"internet of things" are collecting data on consumer behavior but consumers have no informed consent, no standard rules to expect, and usually no options over the licensing protocols. Borrowing from standards intellectual property agreements, we can establish norms -- "rules of engagement" -- that give consumers more control over the data they are creating. At a minimum, these should include control over who has acces rights, terms for holding and use of data, and level of identification. Examples are provided.

1. The governance of data in the
age of the internet of things
Melissa A. Schilling
New York University

2. Privacy concerns from internet of things
• Devices collect data that could lead to:
• Loss of autonomy, individuality, and personhood
• Discrimination (price, social, employment, etc.)
• Predation (financial, physical, social)
• Consumers should have control over “opt in” and standard rules for times
when rules are not specified (e.g., public surveillance)

3. Types of Data – Benefits and Risks
Data Type Biological/
Medical
Consumer
Preferences
Financial Geographic Social/Emotional
Examples Lab tests
Prescription data
Fitness trackers
Purchase history
Browsing history
Bank records
Taxes
Credit/Debt
GPS on phone
GPS on car
Tolls
Social media
posts
Alexa, Siri, etc.
Browsing history
Benefits/
Risks
**/***
Health alerts
Science
Employment risk
Insurance risk
**/**
Targeted ads
Innovation
Price discrimination
Inf. for other cats.
*/***
Targeted offers
Discrimination
ID Theft & Fraud
Predation
***/***
Targeted offers
Safety services
Price discrimination
Predation
*/***
Science
Discrimination
Emotional harm

4. Data Governance
• Data is intellectual property; consumer produces the data and thus should own the data and
control the license rights
• Standard license terms could make the licensing process simpler and safer
• License should specify at a minimum the following:
• Level of user access restriction, including:
• who has access
• rights or prohibitions regarding transfer of data to others
• Identification level of the data, e.g.,
• Anonymous
• Anonymous with identifier code (to match data sets)
• Identified
• Time window for data holding and use
• Instant flush
• Medium term window (0-3 years)
• Long term window (3-10 years)
• Permanent

5. Level of User Access Restrictions
• Should have standardized access-level restrictions,
e.g.,
• Public
• Passive licensing (any users with limits of use)
• Restricted licensing (specified users with limits of use)
• Restricted licensing to specified bonded and licensed
professionals
• No access

6. Identification Level Protocols
• Should have standard identification protocols, e.g.,
• Authenticated ID
• Anonymized with code for data concordance
• Guaranteed anonymous (no ID)

7. Data Holding and Use Periods
• All license should have specified data holding/use
period restrictions, similar to standard license
agreements, e.g.,
• Permanent
• Long window (3 - 10 years)
• Medium window (1 - 3 years)
• Short window (<1 year)
• Instant flush

8. Some Data Examples and Suggested
License Standards
Biological/
Medical
Consumer
Preferences
Financial Geographic Social/
Emotional
Highest
restriction
(bonded
licensed
professionals)
with user
consent; 5 year
window
Consumer can
license;
anonymized
with code, 1-3
year time
window
Highest
restriction
(bonded
licensed
professionals)
with user
consent; 5
year window
Consumer can
license; ID or
anonymous
with code, <1
year window
Highest
restriction
(default: no
access)
Instant flush

9. Thanks!
• Questions & comments: mschilli@stern.nyu.edu