In 1967, in an acclaimed book titled Privacy and Freedom, Alan Westin argued that privacy was just a form of control that individuals exert over their environment to determine when, how and to what extent information about them is communicated to others. The earliest example of this control was the walls we built to keep people from finding out what went on in the privacy of our homes. In time, this control was exercised through various laws that we enacted, including the confidentiality obligations that we invoke when we share personal information with our doctors and lawyers.
Viewed through this lens, privacy is nothing more than the process of exercising control over the boundaries through which personal information flows—so that, from time to time, this information can be made accessible to some people for specific purposes, while at other times, it is denied to some based on our own determination of whether or not that specific disclosure suits our needs. Privacy law establishes the framework within which these boundary controls operate, requiring persons to whom we offer data to take our consent before collecting it and be transparent about what they do with it—so that their use of it is limited to the specific purpose they have notified us about.
However, of late, our ability to regulate the boundary controls over our personal privacy has come under unprecedented stress. We are surrounded by smart devices that collect information from us all the time, that have changed the nature of these boundaries and, along with that, our ability to control what passes through them.
The Internet of Things (IoT) is a generic term used to describe a wide range of ordinary devices that have been upgraded so that they are, in addition to their normal functions, capable of collecting and analysing data that can be transmitted to remote data servers through Internet networks. These devices have proliferated so pervasively that they are all around us today, amassing data from us in so many different ways that the boundaries that previously protected our privacy have broken down completely. Since we were the ones who willingly brought these devices into our homes and agreed to the terms and conditions of their use, we have no one to blame but ourselves for all the consequences.
As invasive as individual IoT devices might be, the inferences generated from inputs collected by multiple IoT devices are significantly more insightful. For instance, measurements of heart rate and respiration by wearable devices can help a user track his or her exercise routine, but when combined, they can provide evidence of whether or not he or she uses cocaine, tobacco or alcohol. Data collected by voice recognition devices, combined with information collected by facial recognition technologies, can generate accurate emotion and sentiment analysis. The fact that these devices are among us everywhere we turn, means that our ability to control our privacy as we used to by simply closing the door whenever we wanted to have a private conversation is long gone.
Since most connected devices are familiar objects, we tend not to think of them as data collection devices, constantly recording everything we say and do. As a result, we act more uninhibitedly around them than we would have in the presence of strangers. Examples of our blatant disregard for IoT devices and the data they collect is reflected in the many instances where data from smart devices has been subpoenaed as evidence of crimes committed within the privacy of the home. As this becomes the norm, we will be forced to change the way we behave around our IoT devices.
That said, we often agree to put up with our limited ability to control the boundaries of our personal space in exchange for the many benefits these devices provide. Smart cities are saturated with sensors designed to collect, analyse and share information on traffic patterns, electricity consumption and the waste management habits of residents. All this data provides city administrators deep insights into the personal lives of those who live in it. And yet, we accept the diminished privacy that comes with living in these cities in order to access the many benefits that they offer.
Even so, surely there are some lines that should not be crossed no matter what benefits these technologies have to offer. For instance, can it ever be acceptable for employers to access information contained in an employee’s personal health tracker and use it to deny them a promotion on the grounds that they have an irregular heartbeat or are otherwise unfit? Should insurers be allowed access to data transmitted from within a connected car in order to evaluate whether the driver is rash or not—and then use that information to increase premiums or deny a no-claims bonus?
We need to upgrade our laws to appropriately account for the impact that IoT will have on our lives. We will need to find alternatives for consent if the devices and sensors that are going to be collecting our data in the future are too small to come equipped with screens through which notices can be communicated and consent obtained.
More importantly, we will have to build new levers through which we can exercise control at the boundaries of our personal space, since once IoT devices start being used against us, as they likely will, the effects of this new form of persistent surveillance will be chilling.
Rahul Matthan is partner at Trilegal and author of ‘Privacy 3.0: Unlocking Our Data Driven Future’