The Internet of Things and the protection of personal data
Written by
Victor Vieira
29 January 2018
You have most likely noticed that while browsing a social network such as Facebook or Instagram, several sponsored ads appear throughout your feed. You may also have noticed that the advertised products are often exactly the items you had searched for online shortly before accessing the social network. It may even seem like magic: in one instant, you are looking for something in an online store; in the next, this exact product appears as a purchase suggestion in an ad from the same retailer whose site you accessed minutes before. Is this just a coincidence?
The answer is simple: of course not. What happens on social networks like Facebook is that the famous “cookies” (navigation information saved by the websites we access) are used to detect the personal interests of each user and to show them the most relevant advertisement among those of the various advertisers that pay for commercial space on the site. Much of Facebook’s profit, for example, comes from these ads. Although the service seems “free” at first glance, the truth is that social network users “pay” for it by providing their data to the company, which uses this information to distribute each advertiser’s ads in the most efficient way possible.
From all this, one can conclude that in today’s world, where virtually everything is interconnected, the data produced by each of us is of enormous value. Companies have realized this, and they take advantage of customer data for their own benefit whenever possible. Do you remember the last time you were asked for your CPF in a supermarket or drugstore? You can be sure that this information was used to feed a database with your consumer profile in those places, in order to offer customized discounts based on it, in exchange for the breach of your privacy.
The fact is that we live in a reality where, whether we want it or not, personal data is considered the “new oil” because of its immense profit potential, through direct use or even sale to other agents who take advantage of the purchased information. The concern only increases once you know that this data is not limited to your purchases in a particular place or the searches you make online. This information reveals more about you than you might imagine at first: it can show, for example, when you have consumed more alcohol than usual, or whether you have a sexually transmitted disease or a delicate health condition, among many other things. In a reality where the Internet prevails, your data is you.
In the same context, we have recently seen the emergence of the Internet of Things, which basically consists of adding an Internet connection to the tools we use in everyday life. These tools collect data from their users in order to function and send it over the Internet to the companies that develop them. From that point on, the same story as before is repeated: the data can be exploited in a variety of ways. And the problem is not restricted to the use of data by companies: any device connected to the Internet carelessly (without the use of encryption protocols, for example) allows anyone with sufficient technical knowledge in the area to access all the information that can be extracted from it, including location, names, and the patterns of consumption and daily habits mentioned above, among many others. The possibilities are practically endless.
The main issue that permeates the Internet of Things and the (lack of) data protection concerns the scale at which it becomes possible to collect and use our personal data. Imagine a house in which most of the appliances are connected to the Internet: a refrigerator and a cellar that autonomously order from the supermarket whatever is running out; a stove that sends messages when your food is ready, so you do not forget, or turns itself on automatically when you leave work, so dinner is ready by the time you get home, among many other possibilities. Now imagine that there are diapers in this house that tweet to you whenever your child gets dirty, as well as toys that interact with children through various sensors (microphones, cameras, etc.) and an Internet connection, making online searches to achieve “realistic” interaction with humans. Do you see the extent of the potential collection of our data, and the restricted privacy environment that these technologies make possible?
It may seem an overly pessimistic prediction, but it is a reality that is gradually approaching our daily lives. In 2015, for example, a model of the popular Barbie doll called “Hello Barbie” was announced and prompted an extensive discussion about risks to privacy. The doll would be able to listen to its surroundings and, through a Wi-Fi connection, make online searches to interpret the sounds around it and respond accordingly, thus “talking” with the user.
From the moment the doll was announced, there was some fear among the public about the possibility of espionage, not least because of clauses in the toy’s Terms of Use, which mentioned that the manufacturer would store the recorded audio and use it to improve the doll’s intelligence and for “other research and development or internal purposes”. The problem escalated, however, when a hacker named Matt Jakubowski demonstrated that, despite the manufacturer’s efforts to keep the doll safe while connected to the Internet (which, according to Matt, were safer and more sophisticated than those of most Internet of Things gadgets), it was possible to hack the doll and extract information such as data about the network to which the toy was connected, internal MAC addresses, account IDs, and the owners’ address and personal information, not to mention that it would be possible to access the Wi-Fi network of the home in question and hear everything Barbie recorded. Due to this scandal, Germany banned the marketing in the country not only of Hello Barbie, but also of any other doll connected to the Internet.
The purpose of this text is not to oppose the Internet of Things itself, but to alert people to the dangers related to this technological advance and to reinforce the importance of a specific personal data protection law in Brazil that goes beyond the generic statements on the subject found in our Federal Constitution and in the Civil Internet Framework (Law no. 12.965/2014). So that we do not have to give up our privacy for innovation in the future, mechanisms must be put in place to prevent the commercialization and misappropriation of the data we generate on the Internet, and it is essential that we encourage manufacturers of Internet of Things products to make every effort to produce increasingly safe appliances, which make intrusion into these devices by unwanted third parties impossible or, at the very least, very difficult.
The views and opinions expressed in this article are those of the authors and do not necessarily reflect the official policy or position of the Institute for Research on Internet and Society.
Victor Vieira holds a Bachelor’s Degree in Law from the Federal University of Minas Gerais (UFMG) and is a postgraduate student in Personal Data Protection at the Pontifical Catholic University of Minas Gerais (PUC Minas). He is a researcher and data protection officer at the Institute for Research on Internet and Society (IRIS), and a lawyer. Member and certified by the International Association of Privacy Professionals (IAPP) as Certified Information Privacy Professional – Europe (CIPP/E).