We all worry about internet privacy.  Who could be eavesdropping upon you at that free hotspot café you so love?  Giggling at your personal Facebook posts – or more seriously – spying upon your business plans?

Privacy in the “Internet of Things” age is a complex and growing concern.  You may recall the famous case of hackers taking control of a moving vehicle via the vehicle’s entertainment system – honking the horn, controlling the stereo, switching on the wipers and ultimately turning the vehicle off entirely!

Scary stuff…   But on a less dramatic scale what protection may we expect from our devices and suppliers?  And what is the legal framework that this is based upon?

An IoT ‘Technology Aware’ Conceptual Framework for Privacy

It has been suggested that four modes of regulation be applied in cyberspace.  Namely:

  • Law – which includes prohibitions and sanctions for online defamation and copyright infringement.
  • Social Norms – which may involve a user ensuring the behavior of their avatar conforms to the community expectations in an online world eg:
  • Markets – which regulate the price paid for access to the internet and access to information on the internet, and,
  • Architecture – which is the code, hardware or software that shapes the appearance of cyberspace.

Broadly, these concepts are what is already applied in the real world.


Further to the above, the Australian Law Reform Commission (ALRC) recommends that agencies and organisations work together to ensure that individuals are ‘empowered’ with the ‘requisite knowledge of how to protect their privacy’.

What does that mean?  In short, industries will develop their own “Privacy Code” for approval by the Privacy Commissioner.  Once that code has been approved, it is binding upon the organisations that have agreed to be bound by it.

That seems simple enough.  So how might these principles be applied to some of our more innovative technologies?

Location Detection Technologies

These days, location detection technologies such as GPS are included as a standard feature on many new mobile phones.  Location detection technologies provide ‘real time’ information on the position of the device and consequently the user of the device.  Furthermore, they can provide details as to the physical movements of an individual.  As such they have the potential to impact heavily upon an individual’s privacy.  The issue has been addressed by the European Union Directive on privacy and electronic communications.

Centrally the Directive provides that:

  • Location data must be anonymised before processing (unless consent has been provided by the user of the service).
  • Service providers must notify users, before consent,
    • As to the type of information to be processed,
    • The purpose and duration of location data processing, and,
    • Whether the data will be transmitted to a third party for the purposes of providing ‘value added services’.
  • Users must be given the opportunity to withdraw consent at any time, and,
  • Processing of location data is restricted to that which is necessary for the purposes of providing the value added service.

Smart Cards and Privacy

The use of smart cards – particularly in the financial world – raises potentially far-reaching privacy concerns.  Obviously, the cards are linked to individuals for transacting purposes.  What this means is that the individual may ‘lose’ the ability to transact anonymously.  The ALRC warns that widespread use of smart cards could enable the collection and storage of vast amounts of information about the activities of an individual.  By way of example they could:

“generate records of the date, time and location of all movements on public and private transport systems, along with details of all goods purchased, telephone use, car parking, attendance at the cinema, and any other activities paid for by smart cards”.

Potentially, this information could be used to generate highly detailed profiles of the user in order to market goods or services to them.  There is also the possibility of unscrupulous government agencies seeking to capitalise upon, and/or abuse, such information to the detriment of the individual.

Also of concern are smart card schemes that are used by numerous agencies or organisations.  Notably, they may lack a central data controller.  This means it is ‘unclear who is accountable for the use, disclosure, accuracy and security of personal information collected by the system’.

It should also be noted that “Function Creep” (i.e. as technology improves, more and more information is collected) and the security of the smart card data pathways have been raised as privacy concerns.

Governments have moved to protect the privacy rights of individuals.  For example, in 2004 the Council for Europe stated that the collection of personal information via a smart card system should be for a “legitimate and specific purpose”.  They also require that suppliers offer an ‘appropriate level of security given:

  • The state of the technology
  • The data stored on the card, and,
  • The security risks.’

Similarly, the Australian Government insists that smart card systems include data protection clauses in agreements with third parties about the supply of smart cards.  Suppliers are also required to perform “Privacy Impact Assessments” during the design of smart card systems, to ‘produce comprehensive privacy policy statements’, and to revise these statements ‘whenever a third party adds additional functionality to an existing smart card deployment’.

In conclusion, one can only assume that ignoring those long and wordy legal-looking Terms and Conditions, with the ‘tick box’ at the bottom, is done at the peril of your own privacy.

Do you worry about your privacy on the Net?
