Perhaps I’ve spent too many years thinking about the privacy and security implications of emerging technologies, but as I was walking the floor at this year’s massive CES 2015 tech extravaganza, I couldn’t help but think of the heartburn that privacy professionals and advocates will face in coming years.
Walking the cavernous halls of the Las Vegas Convention Center for this year’s show, I suspect most show-goers were thinking, “Wow, that is cool,” or “I wonder how much that will cost and when I can get it?” By contrast, anyone whose career is focused on digital privacy and security must have had a sinking feeling in their stomachs in light of all the potential grief that lies ahead.
While the cornucopia of new technologies on display at CES was truly exciting and will bring consumers many wonderful benefits in years to come, I was asking myself questions like, “Now how do you craft a privacy policy for this?” or, “I wonder how notice and choice will work for that?” And so on.
Toward that end, based on my time at CES, here are a few of the challenges that privacy and security professionals will need to stay on top of in 2015.
The Internet of Things Comes of Age
If last year’s CES was the coming out party for the Internet of Things (IoT), CES 2015 was its mainstreaming moment. IoT tech was on display everywhere, and it was the topic of countless sessions and keynote addresses throughout the event. Beyond the wearable tech and digital health technology discussed below, “smart home” technologies commanded a huge portion of floor space at the show.
As I have noted here before, IoT technologies pose formidable privacy and security challenges for individuals, corporations and governments. On the first day of the show, I participated in a panel discussion on “Privacy and the IoT,” during which Federal Trade Commission (FTC) Chairwoman Edith Ramirez highlighted some of these challenges in her opening remarks.
Speaking before a standing-room-only crowd, Ramirez reiterated concerns she has highlighted in previous speeches about the IoT. She did not offer more specifics about how the FTC would go about enforcing traditional Fair Information Practice Principles (FIPPs) for the IoT, but we’ll learn more once the agency issues its eagerly anticipated report on the issue, which is apparently coming in the next few weeks.
The agency is likely struggling with the same issues that privacy professionals are grappling with in real time as IoT products and services proliferate. When we think about Privacy by Design, it’s hard to know where to begin with some of these technologies. Privacy professionals should continue to push IoT innovators to take reasonable steps to limit data retention, give users more choice about what is collected at all and offer better transparency about how data is collected, used and shared.
Those were a few of the items on Ramirez’s wish list, and we can expect the FTC report to push them. But it’s very hard to establish bright-line rules that conform nicely to traditional FIPPs. Each IoT technology is a little different and poses different challenges, as this new Future of Privacy Forum report notes. Generic IoT best practices can be informed by FIPPs, but “Privacy by Design” may end up being something more akin to “privacy on the fly,” as privacy professionals and the companies they work with address problems that, in many cases, are not foreseeable, or manifest themselves in unique ways as consumer demands and creative secondary uses continue to evolve rapidly.
Of course, even without new law or regulation for the IoT, the FTC has already played a major role. As Ramirez and her fellow FTC commissioners who spoke the next day reminded us, their agency has been remarkably active on the data security front, with more than 50 cases and consent decrees being issued using the FTC’s broad Section 5 authority. Privacy professionals will obviously need to make sure that IoT innovators are aware of this growing body of “FTC common law,” as some have called it, to make sure that they do not find themselves in the agency’s crosshairs.
Wearables Becoming More Fashionable
As I note in a forthcoming law review article, wearable technologies represent the most important subset of the IoT universe today. That is due, in large part, to the growth of fitness trackers and “quantified self” technologies. Needless to say, when every aspect of our health and daily activities can be tracked, archived and shared, the benefits can be enormous, but a variety of thorny privacy and security concerns are also created in the process.
There were countless “digital health” products on display at CES 2015, which accomplish a wide variety of objectives, from basic fitness and activity tracking to far more sophisticated monitoring of ailments and disease. As with everything else I saw on display at the show, miniaturization was a key theme. Wearable tech entrepreneurs are in a race to create technologies that are more fashionable and almost invisible.
The goal of many wearable tech developers is to make “ambient computing” and “always-on” connectivity a reality, such that you don’t even think about the fact that you are literally wearing computers, sensors and communications devices all over your body. Some critics won’t like what they regard as the cyborg-ification of humans, but that isn’t going to slow this train down because it will offer consumers compelling benefits, especially increased convenience and personalized experiences.
But the sheer amount of data these devices collect about us, and others in close proximity to us, will be staggering. That’s where privacy professionals will need to take many of the steps already described above for other IoT devices to ensure that the potential for misuse is minimized. This will likely represent the most formidable short-term challenge that privacy professionals face because these wearable technologies are multiplying faster than law and regulation can keep up.
Beyond “baking-in” some privacy and security best practices and encouraging encryption and de-identification of data whenever possible, privacy professionals must work harder to encourage these innovators to educate their own customer base regarding appropriate use. That’s especially the case for the specific wearable devices discussed next.
Stay tuned tomorrow for Part Two of Thierer’s Dispatches from CES 2015 as he delves into the rise of personalized robotics, mainstreaming of drone technology and the continued miniaturization of the camera.
Top image taken at CES 2015 courtesy of Adam Thierer.