I remember having an uneasy feeling once, and several times since then, when I got an advertisement of the very same wine I was speaking of to my friend in my living room. She said “Privacy with connected devices is a myth” as soon as I told her about the advertisement, pointing towards my innocent Google Home Mini. In another instance, in the middle of night, my neighbor, trying to control his smart speaker, latched onto mine and started playing Metallica. Needless to say, I had to pull the plug off my speaker.
I assume all of us, fascinated by connected devices and virtual assistants, have at least one such device in our homes. However, as we turn our homes into smart homes, it is important to address diminishing private spaces, how our behavior is changing inside our own homes, and what is the responsibility of companies in terms of product design, privacy policies and self-regulation to help consumers gain control?
The Rise of Internet of Things
If you want to familiarize yourself with the term Internet of Things (IoT), you need to have a closer look at the term “things”. In the context of IoT, any physical device can be a “thing” — such as a house, a car, a wearable, even a human body. In this era of IoT, the “things” can communicate amongst themselves the way people communicate using the Internet. IoT devices can connect larger systems like buildings, transportation and utility grids. Using the data from these systems can lead to smart factories, smart homes and smart cities. Therefore, it is true that “anything that can be connected, will be connected” (1).
With the growth of the Internet of Things (IoT), there is deemed to be an increase of opportunities and benefits to our society. Larger automation leading to faster and timely outputs, and collection of data that could assist in monitoring. For example, knowing if you are low on eggs or money, and monitoring expiry dates of products. It can also be a technology that assists people in saving money within their homes. If all the electrical appliances within the home can communicate, they can operate in an energy efficient manner by taking the data collected individually, sharing it, and then interpreting the data into ways to make the systems more efficient.
With all the benefits that IoT brings, these changes have also introduced multiple risks- most prominent of which is Diminishing Private Spaces
The changing definition of privacy
Back in 2015, Former Google CEO, Eric Schmidt predicted, “ There will be so many sensors, so many devices, things that you are interacting with that you won’t even sense it. It will be part of your presence all the time. “ (2)
When we are constantly around these “always-on” devices, we are shifting what privacy means to us and how it is managed.
While browsing on the internet, we are somewhat aware that we are being monitored- what we browse, how much time we spend on each web page, what we click. We also voluntarily share our personal information. However, connected devices often work with “implied consent”, and data monitoring and collection continues even when we are not “online”, say when you are cooking or reading inside your home. IoT is normalizing what may be considered an invasion of privacy, an individual’s ability to seclude themselves completely.
In terms of behavioral changes, awareness of being monitored and the data being used by third parties can change people’s behavior inside their homes. They may stop trusting their homes as a private space and interact differently even within private walls. On the other hand, people who do not behave differently may assume that the information is not being captured, which may cause them to conduct themselves inaccurately. Both these scenarios can have altering effects on behavior. (3)
Managing private spaces also means dealing with consequences when the IoT ecosystem is compromised. That is surveillance cameras, smart refrigerators and even IoT toys for your children are vulnerable to security threats. Just months ago, a mother in Mississippi released a chilling video of a complete stranger speaking to her young daughter through a security camera installed in her bedroom. (4)
Even with Google Home and Amazon Echo, the risk of third party apps to eavesdrop and phish for passwords is high. Last year, White hat Hackers at Germany’s SR Labs created 8 apps — 4 Alexa “Skills” and 4 Google “Actions” which were masked to perform simple functions and passed Amazon and Google’s secure vetting processes. These apps were then able to eavesdrop and log in all conversations near the device to send to the developer. (5)
Establishing a culture of ownership :Responsibility of companies and consumers
It is evident that the current regulations are insufficient and outdated to monitor connected devices. In the current system, each device may fall under several regulatory authorities and frameworks and the responsibility of enforcement is vague. While stronger frameworks and government policies are being developed, it is imperative for not only IoT companies, but also consumers to take ownership when using these devices.
It is the responsibility of companies to self-regulate and adopt best practices:
- Comprehensible Privacy Policies: Nobody reads privacy policies, even when people do, they are often vague and hard to comprehend and the users often unknowingly consent to the collection of data. Europe’s GDPR ( General Data Protection Regulation ) imposes strict requirements on these notices. They must be in concise, understandable, transparent, and easily accessible form, using clear and plain language.
- Periodic Notifications: With new updates, changes in policies and even periodically, companies must notify the users what data is being collected. (6)
- User Control: Different devices have different user interfaces. Many of the IoT devices nowadays are controlled by smartphone apps. How will user control change for different individuals around one device? Will all of them require a smartphone app? How will the dashboard differ for different users? Do you also provide controls on the device? Some of the devices, including both Amazon Echo and Google Nest provide a toggle switch on the device to turn off the microphone. They also provide a camera shutter to shut the camera off when not in use. This is a great way to give control back to the user.
- Security by Design: Instead of putting the burden on consumers to change passwords frequently, ensure that the devices are secure by design
- What kind of data ( voice, images ) is being collected and used by the device?
- Who will use your data? Is it limited to the manufacturer or will the third party also have access?
- Can you access your own data?
- Can you erase your own data or some part of it?
- Can you change consent more than once? If yes, how?
- What is the User Interface for the device? In other words, how can you communicate with the device? Will you have to download an app to interact?
- How can you reach the company in case of questions? Are they willing to answer your questions?
As I speak to people around me, I understand that the adoption of the Internet of Things is a compromise between convenience and privacy. Even so, it does not necessarily mean that consumers have to conform to the rules made by the companies. It is more important than ever to be aware of your surroundings and consciously pick companies which are concerned about privacy.
On the other hand, while it is the ethical responsibility of IoT companies to help consumers gain control of their private spaces, it is also a sustainable advantage to them. Resolving privacy concerns will help establish trust between customers and companies and help people embrace IoT for long term. After all, it’s not a sprint, but a marathon!
 Margot E. Kaminski, Robots in the Home: What Will We Have Agreed To?, 51 Idaho L. Rev. 661 (2015), available at https://scholar.law.colorado.edu/articles/971