Strategy and Governance /

Will Privacy be under threat from the Internet of Things?

Cyber Security Information Security

What is the Internet of Things?

Essentially, more and more devices are being connected to the Internet and are collecting data. Like many technology hypes, IoT is not really new – and there are many existing control systems which have been reliant on a large number of networked monitoring devices, such as oil rigs – which typically have 30,000 sensors each.

However, IoT is expanding into increasingly wide and varied everyday devices – from a component device in a much larger product (e.g. engine sensors in a motor car), to complete products such as smartwatches. As our lives increasingly depend on consumer electronics and technology, the number of connected devices is proliferating exponentially.

How can IoT benefit us?

Many manufacturers are now ensuring that their devices are always connected, enabling them to collect data about how the device is being used and performing. This means that these manufacturers now have unprecedented access to data regarding the actual usage of their products – something which has been challenging to obtain with any degree of accuracy in the past. There are two ways in which this provides benefits:

  •     To the manufacturer – this data can be used to improve their products to better suit the real world use of that product. This should enhance the value and desirability of the product, leading to increased sales
  •     To the end user – this data will be able to provide an enriched user experience and provide a level of convenience which was not previously available

According to McKinsey’s recent report, “Unlocking the potential of the Internet of Things” – published in June 2015, less than one percent of data collected by IoT is actually used – and it’s mostly for alarms and real-time control. To unlock the full potential of IoT, this needs to change – and significant effort is underway, especially given that McKinsey has estimated that its economic impact in 2025 will be between $3.9 and $11.1 trillion.

Is IoT really about “Things”?

The hype around IoT has simply focused on connecting devices so that they can collect data, but these devices can be classified into two broad categories:

  •     Those that form part of a control system (e.g. oil rig sensors), collecting data about an object
  •     Those used directly by people (e.g. a car or smartwatch), collecting some data relating to a person

The big challenge with data privacy lies with the second category of these devices, because they ultimately collect data which may be traceable to a person. Added to this, the more beneficial a particular device is perceived to be to its owners, the more it will be used and the more data will be collected which may relate to the person. Therefore, IoT is actually about Things and People!

Who owns the data and how will it be used?

IoT devices generate a large amount of data which cannot be stored on the devices in the long term, so it is transferred to mass storage on the Internet – raising the key question, “who owns the data?”.

For devices which are owned by an individual, surely the data which the device generates belongs to and is owned by that individual. To further support this agreement, in many cases, this data directly relates to the individual’s lifestyle and constitutes personal data. A good example of this is a smartwatch which records your exercise and heart rate.

For personally owned devices, the owner should have to provide their explicit permission for the data it generates to be collected and stored. To enable this, it is necessary for the allowed usages of this data to be specified so that the owner can make an informed decision. However, it should be noted that, if the owner does not agree to participate in data collection, then the usefulness of the device will be significantly reduced.

When many vendors ask the users for explicit permission, these are frequently presented as click-through agreements with long text which is written in complex language. Such agreements are often hard for most people to understand and shrouded in legal phases, of which even lawyers would argue over the exact meaning. This is simply not good enough, as people do not read them. Greater effort should be made to simplify these agreements by using plain language which is native to the user. Additionally, it should be clear as to the length of the agreement and how the user can cancel it.

There might be an interest from manufacturers of IoT devices to use the data that they are collecting for additional purposes. When the data is classified as personal data, there are clear legal limitations on its usage and the location where the data is physically stored needs to be safeguarded. It is, however, possible for the data to be anonymised and then used for trend analysis – offering benefits without endangering privacy.

How does this affect your privacy?

A greater number of IoT devices collecting data relating to their users will inevitably mean that more data about an individual is available somewhere to be manipulated and analysed. In the context of the data collected from an individual device, there is only the potential for a minor erosion of your privacy – and many people will just accept this because of the benefits that a particular device offers.

Unfortunately, there is not an agreed global view on a citizen’s entitlement to privacy because this is politically motivated. The degree of privacy afforded to a country’s citizens varies vastly, from heavy state control to relative freedom in some democracies. Even in the countries which are believed to offer a high degree of personal privacy, their governments seek to significantly reduce privacy in certain circumstances, e.g. intelligence bodies trying to prevent terrorism. This is a complex issue which means that there are likely to be different impacts across the globe!

If the data from multiple devices can be correlated and associated with an individual, there is a much greater danger to the erosion of their privacy. In the next article in this series, I consider how combining the data from multiple devices and using Big Data to analyse it could impact your privacy in a more significant manner.


Neil Cordell


Corix Partners

Find out more about how your business can truly protect its future from cyber threats by contacting Corix Partners. Corix Partners is a Boutique Management Consultancy Firm, focused on assisting CIOs and COOs in resolving Security Strategy, Organisation & Governance challenges.