The Fastest Way to Turn the Internet of Things into the Internet of Nothing

March 9, 2015

A new report finds that old data privacy laws are failing, and the Internet of Things stands to be the biggest loser. The longstanding European Union (EU) Directive on data protection, for instance, which is the basis for a host of international privacy laws, is so broad as to be meaningless. Children selling Girl Scout cookies and team captains gathering names for flag football are deemed “data controllers” supposedly subject to draconian restrictions. Meanwhile, technology continues to leap past these aged laws, raising new questions about what exactly is acceptable in the data world. Operating under old privacy frameworks risks killing off new innovations. The right response to this confusion, as the report concludes, begins with identifying real harms to consumers and responding to them as they arise.

“Never before has so much information been so readily available to so many,” says McKay Cunningham, writing in the Groningen Journal of International Law on the deluge of data sweeping across our increasingly connected lives. Internet users around the globe have grown 566% from 2000 to 2012. The volume of data they generate is also increasing. By the end of this year the world is expected to have created 5.6 zettabytes of data.

What’s most intriguing though are the passively generated data produced as we go about our daily lives. The fastest growing sources of this “data exhaust” are the connected devices we own that talk with each other online in what’s known as the Internet of Things. And data exhaust, unlike what comes out of a car’s tail pipe, may actually become more valuable the more it is shared. Take toll tags, for instance. Cunningham writes:

Walk from the house to the car and the Internet of Things will follow. Toll tags, for example, include radio-frequency identification (RFID) technology that communicates with receptors at toll gantries in order to detect and record when a car passes. While toll agencies routinely protect billing information associated with toll tags, few policies, if any, protect the personal information gathered. Indeed, in New York, toll tags reveal the driver’s location in many part of the city regardless of toll gantries. Unbeknownst to users, New York traffic officials designed other uses for toll tags by erecting receptors throughout the city in order to better understand traffic flow in real time. While improving traffic in New York seems innocuous (if unlikely) the technology allows constant automobile tracking without the driver’s awareness or any assurance that the information will not be used or sold for other purposes.

Putting aside the invisible “scare quotes” hanging overhead, Cunningham’s point here is to show: how commonplace and mundane the Internet of Things has become; the questions that inevitably result when a centralized institution is gathering the resulting data, especially when it’s a creature of government; and that there is no turning back from this brave new world. As Cunningham concludes:

We generate much of this passive data simply by moving from one place to another; it is nearly impossible not to emit data exhaust. … Given the expansion of sensors and the emergence of the Internet of Things, it is becoming increasingly unlikely that a person could know precisely how much of their data is captured, who controls it and for what purpose.

The preeminent law on privacy, the EU Directive of 1995, requires that anyone processing or collecting personal information give some sort of official notice to the consumer and obtain their consent. (If you’re wondering why you have to scroll through interminable consent forms before downloading anything, this is why.) But in practice, this provision is nearly impossible to work out:

How do businesses and governments issue notice and obtain consent from every person strolling on the sidewalk, whose images are captured by rooftop cameras? Must toll tag and license plate readers notify and obtain consent before every scan? Can residents withhold their consent to data gathering when a municipal government requires them to use smart meters? For those municipalities that do allow residents to opt-out of smart metering, does the notice provide clarity with regard to the amount of data collected and if so, can a resident access and correct that data? (I was using the microwave, not the shower at 10:50pm on 11 August 2014.) Does the notice include notice of potential or future uses of such data, including sale or transfer to third parties?

The EU Directive manages to be both too broad and overly prescriptive. In fact, this is a problem that bedevils any attempt to address questions on privacy with an everything-but-the-kitchen-sink approach. Simply declaring everyone’s right to privacy, a temptation for many would-be regulators, is a standard that cannot be fairly applied because there is no standard of harm by which to enforce it. Worse yet, particularly for the Internet of Things, such an approach assumes that users are actively involved in volunteering their data. But most users would rather not sign a consent form every time they pass under a toll tag reader. That’s why they have a toll tag, after all: for passive convenience in the absence of clear harm. What you get then is half-hearted regulation based on an unworkable law.

Cunningham suggests instead that regulators apply rules gradually in response to real harms facing individual users, building on the sort of “rigorous cost-benefit analysis” that FTC Commissioner Joshua Wright has called for. Policymakers should prioritize and manage these risks within specific contexts and adapt accordingly. This approach borrows from the field of risk management and is based in the reality of just how advanced and fast-moving today’s technologies are. More to the point, laws should reflect reality rather than a dim view of future fears. Adaptive policy manages risk while encouraging risk-taking.

Addressing information privacy in the digital age means focusing on efforts that are, in the words of Adam Thierer, “Bottom-up, evolutionary, education-based, empowerment-focused, and resiliency-centered.” Cunningham helpfully lays out in his report a litany of unknowns surrounding data collection and the Internet of Things, concluding only that they are here to stay and that we must focus instead on managing them as they come. He’s right, but there’s also the need to humbly acknowledge how fast our technology and digital norms are changing, as Thierer notes:

Evolving social and market norms will also play a role as citizens incorporate new technologies into their lives and business practices. What may seem like a privacy-invasive practice or technology one year might be considered an essential information resource the next. Public policy should embrace—or at least not unnecessarily disrupt—the highly dynamic nature of the modern digital economy.

Why does all of this matter now? Beyond the reality of these innovations is the equally real push from European policymakers for what they hope will be a global framework for privacy in the 21st century. They intend to include most of the elements found in the 1995 directive—notice and consent among them—along with a raft of new rules, including the controversial “right to be forgotten.” EU regulators hope that the benefits of creating a common privacy model within Europe will outweigh the cost of a tough privacy regime. Even if that were true, it appears to double-down on the same mistakes Cunningham cites in his report on the 1995 EU directive—a globalized view focused on data collection and across-the-board privacy.

If America wants to continue to be the leader in data-driven innovation, particularly with the Internet of Things, it must lead in public policy as well. As the EU looks to craft its own set of privacy rules, we must remember one thing: the Internet doesn’t stop at Europe’s borders. U.S. Senator Cory Booker (D-NJ) came to a similar conclusion in a recent Senate hearing on the Internet of Things:

This is a phenomenal opportunity for a bipartisan, profoundly patriotic approach to an issue that can explode our economy. I think that there are trillions of dollars, creating countless jobs, improving quality of life, [and] democratizing our society. We can’t even imagine the future that this portends of, and we should be embracing that. …

America right now is the net exporter of technology and innovation in the globe, and we can’t lose that advantage, and we should continue to be the global innovators on these areas. … And so, from copyright issues, security issues, privacy issues… all of these things are worthy of us wrestling and grappling with, but to me we cannot stop human innovation and we can’t give advantages in human innovation to other nations that we don’t have.

America should continue to lead.