Privacy by design

A UK Department for Digital, Culture, Media and Sport (DCMS) report on IoT certification cited a survey of 1,000 consumers, who ranked the information about an IoT product that would be most useful to them at the point of purchase. One of the top requirements was transparency about privacy, covering the following:

  • Type of personal data collected
  • Whether data is shared with third parties
  • Whether consumers can opt out of sharing

Each of these points is addressed by a Privacy by Design (PbD) approach. PbD is based on a set of privacy principles and, as "data protection by design and by default" (Article 25), is also a requirement of the GDPR. Aligning a VDOO certification with the PbD principles would give consumers and businesses evidence that a vendor has met a minimum set of privacy requirements. The alignment is difficult, however, because privacy encompasses the entire IoT system (the cloud services, applications and data recipients as well as the device that collects the information), whereas a certification is typically scoped to the device. The seven PbD principles, each followed by its interpretation for the IoT, are:

Proactive not reactive; preventive and not remedial

Within the context of the IoT, it is important to consider the potential privacy ramifications for all stakeholders before a device goes on sale. This analysis naturally starts with the data types collected, to establish which are sensitive and which regulations apply to each. A more in-depth analysis should then examine the indirect privacy ramifications of the way the various IoT components operate. For example, in an application that tracks connected vehicles, it is important to know whether the tracking exposes driving patterns that, although anonymized, could be traced back to an individual or group once combined with other data, perhaps collected by other systems. Considering the privacy of data in aggregate, rather than only the privacy of the data collected by a single system, allows potentially serious privacy concerns to be identified before they are exposed or exploited by unscrupulous persons.

Another case in point is the energy usage data collected by smart meters and fed to the utility for analysis. If its collection and access are not controlled, this data can inadvertently reveal when a person is at home or away, exposing that person to physical attack.

Privacy as the default

In January 2014, the Chairman of the Federal Trade Commission (FTC) noted that IoT stakeholders have a responsibility to make security a part of their product development process, to collect only the minimum amount of data necessary, and to notify consumers of any unexpected use of their data and give them simplified choices about that use.

Developers should take note of this and build privacy controls into their devices and supporting systems, enabled by default rather than left for the user to discover and switch on.

Device vendors should make users aware of all of the data collected from or about them, and should let them opt out of data collection practices at a granular level.

Recognizing that many IoT devices have no proper user interface, companies should find other suitable means (for example, a companion application or web portal) to give consumers notice and choice.

Privacy embedded into design

Apply appropriate safeguards at design time, based on the privacy threats the device faces, rather than after a privacy concern has been raised or exploited. Companies should also re-evaluate their personal data breach notification program so that it covers the data flows and components specific to the IoT.

Full functionality – positive sum, not zero-sum

There is typically a balance to be struck between functionality and security if a system is to work correctly, meet business objectives, and remain secure. The same is true of privacy. In the IoT it is critically important that the trade-offs between functionality, security, and privacy be made early in the design process, so that all three objectives are met rather than one being sacrificed for another. Discovering a privacy issue well into the operational life of an IoT system makes retrofitting privacy controls difficult.

End-to-end security – life cycle protection

Within the IoT, collected data will have a long life span. Organizations should make stakeholders aware of any data that could be provided to a third-party organization. They should also describe the security controls applied to data in storage, state how long the data is retained, and explain how it is disposed of at the end of that period.

Life cycle protection also applies to second-order data: information about people that is inferred or derived from the primary data. For instance, if a sensor in your car records how far, where, and how fast you drive, along with other attributes of your driving habits, someone can infer a great deal about you, such as your shopping or working habits, or who you socialize or interact with. The owner of the data (for example, the car company) may erase your primary data when you sell the vehicle yet keep all of the inferred information (social connections, shopping habits, and so on); retention and disposal commitments must therefore cover derived data as well as the raw sensor records.
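To make the data-in-aggregate point under the first principle and the second-order-data point above concrete, here is an added example in Python. It is not code from the book or from any vendor: the trip log for one pseudonymized vehicle, the property register, the names and the coordinates are all constructed for the example. It derives likely home and work cells from arrival times (second-order data), links the inferred home cell to the outside register, and reports the anonymity-set size k, first at the ~100 m grid cells the "anonymized" log uses and then at a grid ten times coarser.

```python
from collections import Counter
from datetime import datetime


def cell(lat, lon, scale=1000):
    """Snap a coordinate to an integer grid cell; scale=1000 keeps three decimal
    places (~100 m squares), a common but naive 'anonymization' of location data."""
    return (round(lat * scale), round(lon * scale))


def coarsen(c, factor):
    """Merge grid cells into squares `factor` times larger on each side."""
    return (c[0] // factor, c[1] // factor)


# Constructed trip-end log for one pseudonymized vehicle: (local time, lat, lon).
# Only the vehicle identifier was replaced by a pseudonym; nothing else was removed.
TRIP_ENDS = [
    ("2024-03-04T08:05:00", 51.501, -0.142),  # Mon morning
    ("2024-03-04T18:20:00", 51.455, -0.201),  # Mon evening
    ("2024-03-05T08:10:00", 51.501, -0.142),  # Tue
    ("2024-03-05T12:30:00", 51.512, -0.125),  # Tue lunchtime stop
    ("2024-03-05T18:45:00", 51.455, -0.201),
    ("2024-03-06T07:58:00", 51.501, -0.142),  # Wed
    ("2024-03-06T19:05:00", 51.455, -0.201),
    ("2024-03-07T08:15:00", 51.501, -0.142),  # Thu
    ("2024-03-07T18:30:00", 51.455, -0.201),
    ("2024-03-09T11:00:00", 51.480, -0.190),  # Sat, shopping centre
    ("2024-03-09T16:40:00", 51.455, -0.201),
]

# Constructed external dataset (a property register) on the same grid.
# The names are placeholders, not real people or companies.
PROPERTY_REGISTER = [
    (cell(51.455, -0.201), "A. Example"),
    (cell(51.456, -0.203), "B. Example"),
    (cell(51.458, -0.205), "C. Example"),
    (cell(51.501, -0.142), "Acme Ltd (office)"),
]


def infer_home_work(trip_ends):
    """Second-order data: derive the likely home and work cells from arrival times.
    Weekday arrivals between 06:00 and 10:00 vote for 'work'; arrivals between
    17:00 and 23:00 on any day vote for 'home'. The most-voted cell wins."""
    work, home = Counter(), Counter()
    for ts, lat, lon in trip_ends:
        t = datetime.fromisoformat(ts)
        c = cell(lat, lon)
        if t.weekday() < 5 and 6 <= t.hour < 10:
            work[c] += 1
        elif 17 <= t.hour < 23:
            home[c] += 1
    return {
        "home": home.most_common(1)[0][0] if home else None,
        "work": work.most_common(1)[0][0] if work else None,
    }


def other_visits(trip_ends, inferred):
    """Further inference: cells visited that are neither home nor work
    (shopping, social contacts, and so on), with visit counts."""
    known = {inferred["home"], inferred["work"]}
    return Counter(cell(lat, lon) for _, lat, lon in trip_ends
                   if cell(lat, lon) not in known)


def link_candidates(target, register, factor=1):
    """Linkage attack: join a location cell against an outside dataset.
    Returns the names registered in the same cell when both are compared at a
    grid `factor` times coarser; len() of the result is the anonymity-set size k."""
    t = coarsen(target, factor)
    return [name for c, name in register if coarsen(c, factor) == t]


def assess(trip_ends, register, factor=1):
    """Run the whole chain: primary data -> inferred home -> linkage -> k."""
    inferred = infer_home_work(trip_ends)
    candidates = link_candidates(inferred["home"], register, factor)
    return {
        "inferred": inferred,
        "other_visits": dict(other_visits(trip_ends, inferred)),
        "candidates": candidates,
        "k": len(candidates),
        "reidentified": len(candidates) == 1,
    }


if __name__ == "__main__":
    print("100 m cells:", assess(TRIP_ENDS, PROPERTY_REGISTER))
    print("1 km cells: ", assess(TRIP_ENDS, PROPERTY_REGISTER, factor=10))
```

At the 100 m grid the inferred home cell matches exactly one registered resident (k = 1), so the "anonymized" log re-identifies the driver as soon as a second dataset is available; at a 1 km grid the same join yields three candidates, still a small anonymity set. Note that the dictionary returned by `infer_home_work` is enough to carry out the linkage on its own, which is the life cycle problem described above: deleting `TRIP_ENDS` does nothing if the inferred home and work cells are retained.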


Visibility and transparency

Stakeholders should be able to easily identify the data collected from them by any particular IoT system, together with the planned or potential uses of that data. Stakeholders should also be able to opt in to data collection at both a coarse and a granular level. For example, if an application tracks their driving patterns (say, for insurance purposes), the user should be able to explicitly authorize the use of their data for that purpose (coarse). The user should also be able to explicitly authorize individual data elements if they wish, for example the storage of their GPS-derived driving history (granular).

Respect for user privacy

Instill a culture of privacy awareness within the organization (for example, appoint privacy advocates to evaluate the privacy impact of any new IoT device). These people should ideally have the authority to mandate changes to an IoT system design when privacy concerns are identified.
