It only takes a healthy dose of paranoia to understand that our privacy is under constant attack. It’s no secret that our personal data is routinely being monitored by the likes of Facebook or the Government.
And your refrigerator might just be about to join the party.
The rise of the “Internet of Things”, or IoT, is described by many as the second Digital Revolution. It is a trend of increasingly “smart” devices — made aware of their environment, reactive to context, and more communicative as they are networked with fellow intelligent devices.
In simpler terms, the IoT is putting your fridge on the internet, along with your light bulbs, TV, and washing machine so that they can “talk” and collaborate with each other in real time. Cool.
Ultimately, the IoT remains a vague concept encompassing everything from life-saving applications to some hilariously ridiculous ones (does your kid’s piggy bank really need to be Wi-Fi enabled?). All in all, the number of such internet-enabled devices is expected to reach 24 billion by 2020 —eventually generating up to $11 trillion a year by 2025.
But while putting your fridge online might allow it to seamlessly order a couple of six-packs ahead of that crucial Patriots game, this convenience comes at a cost. That of your privacy.
XOXO, Gossip Fridge
As of today, it is likely that the tremendous value that the IoT will generate will feed off the unethical collection of unsuspecting users’ private information. In order to effectively safeguard privacy, the issue of data ownership and consent must urgently be reassessed in the brave new world of continuous monitoring.
While there is no universal definition of privacy, our current understanding of the concept has evolved well past the initial “right to be left alone” introduced in 1890 by US Supreme Court Justices Warren and Brandeis.
It is somewhat fitting that, while contextual awareness is touted as a central value of the IoT, there is a growing recognition that contextual integrity is — or rather should be — the founding principle of privacy protection in the digital age.
A not-so-far-fetched example will help illustrate this concept.
One crucial thing to recognize is that the data collected by two different IoT devices contain more personal information than the sum of their parts. Your fridge, for example, may not be able to infer much from the fact that you just bought 10 Ben & Jerry’s pints. Perhaps you’re very hungry. Or perhaps you’ve just recently decided to engage in an epic ice cream eat off with your best bodybuilder friends.
But what if, in addition to knowing your favorite ice cream flavor, your fridge learned from your smart TV that you’ve been binge-watching The Notebook late at night? What if gossipy Alexa joined the conversation and mentioned the truckloads of tissue you recently ordered from Amazon? Ouch. Sounds like a pretty bad heartbreak, doesn’t it? Should I order some more Sauvignon Blanc?
Now, you might have consented to having each puzzle piece be collected individually in the specific context in which you deliver them — after all, how cool is this that Netflix can guess that you’re in the mood to watch The Fault in Our Stars? But are you really okay with the fact that most objects in the comfort of your home secretly congregate to talk about how much of a mess your last breakup left you in? Yup. Didn’t think so…
This illustrates what privacy scholar Hellen Nissenbaum calls contextual violation. To put it simply: the collection and analysis of some data is appropriate in some specific contexts only. Just like you would not feel comfortable having your doctor telling all your colleagues about that weird lump under your arm, there is absolutely no reason to think that it is appropriate for your fridge to know about your mild obsession with Kevin Spacey.
Whose Data is it Anyways?
In this context, it is worth asking about who really owns the data generated by these new devices. Truth is, no one really knows. The problem with Machine-generated data is that it tends to blur the line between the generation of data and its ownership. Just think, for example, of the information collected every second by your smart watch. Have you, by simply wearing it on your wrist and blindly agreeing to its blurry Terms of Use, implicitly consented to having Fitbit keep — and use! — data as intimate as your heart rate or sleep pattern?
The notion of what constitutes meaningful consent is also blurred by the Internet of Things. Just like for online social media platforms, purposely unintelligible Terms and Conditions that no one reads are not satisfactory ways to govern the ownership of personal data — consent is by nature retractable and cannot be given away by the mere ticking of a box.
This situation gets even worse as the ubiquity and invisibility of the IoT makes it easy for you to “forget” that you are being monitored — especially and perhaps most creepily by your friends’ devices. Talk about informed consent…
Even more worrisome is the take-it-or-leave-it attitude that the IoT seems geared towards when it comes to the respect of its users’ privacy and consent. As most of the vital functions of our daily lives are increasingly brought on the internet, the feasibility of opting out of the IoT is simply made non-existent. If you don’t want your every moves to be monitored by your car or your city’s smart roads, better buy good shoes — that is, if you still manage to find shoes that don’t track you.
Because of its very nature, the IoT does not usually offer a big switch-off button. In the not-so-distant future, literally millions of eyes will monitor and analyze everything down to the most intimate parts of our lives. For those familiar with Foucault’s Panopticon, it isn’t hard to envision the troubling implications of such a situation.
It is therefore crucial that IoT companies incorporate privacy principles into their devices as early as the design level. This is obviously easier said than done. Privacy all-too-often remains an afterthought for hustling entrepreneurs needing to move fast and innovate even faster. However, as I have argued elsewhere, comprehensive and consistent cybersecurity practices are far from just being good ethics — they are quite simply good business. This is particularly likely to be the case as data breaches multiply and consumer awareness of the issue continues to rise.
This is not to let policymakers off the hook. New policy frameworks will be needed to address the countless privacy and security challenges created by those “smart” devices and to help steer manufacturers’ attitude in the right direction. The recent General Data Protection Regulation (GDPR) adopted last year by the EU tightens consent requirements and mandates privacy by design — a clear first step in the right direction.
Even still, the privacy and cybersecurity attitude at both policy and industry levels are all-too-often those of firefighters where a proactive, voluntarist approach is badly needed. We the People can and must change that.
It is our responsibility as citizens and consumers to make sure to push legislations forward and to keep the conversation going on an issue that will deeply affect all of us — whether we like it or not. One good place to start would be to ask ourselves whether we really need to put a chip in literally everything we lay our eyes on.
Because once all the objects we continuously interact with join the wild west that is becoming the Internet of Things, there will be no more hiding from your fridge.
Vincent Viers
Vincent Viers is a UCBerkeley and SciencesPo Paris Dual BA Student; interested in tech, entrepreneurship and ethics. Vincent is a Junior Consultant, a Strategy Business Developer @Startupflow.io, and a regular Content Author for Corix Partners.
The opinions expressed by guest bloggers are their views and do not necessarily reflect the opinions of Corix Partners.