IoT & the future of

Digital Privacy
Eric Ge
The complexity of digital privacy
The History of Monetized Privacy:
An economic perspective of the digital privacy market

Corporate Ethical Violations

User tracking & public awareness
Impediments to legislative solution

Orwells Metaphor & the Risks of IoT

Implications of IOT & government surveillance

Solution
PII restriction, Explicit Consent, & data responsibility
Conceptualizing Privacy
Privacy as a right

"the right to be left alone (1890)

Privacy as a commodity

privacy is not an absolute right

subject to the economic principles
Louis D. Brandeis
Privacy Monetization: A Timeline
The Right to Privacy
European Convention of Human Rights
Federal Privacy Act
Start of telemarketing Start of customer categorization
Targeted marketing saturation
Acceleration of IoT
GDPR
IoT devices reach 6.8bn

1890 1950 1965 1974 1980 1996 2009 2018

The Market: Privacy Calculus
What are the benefits to consumers?

User feedback and improved UX

Relevant advertisements

Public Research Facilitation

Consent vs. Acquiesce
Most data collection happens without consent

Visualization:
User Tracking
Data Brokerage
The value of data is monetized by data brokers

$200 billion
Data brokerage industry net worth

$89
Average value of one email
address to a brand
Public Opinion
Pew Institute (2016): public awareness do exists

Office Cameras

Health Info

Smart Thermostat

The majority (54%) are pessimistic about privacy protection

Laws vs Privacy Policies
Corporations collect data legally with privacy policies

Overwhelming Length Deliberate Ambiguity

2518 words
Average Private Policy Length
We generally may share
personal information we collect
on the Site with certain service

$781
providers, some of whom may
billion
use the information for their own
purposes as necessary.
Hypothetical National Opportunity
Cost to Read Them
Fit-Bit vs. HIPAA

Health Insurance Portability Wearable technology that

and Accountability Act (1996) tracks biometric information

Regulates use and Embedded analytical apps

disclosure of protected that upload user data to
health information cloud in backend
Force Agreement: One-size-fits-all
Privacy laws protects user privacy passively

Example: European Charter of human rights article 7 & 8

Corporations can withdraw whole service if users do not agree

to specific details in data collection

Users cannot withdraw consent after accepting privacy policies

Loss of granularity / liquidity

IOT & Data Security
More sensors, more data, less security

Heart Rate Hormones Glucose

Sleep Patterns Brain Activity DNA

85% of enterprises intend to deploy IoT devices

10% feel confident against hackers
Orwells Metaphor & Self-Censorship

Government must collect citizens data in

absence of consent due to national security
concerns

U.S. currently not in 1984 regime.*

Acknowledgement / opacity in surveillance

practices cause self-censorship & constriction

* Specific debates regarding government surveillance not covered in research

Kafkas Trail & Privacy Control
Consumers could lose track of their IoT data
The Danger of Social Transparency
Snowden, Wikileaks and NSA
Social Credit System
Case Study: China
We-chat and government censorship

963 million
Monthly Active Users (2017)
Solutions: PII Restriction
PII stands for Personally identifiable information

Differential privacy adds noise to user data before cloud upload

Solution: Explicit Consent
Enforce explicit user consent with active opt-in

Privacy by design: Standardize consent platforms in IoT devices

Establishes platform for user consent & data access

Solution: GDPR
European General Data Protection Regulation (GDPR)
enforcement starting May 2018

Unambiguous consent; implied consent is no longer enough

Freedom to request, correct, delete and block;
Data breaches must be notified within 72 hours
Large scale profiling/processing of sensitive data need to
appoint a data protection officer
Large fines up to 4% turnover or 20 m (whichever is greater)
o Mandatory audit rights for DPA
Conclusion: What Next?
Public Awareness
Privacy & consent education

Technology
Differential Privacy
Encryption

Legislation
Challenges of GDPR compliance
Resolving contextual issues in consent
Works Cited
AT&T's Cybersecurity Insights Report. AT&T Security Resource Center. 2016. https://www.business.att.com/cybersecurity/docs/exploringiotsecurity.pdf
Bascuas, Katie. Data Privacy Day To Raise Public's Awareness of Data Security. Associations Now, 12 Jan. 2016, associationsnow.com/2016/01/data-privacy-day-to-raise-
publics-awareness-of-its-role-in-data-security/.
Data Brokers A Call for Transparency and Accountability. Federal Trade Commision, May 2014, retrieved from https://www.ftc.gov/system/files/documents/reports/data-brokers-call-
transparency-accountability-report-federal-trade-commission-may-2014/140527databrokerreport.pdf
Greenberg, Andy. How One of Apple's Key Privacy Safeguards Falls Short. Wired, Conde Nast, 15 Sept. 2017, www.wired.com/story/apple-differential-privacy-shortcomings/.
Dorrer, Kiyo. Hello, Big Brother: How China Controls Its Citizens through Social Media. DW.COM, Deutsche Welle, 31 Mar. 2017, www.dw.com/en/hello-big-brother-how-china-
controls-its-citizens-through-social-media/a-38243388.
Joel R. Reidenberg et.al. Comparing Ambiguity in Privacy Policies and the Impact of Regulation University of Chicago, 10, June. 2015,
https://www.law.uchicago.edu/files/file/reidenberg_bhatia_privacy_policy_ambiguity.pdf
Madden, Mary. Why some Americans have not changed their privacy and security behaviors. Pew Research Center, 14 Apr. 2015, www.pewresearch.org/fact-
tank/2015/04/14/why-some-americans-have-not-changed-their-privacy-and-security-behaviors/.
Madrigal, Alexis C. Reading the Privacy Policies You Encounter in a Year Would Take 76 Work Days. The Atlantic, 1 Mar. 2012,
www.theatlantic.com/technology/archive/2012/03/reading-the-privacy-policies-you-encounter-in-a-year-would-take-76-work-days/253851/.
Rainie, Lee, and Maeve Duggan. Privacy and Information Sharing. Pew Research Center. 14 Jan. 2016, www.pewinternet.org/2016/01/14/privacy-and-information-sharing/.
Regan, Priscilla M., et al. "Generational Views of Information Privacy?." Innovation: The European Journal of Social Sciences, vol. 26, no. 1/2, Mar-Jun2013, pp. 81-99.
File:Screengrab of 'Disconnect', #an internet-browser addon#, visualizing the many trackers on the website 'abovetopsecret' #on 141127#-cropped.png. Wikimedia Commons. 28
Nov. 2014. https://commons.wikimedia.org/wiki/File:Screengrab_of_%27Disconnect%27,_(an_internet-
browser_addon),_visualizing_the_many_trackers_on_the_website_%27abovetopsecret%27_(on_141127)-cropped.png
Shahmiri, Sara. "Wearing Your Data on Your Sleeve: Wearables, the FTC, and the Privacy Implications of This New Technology." Texas Review of Entertainment & Sports Law, vol.
18, no. 1, Fall2016, pp. 25-48.
Smith, H. Jeff, et al. Information Privacy Research: An Interdisciplinary Review. MIS Quarterly, vol. 35, no. 4, 2011, pp. 9891015. JSTOR, www.jstor.org/stable/41409970.
Stuart Lacey. The Future of Your Personal Data - Privacy vs Monetization. Tedx Talks, 20 December 2015, https://www.youtube.com/watch?v=JIo-V0beaBw
Supreme Court Justice Louis D. Brandeis. Photograph Collection, American Jewish University, 1916. Retrieved October 23 2017.
Zibreg, Christian. A closer look at Differential Privacy in iOS 10 and macOS Sierra. Idownloadblog, 25 June 2016, www.idownloadblog.com/2016/06/25/differential-privacy-
overview/.