Connected devices are moving into more and more intimate spaces. This post explores the social dimensions of Things entering those spaces, and asks the question, at what layer do we build privacy into the fabric of devices? Written by Dr Gilad Rosner, founder of the Internet of Things Privacy Forum.

Data Protection Policy Privacy by Design Privacy Impact Assessment

Samsung drew the ire and attention of the internet recently by releasing a television with voice recognition that might scoop up some of your personal conversations. Major news outlets like the Guardian and the Independent ran stories on it, both inspired by EFF activist Parker Higgins’ tweet comparing the Samsung privacy policy to Orwell’s 1984.

The Samsung privacy policy states: “Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party through your use of Voice Recognition.”

Samsung told the Guardian that they care about privacy, that they encrypt, and so on, but the Privacy Policy speaks for itself: we may capture your utterances, and your only choice is to shut off that feature completely. Is this Orwellian? I think not. Is this poor planning and tone deafness? Certainly. The language in the Privacy Policy clearly doesn’t put people at ease; it also an example of how Notice and Choice, those cornerstones of ‘fair information practice principles’ are becoming more and more inadequate. The Samsung story is arbitrary in a way because there wasn’t the same outrage over Google’s always on “OK Google” or Apple’s “Hey, Siri.” Still, outrage and bad press are useful tools in the regulation of behavior – naming and shaming to effect better privacy.

Privacy by Design

Data Protection Policy

The WA State House Technology & Economic Development Committee passed a reasonable drone privacy bill last week. Basically, you can’t fly a drone onto someone’s private property and record them without their consent. Obviously, such an intent is more easily implemented when you have houses with property lines rather than windowed apartment buildings, but still, it’s a good addition to the fledgling body of drone privacy law. There was clearly some thought and technical advice put into the bill, as evidenced by the definition of “active sensing device”: “including, but not limited to, cameras, thermal detectors, microphones, chemical detectors, radiation gauges, and wireless receivers in any frequency.” The bill’s definition of personal information (note, not PII) is similarly broad: “Any information that describes, locates, or indexes anything about a person including, but not limited to, his or her social security number, driver’s license number, agency-issued identification number, student identification number, real or personal property holdings derived from tax returns, and his or her education, financial transactions, medical history, ancestry, religion, political ideology, or criminal or employment record,” as well as of course image. Willful violation of the proposed law is a misdemeanor, and victims can sue for $5,000 or actual damages plus attorney’s fees.

Drones Law

Data Ownership

Welcome to the Internet of Things Privacy Forum. We’re new… very new. But our goal is to be a valuable resource for industry, regulators, academics and government; a place to get news, research and guidance on the privacy challenges of the Internet of Things, connected devices, and all related topics.

There’s so much to do, and we’re just getting started. We’re tweeting at @iotprivacyforum, and we’re putting together an initial mailing list to keep everyone informed of our progress. Please sign up on the right to hear about our plans and our growth.