Privacy Education Seen as Key For Smart Devices

These devices, such as smart speakers and doorbells, are “like a computer without a screen,” Debbie Reynolds, a data privacy and protection expert, told the Practising Law Institute webinar Friday. For example, they "can be accessed via the internet ... and updated or changed wirelessly,” she said: Most importantly, misuse of the personal data these devices collect can put people at risk.

Yet consumers often think only of their phones or computers as being internet-connected, said Reynolds. Indeed, risk is high with IoT devices. "A[n] Internet of Things device is typically attacked within five minutes of being connected to the internet."

Dan Caprio, privacy, cybersecurity and data risk practitioner at DLA Piper, said in industries like agriculture or healthcare, IoT devices are valuable. For instance, they can provide great convenience, but “the cybersecurity risk in some medical devices is still a real challenge … because of cost, because of proprietary systems [and] because of a lack of standards.”

Reynolds said teaching people about the pros and cons of IoT is crucial, “because these devices are with us already, we have to educate people as though this is going to be a part of life now and in the future."

Reynolds added, “We need to have workers who understand these devices, just like we have people who are trained to use computers [and] trained to use phones.” IoT devices can change and update over time, “so really understanding what that means in terms of either a company or individual managing that device and what they need to do to protect themselves is really important.”

IoT devices and systems “are not necessarily secure or as secure as they should be, are not necessarily transparent or as privacy-protective as they should be,” Caprio said. Information from the IoT often serves as training data for AI, which raises questions about the quality and trustworthiness of the data, he said.

Reynolds said there are also instances where an individual may not think certain information poses a risk, but in fact it could, “depending on how that data is used," who has the data "and who's looking at it, [and] what is actually being done with" it. For example, if a person sets a smart thermostat in their home to a different temperature while out of town, the information could be used to indicate nobody's home, she said. “We really need to think about governance here, and in a way that we never thought before,” Reynolds said, because “people just [don’t] understand how this data could possibly be used in a way that could be harmful."

IoT-collected data should have a life cycle, “where it has a cradle-to-grave life,” Reynolds said. There should be a start and an end to the collection of personal data, she said.

Transparency is key to knowing who has access to and manages the data, especially in situations where a company may go out of business, but a device made by them continues to collect data, she said.

Ronald Hedges, an attorney and former federal judge, said “one of the keys we need to be thinking about in the future is regulatory fragmentation,” or the idea that states, though not the federal government, are involved in these types of privacy issues.

Caprio said that while there are economic benefits to sharing information, companies, courts and legislators need to consider issues of trust, transparency and value in relation to people’s privacy.

Reynolds said one thing that could help is security by design, which “is trying to find a way to create a situation where the default is to make the device as secure as possible, as opposed to what we have now, where the device is less secure, and it is incumbent upon the [consumer] to try to make it more secure.”

Another suggestion is that instead of customers viewing "a wall of words" when they buy something, "consent eventually has to end up being more incremental, or just in time, based on what people are doing with these devices,” Reynolds added. Providing privacy this way helps companies improve transparency and trust, reduces confusion for customers and introduces measures for them to opt-out of certain practices, Reynolds said.

“Try finding a way to make sure that a consumer is informed,” she said. Leave “no shadow of a doubt that people understand what their data is being used for,” which also helps “prevent the type of backlashes that we're seeing.”