
Privacy and Policy Implications of IoT

This article explores the challenges and opportunities for privacy in the Internet of Things (IoT), including the need for privacy by design principles and fair information practices. It discusses the implications of IoT devices collecting and sharing personal information and provides a legislative summary and future policy roadmap.

winebrenner

Presentation Transcript


  1. Privacy and Public Policy Implications of IoT Girard Kelly California State Legislature

  2. Agenda • Introduction • Challenges and Opportunities for Privacy in the IoT • Privacy by Design Principles • Fair Information Practice Principles (FIPPs) • 2015 Privacy Legislative Summary • Future Privacy Policy Roadmap

  3. Introduction • The “Internet of Things” (IoT) is one of the fastest emerging, transformative, and disruptive technology developments since the Internet itself. • By 2025, an estimated 50 billion “smart” devices are expected to be wirelessly connected to the Internet. • Gartner predicts that the aggregated value and economic benefit of the IoT will exceed $1.9 trillion in the year 2020. • IoT devices will be collecting, analyzing, and sharing personal information in real time. • The IoT will dramatically change consumers’ expectations of personal data and privacy.

  4. Challenges and Opportunities for Privacy in the IoT

  5. IoT Privacy Challenges • IoT notice and consent model • Unexpected data collection and sharing • Discrimination through data aggregation and consumer profiling • Increased criminal, civil, and reputational harm • New types of sensor data will require new definitions of Personally Identifiable Information (PII) • Re-identification of anonymized data shared with third-parties

  6. IoT Privacy Opportunities • Convenience and information sharing • Real-time feedback and analysis • “Trusted” or connected computing • Automation and control • New forms of multi-factor authentication • Big data analytics and sensor fusion

  7. Privacy by Design Principles

  8. Privacy by Design Principles Privacy by Design is an approach to systems engineering which takes privacy into account throughout the entire engineering process. • Proactive not reactive • Preventative not remedial • Privacy as the default setting • Privacy embedded into design • Full functionality – positive-sum, not zero-sum • End-to-end security – full lifecycle protection • Visibility and transparency – keep it open • Respect for user privacy – keep it user-centric

  9. Fair Information Practice Principles

  10. Fair Information Practice Principles • The Fair Information Practice Principles (FIPPs) are a widely accepted framework of defining principles to be used in the evaluation and consideration of systems, processes, or programs that affect individual privacy. • Transparency • Individual Control • Respect for Context • Focused Collection and Responsible Use • Security • Access and Accuracy • Accountability

  11. 2015 Legislative Summary

  12. 2015 Legislative Summary • AB-66 (Weber) - Peace officers: body worn cameras • AB-83 (Gatto) - Personal Data • AB-195 (Chau) - Unauthorized access to computer systems • AB-259 (Dababneh) - Personal information: privacy

  13. 2015 Legislative Summary • AB-856 (Calderon) - Invasion of Privacy • AB-964 (Chau) - Civil Law: privacy • AB-1116 (Privacy Committee) - Connected televisions • AB-1541 (Privacy Committee) - Privacy: personal information

  14. 2015 Legislative Summary • SB-30 (Gaines) - Carjacking • SB-34 (Hill) - Automated license plate recognition systems: use of data • SB-178 (Leno) - Privacy: electronic communications: search warrant • SB-570 (Jackson) - Personal information: privacy: breach

  15. 2015 Legislative Summary • SB-576 (Leno) - Mobile applications: geolocation information: privacy • SB-690 (Stone) - Stalking • SB-741 (Hill) - Mobile communications: privacy • SB-1177 (Steinberg) - Privacy: students of 2014

  16. Future Privacy Policy Roadmap

  17. Fundamental Privacy Principles • Transparency • Individual Control • Respect for Context • Focused Collection and Responsible Use • Security • Access and Accuracy • Accountability

  18. 1. Transparency • Expand California’s Online Privacy Protection Act (CalOPPA) to include: • A short-form summary at the beginning of every privacy policy • Notice of what “type” of IoT sensor information is collected • Notice of what “specific” personal information an organization has collected • Notice of what “purpose” information is collected and shared with whom • Application of CalOPPA to State agencies and their use of personal information

  19. 2. Individual Control • Require opt-in/opt-out consent distinct from the operation of the IoT device • Provide more consumer privacy choices—Not simply all or nothing • Provide the ability to delete information • Privacy by Design—default IoT settings for privacy

  20. 3. Respect for Context • Restrict third-party sale of sensitive PII for marketing or unrelated advertising purposes • Respect the purpose for which the data is collected • Prohibit the use of data in unexpected ways • Require a “reasonable expectation of privacy” standard

  21. 4. Focused Collection and Responsible Use • Expand the definition of “Personally Identifiable Information” (PII) • Expand the definition of “Personal Information” under the Information Practices Act • Provide data minimization incentives for organizations • Provide data correction and “second-hand” exclusion • Responsible use of data based on fairness

  22. 5. Security • Provide for increased data breach notification of non-encrypted re-identified information • Require robust identity theft protection • Require reasonable security procedures and practices of businesses • Incentivize two-factor authentication / Biometric authentication • Align product warranty and customer expectations with security fixes and product life-cycle

  23. 6. Access and Accuracy • “Right to Know” what information an organization has collected about you • Right to know what third-parties an organization has shared your PII with • Right to correct inaccuracies in your information • Right to export or transfer your information • Right to access digital assets or information from deceased heirs

  24. 7. Accountability • Provide stronger enforcement mechanisms: • Federal Trade Commission (FTC) • California Office of the Attorney General • Consumer private right of action • Data Breach Notification Requirements • EU-U.S. Privacy Shield Safe Harbor

  25. Thank You Girard.Kelly@asm.ca.gov
