About the author:
Tejpal Singh Rathore is a 4th Year Student pursuing B.B.A. LL.B (Hons.) at Gujarat National Law University.
Introduction
Internet of things (IoT) is the most recent form of technology in the world of computers which, by means of the internet, aims to connect billions of physical devices to the global network. The use of IoT has lately increased at an alarming rate, especially for security purposes.[1] Automated gates, using cameras for homes and industry automation, a burglar alarm system that uses sensors to detect and thwart intruders are some of the examples of IoT for security purposes.[2] The access to these security systems can be through varied mediums including a cloud to a phone or a tablet. It can also be accessed through the use of motion sensors (Passive Infrared Sensors) for tracking purposes, photoelectric sensors and video recording features.[3]
IoT devices are capable of communicating with smartphones and send and receive data in a systematic manner.[4] The remarkable feature of IoT is its ability to represent itself digitally either by an IP network or by Bluetooth or Ethernet, which makes an IoT device more than its physical self.[5] Pretty much any physical device connected with the internet is an IoT. For e.g., a light bulb connected via a smartphone app, smart thermostat, smart watches, a child’s toy, a driverless vehicle or even a fitness band, etc., are IoT. Billions of IoT products are available to make a person’s life hassle-free. For instance, WeMo by Belkin permits users to control power (energy usage), home electronic appliances, water, and WiFi from a smartphone. HomeKit by Apple, another smart home product, facilitates the control of alarm systems, surveillance systems, lights & doors inter alia, via an iPhone or iPad. Wearable devices with GPS, Athos Clothing that analyze heart rate, temperature & breathing patterns, Scout5000 which allows GPS tracking & live streaming of pets are some notable examples of IoT. The ultimate object of IoT is to provide efficiency of our actions and activities. These conveniences, however, come at a cost: viz. to Privacy and Security.
Privacy Implications
As the IoT rolls itself from an idea of fiction to an entrenched reality, privacy concerns will mushroom as it collects the personal data generated by IoT devices. Such concerns have become all the more crucial in the wake of landmark judgment of Hon’ble Supreme Court of India in Justice K. S. Puttaswamy (Retd.) and Anr. vs. Union of India and Ors., which has declared privacy a fundamental right.
How does it breach Privacy?
Billions of devices collect, harvest, store and communicate a wealth of data associated with the subject. The more the number of devices, the greater the generation and accumulation of data over the internet.[6] This pushes up data volume and complexity and results in plausibly less control, which puts privacy in a rather sorry state.[7] Collection of data depends on the frequency of use of devices. For e.g., the collection of power uses by a device can provide significant personal information like whether the person is out of town or the time when a washing machine is switched on or off by analyzing the power uses which can be highly revealing without any realization.
The Guardian reported that a bug in the Google Home Mini caused entire conversations to be recorded and beamed back to Google, even if the “OK Google” wasn’t spoken. Google, however, apologized and fixed it, but does that really quell the fears of over-the-top surveillance? In fact, it causes a sense of fear within the consumers as to whether or not these devices are actually listening around-the-clock.
From smartphones which are open to snooping (to an extent) to the kind of websites we use, tracked by our online search patterns with the help of cookies and device fingerprinting,[8] we are tracked everywhere.[9] With the use of data analytics[10] and advanced technologies, data collected can be used to understand the patterns of behaviour, variations in an individual’s routine and signs of unusual behaviour by consumers.[11] Besides compromising personal information, data collected can be used to provide real-time information about a person, locations, contacts, habits and daily activities which puts a person’s privacy in peril.[12]
Furthermore, users may find it difficult to control the amount of information they agreed to share. The communication between devices may be triggered automatically as well as by default, without the consumer being aware of it. The data collected may also be used for secondary purposes as opposed to the assigned purposes. Recently, Reuters reported that Facebook had shared data with third parties, who may use the data for a completely different purpose, highlighting serious privacy concerns.
Security Implications
The security issues unfold due to the lack of protective measures for IoT devices.[13] The linking of these devices with people, property, plants and animals is highly vulnerable to hackers. Because of these exposures to hackers, personal information collected can be misused. The degree of seriousness increases particularly if the hacker holds the possession of financial or medical data resulting in ‘identity theft’.[14]
With increasing IoT devices we can expect more advanced, sophisticated and new forms of attacks due to the lack of critical infrastructure. According to 2018 Internet Organized Crime Threat Assessment (IOCTA) by Europol, it can result in new forms of blackmailing and extortion schemes. For example, ransomware for smart cars or smart homes, data theft, physical injury, possible death, and new types of botnets, etc. Furthermore, it affords perpetrators a chance to compromise IoT devices by launching Denial of Service (DoS) attack or by spreading malware, etc.
Medical devices are increasingly becoming internet enabled. To improve efficiency and effectiveness, devices like X-ray machines, bio-medical devices, drug infusion pumps, pacemakers, and anaesthesia devices inter alia, have become part of IoT.[15] If the default settings of medical devices are altered by stealthy actions, depending on the devices, such actions can cause illness, injuries, and even death. Nevertheless, this convenience comes at a cost as most of the IoT devices are built without security concerns in mind.
How far does the draft Bill address the issues of privacy and security?
India lacks a robust data protection regime as the existing laws are not designed to deal with the issues arising out of IoT devices. Realizing the need of the hour, the Hon’ble Supreme Court in the Puttaswamy Judgment, while recognizing privacy as a fundamental right, observed that “to make this right meaningful, it is the duty of the state to put in place a robust data protection framework”. The government of India set up a high-level expert committee under the chairmanship of Retd. Justice B. N. Srikrishna with the object of protecting the free & fair economy and protecting privacy. The Committee on July 27, 2018, submitted the report along with a draft “Personal Data Protection Bill, 2018” (the ‘Bill’).
Personal Data Protection Bill, 2018
The Bill has been drafted to protect individual privacy & autonomy in the data-driven world. If passed by the Parliament in the current session, it fills the void in the existing data protection regime in India. The Bill has incorporated significant provisions of General Data Protection Rights (GDPR). It has provisions safeguarding data including establishing a Data Protection Authority (DPA) which has powers to penalize any contravention of the provisions therein, Data Localization and Data Minimization inter alia. Though the Bill does not specifically address IoT devices but nevertheless it covers issues arising out of the same.
Definition of Data
The Bill defines two kinds of data viz: Personal Data (PD); and Sensitive Personal Data (SPD). PD is defined as relating to a natural person who is directly or indirectly identifiable.[16] SPD includes passwords, financial & health data, official identifier, sex life, sexual orientation, biometric data, genetic data, transgender status, intersex status, caste or tribe and religious or political belief, etc.[17] The Bill departs from the international data protection laws and provides a much broader definition of SPD to protect individual privacy in the broadest possible manner. For instance, Article 9 of GDPR (processing of special categories of PD) does not include “passwords” and “financial data” as SPD.[18] Despite the broad definition of SPD, with the help of ‘Big Data Analytics’, data gathered from IoT might become sensitive based on what they reveal and still not get covered under the definition. For e.g. if my non-personal data such as food purchases and eating habits (data collected by smart fridge and supermarket system) are combined and aggregated with data such as times of day I leave my home (collected by house sensors, alarm & home security systems and smart cars), it can reveal SPD like religion. Moreover, the Bill does not specifically include metadata[19] such as online identifiers and location data as PD, unlike GDPR. Imagine an IoT device is collecting location data of a person. Such location data collected can reveal caste or tribe (if a particular caste or tribe is believed to be located at a particular place) which are SPD upon aggregation. However, IoT can still survive as the Bill vests DPA with the right to identify any other category of PD as SPD[20] and therefore, geo-location data can be specified by the DPA as SPD. Whereas under the GDPR, the authority does not have the right to specify any new categories of PD which makes the definition under the Bill broader.
Explicit Consent and Right to be Forgotten
Due to the heterogeneity and dynamic nature of IoT devices, the problem lies when data principal does not realize he has consented. Even if he does, does not know the extent and specific purpose for which he has consented. The Bill aims to address that by requiring an informed, clear and specific consent.
The Bill mandates ‘explicit consent’, making implied consent, inactivity or pre-checked boxes redundant. However, in practice, it can be very difficult to enforce as IoT operates in a highly interconnected and concentrated environment. In fact, strict adherence may sometimes frustrate the purpose of IoT devices. For instance, in a video-enabled smart doorbell, it is difficult to imagine a situation where visitors are informed of their face being captured without frustrating the purpose of such a device. In such a scenario, the explicit consent of the visitor whose image i.e. data will be collected is not present. This breaches the consent requirement under the Bill and thus, makes the applicability of the Bill in IoT landscape challenging.
To some extent, the Bill addresses the problem of IoT home devices by exempting them from requirements in the course of purely personal or domestic purpose.[21] However, if products like smart doorbells or CCTV home surveillance capture a person in public space or outward from the private setting such as public roads, gardens, etc., it would be considered a violation under the Bill. In past, the European Court of Justice (Fourth Chamber) had considered such a situation violative of the data protection directives.[22] Thus, deployment of such devices poses a significant challenge under the Bill. Nevertheless, it can be fairly concluded that IoT devices must ensure heightened security and abide by the principle of ‘Privacy by Design’[23] to minimize any such harm.
The Bill also codifies the right to be forgotten, which restricts or prevents continuing disclosure of personal data. However, the very nature of IoT devices involves continuing disclosure of information and therefore, the efficient exercise of this right is frustrated. Moreover, the Right to be Forgotten in the Bill only grants a “right to restrict or prevent continuing disclosure of PD”[24], unlike GDPR which provides for a right to obtain the erasure of PD.[25] A data principal under the Bill cannot claim the erasure of data collected by IoT devices as a matter of right. As a result, the data in storage by IoT devices become vulnerable to hackers which puts privacy in an unpleasant situation and reflects poorly on the Bill to secure the privacy of data principals.
Periodic review of stored Personal Data
Section 10(3) of the Bill mandates a periodic review of the data stored, to determine the necessity of PD in its possession. However, the term ‘periodic review’ is too general and does not specify if it is monthly, bi-annually or annually, leaving scope for circumventing the provisions. The provisions pertaining to “collection limitation”[26] and “data storage limitation” (Section 10) in the Bill are premised on the principle of data minimization. Take a situation, wherein, data collected by IoT devices are retained even after the purpose for which they were collected is fulfilled. The Bill requires a periodic review to determine the necessity of that data, however, if the periodic review itself is delayed for lack of any time limit, data can still be retained, which makes it vulnerable and frustrates the purpose of data minimization. Moreover, a data principal cannot claim deletion or erasure of that data as well (as mentioned above). This results in a situation of helplessness wherein, it neither allows a data principal to get his data deleted nor prescribes any time limit for data fiduciary to determine the necessity of data. As a result of such provision which is at odds with the very objective of data minimization, the possible outcome is data theft. This is even at odds with EU Regulation which provides that time limits should be established by the data controller for a periodic review.[27] Thus, prescribing time limits for periodic review of data under the Bill which equally applies to IoT devices would minimize the potential loss/theft of PD and address privacy concerns.
Conclusion and Recommendations
The IoT connects lifeless devices and living objects for providing better services. It has become a repository of various aspects of a person’s life. The Bill marks a progressive step in establishing a standard for protection of privacy. However, it does not provide a comprehensive legal framework for the abovementioned challenges and may require new approaches from the IoT perspective. Reduce the dominance of text-heavy terms & conditions and jargon-based documentation and contracts for consent requirements of IoT devices. New forms of consent mechanisms for IoT devices such as utilizing more visual approach with the voice-over capabilities, new methods like audio, video and gestures like hand waving or blinking of different colour lights may be needed for the exchange of information.
IoT developers in India should be regularly engaged by appropriate DPA to develop workable guidelines to overcome such practical issues. The Bill mandates the use of methods such as de-identification and encryption as security safeguards. However, to prevent the use of unsafe IoT devices especially wearables, toys and smart home devices, a minimum level of mandatory security requirements also known as “Digital Standards” should be established. The same level of standards, however, will not be applicable for all IoT devices. The standards have to be more robust for devices that pose physical security or safety risks (such as insulin pumps or door locks, etc.) than devices which measure distance, heartbeat, etc. Such digital standards could be issued under “code of practice” in the Bill with the collaboration of industry members and standards organizations like ISO, ITU-T, etc. Standards are needed to minimize the security attack surface and leverage best practices to address security concerns in IoT devices.
Similar to the principle of privacy by design, security by design should be adopted i.e. IoT devices are designed in such a way that it secures the product throughout from the point of collection to deletion of PD. In order to prevent any tampering of medical devices, medical device manufacturers should be mandated to ensure that security safeguards are built into devices. Medical devices with backdoor passwords (which are supposed to be only known by the manufacturers) should have strong authentication requirements to avoid any unauthorized user access. Lastly, the firmware in these devices are updated and digitally signed.
The Bill does a half-baked job in addressing privacy and security issues arising out of IoT devices. Nevertheless, if it is enacted in the current state, manufacturers of IoT devices have to comply with the Bill despite the challenges in implementation. It is recommended that a thorough legal analysis is undertaken and new measures are developed. In my opinion, an excuse of a liberal economy and seamless worldwide internet cannot refute a fundamental right. It has to be implemented in letter and in spirit.
——————————————————————————————-
[1] Louis Columbus, 10 Charts That Will Challenge Your Perspective of IoT’s Growth (June 6, 2018) Forbes, Available at https://www.forbes.com/sites/louiscolumbus/2018/06/06/10-charts-that-will-challenge-your-perspective-of-iots-growth/#7c397f0d3ecc (last visited on 03/04/2019).
[2] PathPartner, How Latest Technologies are Upgrading the Home Security Landscape (August 17, 2018), Available at https://www.pathpartnertech.com/how-latest-technologies-are-upgrading-the-home-security-landscape/ (last visited on 02/04/2019).
[3] Desai G., An IoT Approach for Motion Detection Using Raspberry PI, Kalsekar Technical Campus, Available at http://www.aiktcdspace.org:8080/jspui/bitstream/123456789/1953/1/PE0170.pdf (last visited on 02/04/2019).
[4] Mehdia Ajana El Khaddar and Mohammed Boulmalf, Smartphone: The Ultimate IoT and IoE Device (November 2, 2017), Available at https://www.intechopen.com/books/smartphones-from-an-applied-research-perspective/smartphone-the-ultimate-iot-and-ioe-device (last visited on 02/04/2019).
[5] Micrium, Designing the Internet of things, Available at https://www.micrium.com/iot/devices/ (last visited on 03/04/2019).
[6] Sharon Shea et al., IoT Security and Privacy Issues, TechTarget, Available at https://internetofthingsagenda.techtarget.com/definition/Internet-of-Things-IoT (last visited on 03/04/2019).
[7] Id.
[8] Device fingerprinting means tracking devices overtime based on browser’s configurations and settings.
[9] Aaditya Narayan, Are You Being Tracked on The Internet? Know How to Find It, (October 06, 2017), The Economic Times, Available at https://economictimes.indiatimes.com/tech/internet/are-you-being-tracked-on-internet-know-how-to-find-out/articleshow/60890696.cms (last visited on 19/03/2019).
[10] Data Analytics is the process of examining data in order to draw conclusions about the information they contain, by using systems and software.
[11] Competition & Markets Authority, The Commercial Use of Consumer Data, (June 2015), Available at https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/435817/The_commercial_use_of_consumer_data.pdf (last visited on 19/03/2019).
[12] J. H. Ziegeldorf et al., Privacy in the Internet of Things: Threats and Challenges (June 10, 2013), Security Comm. Networks, 7, pages 2728– 2742, Available at https://doi.org/10.1002/sec.795 (last visited on 03/04/2019).
[13] Sharon Shea and Ivy Wigmore, IoT Security, TechTarget, Available at https://internetofthingsagenda.techtarget.com/definition/IoT-security-Internet-of-Things-security (last visited on 03/04/2019).
[14] Intersog, Security of IoT Devices: The Threats are Rising (March 22, 2018), Available at https://intersog.com/blog/security-of-iot-devices-the-threats-are-rising/ (last visited on 03/04/2019).
[15] Reda Chouffani, Current and Future Applications of IoT in Healthcare, TechTarget, Available at https://internetofthingsagenda.techtarget.com/feature/Can-we-expect-the-Internet-of-Things-in-healthcare (last visited on 03/04/2019).
[16] Personal Data Protection Bill, § 3 (29) (2018).
[17] Personal Data Protection Bill, § 3 (35) (2018).
[18] Art. 9, Regulation (EU) 2016/679, General Data Protection Regulation, Available at https://gdpr-info.eu/art-9-gdpr/ (last visited on 19/03/2019).
[19] Data that provides information about other data.
[20] Personal Data Protection Bill, § 22 (1) (2018).
[21] Personal Data Protection Bill, § 46 (2018).
[22] František Ryneš vs. Úrad Pro Ochranu Osobních Udaju, ECLI: EU: C: 2014: 2428.
[23] Personal Data Protection Bill, § 29 (2018).
[24] Personal Data Protection Bill, § 27 (2018).
[25] Art. 17, Regulation (EU) 2016/679, General Data Protection Regulation, Available at https://gdpr-info.eu/art-17-gdpr/ (last visited on 19/03/2017).
[26] Collection of personal data shall be limited to such data that is necessary for the purposes of processing.
[27] Recital 39, Regulation (EU) 2016/679 of the European Parliament and of the Council.