Dr Gilad Rosner, the founder of the IoT Privacy Forum, will be giving a free webcast today at 10a PT / 1p ET / 6p GMT. You can register for it here. Topics include privacy in the IoT, privacy by design, and the sociotechnical nature of connected devices.


Ashkan Soltani, the FTC’s Chief Technologist, penned a good article on the particular security challenges of cheap, connected, low-power devices. He uses the venerable refrigerator example to get some important questions across:

“… a refrigerator was once just a refrigerator with one purpose: cooling food. Now that we live in an IoT world, embedded inside that refrigerator is a full-fledged network computer which could potentially be exploited to launch a DDOS attack against the consumer (or some external) network. As the technology behind the household items we buy evolves, so must the way we think about the long-term effect to consumers when they purchase them:

What will be the level of security and support while under warranty? If a critical vulnerability is discovered, will an update be provided? What happens after the warranty expires? Should modern refrigerators have a shelf-life, much like the food contained within?”



Connected devices are moving into more and more intimate spaces. This post explores the social dimensions of Things entering those spaces, and asks the question, at what layer do we build privacy into the fabric of devices? Written by Dr Gilad Rosner, founder of the Internet of Things Privacy Forum.



Samsung drew the ire and attention of the internet recently by releasing a television with voice recognition that might scoop up some of your personal conversations. Major news outlets like the Guardian and the Independent ran stories on it, both inspired by EFF activist Parker Higgins’ tweet comparing the Samsung privacy policy to Orwell’s 1984.

The Samsung privacy policy states: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Samsung told the Guardian that they care about privacy, that they encrypt, and so on, but the Privacy Policy speaks for itself: we may capture your utterances, and your only choice is to shut off that feature completely. Is this Orwellian? I think not. Is this poor planning and tone deafness? Certainly. The language in the Privacy Policy clearly doesn’t put people at ease; it is also an example of how Notice and Choice, those cornerstones of ‘fair information practice principles’, are becoming more and more inadequate. The Samsung story is arbitrary in a way because there wasn’t the same outrage over Google’s always-on “OK Google” or Apple’s “Hey, Siri.” Still, outrage and bad press are useful tools in the regulation of behavior – naming and shaming to effect better privacy.


The WA State House Technology & Economic Development Committee passed a reasonable drone privacy bill last week. Basically, you can’t fly a drone onto someone’s private property and record them without their consent. Obviously, such an intent is more easily implemented when you have houses with property lines rather than windowed apartment buildings, but still, it’s a good addition to the fledgling body of drone privacy law. There was clearly some thought and technical advice put into the bill, as evidenced by the definition of “active sensing device”: “including, but not limited to, cameras, thermal detectors, microphones, chemical detectors, radiation gauges, and wireless receivers in any frequency.” The bill’s definition of personal information (note, not PII) is similarly broad: “Any information that describes, locates, or indexes anything about a person including, but not limited to, his or her social security number, driver’s license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his or her education, financial transactions, medical history, ancestry, religion, political ideology, or criminal or employment record,” as well as, of course, image. Willful violation of the proposed law is a misdemeanor, and victims can sue for $5,000 or actual damages plus attorney’s fees.

