Standard notice and choice aren’t going to cut it when it comes to the IoT.
“As the Internet of Things ecosystem grows and more devices are connected to the Internet, you might not even know that they are,” said Pedro Pavón, Oracle’s senior corporate counsel, speaking at a two-day International Association of Privacy Professionals (IAPP) event held Tuesday and Wednesday in Washington, DC.
“Self-regulation and online behavioral advertising are very heavy on notice,” Pavón said. “But how do you provide notice on a Fitbit? How do you update a policy and provide appropriate notice or even give consent?”
The Federal Trade Commission is pondering similar questions at the same time as marketers are getting more excited about IoT-related opportunities.
Sixty-two percent of CMOs around the world cited the Internet of Things as one of the three technologies that will be “particularly important” over the next three to five years, according to IBM’s Global C-suite study, released in November. That’s just behind cloud computing and services (64%) and just ahead of mobile solutions (61%).
“You will see cases around the Internet of Things,” declared Jessica Rich, director of the FTC’s Bureau of Consumer Protection, at the IAPP event.
In January, the FTC released a report detailing privacy guidelines around the IoT, including a recommendation to “build security into devices at the outset, rather than as an afterthought in the design process.”
Technology in general has increasingly become what Rich called “a huge focus” for the commission. The dynamic has certainly shifted since Wired razzed the FTC in 2012 for issuing antiquated Blackberries to its tech staff rather than Apple or Android devices.
In October 2014, the FTC hired as its chief technology officer Ashkan Soltani, the privacy researcher who consulted with The Washington Post for stories written off classified NSA documents made available by Edward Snowden. And in April of this year, the FTC opened the Office of Technology Research and Investigation to help the commission unpack the privacy implications of everything from cross-device tracking to smart toasters and connected cars.
Although it’s a little early to talk about the IoT toaster at scale, it’s not too early to consider the potential. Toasters are actually a particularly handy hypothetical use case because, as Justin Brookman, policy director at the new tech research office, noted, “You have a basic understanding of what a toaster is going to do” – which is that it will make toast, not collect data.
The question of what sort of actionable or useful data could be derived from a user’s toast consumption patterns or preferences is beside the point. The market is creative, and if there is a use case, the market will find it. If a device can be connected to the Internet, it will be connected to the Internet.
Imagine a not-too-distant future in which a consumer owns a smart fridge with a sensor in the door. The sensor registers over a period of time that this person likes to snack every night at around 12:30 a.m.
“Don’t be surprised if it’s 12 and you see an ice cream ad [on your phone],” said Pavón. “I think of my mom when I think of notice and consent – will she understand that her fridge is a big driver of the marketing she’s receiving?”
Of course, there are some cases where consumers don’t need to know the ins and outs of how everything works.
“Informing consumers is not always the same thing as protecting consumers,” Pavón said. “You wouldn’t expect consumers to understand how a nuclear power plant works, for example.”
Harking back to his mom and what she’d be likely to understand, in Pavón’s view, self-regulation makes more sense than education. “Explaining to Mom what hashing is won’t help, but having a regime to protect my mother’s identity will.”
Just what that regime will look like, however, is far from obvious.
Mobile devices have diminutive screens, but other devices have no screens at all. There’s not even anywhere to put a just-in-time notification, like the ones that apps pop up when they want something from you. (“This app would like to use your mic for no discernable reason.” “Yes” or “No.”)
Most toasters today don’t have displays, or if they do they’re fairly small. Even if manufacturers start making toasters with larger displays, it’s hard to envision providing consumers with any kind of disclosure on a toaster.
Perhaps we’re entering a world in which simply buying the toaster in the first place will be accepted as a proxy for consent – an outcome brands would most likely be very pleased with.
“It’s hard and we’re working on this,” Rich said. “But we did conclude that privacy and security by design is more important in the Internet of Things because the amount of information being collected is greater than ever. Notice and choice can still work, but they ultimately need to be adapted.”
That’s a big part of Brookman’s remit at the FTC’s Office of Technology Research and Investigation – to mess around in the lab, ask questions and get involved early on with guidance to “stop things from going in a direction we think consumers might not be interested in.”
“We fully understand the important part that innovation plays … [but] if the relationship starts to feel adversarial with your things, if you’re looking at your TV kind of side-eyed and worry about what’s going on there, that could turn into a dangerous spiral,” Brookman said. “The Internet of Things is one example, but all sorts of things are amazingly possible today that weren’t possible a few years ago.
“For consumers, everything they own is a little black box and we’re trying to make sure that their interests are provided for.”