Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Reassessing Regulation and the IoT - Gilad Rosner

202 views

Published on

Presentation delivered at FSR Communications and Media - Annual Policy Conference

Published in: Law
  • Be the first to comment

Reassessing Regulation and the IoT - Gilad Rosner

  1. 1. Reassessing Regulation and the Internet of Things FSR Communications & Media Annual Conference Dr Gilad Rosner gilad@iotprivacyforum.org Internet of Things Privacy Forum @IoTPrivacyForum @GiladRosner 27 May 2016
  2. 2. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum What is the Internet of Things? Converging trends: Widespread, inexpensive telecommunications and local network access Cheap sensors Cheap computing power Miniaturization Location positioning technology Inexpensive prototyping The ubiquity of smartphones as a platform for device interfaces
  3. 3. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum What is the Internet of Things? Internet of Things = Connected Devices
  4. 4. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum What is the Internet of Things? Internet of Things = Sensors
  5. 5. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Internet of Things Devices may not do TCP/IP IoT Network and Messaging Standards Bluetooth WiFi ZigBee 2G/3G/4G Z-Wave 6LowPAN Thread NFC MQTT XMPP DDS AMQP
  6. 6. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Evolution Not Revolution
  7. 7. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Internet of Things Things on the Internet or Things that Network
  8. 8. “Promise or Peril”
  9. 9. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum
  10. 10. The Internet of Things: making the most of the Second Digital Revolution, UK Government Office for Science, 2014
  11. 11. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum • Consent must be “freely given, specific, informed and unambiguous” • Consent must be expressed “by a statement or by a clear affirmative action” • “Silence, pre-ticked boxes or inactivity” are inadequate to confer consent • “it shall be as easy to withdraw consent as to give it” GDPR and Consent
  12. 12. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum • Declarations to obtain consent must be presented “in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended.” GDPR and Consent
  13. 13. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum “Right to be let alone” - Warren & Brandeis
  14. 14. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum
  15. 15. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum The Intimacy of Things
  16. 16. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Risk: Enhanced Monitoring
  17. 17. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum
  18. 18. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Answerable questions implied by devices and organizations knowing your whereabouts: • Did you go to an anti-war rally on Tuesday? • A small meeting to plan the rally the week before? • Did you walk into an abortion clinic? • Did you see an AIDS counselor? • Were you the person who anonymously tipped off safety regulators about the rusty machines? • Which church do you attend? Which mosque? Which gay bars? • Who is my ex-partner going to dinner with? - Adapted from “On Locational Privacy, and How to Avoid Losing it Forever”, EFF, 2009
  19. 19. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Tracking in public
  20. 20. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Risk: Unconsented Capture
  21. 21. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum
  22. 22. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum
  23. 23. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Users should have the ability to “continuously withdraw (their) consent without having to exit” a service. - Opinion on the Internet of Things, Article 29 Working Party, 2014
  24. 24. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Risk: Collection of Medical Data
  25. 25. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Reasons for privileged treatment of medical information: • an awareness that people will not disclose critical information to doctors if they fear a lack of privacy, leading to untreated illnesses • stigmatization, loss of job, or other harms from revelation of medical condition or disease • challenges to dignity – a baseline belief that people have civil rights to control the flow of information about their physical and mental health
  26. 26. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Who can see my health information? What uses can it be put to?
  27. 27. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Risk: Breakdown of Informational Contexts
  28. 28. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Sensor Fusion “Just as two eyes generate depth of field that neither eye alone can perceive, two Internet of Things sensors may reveal unexpected inferences…. Sensor fusion means that on the Internet of Things, “every thing may reveal everything.” [meaning] each type of consumer sensor … can be used for many purposes beyond that particular sensor’s original use or context, particularly in combination with data from other Internet of Things devices.” - Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent, Peppet, S., 2014
  29. 29. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Theory of Contextual Integrity Norms of appropriateness Norms of transmission
  30. 30. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Context matters
  31. 31. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum “Consumers have a right to expect that companies will collect, use, and disclose personal data in ways that are consistent with the context in which consumers provide the data. Companies should limit their use and disclosure of personal data to those purposes that are consistent with both the relationship that they have with consumers and the context in which consumers originally disclosed the data…” - White House Consumer Privacy Bill of Rights
  32. 32. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum • How do I ensure that my employer does not see health information from my wearables if I don’t want them to? • If I share a connected device with someone, how do I ensure that my use of it can be kept private? • What rules are in place regarding data collected in my home and sharing it with my insurance company? • What data from my car can my insurer get? • Who can see when I’m home, or what activities I’m engaging in? • What rights do I have regarding the privacy of my whereabouts?
  33. 33. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum Vehicle Event Data Recorder
  34. 34. “Perhaps the most prominent concern about EDRs is their impact on personal privacy. While current regulations provide only that EDRs, if installed, track 15 specific data elements, technological advances may allow greater data collection. In addition, individual auto manufacturers are free to collect more data, or to collect data for longer time periods, than required under [federal] EDR rule[s]. When combined with other technologies, such as onboard navigation systems and mapping apps, EDR data could be transmitted beyond the vehicle owner’s control.” “’Black Boxes’ in Passenger Vehicles: Policy Issues”, Canis, B. and Peterman, D., 2014
  35. 35. Montana 2015 SB 0209 • “The data on a motor vehicle event data recorder is exclusively owned by the owner ... of the motor vehicle and may not be retrieved or used ... without the written consent of an owner” • Data can be retrieved without owner consent in cases of a search warrant, a need to provide emergency medical care, a court order but with a period to request a hearing, and “for the purposes of improving motor vehicle safety, security, or traffic management and provided that the identity of the owner or driver is not disclosed in connection with that retrieved data.” (emphasis added)
  36. 36. Montana 2015 SB 0209 • “An insurer may not condition the payment or settlement of an owner's claim on the owner's consent to the retrieval or use of the data on a motor vehicle event data recorder.” • “An insurer or lessor of a motor vehicle may not require an owner to consent to the retrieval or use of the data on a motor vehicle event data recorder as a condition of providing the policy or lease.”
  37. 37. Dr Gilad Rosner http://bit.ly/grosner Internet of Things Privacy Forum http://www.iotprivacyforum.org @GiladRosner @IoTPrivacyForum More data means that citizens should be given more power and control over it through regulatory means.
  38. 38. Thank you! Dr Gilad Rosner gilad@iotprivacyforum.org Internet of Things Privacy Forum http://www.iotprivacyforum.org

×