reassessing regulation and the iot - gilad rosner

Reassessing Regulation and the Internet of Things

FSR Communications & Media Annual Conference

Dr Gilad Rosner [email protected]

Internet of Things Privacy Forum @IoTPrivacyForum @GiladRosner

27 May 2016

Dr Gilad Rosner http://bit.ly/grosner

Internet of Things Privacy Forum http://www.iotprivacyforum.org

@GiladRosner @IoTPrivacyForum

What is the Internet of Things? Converging trends:

Widespread, inexpensive telecommunications and local network access Cheap sensors Cheap computing power Miniaturization Location positioning technology Inexpensive prototyping The ubiquity of smartphones as a platform for device interfaces




What is the Internet of Things?

Internet of Things = Connected Devices




What is the Internet of Things?

Internet of Things = Sensors




Internet of Things

Devices may not do TCP/IP

IoT Network and Messaging Standards

Bluetooth WiFi ZigBee 2G/3G/4G

Z-Wave 6LowPAN Thread NFC

MQTT XMPP DDS AMQP




Evolution Not

Revolution




Internet of Things

Things on the Internet or

Things that Network

“Promise or Peril”

The Internet of Things: making the most of the Second Digital Revolution, UK Government Office for Science, 2014




• Consent must be “freely given, specific, informed and unambiguous”

• Consent must be expressed “by a statement or by a clear affirmative action”

• “Silence, pre-ticked boxes or inactivity” are inadequate to confer consent

• “it shall be as easy to withdraw consent as to give it”

GDPR and Consent




• Declarations to obtain consent must be presented “in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”

GDPR and Consent




“Right to be let alone”

- Warren & Brandeis




The Intimacy of Things




Risk: Enhanced Monitoring




Answerable questions implied by devices and organizations knowing your whereabouts:

• Did you go to an anti-war rally on Tuesday? • A small meeting to plan the rally the week before? • Did you walk into an abortion clinic? • Did you see an AIDS counselor? • Were you the person who anonymously tipped off safety regulators about the rusty machines? • Which church do you attend? Which mosque? Which gay bars? • Who is my ex-partner going to dinner with?

- Adapted from “On Locational Privacy, and How to Avoid Losing it Forever”,

EFF, 2009




Tracking in public




Risk: Unconsented Capture




Users should have the ability to “continuously withdraw (their) consent without having to exit” a service.

- Opinion on the Internet of Things, Article 29 Working Party, 2014




Risk: Collection of Medical Data




Reasons for privileged treatment of medical information:

• an awareness that people will not disclose critical information to doctors if they fear a lack of privacy, leading to untreated illnesses

• stigmatization, loss of job, or other harms from revelation of medical condition or disease

• challenges to dignity – a baseline belief that people have civil rights to control the flow of information about their physical and mental health




Who can see my health information?

What uses can it be put to?




Risk: Breakdown of Informational Contexts




Sensor Fusion

“Just as two eyes generate depth of field that neither eye alone can perceive, two Internet of Things sensors may reveal unexpected inferences…. Sensor fusion means that on the Internet of Things, “every thing may reveal everything.” [meaning] each type of consumer sensor … can be used for many purposes beyond that particular sensor’s original use or context, particularly in combination with data from other Internet of Things devices.” - Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent, Peppet, S., 2014




Theory of Contextual Integrity

Norms of appropriateness Norms of transmission




Context matters




“Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data…”

- White House Consumer Privacy Bill of Rights




• How do I ensure that my employer does not see health information from my wearables if I don’t want them to?

• If I share a connected device with someone, how do I ensure that my use of it can be kept private?

• What rules are in place regarding data collected in my home and sharing it with my insurance company?

• What data from my car can my insurer get? • Who can see when I’m home, or what activities I’m

engaging in? • What rights do I have regarding the privacy of my

whereabouts?




Vehicle Event Data Recorder

“Perhaps the most prominent concern about EDRs is their impact on personal privacy. While current regulations provide only that EDRs, if installed, track 15 specific data elements, technological advances may allow greater data collection. In addition, individual auto manufacturers are free to collect more data, or to collect data for longer time periods, than required under [federal] EDR rule[s]. When combined with other technologies, such as onboard navigation systems and mapping apps, EDR data could be transmitted beyond the vehicle owner’s control.”

“’Black Boxes’ in Passenger Vehicles: Policy Issues”, Canis, B. and Peterman, D., 2014

Montana 2015 SB 0209

• “The data on a motor vehicle event data recorder is exclusively owned by the owner ... of the motor vehicle and may not be retrieved or used ... without the written consent of an owner”

• Data can be retrieved without owner consent in cases of a search warrant, a need to provide emergency medical care, a court order but with a period to request a hearing, and “for the purposes of improving motor vehicle safety, security, or traffic management and provided that the identity of the owner or driver is not disclosed in connection with that retrieved data.” (emphasis added)

Montana 2015 SB 0209

• “An insurer may not condition the payment or settlement of an owner's claim on the owner's consent to the retrieval or use of the data on a motor vehicle event data recorder.”

• “An insurer or lessor of a motor vehicle may not require an owner to consent to the retrieval or use of the data on a motor vehicle event data recorder as a condition of providing the policy or lease.”




More data means that citizens should be given more power and control over it

through regulatory means.

Thank you!

Dr Gilad Rosner [email protected]


reassessing regulation and the iot - gilad rosner

Law