UK privacy watchdog warns that IoT devices can track people

News
11 Feb, 2016

More must be done by manufacturers to warn users their data is being collected

The Information Commissioner’s Office (ICO) has told manufacturers of Internet of Things devices they should make better attempts to notify people that data could be collected on them.

Speaking in a keynote speech at the IoT Tech Expo in Olympia, London, Simon Rice, technology group manager at the ICO, said that the IoT industry has to comply with data protection when collecting personal data.

There could arguably be some confusion over what constitutes personal data and Rice set out a few examples of where data is personal and where it isn’t. He said that for wind turbines, wind speed wasn’t personal data, but if there is data on who is repairing the turbine then that particular data is personal. With bridges, while data could be collected about the cars using it, vehicle registration data could be used to pinpoint the owner or driver and would therefor be considered personally identifiable information.

What definitely is personal data are Mac addresses used in smartphones. “An IPv6 address could be personal as it would be specific to that device,” he said. He added that even if individual identification is not the intended purpose, the implications of IoT for privacy and data protection are still significant.

He said that manufacturers should care about personal data and pointed to studies carried out by the ICO found that around 20 per cent of people would stop using a service if a data breach occurred with that service, another 60 per cent could reconsider the service in light of a breach. “Companies could potentially lose up to 80 per cent of their customers in a data breach,” he said.

Rice added that the ICO would also take enforcement actions against such firms involved in an incident of that nature.

He also said there are aspects of data protection that are special to IoT and there was potential for covert data collection. “People buying smart TVs may not be aware of the data being collected,” said Rice.

He asked delegates if any of them had read the privacy policy of the event there were attending, none put their hand up. He showed them the privacy policy and said that “most people wouldn’t read this and it would be beyond most expectations to assume they did.”

“We want to make sure that people can find privacy policies connected to IOT devices,” said Rice.

Rice's comments come on the same day it was revealed toy maker VTech, which recently suffered a hack on its database, has changed its terms and conditions in an attempt to lay the responsibility for the protection of children's data at their parents' door.