The IoT and the future of privacy



Insights

As the IoT matures, an unlikely ally in its growth has been the Covid-19 pandemic, and the questions it has raised for privacy

By Svein-Egil Nielsen, Chief Technology Officer (CTO), Nordic Semiconductor

If the current Covid-19 pandemic can be said to have had any positives in the years to come I believe one could be that it finally kick-started the IoT revolution by helping to remove certain barriers that had previously seemed almost intractable.

And one of the biggest was issues surrounding data privacy and understandable concerns about how and where that data might be used. This was a particularly hot button issue in Europe. And ‘patient privacy’ was routinely used by the understandably conservative medical industry in countries like the U.S, for example, to in some ways resist IoT-driven change despite the technology being widely available. The benefits just weren’t seen as justifying a huge sudden shift and all the privacy issues it would create.

The greater good

What’s changed is that in the life or death battle against Covid-19 decisions have had to be made quickly and sometimes for the benefit of the greater good over privacy. Wireless pulse oximeters, for example, that stream their data from the device to the cloud are never going to be as secure as traditional wired alternatives.

And even though the wires limit patient mobility and can thus be uncomfortable to wear for long periods of time, this wasn’t previously a compelling enough reason to justify a wholesale replacement of wired devices with wireless.

What’s changed is with Covid-19 came the realization that wired devices also require much more patient-to-medical-staff contact as readings have to monitored manually. And for hospitals facing surges of Covid-19 cases, wired devices also prevent the monitoring of large numbers of patients remotely and simultaneously for changes in this critical Covid-19 health parameter.

Suddenly the use of wireless over wired pulse oximeters became extremely compelling and I can see hospitals switching to wireless devices much more quickly around the world than they were planning previously simply to be ready for any future pandemics or Covid-19 outbreaks.

The lesson here is that if the benefits of the IoT are big enough, privacy is something that organizations may be willing to trade for the greater good. But what about individuals?

Before 2020 the thought of authorities being able to perform detailed contact tracking and tracing of entire populations in places like Europe would have been unthinkable. Yet it worked so well in combating Covid-19 in Taiwan, Singapore and South Korea that the model is one many countries are looking to duplicate.

And as employers now begin asking themselves how they can safely get their employees back to work, a whole new category of contact tracking and tracing wearable has emerged. These enable employers to know exactly where their employees are and who they have been in contact with and for how long. This capability in the workplace would again have been unthinkable before now. 

Yet these measures are gaining widespread adoption and acceptance. The key being that the benefit – stopping the spread of Covid-19, keeping workers safe, and ending lockdowns – are seen by most as worth the price – for a temporary loss of privacy.

What’s interesting is that in most cases data privacy has been anonymized as far as possible and reassurance given that the data will not be used for anything other contact tracing should someone test positive for Covid-19 and only in that specific scenario.

But here’s where I think we need to tread carefully. As Stacey Higginbotham expressed in a recent edition of her excellent newsletter, Stacey on IoT: “Wearables to ensure social distancing are already being marketed in manufacturing and factory environments. And some employers are turning to consumer wearables that people already own to track fevers or sleep as indicators of potential infection. But if those employers start looking closely at that data, they might see other habits that should remain private.”

She continues: “Additionally, it's worth remembering that actual people are the ones with access to that data. And in some cases, not people from the HR department or someone specially trained for the job. That symptom survey or temperature tracking wand might be wielded by a random 25-year-old receptionist or office manager who has time on his hands.”

I couldn’t agree more Stacey. Most employers have stressed they will not use data to monitor who employees spend their time with at work. And that this data will be accessed only for Covid-19 contact tracking purposes and is only a temporary measure.

Yet the world is full of temporary measures that become permanent. And private data should not be something every employee or employer has automatic access too.

The IoT will respect privacy

For the IoT to succeed and all its benefits to be fully unleashed, privacy needs to be respected in a similar way to an individual’s right to use the toilet or shower in a sports changing room without having to worry about security cameras. It should be considered socially and legally unacceptable for anyone’s data to be used without consent. And even then there should be full transparency, security, and legally binding safeguards in place.

And this is important because like effectively combating Covid-19, but on a vastly and more detailed scale, the IoT is all about processing data gained by digitizing the physical world at a granular level. Such a system creates unprecedented potential for privacy intrusion to the point of knowing not only where an individual is located, but what they are doing, and with whom, at any time.

For the IoT to work people must feel its benefits in terms of safety, convenience, automation, security, and quality of life improvement (etc.) outweigh an inevitable loss of privacy. But at the same time, those organizations – including governmental ones – entrusted with collecting and collating this data must be completely transparent as to what data is collected and how it will be used. And wherever possible, the data should be kept as anonymous as possible. And people should be able to see how their data is used and like an emailing list have the ability to ‘opt out’ at any time should they wish to do so.

In this way a privacy balance is struck between those individuals who don’t consider it to be a major issue, and those who do. But the main thing will be to consider respect for an individual’s right to privacy as a fundamental, along with having to seek their voluntarily consent in any decisions affecting what, how, and where their data is used.

If Covid-19 has proven this is the path forward for the IoT that balances privacy in a way most consumers and workers will feel comfortable about, then at least one bright light did emerge from this terrible pandemic.

 

What’s changed is that in the life or death battle against Covid-19 decisions have had to be made quickly and sometimes for the benefit of the greater good over privacy.