The coming privacy crisis on the Internet of Things

Will privacy survive the coming of the Internet of Things?

It turns out that the concept of privacy as we know it today is only about 150 years old. Because while foundations were laid as early as 1200 AD, what we would regard as privacy is really only a child of the Industrial Revolution.

It isn’t something we think about every day, and we don’t often think about how our own actions will affect our privacy. At best, we might shred our bank statements before throwing them out, or cover the keypad as we type our PIN number.

Despite this, most of us would regard privacy as a fundamental human right. But unfortunately the law hasn’t quite caught up with how we live our lives today.

“The coming privacy crisis on the Internet of Things,” TEDxExeter Salon on Saturday 7th October 2017

While your privacy may be protected in your home, where you have “a right to be left alone,” in many countries the right to privacy isn’t explicitly protected, especially when it comes to the Internet.

There, and for the last thirty years, we’ve seen an increasingly aggressive erosion of our privacy. Because privacy isn’t really about keeping things private, it’s not about secrets, it’s about choice. The choice of what you tell people about yourself, and unfortunately there really is only one business model on the Internet, and that’s advertising.

People have refused to subscribe to services or pay for content on the Web. Instead advertising supports the services that sit underneath almost everything we do online, and behind advertising is the data that makes it possible.

Think about how your day-to-day experience of the Web would be different if Google charged a monthly subscription fee for its search service, or worse yet, used a micro-payment based approach to charge you on a search-by-search basis.

A series of almost accidental decisions and circumstances have led to a world where most things on the Internet appear to be “free.” That doesn’t mean they are free, just that we pay for them in other ways. Our data and our attention are the currency we use to pay Google for our searches, and Facebook for keeping us in touch with our friends.

Mark Zuckerberg at Techcrunch Disrupt SF 2013. (Photo by Max Morse)

More than a few years ago now Mark Zuckerberg famously stated that privacy should no longer be considered “a social norm.” I think Zuckerberg was right, but I also think there’s a serious privacy backlash coming. Because I really don’t think the current age — where privacy can no longer be assumed, where it’s not the social norm — will survive the coming of the Internet of Things.

Everyday objects are already becoming smarter and being connected to the network. Our computing is slowly diffusing out into our environment, and whether we know it or not, we leave a trail of data behind us as we move through the world, a data exhaust. Shreds of our digital identity if you will.

In 10 years’ time your world will be full of sensors. They’ll be embedded in everyday objects, things that today you wouldn’t anticipate or expect. But for today, for now, those sensors exist in our cellphones, our smart watches, and our fitness trackers, and those sensors don’t just talk to you, they talk to the Internet.

Rachel Kalmar’s collection of wearables. (Photo by Cory Doctorow)

The data generated by those things — by those network connected smart things — is almost invariably sent to the cloud where it’s carefully aggregated, packaged, and then usually sold.

This model is forced on the companies selling the thing because the other Internet has made most of us unwilling to subscribe to services. While we might be willing to pay for the device itself, a physical thing we can hold in our hands, we just expect software and services to be “free.” Unfortunately this has turned us into the product, rather than the customer. Because there is no cloud, there are only other people’s computers a long way away, and if we don’t pay for them, then someone else will.

Which is a problem. Because suddenly, it’s not just your email or the photographs of your cat, but your location, your heart rate, your respiration rate. Not just how you slept last night, but with whom. The privacy and attention we’re trading for our “free” services and content is now much more personal.

A couple of years ago iRobot, the company that makes the adorable robotic vacuum cleaner the Roomba, gave it the ability to build a map of your home while keeping track of its own location within it. A couple of months ago, we found out that they were preparing to share those maps of people’s homes with their “commercial partners.”

Path taken by a Roomba cleaning a room. (Photo by Chris Bartle)

However, it turns out people aren’t quite as sure that trading this sort of data for services is such a good deal any more. Especially when our “free” services now come bundled with smart devices that we had to pay for with actual money.

Unfortunately it’s not just the data that smart things create that is the problem. Metadata from web traffic generated by things installed in your home can reveal a lot of information about your habits and lifestyle.

Just looking at the traffic flow between Internet of Things devices and their cloud services shows emerging patterns. Whether you are at home, whether you’re sleeping, the footprint your devices leave on the Internet tells a story.

The problem comes down to ownership. As customers we may have purchased a thing, but the software and services that make the thing smart remain in the hands of the manufacturer.

Last year, for instance, John Deere told farmers that they don’t really own their tractors but just licenses for the software that makes them go. That means that, not only can they not fix their own farm equipment, they can’t even take it to an independent repair shop. Farmers have resorted to hacking their own tractors with Ukrainian firmware.

Which changes the very idea of what it means to own something.

As Hurricane Irma bore down on Florida, Tesla, the electric car company, issued an over-the-air software fix for their cheaper car models in Florida that temporarily gave their drivers an extra thirty to forty mile range.

The cheaper models had been software locked to use only eighty percent of the available power. The remaining battery capacity would only normally have been unlocked by paying extra.

Which makes me wonder when the first death by smart device will happen. Because there are lots of smaller emergencies, with far less news coverage, and much less notice, where an extra thirty miles range could be the difference between life, and death.

Whether that death ends up being an act of corporate manslaughter or of personal malice, the first death by the Internet of Things will probably be prosaic: it’ll be a water heater, a thermostat, or an electrical socket. It might even have already happened.

The rush to connect devices to the Internet has led to poor privacy controls, poor security, and to an economic model that means manufacturers are abandoning devices before we are done with them.

Right now the business model behind most smart devices in your home is fairly standard. You make a one-time purchase of the thing itself, but don’t commit to a subscription to support the cloud services that make the thing “smart” in the first place.

Unfortunately the fabric of our homes is far more static than many companies, used to operating on “Internet time,” seem to have assumed, and as a result that business model appears unsustainable.

While you might replace your phone every year or two, how often do you expect to replace the light switches on the wall, or the thermostat? In the longer term then, both consumers and companies may well have to settle for subscriptions to support their smart things.

You can see this being easy enough to sustain for Things that require consumables. The razor blade business model — where the razors themselves are practically free, but the replacement blades are relatively expensive — is well established.

But subscriptions may face stiffer resistance where traditionally the thing had no ongoing costs, except eventual replacement. Companies may have to accept a graceful degradation of functionality for their smart things. A smart light switch may gradually become “dumber” and — after a while — become something that you can use to turn a light on or off from the switch on the wall, and not a smart, Internet-connected device at all.

It’s taken us thirty years to have a constructive debate about privacy on the Internet, and unfortunately it’s one that I think we have pretty much lost.

But I’m still hopeful for the Internet of Things. Because, while it is still in its infancy, the debate around privacy there is already well underway and privacy problems have quickly become public relations nightmares for the companies involved. Which rarely seems to happen when it comes to the other internet.

Uber, for instance, has decided to reverse its controversial move to track users even after their trip has ended. Uber decided to roll back the change after consumer backlash, saying that “they hadn’t properly clarified what value consumers would gain” from letting them track you, even when you weren’t using their app.

Legislators both in Europe and the United States are looking hard at “right-to-repair” bills, often called fair repair laws, that restore some powers of ownership to us the consumer. In Europe the Parliament recently made a plea for manufacturers to tackle built-in obsolescence and make spare parts affordable.

The most hopeful sign however is the introduction of something called the General Data Protection Regulation (GDPR) which will come into force throughout Europe — and despite Brexit here in the United Kingdom — from May next year.

It’ll have a significant impact on the design of smart devices, and the business models behind them. It introduces requirements around consent. Giving you back choice about what you tell people about yourself.

You must consent to processing of your personal data, and your consent cannot just be presumed if you do nothing. Importantly, consent also can’t be regarded as given if you have no real choice, or you are unable to withdraw your consent later.

It also requires privacy by design and by default, and imposes obligations on manufacturers to assess the impact of any data they collect. So no more shrink-wrapped terms of service around your data, at least in theory.

It will also confer new rights with respect to your personal data. These include the right to be forgotten, and the right and ability to move your data between devices. Something that’s often been lacking on the other Internet.

People like myself, who are building the Internet of Things, have also started to react to privacy concerns. I’m involved in a community-led effort to develop a consumer-facing certification mark for connected products.

It’s an attempt to give everyone some reassurance, and an attempt to push beyond the GDPR and look at the entire life cycle of a smart device, from design, to manufacture, to final disposal, and to encourage the industry to make different and more ethical design choices. Because in the future our privacy, or lack of it, will be inherent in the design of these new smart devices.

But community-led efforts like this, and even the creation of government legislation, can only really be effective in the presence of public pressure. The death of privacy can only be avoided if problems with your smart things continue to be public relations nightmares for the companies involved.

The loss of privacy may seem inevitable, but the only thing that makes it that way is our own apathy. How we all react to the arrival of the new smart devices will determine whether it’s us or the manufacturers that own them, and control the data they generate. It will determine whether we have a choice about what we tell other people about ourselves, and whether we have any privacy at all.

The bulk of this article is taken from an expanded transcript of a talk I gave at the first TEDx Exeter Salon on Saturday 7th October 2017, which was held alongside the Lost Weekend festival in Exeter, U.K.

Scientist, Author, Hacker, Maker, and Journalist.