[From last episode: security depends on the weakest link on the network; even little connected things must be secure.]
We introduced the notion of privacy a few posts back, noting specifically that, while security and privacy are related, they’re not the same. Having looked at some security basics, let’s take on some privacy basics, starting with privacy rules.
As we noted before, there are no foolproof technology solutions. There are laws and regulations. Less foolproof, but better than nothing. In addition to reviewing various documents, I also spoke with Sahir Sait of Ayla Networks. This company was one of the first that I talked to years ago about the IoT. You likely won’t recognize their name, since they don’t sell directly to the public. They sell IoT infrastructure – a so-called platform. That makes it easier for device makers to build something without having to start from scratch. (Sometime in the future we’ll look at some of that infrastructure.) So their experience can say something about how privacy is handled today.
European Privacy Rules
It would appear that one of the major forces in protecting privacy is the government – that is, the European Union (EU) government. They’ve passed the General Data Protection Regulation, or GDPR, which goes into effect on May 25, 2018. Technically, this applies to any company – European or foreign – that collects and processes data pertaining to EU residents. It lays out some requirements:
- I haven’t seen this explicitly stated, but it would appear that data belongs to you, not the company. But don’t quote me on this one.
- Companies must disclose how long they keep data.
- Companies must make available contact information for someone that can address privacy issues.
- Your consent is opt-in (unlike the US, where you’re in by default and must actively opt out).
- Data that’s arm’s length from being able to identify you – that is, the data itself can’t, but it has something that, with some work, could (say, an encryption key or some ID number that could be traced back) – is still considered personal data. They call this pseudonymized data (more on that next time). It’s considered not personal only if there’s no way to trace it back to you (for instance, if it’s been combined with other data) – which is then considered anonymized.
- Companies must notify authorities of a data breach within 72 hours of learning about it.
- In some cases, you have a right to have your data erased (with one company, not throughout the internet).
- You have a right to transfer your data unless it’s been fully anonymized. It has to be given to you in some structured, standard format (in other words, not some ridiculously jumbled mess that you can’t read).
- Privacy should be by design and by default. In other words, technology should support privacy, and privacy settings should be at their highest out-of-the-box. Settings should be weakened only if you do it yourself.
- There are penalties that can be enforced, up to €20,000,000 or 4% of the prior year’s revenue, whichever is more.
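The pseudonymized-versus-anonymized distinction above is easiest to see in code. This is an added example, not from the original post or from Ayla Networks; the records, the key, and the helper names are all constructed for illustration. It replaces an email address with a keyed token (the holder of the key can still trace it back, so GDPR treats the result as personal data) and contrasts that with aggregated counts from which no individual can be recovered.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records, of the kind an IoT platform might collect.
RECORDS = [
    {"email": "alice@example.com", "device": "thermostat", "city": "Berlin"},
    {"email": "bob@example.com", "device": "camera", "city": "Berlin"},
    {"email": "alice@example.com", "device": "lightbulb", "city": "Berlin"},
    {"email": "carol@example.com", "device": "thermostat", "city": "Paris"},
]

# Assumed secret used to derive pseudonyms; in practice it is stored apart
# from the data, because whoever holds it can undo the pseudonymization.
PSEUDONYM_KEY = b"demo-key-not-for-production"


def _token(email, key):
    """Keyed hash of the identifier; stable for the same email and key."""
    return hmac.new(key, email.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key):
    """Swap the direct identifier for a token. Same person, same token,
    so activity can still be linked; this is pseudonymized, still personal."""
    return [{"user": _token(r["email"], key), "device": r["device"],
             "city": r["city"]} for r in records]


def re_identify(pseudonymized, key, known_emails):
    """Why pseudonymized data stays personal: with the key (or a saved
    token->email table) each token maps straight back to a person."""
    table = {_token(e, key): e for e in known_emails}
    return [table.get(r["user"]) for r in pseudonymized]


def anonymize(records, min_group=2):
    """Aggregate into per-city counts and suppress small groups so no
    output row points at an individual. No identifier remains to reverse,
    which is what makes this anonymized rather than pseudonymized."""
    counts = Counter(r["city"] for r in records)
    return {city: n for city, n in counts.items() if n >= min_group}
```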
Why Do I Care About Europe?
You might wonder, “Why, as a US-oriented blog, would I spend so much time on Europe?” Well, first, we can learn from the rest of the world, so I don’t want to focus on the US to the exclusion of the rest of the world. Secondly, the European laws may impact you.
To borrow an analogy from the gentleman with whom I spoke, let’s look to cars. California has always been tougher on emissions than any other state – because they had to. No one wants to go back to the brown Los Angeles of decades ago.
Auto makers could include all the California stuff only in cars sold within California. But that gets complicated – now you need different models for different states. It’s easier to manage if you just make cars that all live up to the toughest standards and then sell them everywhere. (The same hasn’t happened for gasoline formulas, however.)
It’s the same here: many IoT designers are simply adhering to the toughest standards – Europe, in this case. And they’ll be selling those devices and services anywhere. Yes, when it comes to what’s actually done with the data, it’s easier to pay attention to national borders. But this is better than nothing.
You may also hear of something called Privacy Shield: this is a set of practices that US companies can self-certify to when getting data from Europe or Switzerland (which is not in the EU, but has its own regulations). Companies that sign up for this can transfer data without worrying that they’ll run afoul of the regulations.
So that’s a look at the regulatory picture. Next, we’ll look at some practical aspects of privacy.