Like it or not, the internet is gaining access to every aspect of our lives. You may have a smart thermostat in your house that “learns” when you are home so that the temperature in your home can be adjusted when you are away. Your home may also have a smart doorbell (and networked home security cameras) that will track not only visitors, but can track your comings and goings as well. Certain refrigerators now have cameras inside them that can take pictures of the inside to assist you in restocking your groceries. You may be wearing a fitness watch that is tracking not only your steps, heartbeat, and exercise, but your sleep patterns and even diet (should you opt to enter and track such information). You get the point — more and more data is being collected about you than you may admit, but it is the potential compilation of this information and its use that is a bigger deal than you may think.
Let’s face it: Technology is growing at an exponential rate and the “internet of things” is no exception. The Merriam-Webster online dictionary defines “Internet of Things” as “the networking capability that allows information to be sent to and received from objects and devices (such as fixtures and kitchen appliances) using the Internet.” As I have written previously, more and more elements of this technology have their eyes, ears, and digital fingers on every part of our everyday lives. Although the technology can add value and may, in many cases, make our lives a little easier in the process, the cost to personal privacy cannot be underestimated.
First, let’s address the most obvious point: Each of these devices is collecting data — your data. That is, data about you that you have permitted the device to gather and use according to the privacy policy and the terms of use for the device. For example, the FitBit Privacy Policy not only addresses what they collect about you from their wearable device, but how that information is used and shared, which may include sharing your data with third-party applications and even your employer (for employer wellness programs with which you participate). This is indicative of most every such device that you may be using at home or on your person. Think such third-party application sharing is not a big deal? Think again. Facebook collects at least 98 different data points about its users, and as the Cambridge Analytica scandal of 2018 demonstrated, such data can be used in ways not necessarily agreed to by its users.
Although troubling, at least there is a level of control afforded the user regarding what data is collected and how it is stored and used for each type of device. The bigger issue, however, is the bigger picture presented by all of this data. Much of this data, while collected at the device-level, is actually saved to the “cloud” — a network of computers used by the device company to store such data. This is where things start getting dicey. For example, take the Amazon Echo speaker. This device incorporates a virtual assistant, Alexa, that according to Amazon is its “cloud-based voice service available on more than 100 million devices from Amazon and third-party device manufacturers [with which] you can build natural voice experiences that offer customers a more intuitive way to interact with the technology they use every day.” The problem is that not only does Alexa “listen” to what you ask (and potentially what you are doing), but apparently so are thousands of Amazon employees and contractors to ostensibly improve Alexa’s speech recognition and contextual understanding — they are listening to audio clips that cover not only the mundane, but potentially criminal activity according to one CNN report. You can opt out of such use of your recordings by Amazon; however, history has shown that this may not prevent unauthorized use (e.g., Cambridge Analytica).
This leads us to the biggest issue presented by such data in the “cloud” — the eventual analytics involving such information and compilation of all your collected data by third parties. Think about it: A compilation of your location data from all the IoT devices that you use that can be compiled into a digital representation of you and your daily routine and needs — compiled data that would be digital gold to everyone from advertisers and insurers to hackers. Your smartphone, combined with your smartwatch data and smart refrigerator providing a glimpse of not only how you eat, but what you eat and where you get it. Make no mistake, this is already happening. Unfortunately, the nature of consent in privacy policies does not generally prohibit third-party compilation of data, depriving the individual of control over their data. Further, there is very little that the law addresses in this context in the United States. Although the U.S. seems to be moving in the direction of the EU’s GDPR (as evidenced by California’s CCPA and other state laws following suit), the patchwork of state laws is simply not enough.
All of the foregoing leads me to reiterate the need for meaningful federal privacy legislation in the U.S. Let’s just hope that somehow Congress and business can resolve this dilemma in a way that is a win for personal data privacy. Given the current political climate, however, there seems to be little hope of progress on that front anytime soon. In the interim, an inadequate patchwork of state laws will be all we have to remain reactive to the ongoing march of technology. Make no mistake, a Pandora’s Box for privacy has been opened by these technological advancements, and it simply cannot be closed again. Let’s just hope we can keep the lid from flying off in the process.
Tom Kulik is an Intellectual Property & Information Technology Partner at the Dallas-based law firm of Scheef & Stone, LLP. In private practice for over 20 years, Tom is a sought-after technology lawyer who uses his industry experience as a former computer systems engineer to creatively counsel and help his clients navigate the complexities of law and technology in their business. News outlets reach out to Tom for his insight, and he has been quoted by national media organizations. Get in touch with Tom on Twitter (@LegalIntangibls) or Facebook (www.facebook.com/technologylawyer), or contact him directly at tom.kulik@solidcounsel.com.