Personal and business devices that are enabled through the Internet are expected to have a huge presence over the next decade, expanding the ways information about individuals is collected without their knowledge and opening up new security risks and concerns about privacy.
Called the Internet of Things, it is a network of devices imbedded with electronic software sensors that connect through the Internet to exchange data. That can include the smart meter in your house, home monitoring systems that send alerts to your phone, wearable technology such as fitness trackers, and connected medical devices. The list will expand to include products that science fiction writers perhaps haven’t even yet considered.
In its research paper released in February, the Office of the Privacy Commissioner of Canada estimated that the Internet of Things will have an economic impact of $3.9 trillion to $11.1 trillion per year by 2025.
And it found that without adequate protections, these developments may pose significant risks to privacy and security.
“Several international experts, thinkers and technology builders are forecasting profound political, social and economic transformations; concerns about privacy and surveillance are chief among them,” begins the paper. “Ultimately, today’s profiling, tracking and targeting of individuals or groups by organizations of all kinds are expected to become more nuanced, specific and accurate with the Internet of Things.”
By connecting to the Internet seamlessly, this ever-increasing number of devices can communicate a wide range of information.
Much of the concern is tied into the idea of informed consent, says Martin Kratz, a partner with Bennett Jones LLP in Calgary where he leads the intellectual property practice.
“Part of the challenge here is: Do you know when your devices are collecting information on you, where it’s going to, how it’s being processed, and how it’s used?” asks Kratz. “As we continue to populate the environment with devices in our cars . . . in our homes, that are all speaking to each other, we need to start asking the questions of what are the security standards applicable to the data communications, who is collecting that data, what is it being used for, who is it being disclosed to.”
And, he asks, are users or those being surveilled entitled to additional protection in addition to what the law already provides?
“That I think is an emerging debate as we will see a number of cases come to the courts where these types of device-generated personal information are sought to be used in ways that might not be expected,” says Kratz.
Lisa R. Lifshitz, a partner in Torkin Manes LLP’s business law group specializing in technology and privacy law, points out that the issue of consent becomes complicated by all the players: the retailer, the manufacturer, and the entities with which they are involved.
She uses the increasingly enabled and connected car as an example. Smart devices may be handy for the driver, but it goes both ways, allowing manufacturers and retailers to collect data that may include driving habits and geolocation data, for example.
“There’s a lot of potential monitoring of consumers going on, so the devices can monitor you through location. They can also monitor certain content, like, for example, depending upon the device, your daily activities and behaviours, including audio and video recording,” says Lifshitz.
“So if you put that all together you end up in a situation where there’s a lot of data aggregation and you may end up with considerable user profiling. And depending upon the integrity of the data collectors, if this information gets sold on for secondary purposes, then that information ends up in a database somewhere and could be used in many different — and bad — ways, often without the express consent of the consumers.
“It’s great if you have a fitness tracker, but you don’t want the data collected to be used to determine whether or not you can get life insurance.”
Security measures across these devices, she adds, are inconsistent and haphazard. Security needs to be included in the initial development of the device. But part of the challenge is that when the security is baked into the device it can’t be updated to react to future risks.
That is driven, in part, by competition and the desire to keep prices down and the race to get the products into the market.
“There will be a lot more data out there. There will be a lot more potential for cybersecurity breaches or security breaches or data breaches depending upon how much is collected information,” says Roberto Ghignone, who practises privacy and data security along with health and insurance law with Borden Ladner Gervais LLP in Ottawa.
More work needs to be done to mitigate these new privacy and security risks, he says.
Ghignone sees the need for cybersecurity protections because of the increased potential for the use of the information that is becoming available. But how and when any policies and procedures are rolled out could depend upon the importance of the information and the potential for theft or misuse of it.
Initially existing legislation, such as the Personal Information Protection and Electronic Documents Act, are expected cover those concerns.
“And if that proves to not be an effective strategy or proves to not cover off all the concerns, then there may be new regulations or new legislation following,” Ghignone adds.
At the same time, there are benefits to the devices and the data they have the potential to collect.
Streamlined medical devices, for instance, can communicate vital information.
As the Internet of Things becomes a greater part of our lives, how that additional convenience is balanced with the necessary controls will become an increasing concern.
“It has the potential to really improve things,” Ghignone says. “It’s going to be important to harness both of those and make sure it can be done well but also to not hamper all the benefits that come out of it.
“So I think there are going to be, at the very least in the near future, some guidelines on consent on the use on all these things that are being put out. Even though they won’t be legislation, there will be some guidance from the various regulators.”