The Public Privacy

Tag: Behavioural Profile

Are you ready for the Internet of Things?

November 13, 2014 / / 0 Comments
Everything is connected.

Everything is connected. [1]Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

Imagine a world where people would receive information on their smart phone about the contents of their fridge; cars involved in an accident would call emergency services, allowing for quicker location and deployment of help; cars would suggest alternative routes in order to avoid traffic jam; personal devices would allow to monitor the health developments of patients or to control the regular medication of elderly persons; washing machines would turn on when energy demand on the grid would be lowest and where alarm clocks and coffee machines could automatically be reset when a morning appointment would be cancelled; a smart oven could be remotely triggered to heat up the dinner inside by the time you would reach home…

If it is true that these scenarios once belonged to the sci-fi world, it is not so hard to picture any of these technologies nowadays. The momentum we are living in and all the progress which is already involved in our lives brings the certitude that it is only a matter of time for us to reach such a future. Technological advancements are allowing achievements that once may have seemed impractical and are turning the sci-fi scenarios into reality.

We are smoothly entering in a new age… The age of the Internet of Things (hereafter IoT). The IoT might be indeed already start happening around us. It suffices to think about all the quite recent changes that we already accept as ordinary.

But what is the IoT all about?

The IoT is a concept which refers to a reality where everyday physical objects will be wirelessly connected to the Internet and be able, without human intervention, to sense and identify themselves to other surrounding devices and create a network of communication and interaction, collecting and sharing data. It  is therefore associated to products with machine-to-machine communication capabilities, which are called ‘smart’.

The high-tech evolution has made ‘smart’ more convenient and accessible and made the vast majority of us technologically dependent on several areas of our daily living. Connected devices have proliferated around us. Consider, for instance, the number of smart phones and other smart devices that most of us cannot conceive a life without anymore as it allows us to connect with the world as it was never possible before.

Similarly, our domestic convenience and comfort have been expanded in ways that once belonged to the imaginary. Homes, housework and household activity can be fully automatized in order to enable us to remotely control lighting, alarm systems, heating or ventilation. The domestic devices that can be connected to the Internet are usually referred to as “home automation” or “domotics”.

In parallel, we are currently able of the ‘quantified self’, which is commonly defined as the self knowledge acquired through self tracking with technology (for instance, pedometers, sleep trackers). One can now track, for example, biometrics as insulin and cortisol, or record more random information about our own habits and lifestyles, as physical activity and caloric intake. This monitoring can be done increasingly by wearables, i.e., computer-powered devices or equipment that can be worn by an individual, including watches, clothing, glasses and items alike. The Google glasses, Google Wear and the Apple Watch are the most famous recent examples.

Scarily enough, the number of objects connected to the Internet already exceeds the number of people on earth. The European Commission claims that an average person currently has at least two objects connected to the Internet and states that this is expected to grow to 7 by 2015 with 25 billion wirelessly connected devices globally. By 2020 that number could double to 50 billion.

However, every time we add another device to our lives, we give away a little more piece of ourselves.

Consequently, along with its conveniences, and due to the easy and cheaply obtained amount of data collection it allows, the idea of a hyper-connected world raises important concerns regarding privacy, security and data protection. To be true, while it is a relatively well-known fact that our mobile devices are frequently sending off data to the Internet, many of us do not understand the far-reaching implications of carrying around an always-on connection, let alone to have almost all your life connected to the Internet.

In fact, such objects will make it possible to access a humongous amount of personal data and to spread it around without any awareness nor control of the users concerned. From preferences, habits and lifestyle, to sensitive data as health or religion information, from geo-location and movements to other behaviour patterns, we will put out there a huge amount of information. In this context, the crossing of data collected by means of different IoT devices will allow the building of a very detailed user profile.

It is essential that users are given control over the data which directly refers to them and are properly informed of what purposes its processing might serve. In fact, currently, it is very common that the data generated is  processed without consent or with a poorly given consent. Quite often further processing of the original data is not subjected to any purpose limitation.

Moreover, as each device will be attributed an IP address in order to connect to internet, each one will be inherently insecure by its very own nature. Indeed, with almost everything connected to the Internet, every device will be at risk of being compromised and hackable. Imagine that your car or home could be subjected to a hacking attack through which it could take control of the vehicle or install a spying application in your TV. Imagine that your fridge could get spam and send phishing e-mails. The data collected through medical devices could be exposed. After all, it is already easier to hack routers and modems than computers.

Last but not the least, as IoT devices will be able to communicate with other devices, the security concerns would multiply exponentially. Indeed, a single compromised device could lead to vulnerability of all the other devices on the network.

Now imagine that all your life is embedded in internet connected devices… Think, for instance, fridges, ovens, washing machines, air conditioners, thermostats, light systems, music players, baby monitors, TVs, webcams, door locks, home alarms, garage door openers, just to name a few. The diversity of connected devices is just astonishing! So we may reach the point where you will have to install firewall for your toaster and a password to secure your fridge.

From a business point of view, questions regarding the security setup and software and operating systems vulnerabilities of devices that will be connected to the internet also have to be answered. Indeed, companies are increasingly using smart industrial equipment and IoT devices and systems, from cars to cameras and elevators, from building management systems to supply chain management system, from financial system to alarm system.

On another level, the security of nations’ critical infrastructures could also be at stake. Imagine, for instance, that the the traffic system, the electric city grid or the water supply can be easily accessed by a third party with ill intentions.

Of course, the EU could not be indifferent to this emerging new reality and to the challenges it presents.

In 2012, the European Commission launched a public consultation, seeking inputs regarding a future policy approach to smart electronic devices and the framework required in order to ensure an adequate level of control of the data gathering, processing and storing, without impairing the economic and societal potential of the IoT. As a result, the European Commission published, in 2013, its conclusions.

Last month, the European data protection authorities, assembled in the Article 29 Working Party, adopted an opinion regarding the IoT, according to which the expected benefits for businesses and citizens cannot come at the detriment privacy security. Therefore, the EU Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC are deemed to be fully applicable to the processing of personal data through different types of devices, applications and services in the context of the IoT. The opinion addresses some recommendations to several stakeholders participating in the development of the IoT, namely, device manufacturers, application developers and social platforms.

More recently, at the 36th International Conference of Data Protection, Data Protection Officials and Privacy Commissioners adopted a declaration on the Internet of things and a resolution on big data analytics.

The aforementioned initiatives demonstrate the existing concerns regarding Big Data and IoT and the intention to subject them to data protection laws. In this context, it is assumed that data collected through IoT devices should be regarded and treated as personal data, as it implies the processing of data which relate to identified or identifiable natural persons.

This obviously requires a valid consent from data subjects for its use. Parties collecting IoT devices information therefore have to ensure that the consent is fully informed, freely given and specific. The cookie consent requirement is also applicable in this context.

In parallel, data protection principles are deemed to be applicable in the IoT context. Therefore, according to the principle of transparency, parties using IoT devices information have to inform data subjects about what data is collected, how it is processed, for which purposes it will be used and whether it will be shared with third parties. Similarly, the principle of purpose limitation, according to which personal data must be collected for specified, explicit and legitimate purposes and not be further processed in a way incompatible with those purposes, is also applicable. Furthermore, considering the data minimization principle, the data collected should not be excessive in relation to the purpose and not be retained longer than necessary.

Considering the vast number of stakeholders involved (device manufacturers, social platforms, third-party applications, device lenders or renters, data brokers or data platforms), a well-defined allocation of legal responsibilities is required. Therefore, a clear accountability of data controllers shall be established.

In this context, the Directive 2002/58/EC is deemed applicable when an IoT stakeholder stores or gains access to information already stored on an IoT device, in as much as IoT devices qualify as “terminal equipment” (smartphones and tablets), on which software or apps were previously installed to both monitor the user’s environment through embedded sensors or network interfaces, and to then send the data collected by these devices to the various data controllers involved…

Thus said, one can only rejoice that the enchantment about the possibilities of IoT does not surpass the awareness regarding the existent vulnerabilities. But it remains to be found how can these and the other data protection and privacy requirements be effectively implemented in practice.

We certainly are in the good way to dodge any black swan event. However, it won’t be that easy to find the appropriate answers for the massive security issues that come along. And one should not forget that technology seems to always be one step ahead of legislation.

So, the big question to ask is:

Are we really ready for the Internet of Things?

References

References
1 Copyright by Wilgengebroed under the Creative Commons Licence – Attribution 2.0 Generic

The strange case of Cookies or the flimsy balance between convenience and privacy

September 29, 2014 / / 0 Comments
All cookies have a dark side, and no, it's not the chocolate.

All cookies have a dark side, and no, it’s not the chocolate.

Once upon a time, visits to websites were discontinuous, weren’t recorded and each was treated as the first one. This would make any multi-step operation impracticable as any commercial transaction would thus have to be conducted from start to end in one visit. This was due to the fact that, being the HTTP a ‘stateless’ protocol [1]Web browsers and web servers communicate using the HTTP – Hyper Text Transfer Protocol. This is the mean by which websites can be accessed. , websites weren’t able to store information about their visitors activity.

All that changed with Cookies.

Cookies are small pieces of data, stored on internet users’ browsers, which record their online activity and which websites use to store information about visitors. Among the stored information one can find the operating system, the Web browser and its version, the webpages visited using that browser, the time and date of the visit and the IP address, username and password, and other types of order form information or personal information like e-mail, phone numbers and addresses.

The practical and pleasant outcome is that we are now able to surf the Web more enjoyably and efficiently, while saving significant amounts of time. For instance, cookies allow a persistent login to various online websites, as they recall your previously created session identifier for every website, hence, enabling to finalize an online purchasing transaction in several visits without having to start the operation from scratch. Cookies allow as well the showing of advertisements tied directly to the parts of the website a visitor has consulted.

All this is possible due to a unique identifier assigned anonymous and randomly to the user on the first connection to the website, which the browser will store and use in subsequent visits.

Cookies may be used to many ends, such as remembering behaviours or movements within the website pages in order to customize the visitors experience or convey more personalized advertisement according to those activities.

Without cookies, much of the Web as we know it would cease to exist… Frequent visits to websites would require constant registration and shopping online would be almost impossible.

But cookies came with a price…

Indeed, cookies are the main reason why internet users enjoy all kinds of apparent free online services, as Youtube, Facebook, Amazon. The thing is: they are not really for free. They cost us bits of our privacy.

While cookies provide a variety of benefits, they also raise some concerns regarding the potential for abusive invasion of privacy of users, due to fact that they might store personal or sensitive data.

One of the issues is, as a website’s owner compile databases of information about individual users through cookies, it can sell the users personal information to third parties to its own profit. For instance, the user’s search preferences and purchasing habits might be linked to its e-mail address and sold, within a list of other users with similar behaviour, to a company which offers related or not so related goods or services which can result in unwanted marketing.

Another issue is represented by third-party cookies—also known as “tracking cookies”. Mainly used by advertisers, they are able to track your browsing activity across multiple websites and compile surfing habits. The risk of a matching between user’s e-mail, home address, and other personal data to his surfing history – behavioural profile – is a risk to privacy.

So cookies are not dangerous in themselves. They do not contain viruses and they do not download malware (malicious software) or spyware in your computer. Most of the information it contains has been presented by the user to a website as part of a registration form, payment pages, and other online forms. So one must always consider which websites the information is given to, reading the privacy policy of the website before sharing any personal information. These policies serve as a contract with the user regarding what the company may and may not do with the user’s information.

If you are concerned about your privacy, you can disable cookies. Web browsers as Mozilla Firefox have options which allow you to decide whether or not you want to block cookies on your computer. You can choose, as well, to automatically delete cookies when the browser is closed. Another option is to corrupt the cookies of specific websites so no information could be get out of it and the cookie won’t be replaced by another.

What does the law have to state on this matter?

Well, EU law doesn’t prohibit the use of cookies. It recognizes their importance and usefulness for the functioning of modern Internet but warns about how intrusive they might be to privacy. Therefore the legislative strategy consisted in establishing some requirements regarding the information to be given by website operators to end-users about their purpose and the consent of the latters.

The Privacy and Electronic Communications (e-Privacy) Directive, in its 2002 version, was amended in 2009 and major changes were introduced, now foreseen under Directive 2009/136/EC.

Article 5(3) of the e-Privacy Directive was amended as follows:

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia about the purposes of the processing. This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service. [2]Article 5(3) of the old law of 2002 provided as follows: Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in … Continue reading

That provision is complemented with recital 66, which states:

(…) The methods of providing information and offering the right to refuse should be as user-friendly as possible. (…) Where it is technically possible and effective, in accordance with the relevant provisions of Directive 95/46/EC, the user’s consent to processing may be expressed by using the appropriate settings of a browser or other application. (…)

 

The amended article 5(3) determines now that storing and accessing information on users’ computers would only be lawful on condition that the user concerned, having been provided with clear and comprehensive information about the purposes of the processing, has given consent to that end.

The meaning of ‘consent’ under the e-Privacy Directive is taken from the definition under the EU’s Data Protection Directive. Consent to personal data processing must therefore be “freely given, specific and informed”. It can be referred to as ‘opt-in’, meaning that the user must give his or her consent before cookies or any other form of data is stored in their browser.

This shall not prevent strictly necessary storage or access for the provision of a service “explicitly requested” by the user.

Considering the vast room for abuse associated with the use of cookies, and the concerns related to privacy that it raises, initiatives as the ‘Cookie Sweep Day’ announced by the French data protection agency (“CNIL”), whose director is the current chair of the Article 29 WP, and to which other European Data Protection Authorities (DPAs) adhered, might not come as a surprise. In order to assess the general level of compliance with the current legal framework, several random checks to websites were conducted.

Recently, Jean-Claude Juncker, the new President of the European Commission, recommended that the new EU Commissioner for Digital Economy and Society, Günther Oettinger, further the reforms to the e-Privacy Directive.

A new reform might be well needed as tech giants as Google, Microsoft and Apple are already developing new tracking technologies, which are intended to replace cookies, deemed to be inefficient.

Cookies might belong to the past anytime soon, but the privacy concerns are here to stay.

References

References
1 Web browsers and web servers communicate using the HTTP – Hyper Text Transfer Protocol. This is the mean by which websites can be accessed.
2 Article 5(3) of the old law of 2002 provided as follows:
Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller. This shall not prevent any technical storage or access for the sole purpose of carrying out or facilitating the transmission of a communication over an electronic communications network, or as strictly necessary in order to provide an information society service explicitly requested by the subscriber or user.

© 2023 The Public Privacy

Theme by Anders NorenUp ↑