Stacey on IoT | Internet of Things news and analysis

Internet of Things

  • Home
  • Analysis
  • Startups
  • How-To
  • News
  • Podcast
  • Events
  • About
  • Advertise
  • Speaking
    • Facebook
    • RSS
    • Twitter
    • YouTube

We need laws and regulations on data use and privacy

May 9, 2022 by Stacey Higginbotham 2 Comments

If nothing else, the leaked Supreme Court draft opinion that would end the right to privacy allowing women to get abortions should serve as a scary wake-up call to companies that have vast stores of user data. Technology companies, including app makers and connected device companies, have a stunning array of information about people housed in their data centers. In many cases, that data is just a subpoena or warrant away from government hands.

In other cases, the data is actively harvested and sold to buyers, ranging from governments to advertisers to academic researchers. When you add connected devices into the mix — where remote access to a device and control of that device is possible — companies might be forced to turn over data and turn against customers.

The culture wars are coming for tech companies.

Without decisive regulations on what data should be considered private, how and who can access data, and clear rules about ownership and rights that ensure a buyer has physical control of a purchased device, technology firms are creating new windows into their users’ lives and then being forced to let the government peer in. In the case of connected devices, they may even let the government open the window.

If you think I’m overstating the potential for damage that could occur as technology firms and the state collide, consider some recent examples:

  • After Russian troops stole $5 million worth of agricultural equipment from a John Deere dealership in Ukraine, the company apparently bricked the combines and tractors remotely, turning them into bright green and yellow agricultural sculptures. In this case, John Deere was simply remotely controlling inventory stolen from its dealership, but I can see a future where a government pressures John Deere to remotely deactivate customer equipment if it was owned by a wanted criminal, or if doing so would change the direction of an armed conflict. In the meantime, we are currently debating, as part of the current infrastructure bill, whether or not new cars should have some kind of kill switch so that police could stop a car chase.
  • The Centers for Disease Control and Prevention (CDC) spent $420,000 to buy location data on millions of Americans from a private company. The CDC wanted to see if people were following COVID curfews but also wanted to track neighbor-to-neighbor visits, visits to church and pharmacies, and other related activities during the pandemic. Much of that data collection could be related to the agency’s auditing of lockdowns to better determine their effectiveness, but the CDC is also using location data for other more nebulous programs. Additionally, because location data can be tied back to addresses where a person lives or works, it’s not anonymous, which means the CDC could theoretically identify the people breaking curfew or quarantine and get law enforcement involved.
  • SafeGraph, the company the CDC contracted with to buy that location data, also gave up access — this time to Vice, and for a mere $160 — to location data on people visiting abortion providers. If abortion becomes illegal in certain states, those states could easily buy data to figure out exactly who may have accessed health care services and punish them. SafeGraph’s CEO said he was glad the media called him out; he also said his company has stopped selling that data. He added, however, that researchers trying to figure out the effect of recently enacted new laws on abortion providers were frustrated by the company’s reversal on providing that data.

This is why we need to call for technology companies to hold less data, and to hold it for less time. And when it comes to data such as location data, which can easily identify an individual, we need to apply the various protections and standards associated with Personally Identifiable Information, or PII.

PII is a broad term that is defined not by specific pieces of data, but by how data can be used to “distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual.”

There are several different regulatory frameworks for dealing with PII, so laws that govern how companies use it vary based on industry. But the fact is that location data is PII and that tech companies collecting it should treat it as such. Today it is treated as an asset, sold to companies seeking demographic data or other information.

In the future, tech firms should treat location data as something a consumer can share with third parties, but that those third parties should also respect. So while that would mean we could still enjoy location-based apps, it would also likely mean we’d have to pay for them since they would not be subsidized by data sales.

We also should recognize that even if law enforcement agencies don’t have a legal right to data, currently they can buy it from third parties. So we either need to eliminate that option or create rules around how, exactly, law enforcement can use privately purchased data.

For years, the tech industry has told its users that it only shares its data with law enforcement and the state in exceptional cases. Yet it’s clear that private data brokers are buying data on users from tech companies and selling it to the state, creating a disconnect between legal protections enshrined in the Bill of Rights and the reality of prosecution.

The challenges will only grow as people give more information to more services, and devices collect highly personal information that can be remotely accessed and controlled. Without laws governing data use and collection, tech firms will become complicit in laws such as prosecuting women for having abortions or outing LGBTQIA+ students to their families, which their employees and many of their users might find unfair.  And that’s not a fun (or profitable) position for them to be in.

Want the latest IoT news and analysis? Get my newsletter in your inbox every Friday.

Share this:

  • Click to share on Twitter (Opens in new window)
  • Click to share on Facebook (Opens in new window)
  • Click to share on LinkedIn (Opens in new window)

Related

Filed Under: Analysis, Featured Tagged With: AI, Amazon, CDC, google, John Deere, Placer, SafeGraph

Sponsors



Become a sponsor

Subscribe to Blog via Email

Enter your email address to receive notifications of new posts by email.

Comments

  1. CCreek says

    May 9, 2022 at 8:29 am

    So we have to get political? Leaving this writer.

    Reply
  2. Nate says

    May 9, 2022 at 12:14 pm

    Thank you Stacey for this very on-topic analysis.

    Reply

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

IoT Podcast

Listen to the latest episode of the Internet of Things Podcast. Just press play!

Sponsors

Become a sponsor







Get Stacey’s free weekly Internet of Things newsletter

  • This field is for validation purposes and should be left unchanged.

Recent Comments

  • Michael Rada on Podcast: Hacking sensors and securing medical devices
  • Jon Smirl on TP-Link Tapo Smart Plug with Matter: Simple and mostly smart
  • Lawrence K on TP-Link Tapo Smart Plug with Matter: Simple and mostly smart
  • Hugo on TP-Link Tapo Smart Plug with Matter: Simple and mostly smart

Stacey on Twitter

Tweets by gigastacey
Copyright © 2023 SKT Labs, LLC · Privacy Policy