Morningstar Law Group – Raleigh Law Firm – Durham NC Attorneys

Insights

Dumbing Down Some of the Privacy and Security Risks Associated With Smart Devices

March 25, 2020

Insight By Partner Richard Caira

Bluetooth sunglasses, temperature-controlled insulated bottles, voice-controlled dishwashers and other kitchen appliances, smart TVs, and doorbell cameras are just a handful of examples of the many everyday items that have been enhanced with “smart” capabilities to better fit within our increasingly connected and convenience-centric society. As we intensify our reliance on such “smart” Internet-of-Things (IoT) devices, a previously only slightly cracked-open door continues to swing wider to potentially problematic privacy and security considerations.

For example, take the unfortunate and frightening hacking incident that recently occurred in December 2019. Wishing to keep an eye on their young daughter, a couple placed a smart camera in her room. Within days, a man was able to hack into the device and then proceeded to creepily watch, talk to, and taunt the child through the camera and its integrated speaker. In a prior, similar incident involving another home security camera and a smart thermostat, a hacker hurled insults at the homeowner through the camera’s speaker and gained control of the thermostat, jacking up the home’s heat to a sweltering 90 degrees. And there remain concerns among experts – almost 5 years after researchers published the results of their informal study that a modern passenger vehicle can be completely hijacked by remote intruders through the vehicle’s integrated control software – that “smart car hacking” is still a real risk.

As evidenced by the few troubling examples described above, some smart devices can surely pose potentially serious safety and security risks due to bad actors and hackers; however, most of the issues relating to these devices seem to be significantly less nefarious, yet are still troublesome, as they can (often surreptitiously) affect consumers’ expectations and rights of privacy. At the heart of this debate is how manufacturers can continue to innovate while appropriately balancing the security and protection of their users’ most sensitive personal information being collected in vast quantities by their devices, sometimes unbeknownst to the user.

One part of this complicated equation relates specifically to how IoT manufacturers actually communicate their privacy policies and data collection and use practices to users. Many IoT devices are necessarily operated without the benefit of a visible interface, instead relying on related apps and websites to relay user data and information. Others, however, do include an interface – typically small – through which the manufacturer often attempts to convey important information to their users. In both cases, the manufacturer must grapple with presenting its privacy statement and data use practices in tiny, unwieldy print in an effort to comply with applicable laws and to be able to say with a straight face that it adequately presented this information to its customers, so that they could make informed decisions before gaining access to and using the product at issue and thereby disclosing certain private information to the manufacturer itself and, in turn, possibly to downstream third parties (like advertisers). However, it’s probably safe to assume that the average user isn’t compelled to actually read even a single word of the privacy statements presented to them in this manner (let alone in any other manner), instead favoring immediate use and enjoyment of the product. A recent Consumer Reports article highlighted this tendency.

But the issues with privacy policies and IoT devices described above aren’t particularly novel, nor have any significant changes been instituted by the technology industry that make much of a difference since the inception of smart devices. Some companies have taken to including layered privacy policies that outline the most important notices for the viewer to accept before they can gain access to and use a smart device, yet pages of fine print containing still-crucial information remain buried in a tucked-away tab or hyperlink to the vendor’s website, typically never to be found or reviewed.

Tech attorneys, industry experts, and regulators alike continue to urge IoT device manufacturers to think more proactively about the kinds of privacy and security issues their devices pose, and to legitimately implement privacy-by-design into their development processes. If planned for accordingly, including by arming devices with built-in safeguards, the potential for privacy and security risks like the ones described above may be mitigated. The question remains, though: is self-regulation – whether at the individual company level or at the industry level – possible, or will there be a need for continued government oversight? So far, it seems, the answer is both.

On January 1 of this year, California’s broad new (and, so far, unique and not particularly widely publicized) IoT law – the California Civil Code on Security of Connected Devices – went into effect. It serves to regulate IoT device manufacturers that sell or offer to sell their devices in California, and it represents the first state cybersecurity law specifically pertaining to the regulation of IoT devices. Although this new law somewhat hides in the shadow of its bigger, more comprehensive and very widely publicized California Consumer Privacy Act brother (which became effective on the same day), it pointedly requires “the manufacturer of a connected device … to equip the device with a reasonable security feature or features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.” While many have appreciated the push for regulation, unsurprisingly, some factions argue that this law is too lenient and leaves too many loopholes for companies, and others argue that the law is too restrictive.

As with most legal issues relating to technology, there exists a grey space between regulation and practicality. As smart devices continue their hockey stick growth in popularity, the push to legislate and regulate will likewise continue, and eventually we may even have some helpful guidance by way of significant enforcement actions and litigation.  Pity the smart device manufacturers that represent that first wave of examples of what not to do.