Is privacy possible in the Internet of Things?


In past policy reports, I’ve supported the right of private-sector companies to collect personal information on individuals who voluntarily agree to disclose it. Whether it was Google, Facebook, Amazon or the local brick-and-mortar supermarket, it was my choice to tell a third party more about myself in exchange for better prices, better service or more convenience. My answer to those who raised privacy concerns was to note there was always the choice to opt out.

But opting out isn’t easy anymore. In many areas of private-sector commerce – such as banking, air travel and health care – the government now requires private-sector companies to collect certain personal information. Dealing directly with the government usually requires it, too. Other times, the government just takes it, as with the National Security Agency’s warrantless bulk-data collection under the Patriot Act.

Beyond that, we are nearing a point where sharing of all manner of personal data will be necessary to accomplish the tasks of everyday life. All that data is stored in third-party servers, in the figurative Internet cloud. With each new technology cycle, that data becomes easier and cheaper to find, search, cross-reference and analyze. At the same time, the line separating data collected by industry and data collected by the government has been blurred, if not erased altogether.

A recent Fox News report offered a disquieting preview. Vigilant Solutions provides local police in two Texas jurisdictions with cameras equipped with license-plate-reading (LPR) technology. The cameras, mounted in police cars and outdoors, scan vehicle license plates as they pass. The LPR software automatically cross-references this data against the police departments’ lists of license plates of vehicles with outstanding speeding tickets or other warrants. When a match is detected, officers are alerted to stop those vehicles. Police are even given credit-card readers to collect fines during a roadside stop. Vigilant, for its part, takes a 25 percent cut on all fines recouped using its data.

What’s troubling here is law enforcement’s “search-and-sift” strategy—recording and inspecting everyone in hopes of catching a lawbreaker. This is different from using license-plate readers and traffic cameras for forensic investigation; for instance, to track a vehicle used in a bank robbery or assault. In those cases, police are looking for a specific suspect vehicle.

While there may be some public-safety benefits to the use of surveillance tools, at the same time, lawmakers must understand and appreciate the ease with which information networks can correlate separate databases of seemingly innocuous information to create more detailed profiles of individuals that threaten both privacy and due process.

Police and lawmakers may argue that catching scofflaws—and the fines they owe—is important to the community. Still, the end does not always justify the means, particularly when we consider the proliferation of laws and ordinances that legislatures and government agencies seem bent on creating.

For example, if the Department of Housing and Urban Development gets its way and bans smoking in public housing, will the surveillance cameras that are supposed to be keeping residents safe be used to see who is buying cigarettes at the local bodega and taking them home? Will analytics kick in and dispatch an officer to come knocking and catch the resident puffing, simply for the chance to write a citation and collect a fine?

The so-called Internet of Things really kicks things up a notch. Anyone who attended January’s Winter Consumer Electronics Show can appreciate how close we are to having everything from our cars to our home appliances connected to the Internet. We aren’t quite to the point where, just as you leave your office, your refrigerator can prepare a shopping list and send it to your phone, which can then link to Google Maps to find the nearest grocery store, then link to another app and generate an electronic coupon for your favorite brand. But very soon, you’ll be able to buy a refrigerator with an interior camera that you can access on your smartphone to see if you’re short on milk or beer.

Cool, yes, but the buzz is tempered when you remember that all this information about you—where you go, what you buy, what you eat, what media you stream—is now out there in the cloud. Think of all the data you and your devices transmit or access over the Internet every day. At the moment, there are no laws that protect it from search or seizure by any inquisitive government agency. Think no one in the government cares what’s in your refrigerator? Look at how intrusive child protective services departments have become. CPS will write you up if you let your children play unsupervised in your own front yard. Next thing you know, a nosy agent will be demanding third-party cloud data to see what you’re feeding your children or how much beer you’re drinking every weekend.

During the presidential debates in the current election cycle, candidates in both parties, when asked about improving homeland security, have said they would seek to work with private-sector technology companies. Beyond that, they offer few specifics.

Certainly the private sector has much to teach the government, particularly in areas of cybersecurity. But I would hate to see the government deputize companies that engage in cloud-services management—Google and Amazon are the two biggest—to provide personal information about the habits of individual citizens without explicit constitutional safeguards in place.

The counterargument that law enforcement likes to use, that there is no expectation of privacy, has limits. While there’s no right of privacy for activities done in public, neither is there an expectation of constant surveillance. On a societal level, the law recognizes this as stalking and allows court-ordered redress.

The Fourth Amendment protects our property and documents from warrantless search. The Fifth Amendment protects against self-incrimination. If an individual can’t go anywhere, meet anyone or transact any business without the government either recording that event or using its power to demand a third party to surrender that record, it can be interpreted as a way to compel testimony against oneself.

The majority of Americans believe it is important that they be able to maintain privacy and confidentiality in commonplace activities of their lives, according to a recent study by the Pew Research Center for Internet, Science and Tech. In the study, 93 percent of adults said that being in control of who can get information about them is important; 90 percent said that controlling what information is collected about them is important.

The Pew report found these views are especially pronounced when it comes to individuals knowing what information about them is collected and who does the collecting. Those feelings extend to Americans’ desire to maintain privacy in their homes, at work, during social gatherings, at times when they want to be alone and when they are moving around in public.

As we become more dependent on the Internet of Things, to ensure our privacy and right to due process, we need more than mere guidelines and best practices. We need the legal protections stated outright in the Bill of Rights. Here are three ideas to get thinking started:

  • We need a comprehensive rewrite of the Electronic Communications Privacy Act to extend explicitly the Fourth and Fifth Amendment protections to personal data stored in the cloud. Private companies should not be required to turn over customer data without a warrant.
  • Without specific legislation and limits, no government agency should be permitted to collect and perform data correlation, analytics or other processing from two or more independent sources unless it pertains to a specific suspect or the target of an investigation. Government agencies should not be able to create databases for non-specific sifting and search for random violators of various laws, ordinances and regulations.
  • Personal data collected for one specific purpose, such as toll collection, should not be used ad hoc for other purposes.

The Internet of Things has terrific potential, but much of it will go unfulfilled if people sense that data they share will be used against them. Vigilant Solutions’ license-plate-sharing program isn’t going down well with the populations affected, and it’s not just the stereotypical crotchety grandpas who see the problems.

Update Feb. 17, 2016: This post has been updated to correct an earlier statement that the Vigilant Solutions LPR system was using images collected from red-light cameras.

