FPF Releases A New Privacy Paradigm for the “Internet of Things”

FPF Releases A New Privacy Paradigm for the “Internet of Things”

Today the FTC is hosting a workshop on the Internet of Things, which will feature many great panelists including FPF’s Co-Chairman Christopher Wolf.  Chris and FPF Executive Director Jules Polonetsky have also today released a whitepaper arguing for a new privacy paradigm in the new highly connected world.

The whitepaper argues that current implementations of Fair Information Practice Principles (FIPPs) are becoming outdated in the world of the Internet of Things, where nearly every device or appliance will be connected to the internet and collecting data about consumers.  Attempting to provide meaningful “notice” in a world of billions of connected devices is not feasible when many devices lack meaningful user interfaces or screens, and relying on consumers to read thousands of Privacy Policies will lead to many simply “giving up” on their privacy. Similarly, FIPP’s strict usage limitations may thwart technological progress, because many socially valuable uses of data are not discovered until the data is already collected.  The challenge then is to allow practices that will support progress, while providing appropriate controls over those practices that should be forestalled or constrained by appropriate consent.

To that end, the paper proposes the following principles:

Use anonymized data when practical.  Anonymizing personal information decreases the risks that personally identifiable information will be used for unauthorized, malicious, or otherwise harmful purposes.  Although there is always some risk of Re-Identification, when data sets are anonymized and stored properly, re-identification is no easy task.

Respect the context in which personally identifiable information is collected.  Managing consumer expectations is a good first step; however, respect for context should not focus solely on what individuals “reasonably” expect.  There may be unexpected new uses that turn out to be valuable societal advances or important new ways to use a product or service.  Rigidly and narrowly specifying context could trap knowledge that is available and critical to progress. Finding a balance may require more sophisticated privacy impact assessments that can analyze the impact of risks or harms and assess the potential benefits for individuals and society.

Be transparent about data use.  Organizations making decisions that affect individuals should, whenever feasible, disclose the high-level criteria used when making those decisions.  This will help insure that factors – such as a user’s ethnicity, sexual orientation, and political preferences – are not factored into a company’s determinations when they would be irrelevant or unduly discriminatory.

Automate accountability mechanisms.  Automated accountability mechanisms could monitor data usage and determine whether the uses comply with machine readable policies.

Develop Codes of Conduct.  Self-regulatory codes of conduct will be the most effective means to honor these preferences and others in the rapidly evolving landscape of the Internet of Things.  Codes of conduct could establish frameworks that enable individuals to associate usage preferences with their connected devices.

Provide individuals with reasonable access to personally identifiable information.  This will likely enhance consumer engagement with and support of the Internet of Things.

FPF has worked on a number of projects related to the Internet of Things and is looking forward to tomorrow’s workshop.

Comments

Posted On
Nov 19, 2013
Posted By
Ruby Zefo

Thanks for posting the whitepaper — I entirely agree on the difficulty of applying FIPPs to IoT. Further, some of these devices are proving challenging in the enterprise environment (she says, as she beta tests a new wearable compute device).
Cheers!
~Ruby

Posted On
Nov 20, 2013
Posted By
Amedeo Maturo Senra

Hi,
Very interesting initiative.
Thansk,
Amedeo Maturo Senra

Leave a Reply


Privacy Calendar

Sep
15
Mon
all-day Big Data: A Tool for Inclusion or Exclusion? @ Constitution Center
Big Data: A Tool for Inclusion o… @ Constitution Center
Sep 15 all-day
The Federal Trade Commission will host a public workshop entitled “Big Data: A Tool for Inclusion or Exclusion?” in Washington on September 15, 2014, to [...]
Sep
17
Wed
all-day IAPP Privacy Academy and CSA Congress 2014 @ San Jose Convention Center
IAPP Privacy Academy and CSA Con… @ San Jose Convention Center
Sep 17 – Sep 19 all-day
This fall, the International Association of Privacy Professionals (IAPP) and Cloud Security Alliance (CSA) are bringing together the IAPP Privacy Academy and the CSA Congress [...]
Oct
21
Tue
6:00 pm Consumer Action’s 43rd Annual Awards Reception @ Google
Consumer Action’s 43rd Annual Aw… @ Google
Oct 21 @ 6:00 pm – 8:00 pm
To mark its 43rd anniversary, Consumer Action’s Annual Awards Reception on October 21, 2014, will celebrate the theme of “Train the Trainer.” Through the power of [...]
Jan
28
Wed
all-day Data Privacy Day
Data Privacy Day
Jan 28 all-day
“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The [...]
Jan
28
Thu
all-day Data Privacy Day
Data Privacy Day
Jan 28 all-day
“Data Privacy Day began in the United States and Canada in January 2008, as an extension of the Data Protection Day celebration in Europe. The [...]

View Calendar