What are connected objects? Consider home assistants, smart thermostats, fitness wearables, and connected cars, to name but a few, which advocate the advantages of convenience, home efficiency, health monitoring, safety, and security. Collectively known as the Internet of things (IoT), these are devices with unique identifiers that interconnect via the Internet, Bluetooth and other means.
Manufactured by hardware and software companies from around the world, they contain sensors for motion, image, sound, pressure, and optics which serve a range of market sectors, such as the industrial, medical, automotive, consumer, communications, computer, military, and aerospace. In practice, they have the capability to collect increasing amounts of data which can be accessed by manufacturers, mobile application companies, and third-party vendors.
In 2017, there were an estimated 27 billion connected devices. This is expected to grow by 12% every year, reaching more than 125 billion devices by 2030 and generating revenues into the trillions of US dollars.
Home alone: How visible should we be?
I had previously thought that when I entered my home and shut the front door, I could be, to some extent at least, left alone, free to access information, to form opinions without interference, to make important life decisions, and discuss intimately with family members. But with the ability of everyday objects to listen, see, and gather data from my home, I now ask myself whether I can effectively exercise my right to privacy and family life, my home, and private correspondence.
The knowledge that our ‘always-on’ smartphones, tablets, and PCs make us visible, trackable, and identifiable, now extends to televisions, refrigerators, ovens, vacuum cleaners, and other home appliances leaving a trail of ‘digital breadcrumbs’ which reveal data about our behaviour and movements. Consider the capabilities of Samsung televisions to send living-room chatter to third parties, the iRobot vacuum cleaner to map home interior locations, or the Sleep Number Bed mattress to track your heart rate, breathing, sounds, and movements.
As consumers, we have some choice in the matter. We are required to consent to the terms and conditions of service agreements when purchasing these objects. We can also buy appliances that are not connected to the Internet. But for how long will the offer of unconnected objects last, and will consent really be possible if their functionality and security are limited or compromised by a decision to opt out of data-sharing arrangements? The functionalities of the abovementioned iRobot vacuum cleaner and Sleep Number Bed have been shown to be limited when users do not consent to their terms and conditions of service. They have also been criticised for not being able to guarantee the secure storage of user data, and that this data will not be transmitted to others.
The potential surveillance and predictive capabilities of connected devices, coupled with relatively inexpensive data storage, makes them ever more affordable and attractive to consumers with little thought given to their potential risks and threats especially when they are left unsecured. Obfuscated by lengthy and complex policies and agreements, consumers will ignore, dismiss, or at best, tolerate the autonomous capture, collection, and transfer of behavioural data which are collected and cross-referenced with other data to reveal personal attributes and profiles.
The collection of health-related data is a particular cause of concern.The Google (Alphabet Inc.) purchase of the Nest thermostat in 2014, Fitbit in 2019, and Coefficient Insurance in 2020, provide a glimpse of the power accruing in one actor to monitor, aggregate, predict, and share health-related data. In this connection, John Hancock, one of the largest life insurance providers in North America, will now sell only interactive policies that collect health data. By design, such connected devices pay close attention to their owners and log many of our daily activities. These perceived benefits may be a friend of the healthy but could quickly become a foe of the vulnerable, those without the means to adopt a healthy lifestyle.
Regulation and governance
In the absence of specific IoT regulation, existing laws can be relied upon to protect privacy and data protection, and to tackle abusive and otherwise criminal behaviour (e.g. harassment, spying, and surveillance). The need to balance privacy with wider commercial and public benefits can be reconciled by various instruments, initiatives, and watchdogs. Importantly, the rulings of the European Court of Justice (ECJ) and the European Court of Human Rights (ECHR) continue to draw the red lines for what privacy and data protection looks like in the digital society.
To some extent, however, the governance of the digital society is forming outside of treaty and legislative frameworks, and is involving many non-state actors, norms, procedures, processes, and institutions. The pace of innovation is also resulting in ‘law-lag’, making it difficult to control or change technology once it has become entrenched in economic markets. Consumer reliance and trusted relations between companies and users might also blunt the regulatory efforts of states. Instead, contracts, technical standards, and best practice prevail, which can differ from legislation and regulation, and even lead to legal conflicts and situations where different norms cover the same actors without the existence of clear rules.
What the market will bear
For companies accountable to shareholders, it is the market value of behavioural patterns and personal preferences that matter most, obtained with or without the knowledge or consent of data subjects. The billions of sensors deployed in these objects will be hard to police, especially noting the proprietary nature and opacity of the algorithms that analyse the collected data. Furthermore, for those tech companies touting their freedom to innovate, the potential threats and harms of connected objects will be of secondary consideration until there is overwhelming evidence to the contrary. Most likely, the large majority of connected objects will pass by unnoticed, while the personally identifiable data leaking from them will be masked by software updates designed to fix security flaws and other bugs in an effort to protect consumers.
Considering the consumer and human rights issues of connected objects, to what extent do you think you will have control over their tracking and analytics features?
Join the discussion in the comments below!