IoT and protecting the customer

Companies must be held responsible for ensuring that customers understand their privacy rights when it comes to the Internet of Things.
Published: Wed 17 Aug 2016



The Internet of Things is quickly gaining momentum around the world. With this growth comes the reality that consumers are surrendering their privacy without even realizing it, because they are unaware of what data is being collected and how it is being utilised. Older devices on the market are being replaced by mobile applications, wearables and other Wi-Fi-connected consumer products that have the ability to monitor or track consumers.

Because consumers want the latest in technology, they often don’t think twice about their privacy.

The need for greater IoT transparency

This is where companies need to take responsibility and provide a level of transparency when it comes to their customers’ privacy rights.

To maintain a high level of customer satisfaction, consumers should be advised exactly what data is being collected and what it will be used for. Often, consumers choose to skip past privacy policies for devices they have purchased since they are generally written using legal jargon, basically unintelligible to the average consumer. Those same devices also typically come with similarly unintelligible terms of use, which include mandatory arbitration clauses forcing consumers to relinquish their right to be heard in court if they are harmed by the product. As a result, the privacy of consumers can be compromised, and they are left without any real protection.

But how will this improved level of transparency be attained? According to Christine Bannan, a legal intern at the Electronic Frontier Foundation, it would have to be either by industry self-regulation or governmental regulation requiring companies to receive informed and meaningful consent from consumers before data is collected from consumers’ devices.

Taking responsibility for consumers’ right to privacy

Generally, industries will respond if their customers demand more privacy. A good example: after McKinsey, a management and consulting company, reported that new-car buyers are worried about the data privacy and security of connected cars, the Alliance of Automobile Manufacturers (a trade association of 12 automotive manufacturers) responded by developing privacy principles they agreed to follow.

Businesses can self-regulate by developing and adopting industry-wide best practices on cybersecurity. When companies collect data, it is essential that responsibility is taken when it comes to protecting the privacy of their users. So basically, if they don’t want to be held responsible for the data, they should not be in the business of collecting it at all.

Some companies, such as Fitbit, an American company known for its products that measure data, embed privacy into their technology.

The benefit of industry self-regulation is that each industry can create standards specific to the needs of its customers and the sensitivity of the data it collects, whereas government regulation would be country or region specific.

Layered privacy policies

Bannan suggests that layered privacy policies be a best practice adopted by industries and that ‘Creative Commons’ licenses could serve as useful models. These licenses have a three-layer design: the “legal code” layer, the “human-readable” layer and the “machine-readable” layer.

The “legal code” layer would be the actual policy, written by lawyers and interpreted by judges. The “human-readable” layer would be a concise and simplified summary of the privacy policy in language that an average consumer can understand. The “machine-readable” layer would be the code that software, search engines and other kinds of technology can understand, and would only allow the technology to have access to information permitted by the consumer.

Bannan says: “These best practices would make tremendous progress in protecting the privacy of consumers, but they are not enough. Companies must be legally bound to the promises they make to their customers.”

Because this is such a complex issue, involving a number of industries and implicating various privacy concerns, an adequate solution will require participation by consumers, businesses and the government.

IoT in the energy industry

Energy companies are certainly not immune to this challenge. Although they are viewed as pioneers in working with multiple, large data sets and real-time challenges, that does not exempt utilities from the IoT trend and the security concerns around it. IoT enables the connection of multiple new physical devices to the power grid and to the data networks that support the power grid. Rooftop solar, electric cars, home energy batteries, smart meters, smart thermostats and smart appliances all change the local distribution grid into a dynamic, bi-directional, and multi-party marketplace for energy, rather than the old one-way system of energy delivery. These new connected devices can cause chaos on distribution grids that were never designed to handle these new dynamics. Added to this is the challenge surrounding privacy and security.

As utilities search for new revenue streams and aim to please customers in an increasingly competitive industry, IoT devices, supplied or supported by utilities, will only grow.

In our upcoming webinar, The Limits of Utility IoT: The Policy, Privacy, and Security Landscape of the Internet of Things, David B Coher, Principal, Reliability and Cybersecurity, Southern California Edison, discusses how to ensure end-user privacy, and the current and anticipated regulation of IoT (both in and outside the utility sector). This webinar is part of Engerati’s "IoT - Path to the Intelligent Grid" In focus track.

 
