Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

A privacy standard for Internet of Things suppliers

Jay Cline | Dec. 2, 2015
Setting up a common privacy standard now will earn user trust.

Five privacy linchpins

I think the stakeholders need to get ahead of the inevitable fearmongering and back to a minimum set of privacy standards that address the core concerns of IoT users. Other industries have successfully taken a similar self-regulatory approach, such as the mobile-marketing industry’s Mobile Application Privacy Policy Framework, automaker industry’s Consumer Privacy Protection Principles for Vehicle Technologies and Services and agribusiness sector’s Privacy and Security Principles for Farm Data.

What could an IOT privacy framework look like? I think five core tenets would address the main risks and fears enumerated above.

1. Tested security. It’s one thing to adopt a set of security controls like the Payment Card Industry Data Security Standard, designed to reduce credit card fraud. It’s another thing for those controls to prevail in a sophisticated penetration test. The IoT would need to set the bar at this higher level to earn maximum user trust.

2. Data minimization. IoT components should maintain default settings that use the minimum amount of personal data to perform their service. Minimum can mean minimum types of data fields collected and exposed to other devices as well as minimum periods of data retention.

3. Controlled and transparent disclosure. Law enforcement and national defense around the world will seek to pursue their legitimate objectives within the IoT. Virtually every industry will seek to track or analyze their end consumers as they move through the system. Trust in the whole enterprise will collapse, however, if these pursuits are not counterbalanced with reliable disclosure controls that are proportionate to the identified threat, and widely known and understood.

4. Data portability. Users won’t want any one node of the IoT ecosystem to accumulate too much power by storing data in its own proprietary format. To bolster trust in the entire system, adopt a common data format that allows users to port their data from one platform to the next.

5. Right to be forgotten. The IoT should be safe for the most vulnerable in society: children, victims of crime and the poor. To protect their safety and thereby make the IoT the largest possible marketplace, enable users to completely opt out by being able to withdraw their data.

After reading these, marketers may be thinking, “Our consumers and customers aren’t asking for these features.” Product designers are probably saying, “I don’t know how we’d do all that,” and lawyers are adding, “We wouldn’t back this until we could do it.”

If IoT providers want to crack the European market, however, it’s going to be a lot cheaper to design these features in ahead of time instead of waiting for the new EU General Data Protection Regulation (GDPR) to mandate them. The GDOR includes requirements such as “data protection by design” and the “right to be forgotten.”


Previous Page  1  2  3  Next Page 

Sign up for CIO Asia eNewsletters.