U.S. Markets closed

Q&A: The Internet of Things Is Here, And Privacy Has Catching Up to Do

Regulators are nibbling. Privacy advocates are wary. And meanwhile consumers are being presented with an ever-widening array of internet connected gadgets that promise to simplify daily life. (A voice-activated mirror? An egg tray that notifies you when you’re running low? Seriously!)

For this week’s Q&A from the What's Next briefing, we catch up with Jennifer King, director of consumer privacy at Stanford Law School’s Center for Internet and Society, and ask what has her attention when it comes to the Internet of Things. One issue she’s watching is who bears responsibility for privacy in a world where there are fewer screens and more voice-activation.

Do you have a smart home device or other internet connected devices in your home?

I do not, on purpose. I have been testing smart speakers for research purposes but I do not use them in my normal life. I have one IoT device which is a picture frame that I can connect to the internet, but I don’t let it connect.

What is the biggest concern you have with IoT as it relates to consumer privacy?

The notion that consumer defaults are set for maximum information collection. People have information collected about them that they’re not aware of and that they can’t control at all, and that it happens without much visibility. The smart TV case where the FTC settled charges with Vizio, that’s a really good example. Here’s an object that most of us are completely familiar with. We have all these expectations around what a TV is supposed to do and how it’s supposed to operate. And suddenly it’s made into a smart TV and the FTC argued that Vizio provided pretty poor notice to consumers that literally the TV was tracking everything that people watched. That was not done in a way that I think most people understood or would have been happy about.

➤➤ Would you like to receive What's Next as an email? Sign up here.

You should, at the very least, be able to turn that functionality off. This is not a free subscription service where the implicit or explicit trade-off is that you’re paying with your data. This is an actual physical object that you purchased, so you should arguably have some control over it.

Is there something that’s different about engaging with a physical object versus a website that impacts the privacy calculation?

One of the things that I find very fascinating about IoT is that you don’t have an interface, meaning there’s no screen, for the most part, to interact with, to configure, to present a privacy policy, or to help the user configure their privacy setting. Today, when we do have IoT technology, even something like an Amazon Echo or Google Home device, we are still using apps to configure those things. But we’re interacting with them using our voice. That’s just a whole game changer. As it is, we do a pretty poor job trying to communicate privacy through interfaces, but once we get rid of the visual interface, the challenges become even more daunting.

A lot of what we’ll have to do right depends on how we design these different products, so privacy by design becomes a really important concept. The M.O. that we’ve had for a long time of just get the product launched and then “Oh, does it have privacy issues? We’ll go back later and fix those.” You’re not going to be able to do that with IoT. And it’s not just a legal compliance issue, it’s a huge customer trust issue. Companies ignore that at their peril.

I think we are dragging the industry kicking and screaming into a world of more forethought and privacy by design rather than privacy after the fact, but I’d say we’re still in the transition phase. To the extent that your business model relies on customers not reading notices and not understanding what they’re doing, I think that is shifting and will change.

What will we be talking about next year in the area of IoT?

The public conversation is so dominated by AI that it’s going to squeeze all the oxygen out of the room for other issues. IoT is kind of the sleeper in that case. It hasn’t become any less important. It’s just that a lot of the current hand-wringing and focus has been on AI and to some degree robotics and automation, while at the same time no one has stopped making these devices, and they’re going to become more popular and more pervasive.

One of the things I haven’t seen discussed is how the GDPR has affected the IoT market. … I am wondering if we are in a waiting period where we’re trying to see how the different member states enforce the GDPR and its opt-in provisions, for example. There have been lots of consumer complaints in general. When we finally see decisions coming out of the EU, it will be interesting to see if that will be a game changer.