what should organisations be doing to ensure the safety of their IOT devices, and how can they be transparent enough about consumers' privacy?
Jeff Kase, chief architect at LocatorX, says the best practice for maintaining programmable IOT devices is to regularly update the firmware and software as it becomes available.
“This can be a challenging task on a system-wide basis, but something that needs to be included in the process. Typically, the responsibility of this falls on the individuals that are assigned those devices. This should be part of the expected use of these devices, just as we are accustomed to updating our smartphones and computers.”
Kase says most IOT devices have some mechanism for monitoring their health and status. These are typically smartphone or desktop apps that should be regularly reviewed for verification. Optional alarm and other notifications should be enabled, if available. Depending on the IOT device, there are often visual status indicators on the device, such as a red or green light or small LED panel that can be checked.
The Internet is a global community without a global set of well-defined guidelines or consistent regulations.
Jeff Kase, LocatorX
When it comes to being transparent and enabling consumers to make informed purchases in regards to their privacy, he says this is a question that applies to all connected devices -- not just those within the IOT domain, but also desktops, smartphones, smart televisions, security cameras, interactive assistants and similar.
“The Internet is a global community without a global set of well-defined guidelines or consistent regulations. Several scandals, like the Cambridge Analytica exposé and accounts of the depth of Google’s data collection policies have been reported, but worldwide governments have failed to stay ahead of this regulatory challenge.”
He asks: “What is considered an invasion of privacy, and how much 'data gathering' is considered theft? Virtual assistant’s and voice interfaces for smart TVs are by definition open microphones inside our homes, but they can’t work without this access. We use Google searches to find information from data sets all over the world, and we expect search completion and personal preferences to make it easier. But when we search for a term or open a specific page and are inundated with ads and e-mails for that product, is it a reasonable trade-off? Or, is our interest in potentially purchasing a product yet another piece of data that’s up for sale without our consent?”
Resisting full transparency
According to Kase, if government regulations, oversight and enforcement do not exist in any consistency, the safety of Internet-connected devices is based entirely on the trust developed between each company and its customers.
“Companies typically resist full transparency in these scenarios, often hiding their lack of transparency in the fine print of massive terms and conditions that the consumer must accept to use their products. Essentially, companies are considered trustworthy if there have been no negative news items to the contrary, and there is no consistent definition of privacy in respect to the data that’s gathered from personal devices.”
Speaking of how businesses can take control of the data they are collecting and ensure that IOT devices remain out of hackers’ clutches, Kase says unlike the lack of definitive regulations and guidelines for privacy, rules and regulations regarding collected and stored data have had a good deal of discussion over the years.
Certain categories of data are regulated and enforced, and broader efforts are either in place in certain countries or are in process. GDPR and POPI for example, provide definitions and consequences for data gathering and storage in the regions they cover. The US has FTC’s Fair Information Practice Principles, which are guidelines, but not enforceable for general data.
“In general, the modern best practices are to not capture and store individual health data, and identifying data for children under 13, and credit card information. Other sensitive data, such as driver’s licenses, passports, birthdates, and social security numbers should be stored only in an encrypted form and only shared using restricted access.”
These guidelines should be applied to data gathered and stored on Internet-connected servers, as well as IOT-stored data, he adds.
IOT helps us work smarter, not harder
And we shouldn’t forget about the benefits of IOT devices, says Scott Fletcher, president and CEO of LocatorX.
“These devices offer virtually unlimited benefits. Devices are now able to assist in streamlining our everyday activities, saving money, time, and frustration for users. The world of IOT enables consumers to connect their devices and have them work smarter, not harder to produce optimal results. Additionally, IOT allows companies better insight into the world of consumers, providing data regarding usage, preferences, and other helpful information to allow them to better market their products.”
To protect users, Fletcher says privacy policies need to be in place to protect consumer data, and all companies should have a robust policy designed to safeguard their consumers.
“Companies in the world of IOT need to understand the risks that come from the sheer amount of data they collect and being transparent with consumers is the best way to invoke trust.”
Share