Connected devices poor on privacy finds global IoT sweep
According to the Sweep, Internet-connected devices generally score poorly with respect to privacy communications and fail to inform users about exactly what personal information is being collected and how it will be used, a global Sweep has found.
While a number of the devices swept can collect a great deal of often sensitive data, including health and financial information, privacy communications tended to be generic and those companies demonstrating good communication practices were in the minority.
“Overall there was significant room for improvement with respect to the privacy communications of the Internet-connected devices swept,” Commissioner Daniel Therrien said.
“With the proliferation of the Internet of Things, the activities, movements, behaviours and preferences of individuals are being measured, recorded and analyzed on an increasingly regular basis. As this technology expands, it is imperative that companies do a better job of explaining their personal information handling practices.”
Twenty-five privacy enforcement authorities participated in this year’s Sweep, which took place April 11-15, 2016. Over the course of the week, participants looked at the privacy communications and practices of 314 Internet connected devices, focusing largely on how organizations communicate their personal information handling practices.
Each authority had the flexibility to choose a different category of products and different sweep method. While some opted to sweep connected toys, health devices and household aids, others looked at very specific areas like smart meters, connected cars and smart TVs. Authorities also had the flexibility to examine the privacy communications that came in the box with the devices and/or those provided by the companies online. They could also choose to interact with the devices to assess how well privacy communications matched their experience using the product, and/or contact the relevant companies directly with follow-up privacy questions.
The goals of the Sweep initiative included: increasing public and business awareness of privacy rights, responsibilities and best practices; encouraging compliance with privacy legislation; and enhancing cooperation among privacy enforcement authorities.
The Sweep was not an investigation, nor was it intended to conclusively identify compliance issues or possible violations of privacy legislation. It was also not a review of organizations’ privacy practices in general, nor was it meant to provide an in-depth analysis of the design and development of the devices examined.
The Global Privacy Enforcement Network was established in 2010 upon recommendation by the Organisation for Economic Co-operation and Development. Its aim is to foster cross-border cooperation among privacy regulators in an increasingly global market in which commerce and consumer activity relies on the seamless flow of personal information across borders. Its members seek to work together to strengthen personal privacy protections in this global context.
US consumer research on IoT shows privacy is a major concern
Connected devices need e-commerce security standard, says industry group
Smart home security ‘woefully inadequate’ says report
Consumers on IoT: Sounds good, but security concerns
IoT Security Foundation launches, takes on cybersecurity