A privacy standard for Internet of Things suppliers
Industry analysts agree on one thing: An explosion of Internet-enabled consumer products, connected cars, smart homes and wearables will generate a global economic boom over the next five years. One third of enterprise respondents to Computerworld’s Forecast Study 2015 last November said they were initiating IoT initiatives this year. Forbes reported in July that the pace had dramatically accelerated, with over three-quarters now jumping onto the IoT bandwagon.
The result Twenty-four billion Internet-connected devices — over three per person on the planet — before the decade is up, by some estimates.
Whether this explosion amounts to the $1.7 trillion annual spend that IDC predicts depends on two factors: the value this IoT delivers to users and user trust in its privacy and security.
In a May analysis, Gartner said cybersecurity and privacy concerns are the main obstacles to IoT adoption. A January report by the U.S. Federal Trade Commission enumerated the risks of a standard-less IoT: enabling unauthorized access and use of personal information, facilitating attacks on other systems and endangering personal safety.
What are the specific IoT risks people worry about
Vendors of IoT components should expect that researchers and movie scriptwriters will capitalize on these scenarios and other perceived vulnerabilities of the IoT ecosystem and stoke user fears of the unknown.
How can IoT stakeholders own the narrative and write a lucrative future for the world economy
I think the stakeholders need to get ahead of the inevitable fearmongering and back to a minimum set of privacy standards that address the core concerns of IoT users. Other industries have successfully taken a similar self-regulatory approach, such as the mobile-marketing industry’s Mobile Application Privacy Policy Framework, automaker industry’s Consumer Privacy Protection Principles for Vehicle Technologies and Services and agribusiness sector’s Privacy and Security Principles for Farm Data.
What could an IOT privacy framework look like I think five core tenets would address the main risks and fears enumerated above.
1. Tested security. It’s one thing to adopt a set of security controls like the Payment Card Industry Data Security Standard, designed to reduce credit card fraud. It’s another thing for those controls to prevail in a sophisticated penetration test. The IoT would need to set the bar at this higher level to earn maximum user trust.
2. Data minimization. IoT components should maintain default settings that use the minimum amount of personal data to perform their service. Minimum can mean minimum types of data fields collected and exposed to other devices as well as minimum periods of data retention.
3. Controlled and transparent disclosure. Law enforcement and national defense around the world will seek to pursue their legitimate objectives within the IoT. Virtually every industry will seek to track or analyze their end consumers as they move through the system. Trust in the whole enterprise will collapse, however, if these pursuits are not counterbalanced with reliable disclosure controls that are proportionate to the identified threat, and widely known and understood.
4. Data portability. Users won’t want any one node of the IoT ecosystem to accumulate too much power by storing data in its own proprietary format. To bolster trust in the entire system, adopt a common data format that allows users to port their data from one platform to the next.
5. Right to be forgotten. The IoT should be safe for the most vulnerable in society: children, victims of crime and the poor. To protect their safety and thereby make the IoT the largest possible marketplace, enable users to completely opt out by being able to withdraw their data.
After reading these, marketers may be thinking, “Our consumers and customers aren’t asking for these features.” Product designers are probably saying, “I don’t know how we’d do all that,” and lawyers are adding, “We wouldn’t back this until we could do it.”
If IoT providers want to crack the European market, however, it’s going to be a lot cheaper to design these features in ahead of time instead of waiting for the new EU General Data Protection Regulation (GDPR) to mandate them. The GDOR includes requirements such as “data protection by design” and the “right to be forgotten.”
Along these lines, the Online Trust Alliance has released a call for public comment on its IoT Draft Framework, a more detailed set of controls echoing many of the themes above. The next challenge for this or any IoT framework is whether a critical mass of influential adopters begin enforcing it.
Vanderbilt, Rockefeller and Carnegie ignited the Industrial Revolution that changed the global balance of power. The architects of the IoT stand at the dawn of an even larger opportunity. The degree to which they make the connection between trust and adoption will determine the magnitude of that realization.
Jay Cline leads the privacy and consumer-protection practice at PwC LLP.