Internet of Things for Privacy Professionals

2. Internet of Things for Privacy Professionals IAPP Academy, Dallas, TX Elliot Maxwell, Fellow, Communications Program, Johns Hopkins University, and eMaxwell & Associates September 15, 2011

3. Societal Trends Encourage Proliferation of New Devices—RFIDs, Sensors • Desire to connect to anyone and anything from anywhere at any time • Pressure for greater efficiency and productivity • Increased concerns about security • Protection of the environment and disaster prevention • Aging of the population and crushing health care costs • Businesses recognizing that the business of business is data

4. Technology Trends • Devices are becoming: • Smaller, cheaper, smarter, and able to harvest power • Autonomous—surveillance without conscious action • Communicative and interconnected (not always through the Internet) • Identifiable and able to be located • Declines in cost of processing and storage stokes increase in perceived value of data • New tools emerging for aggregating, analyzing, and distributing data

5. PARADIGM CHANGES • The earlier paradigm shifts in IT are well known • From centralized and hierarchical • To distributed and commoditized • From the network/center to the edge • Now moving toward ubiquitous/pervasive computing • Will the privacy paradigm, originating in a world of centralized data controllers/processors and restricted categories of personal information, continue to be relevant in a world where it is unclear who collects, stores, distributes and secures the data?

6. Privacy Principles Still Relevant But Need New Ways of Applying Them • Our challenge: How to treat objects that observe their surroundings, monitor, directly or indirectly, the actions of humans, and communicate to people and machines often without human intervention? • No obvious cues for providing notice • No obvious opportunities for consent • Data is widely shared and, given enough effort, linkable • Collection minimization/purpose specification in tension with social needs e.g. treatment effectiveness research • Who will provide access, security, be accountable • Whose laws apply to whom?

7. There Are Potential Partial Answers • Not slogans. Not technology specific solutions • Greater awareness and responsibility by organizations • Plan ahead. Privacy and security by design/PIAs • Increased transparency • Liability with stronger focus on/enforcement against misuse of data • Technical means—PETs, encryption, privacy preferences attached to data, authentication, data segmentation • Interoperable global policies arrived at openly • Restrictions on government data collection/use

8. Closing Thoughts • Applications of sensor technologies limited only by our imaginations • Need to recognize paradigm shifts. Core values/principles have not changed. But need to change the ways they are operationalized in order to find ways to protect privacy AND gain the extraordinary benefits from data flows • Greater focus needed on actions taken based on data—particularly those actions that are most damaging and most likely to occur. Treating all threats equally and all data as PII undermines effective privacy protection • Recognize the value of persistence and openness

9. Further IoT Reading • http://www.cardozolawreview.com/content/28-5/28.5_Werbach.pdf

10. Contact Information emaxwell@emaxwell.net www.emaxwell.net (1) 301.229.8575