Data Collection Must be Limited for Internet of Things Privacy

The recent Consumer Electronics Show (CES) in Las Vegas was overflowing with new types of gadgets and devices that will become part of the Internet of Things (IoT). A business friend of mine attended the show and when he filled me in on all that he saw, he expressed amazement at what he estimated to be hundreds of wearable gadgets that he found there; they literally “dominated” the show. I had asked him prior to his attendance if he could check with some of the vendors on an important privacy topic while he was there, and so he had a lot to tell me about what he found, as well as what the vendors he spoke with wouldn’t tell him, that are directly related to privacy.

Data collection limitation mitigates privacy risks

So what is this mysterious topic that the vendors were not willing to share? Something very basic that relates directly to the collection limitation privacy principle: the types and volume (e.g., 10 MB, 2 GB, 1 TB) of data that is collected by each of the wearables that a person has attached to their body. Not clear on why this is a privacy issue?

Well then, let’s consider a project I’ve been leading since 2009; the NIST Smart Grid Interoperability Panel Privacy Subgroup, where we’ve been researching the ways in which smart meters, and other types of devices within the smart grid, create privacy risks. Our group determined, and described why the amount of data in devices revealing the behaviors of individuals need to be restricted to only that which is necessary to support the purpose of the devices in NISTIR 7628 Volume 2, and then re-emphasized it within the next release NISTIR 7628 Volume 2 Revision 1 as provided in the following two excerpts:

“The granularity, or depth and breadth of detail, captured in the information collected and the interconnections created by the smart grid are factors that contribute most to these new privacy concerns.”

“Manufacturers and vendors of smart meters, smart appliances, and other types of smart devices, should engineer these devices to collect only the data necessary for the purposes of the smart device operations. The defaults for the collected data should be established to use and share the data only as necessary to allow the device to function as advertised and for the purpose(s) agreed to by smart grid consumers.”

So, let’s take this concept beyond the smart grid. Directly related to the wearables is the risk of collecting more data than necessary to meet the goals of the device collecting the data. For example, how often, how much, and what kinds of data need to be collected from a smart wearable device whose purpose is measuring how many miles or kilometers the individual wearing it has walked or run during the day? Does it really need to collect location data? Or other types of data such as: Heart-rate? Brain-activity data? Blood pressure? Menstruation cycles? Contraceptives used? Activity level? Sweat production? Blood sugar levels? Temperature? Alcohol content? Drugs identified? Etc.?

Some of these smart wearable devices may sound far-fetched, but a large portion of the new and emerging wearables have such capabilities as analyzing your blood sugar levels, content of your sweat, and even determining by your vital signs if you may be at imminent risk of a heart attack.

Like my friend who went to the CES a few weeks ago found out, when he started asking vendors of devices that do one type of analysis exactly how much of that data is constantly being collected, and how much of it actually relates to the purposes explained to the wearables consumers, he heard crickets chirping in response. But communicating the specific types and amounts of data collected is something to address since more than 10% of people have fitness wearables.  And of the many people I know that use them, most constantly wear them. If someone is wearing a heath monitoring device prescribed by their doctors that is one thing; the person wearing it knows it is collecting some very specific data showing various types of bodily data analysis. But, if someone buys a fitness device to simply try and stay in shape, they will not expect for such intimate data analysis to also be occurring. Even though it is now possible.

Build in privacy protections!

Wearable fitness device companies, and actually all types of companies that are creating smart devices people can wear continuously, need to make sure that they only collect the amount of data necessary to achieve the published goals of their devices. To collect more not only creates privacy risk, it is also a deceptive and unfair business practice that the Federal Trade Commission does not take lightly.

Companies making smart wearable devices need to take the following actions to help mitigate privacy risks that occur from over-collecting data:

1)    Provide notice and choice. Be transparent and let consumers know the types of data you are collecting with the wearable device, and how much of that data is being sent to the vendor. Is it a once a day reading, or a once a minute reading? If you claim to be transparent with your data collection practices in your privacy notice, then you need to communicate this clearly and accurately.

2)    Establish use-based restrictions. Do not collect more data than is necessary to achieve the stated purposes of the wearable device. To not do so will be an unfair and deceptive business practice. If you collect more than necessary, then that will lead others to believe you are going to use it in ways that you’ve not communicated, putting privacy at risk.

3)    Do not share with others inappropriately. Be transparent about all the types of entities with whom you are sharing the collected data. And don’t use some vague statement like, “We share your data with trusted third parties to support the use of the wearable device.” This statement tells consumers nothing about all the types of entities who may be getting their data.  Do you share it with marketing companies, health insurance companies, health researchers, etc.?

4)    Assign privacy responsibility. Make sure someone in your organization, who fully understands how the devices works, and also all the applicable data use and protection laws, is assigned responsibility for not only establishing privacy policies, procedures and standards for the device makers to follow, but also will be able to completely and honestly answer consumer privacy-related questions about the data collected by the devices.

5)    Stay aware of emerging laws and standards. The FTC and other regulators are pushing device manufacturers to establish industry-wide privacy and security standards for wearables. Make sure you keep an eye out for new requirements and then change your wearables’ design accordingly.

I know people use and love the wearable fitness devices and credit them with helping them to get into better shape. However, consumers concerned about privacy want to know about all the data the devices are collecting, along with how it is being used and shared, before using the devices.


This post was written as part of the Dell Insight Partners program, which provides news and analysis about the evolving world of tech. To learn more about tech news and analysis visit Tech Page One ( Dell sponsored this article, but the opinions are my own and don’t necessarily represent Dell’s positions or strategies.


Tags: , , , , , , ,

Leave a Reply