The Global Privacy Enforcement Network (GPEN), an organization made up of privacy commissioners from 25 countries, including Canada, has just released its fourth annual Privacy Sweep report, and the results are not great.
Of 314 devices examined globally, from fitness trackers, thermometers and heart rate monitors to smart TVs, meters, cars, connected toys and household aids, 59% failed to “adequately explain how personal information is collected, used and disclosed.”
If we were already feeling squeamish about our personal information and passwords being hacked out of the cloud by malicious state-sponsored actors, not to mention the NSA, or the RCMP conducting a Stingray operation, or just some precocious kids on a lark, the prospect that the for-profit handling of our health data, private behaviour and location is policed by nothing greater than someone else’s sense of shame should probably be cause for alarm.
“This technology can improve our homes, our health and our happiness. But that shouldn’t be at the cost of our privacy,” said Steve Eckersley, Head of Enforcement for the U.K.’s Information Commissioner’s Office. “Companies making these devices need to be clear how they’re protecting customers. We would encourage companies to properly consider the privacy impact on individuals before they go to market with their product and services. If consumers are nervous that devices aren’t using their data safely and sensibly, then they won’t use them.”
But of course, we do use them, and we will continue to use them, clicking “Accept” on those Terms of Agreement without so much as thinking about it.
The only way a person living in 2016 could avoid giving their personal data over to companies motivated to exploit personally identifying information for profit would be to unplug completely and live off the grid.
The 2016 Sweep took place April 11-15, 2016, and saw each of the 25 countries select an area of special interest to examine, with Canada focusing on health devices.
Now that we can no longer walk into a shop and buy a non-smart TV, the data being transmitted by those TVs, fitness trackers, thermostats or cars, and the care with which companies handle that data, need to be scrutinized and probably should not be self-policed.
“Overall there was significant room for improvement with respect to the privacy communications of the Internet-connected devices swept,” said Canada’s Privacy Commissioner Daniel Therrien. “With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.”
For all the industry talk around the Internet of Things revolutionizing every aspect of our lives, with everything from washing machines to children’s toys and toaster ovens all communicating data back to the cloud, the prospect of a high-profile government watchdog raising red flags over privacy should probably trigger some kind of scrutiny.
But the Office of the Privacy Commissioner makes very clear that the Sweep was not an investigation, nor intended to identify compliance issues or violations of privacy legislation, but merely to increase public and business awareness of privacy rights, responsibilities and best practices, to encourage compliance with privacy legislation, and to enhance cooperation among privacy enforcement authorities.
One new issue that keeps coming up in this era of the cloud, Big Data, the Internet of Things and smart devices is that data is no longer gathered, stored and analyzed solely by each device’s manufacturer.
User data has itself become a product, as the success of Facebook and Google proves. Data is bundled up in aggregate form, like bales of cardboard for recycling, and sold along to whoever wants to buy it.
Any company that puts a “Terms of Agreement” check box or “End User License Agreement” in front of you, whether for the use of a tangible product or for a service, like a social network or cloud storage, treats user data as the resource that it is.
Sure, the object itself is the “product”, but data generated by that object is also the product, and not merely a subsidiary revenue stream for the makers of those devices, whether phones, fitness trackers, televisions, search engines, operating systems or social networks.
That data is sold, like the virtual bales of recycled cardboard that it is, to third parties who see value in that product and can then study and analyze people’s behaviour for advertising and marketing purposes.
What the Privacy Sweep has found is that this new fact of business is not made clear to people buying the products.
A full 69% of privacy communications cover data, including location, photos, videos and date of birth, that is not “specific to the device”, meaning it is being gathered for purposes unrelated to your actual purchase; that figure climbs to 76% for devices looked at by Canada’s Privacy Commissioner.
52% of privacy communications “mention disclosure to other companies”, meaning that 48% do not mention it, and the reply to the question “Is the user told which companies?” is 76% in the “No” column for devices examined by Canada’s Privacy Commissioner.
For the question “Are users fully informed about how personal information collected by the device is stored and safeguarded?” the response is 68% in the “No” column.
On the one hand, you should probably feel good about the fact that there’s a degree of international cooperation that can even produce a cohesive report written by 25 national government offices on issues related to data privacy.
But the fact that the report exists for “educational purposes” and has no teeth in its mouth should not particularly make you feel great about what your devices are up to all around you, now and “in perpetuity” as your terms of agreement would make clear to you, if you had read them.
FFS guys. pic.twitter.com/Z0stBWkxwJ
— Nigel Tolley (@discreetsecure) September 16, 2016