In 1967, in a highly acclaimed book titled ‘Privacy And Freedom’, Alan Westin argued that privacy was just a form of control that individuals exert over their environment to determine when, how, and to what extent information about them is communicated to others. The earliest example of this control was the walls we built to keep people from finding out what went on in the privacy of our homes. In time, this control was exercised through various laws that we enacted — including the confidentiality obligations that we invoke when we share personal information with our doctors and lawyers.
Viewed through this lens, privacy is nothing more than the process of exercising control over the boundaries through which personal information flows — so that, from time to time, this information can be made accessible to some people for specific purposes, while at other times, it is denied to some based on our own determination of whether or not that specific disclosure suits our needs. Privacy law establishes the framework within which these boundary controls operate, requiring persons to whom we provide our data to take our consent before collecting it, be transparent about what they do with it so that their use of it is limited to the specific purpose they have notified us about.
However, of late, our ability to regulate the boundary controls over our personal privacy has come under an unprecedented stress. We are surrounded by smart devices that collect information from us all the time, that have changed the nature of these boundaries — and along with that our ability to control what passes through them.
The Internet of Things (IoT) is a generic term used to describe a wide range of ordinary devices that have been upgraded so that they are, in addition to their normal functions, capable of collecting and analysing data that can be communicated back to remote data servers through internet networks. These devices have proliferated so pervasively that they are all around us today, amassing data from us in so many different ways that the boundaries that previously protected our personal privacy have broken down completely. Since we were the ones who willingly brought these devices into our homes and agreed to the terms and conditions of their use, we have no-one to blame but ourselves for all resulting violations of privacy.
As invasive as individual IoT devices might be, the inferences generated from inputs collected by multiple IoT devices are significantly more useful. For instance, measurements of heart rate and respiration by wearable devices can help a user track his or her exercise routine, but when combined together it can provide evidence of whether or not he uses cocaine, tobacco or alcohol. Data collected by voice recognition devices, when combined with information collected by facial recognition technologies can generate accurate emotion and sentiment analysis. Given that these devices are among us everywhere we turn, means that our ability to control our privacy by simply closing the door when we want to have a private conversation is long gone.
Since most connected devices are familiar objects, we tend not to think of them as data collection devices, constantly recording everything we say and do. As a result, we act more uninhibitedly around them than we would have in the presence of strangers. Examples of our blatant disregard for IoT devices and the data they collect is reflected in the many instances where data from smart devices has been subpoenaed as evidence of crimes committed within the privacy of the home. As they become the norm, we will be forced to change the way we behave around our IoT devices.
That said, we often agree to put up with our limited ability to control the boundaries of our personal space in exchange for the many benefits these devices provide. Smart cities are saturated with sensors designed to collect, analyse and share information about the traffic patterns, electricity consumption and waste management habits of its residents. All this data provides city administrators deep insights into the personal lives of those who live in it. And yet we accept the diminished privacy that comes from living in these cities in order to avail the many benefits that they offer.
Even so, surely there are some lines that should not be crossed no matter what benefits these technologies have to offer. For instance, can it ever be acceptable for employers to access information contained in an employee’s personal health tracker and use it to deny her a promotion on the grounds because she has an irregular heartbeat or is otherwise unfit? Should insurers be allowed access to data transmitted from within a connected car in order to evaluate whether the driver is rash or not—and then use that information to increase premiums or deny a no-claims bonus.
We need to upgrade our laws to appropriately account for the impact that IoT will have on our lives. We will need to find alternatives for consent if the devices and sensors that are going to be collecting our data going forward are going to be too small to come equipped with screens through which notice can be communicated and consent collected. More importantly, we will have to build new levers through which we can exercise control at the boundaries of our personal space since once IoT starts being used against us, the chilling effects of this new form of persistent surveillance will be devastating.