Published in The Times Law Brief, Monday 13 March 2017
WikiLeaks’s latest dump of 9,000 CIA files revealed that US spies, in collusion with British intelligence services, had, as well as targeting smartphones and computers, developed a programme called Weeping Angel, which is allegedly able to turn a television set into a monitoring device – even when it appears to be switched off.
Frightening indeed – and it is all down to something called the Internet of Things. As the physical and online worlds merge, IoT devices of every type become able to gather information and communicate with each other.
While the benefits are convenience and efficiency for the consumer, there are serious concerns that the IoT creates dangerous vulnerabilities to data protection and may infringe the rights of consumers.
A study published last September co-ordinated by the Global Privacy Enforcement Network found that 59 per cent of devices failed to explain how information was collected, used and disclosed, 68 per cent failed to explain how the information was stored and 72 per cent neglected to explain how the information gathered could be deleted.
It is this lax attitude that is key to the privacy issue; the sheer number and range of IoT devices being rushed to market mean that security and protection from hacking or data breaches have been pushed low on the list of priorities.
While most people are aware of the need to protect information such as bank account details, the significance of seemingly trivial data being hoovered up in vast quantities by devices has yet to sink in.
The UK Data Protection Act 1998 draws a clear distinction between personal data and sensitive data, with far greater controls being applied to the use of the latter. Sensitive data is currently defined as that which applies to areas such as race, politics, religion and sex. The obvious problem with this distinction is that, in the age of so-called big data, all data can become sensitive by sheer weight of accumulation.
A thousand tiny bits of information per hour, relatively harmless in isolation and offered freely without protection, can merge to build a thoroughly detailed picture of an individual – a picture that would be of interest to hackers, corporations and, it seems, our own governments.
When the EU’s General Data Protection Regulation comes into force in May 2018, it will introduce much tighter controls over the information that companies gather and the amount that the consumer will have to be told about this information. The hope must be that manufacturers will begin incorporating security measures when developing IoT devices, offering greater protection to consumers.
The problem with this scenario, as far as the UK is concerned, is that we appear to be moving inexorably towards a hard Brexit. If this means ditching the EU regulation, then it is to be hoped that equally tough regulations are introduced into UK data protection law.