Reassessing Regulation and the Internet of Things
FSR Communications & Media Annual Conference
Dr Gilad Rosner [email protected]
Internet of Things Privacy Forum @IoTPrivacyForum @GiladRosner
27 May 2016
Dr Gilad Rosner http://bit.ly/grosner
Internet of Things Privacy Forum http://www.iotprivacyforum.org
@GiladRosner @IoTPrivacyForum
What is the Internet of Things? Converging trends:
• Widespread, inexpensive telecommunications and local network access
• Cheap sensors
• Cheap computing power
• Miniaturization
• Location positioning technology
• Inexpensive prototyping
• The ubiquity of smartphones as a platform for device interfaces
What is the Internet of Things?
Internet of Things = Connected Devices
What is the Internet of Things?
Internet of Things = Sensors
Internet of Things
Devices may not do TCP/IP
IoT Network and Messaging Standards
Bluetooth WiFi ZigBee 2G/3G/4G
Z-Wave 6LowPAN Thread NFC
MQTT XMPP DDS AMQP
Evolution, Not Revolution
Internet of Things
Things on the Internet or
Things that Network
“Promise or Peril”
The Internet of Things: making the most of the Second Digital Revolution, UK Government Office for Science, 2014
GDPR and Consent
• Consent must be “freely given, specific, informed and unambiguous”
• Consent must be expressed “by a statement or by a clear affirmative action”
• “Silence, pre-ticked boxes or inactivity” are inadequate to confer consent
• “it shall be as easy to withdraw consent as to give it”
GDPR and Consent
• Declarations to obtain consent must be presented “in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.”
“Right to be let alone”
- Warren & Brandeis
The Intimacy of Things
Risk: Enhanced Monitoring
Answerable questions implied by devices and organizations knowing your whereabouts:
• Did you go to an anti-war rally on Tuesday?
• A small meeting to plan the rally the week before?
• Did you walk into an abortion clinic?
• Did you see an AIDS counselor?
• Were you the person who anonymously tipped off safety regulators about the rusty machines?
• Which church do you attend? Which mosque? Which gay bars?
• Who is my ex-partner going to dinner with?
- Adapted from “On Locational Privacy, and How to Avoid Losing it Forever”, EFF, 2009
Tracking in public
Risk: Unconsented Capture
Users should have the ability to “continuously withdraw (their) consent without having to exit” a service.
- Opinion on the Internet of Things, Article 29 Working Party, 2014
Risk: Collection of Medical Data
Reasons for privileged treatment of medical information:
• an awareness that people will not disclose critical information to doctors if they fear a lack of privacy, leading to untreated illnesses
• stigmatization, loss of job, or other harms from revelation of medical condition or disease
• challenges to dignity – a baseline belief that people have civil rights to control the flow of information about their physical and mental health
Who can see my health information?
What uses can it be put to?
Risk: Breakdown of Informational Contexts
Sensor Fusion
“Just as two eyes generate depth of field that neither eye alone can perceive, two Internet of Things sensors may reveal unexpected inferences…. Sensor fusion means that on the Internet of Things, “every thing may reveal everything.” [meaning] each type of consumer sensor … can be used for many purposes beyond that particular sensor’s original use or context, particularly in combination with data from other Internet of Things devices.”
- Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent, Peppet, S., 2014
Theory of Contextual Integrity
• Norms of appropriateness
• Norms of transmission
Context matters
“Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data…”
- White House Consumer Privacy Bill of Rights
• How do I ensure that my employer does not see health information from my wearables if I don’t want them to?
• If I share a connected device with someone, how do I ensure that my use of it can be kept private?
• What rules are in place regarding data collected in my home and sharing it with my insurance company?
• What data from my car can my insurer get?
• Who can see when I’m home, or what activities I’m engaging in?
• What rights do I have regarding the privacy of my whereabouts?
Vehicle Event Data Recorder
“Perhaps the most prominent concern about EDRs is their impact on personal privacy. While current regulations provide only that EDRs, if installed, track 15 specific data elements, technological advances may allow greater data collection. In addition, individual auto manufacturers are free to collect more data, or to collect data for longer time periods, than required under [federal] EDR rule[s]. When combined with other technologies, such as onboard navigation systems and mapping apps, EDR data could be transmitted beyond the vehicle owner’s control.”
“’Black Boxes’ in Passenger Vehicles: Policy Issues”, Canis, B. and Peterman, D., 2014
Montana 2015 SB 0209
• “The data on a motor vehicle event data recorder is exclusively owned by the owner ... of the motor vehicle and may not be retrieved or used ... without the written consent of an owner”
• Data can be retrieved without owner consent in cases of a search warrant, a need to provide emergency medical care, a court order but with a period to request a hearing, and “for the purposes of improving motor vehicle safety, security, or traffic management and provided that the identity of the owner or driver is not disclosed in connection with that retrieved data.” (emphasis added)
Montana 2015 SB 0209
• “An insurer may not condition the payment or settlement of an owner's claim on the owner's consent to the retrieval or use of the data on a motor vehicle event data recorder.”
• “An insurer or lessor of a motor vehicle may not require an owner to consent to the retrieval or use of the data on a motor vehicle event data recorder as a condition of providing the policy or lease.”
More data means that citizens should be given more power and control over it through regulatory means.
Thank you!
Dr Gilad Rosner [email protected]
Internet of Things Privacy Forum http://www.iotprivacyforum.org